Egg admits to flaw in security measures

Error allowed access to account even after user had logged off

Online banking service Egg has admitted to a flaw in its software that allowed credit-card accounts to be accessed without authorisation until yesterday.

The defect, which arose from software actually designed to improve security, meant that other people could still access a user's account even after the user thought they had signed off. The defect only affected Netscape 4.6 browsers, and could only be worked around by closing the browser. The problem was fixed on Thursday, according to Egg.

Two weeks ago, Egg introduced a log-out button on its site designed to automatically remove the security cookies from a user's computer. Unfortunately, a problem with the software enabling this feature led to the security hole.

Although this is just the latest in a long line of concerns over Egg's security measures, Pete Marsden, director of information technology at Egg, does not see this problem as a major concern. "There were absolutely no instances of anyone exploiting this," he says. "We have no concerns about it at all. As soon as it was brought to our attention, we fixed it."

Marsden also promises that the situation has been entirely remedied, adding: "It is now browser independent as we don't want to be at the behest of browser manufacturers. We are always in the process of updating our security."

Egg has in fact introduced a "browser health check" service to ensure that users' browsers are entirely compliant with Egg's security measures.

Egg's dubious security record does not seem to have affected its prosperity. The online arm of the Prudential, Egg has issued more than 150,000 cards to customers and receives approximately 3,500 applications each day.
