EE, Why no password change?
Thursday 5th May 16
Updates
I take it all back, I've just talked to someone from EE in the UK and they do have a password change feature, it is just well hidden. So, egg on my face for not finding it but it doesn't negate the fact that the call centre staff didn't know it was there and believed that doing a password reset over the phone on a recorded call was a secure thing to do.
Just had an interesting comment by @j4vv4d:
As we all know, total security is not a reality. It is true that a password can be compromised by an attacker. However, with this process in place, EE have left themselves exposed: if any fraudulent activity occurs within the user's account, whether that be undertaken by the user themselves, EE have no way of proving in court beyond a shadow of doubt that the user was in any way negligent or complicit in the fraudulent activity. Simply saying that their telephone operators are trustworthy isn't sufficient. And as history has shown (e.g. TalkTalk) call centre insiders remain a viable threat.
Main Piece
I often comment on Twitter about the bad security I find on websites I use but I've never seen something so fundamental missing before that I felt it was worth blogging about.
I've just moved to EE for home broadband and needed to log into their website to check some settings. I'd not logged in before and didn't have any credentials so called the helpline. I was told my username and asked to give the operator a password I wanted set on the account. I asked if I could change it once logged in and I was told I could, so I gave a simple password and logged in. After 5 minutes of searching I still couldn't find the change password feature so I called back and after some explaining (the operator's English wasn't great) the operator finally understood what I wanted to do. She told me the easiest way to reset the password was to tell her and she would change it for me. I tried to explain why I didn't want to do that but I was told it was the only way to do it and not to worry as it was secure. She explained that the calls were recorded but only used for training purposes. I pointed out that having my password played to a classroom full of trainees wasn't something I considered secure, at which point she gave up and put me on hold. After a 10-minute hold, the call was picked up by a man who said he was the supervisor and that setting the password through him was perfectly secure. I explained again why that wasn't secure so he had a think and came up with a workaround for me. He told me the only way to set the password on the site was to use the forgotten password feature. By following the link it sent me I would be able to set my own password. He also added that as the password controls my whole account it is really important to make sure it is secure, which is why it can't normally be set on the site.
I can understand why a support team who are trained to work from scripts don't understand why this is an issue but what I really don't understand is how a company as big as EE has managed to build a site without a password change feature. It is a fundamental part of account management. There can't be any excuses based on legacy systems having to be kept in sync or something like that otherwise the forgotten password feature wouldn't work.
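To make the point above concrete, here is an added example (my own illustration, not EE's code or anything from the post) of a minimal account store in which the logged-in "change password" and the e-mailed "forgotten password" reset are two front doors onto one credential write path. Everything in it is hypothetical: the class name `AccountStore`, the in-memory dictionaries, the audit list and the sample user "alice" are constructed for the demo. The design point it demonstrates is that if a reset link can write a new password hash, a self-service change can write through the same code, and in neither flow does a human operator ever see the plaintext.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library. A production system would
    # prefer argon2 or bcrypt; the iteration count is kept modest for a demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccountStore:
    """Constructed in-memory account store (hypothetical, not a real product)."""

    def __init__(self, token_ttl_seconds: int = 900):
        self._accounts = {}       # username -> {"salt": bytes, "hash": bytes}
        self._reset_tokens = {}   # token -> (username, expiry timestamp)
        self._token_ttl = token_ttl_seconds
        self.audit = []           # (event, username) records for later review

    def create(self, username: str, password: str) -> None:
        self._set_password(username, password, "account_created")

    def verify(self, username: str, password: str) -> bool:
        rec = self._accounts.get(username)
        if rec is None:
            return False
        candidate = _hash_password(password, rec["salt"])
        # Constant-time comparison of the stored and candidate hashes.
        return hmac.compare_digest(candidate, rec["hash"])

    def _set_password(self, username: str, new_password: str, event: str) -> None:
        # The single write path for credentials. Both the self-service change and
        # the e-mailed reset land here, so if reset works, change can work too.
        salt = secrets.token_bytes(16)
        self._accounts[username] = {"salt": salt, "hash": _hash_password(new_password, salt)}
        self.audit.append((event, username))

    def change_password(self, username: str, current: str, new_password: str) -> bool:
        # Logged-in self-service change: proof of the current password, no staff involved.
        if not self.verify(username, current):
            self.audit.append(("change_rejected", username))
            return False
        self._set_password(username, new_password, "password_changed")
        return True

    def start_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        # Issues a single-use, time-limited token to deliver over the registered
        # channel (e-mail). Returns None for unknown users; a real endpoint should
        # respond identically either way so usernames cannot be enumerated.
        if username not in self._accounts:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = (username, now + self._token_ttl)
        self.audit.append(("reset_started", username))
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        # The "forgotten password" link: the user, not an operator, chooses the secret.
        entry = self._reset_tokens.pop(token, None)   # pop => the token is single-use
        if entry is None:
            return False
        username, expiry = entry
        now = time.time() if now is None else now
        if now > expiry:
            self.audit.append(("reset_expired", username))
            return False
        self._set_password(username, new_password, "password_reset")
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "initial-pw")                 # constructed sample user
    print("change ok:", store.change_password("alice", "initial-pw", "new-pw"))
    tok = store.start_reset("alice")                    # would be e-mailed, never read out
    print("reset ok:", store.complete_reset(tok, "reset-pw"))
    print("audit:", store.audit)
```

Note that there is deliberately no method that sets a password given only a username: an operator with access to this store could trigger a reset e-mail or inspect the audit trail, but could not choose or learn the customer's password, which is exactly the property the phone-based process in the post lacks.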
If anyone from EE reads this and would like to explain the design decision then I'm happy to listen and update the post.