This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://networks.silicon.com/webwatch/0,39024667,11030202,00.htm


Egg's security leaves Mac users shell-shocked
First Passport, now this...

By Ben King

Published: Saturday 05 January 2002

Mac users who bank with Egg are up in arms about a serious flaw in the site that left the security of their credit card details in doubt.

A silicon.com reader and Mac user experienced problems when he tried to log on to the egg.com website with the latest version of the Macintosh operating system, OS X.

When he attempted to make a secure connection, a dialog box appeared informing him that his browser was unable to do so. The problem recurred with all the versions of Internet Explorer and Netscape browsers he used.

Egg customer services told him to go ahead and make the connection and assured him that the connection would be secure, despite the fact that a dialog box said the contrary.

The customer service representative also told him not to worry about the fact that there was no padlock graphic in the corner of his browser window - directly conflicting with advice displayed elsewhere on the Egg website.

The reader told silicon.com: "I am, along with many friends and family, now closing my account because this company obviously does not care about the security or integrity of data for its Apple Macintosh users."

Egg told silicon.com that the problem was due to an error of communication with its certificate vendor, Verisign. An update to the site means that Mac browsers can't recognise the digital certificate that normally guarantees a secure connection.

The company said in a written statement: "Egg can confirm that a small number of its customers using Apple Mackintosh [sic] computers have recently experienced difficulties accessing Egg's website.

"Egg can confirm that this message was displayed in error and at no time was any part of the Egg website insecure."

However, security experts said that while traffic between the Egg site and the user may have been encrypted, digital certificates are an integral part of securing a website that cannot be ignored.

Lee Ferman, CTO at software-testing company Tescom, said: "The user doesn't know whether it is secure or not, so that could leave it open to spoofing or other attacks."

Egg apologised to the affected users and added: "Egg has worked with its certificate providers to ensure that the message is not displayed erroneously again. Egg is of course very concerned about its customers being unable to access their accounts at any time and it has taken steps to ensure this will not happen again."

Egg claims it has now rectified the fault.
