Friday, May 7, 1999 Published at 15:28 GMT 16:28 UK
Business: The Company File
Crack in Egg's security
It's security, but not as you'd want it
UK Internet savings bank Egg, owned by Prudential, has rushed to close a security flaw that allowed some users to see other potential savers' confidential financial information.
Egg did not make the security flaw public, but BBC News Online was alerted to the problem by two of its readers.
One of them called the lack of security "very worrying".
New site with flaws
The fault developed 10 days ago when Egg moved its operations fully to the Internet and relaunched its Website with new technology.
Several people who tried to apply online for an Egg account suddenly saw somebody else's application flash up on the screen - including confidential information such as home address, phone numbers, e-mail address, the amount of money to be invested and other details.
Two shocked customers alerted Egg to the problem, and its IT team then desperately tried to track down the fault.
Peter Marsden, IT director at Egg, told BBC News Online that the flaw was corrected during the afternoon of the same day.
Encryption breaches security
People who try to apply for an Egg account are asked to log on to the system by identifying themselves with their e-mail address and a password.
This information is then encrypted and used to 'log the session', i.e. make sure that the computer makes the right connection between the Internet user and its own electronic records.
However, the new system was not configured to cope with long e-mail addresses. Every e-mail address longer than about 30 letters was automatically truncated.
Because of the encryption process, people with long but very different e-mail addresses could end up with identical IDs.
The flaw became apparent when, for example, mandatory sections in the application form were not filled in correctly and Egg's web server sent back the page demanding additional information.
At this point, a page containing confidential information could be sent to somebody else with the identical ID.
If hackers had been aware of the security flaw, they could have deliberately flooded Egg's servers, identifying themselves with long, but false e-mail addresses, hoping to glean personal information of Egg customers.
Egg has now ironed out the problem and changed the system so it can cope with e-mail addresses of any length.
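The collision described above, modelled as an added example (not Egg's code; the exact 30-character limit and the use of a hash as the "encryption" step are assumptions): two different addresses that agree on their first 30 characters get the same derived session ID, while a token that is not derived from the address at all cannot collide this way.

```python
import hashlib
import secrets

# Constructed sample addresses that share exactly their first 30 characters.
EMAIL_A = "alexander.montgomery.accounts@example.co.uk"
EMAIL_B = "alexander.montgomery.accounts@example.org"

TRUNCATE_AT = 30  # assumed value for the "about 30 letters" limit in the article


def flawed_session_id(email: str, limit: int = TRUNCATE_AT) -> str:
    """Model of the flaw: the address is cut to a fixed length before a
    deterministic transform, so any two addresses that agree on their first
    `limit` characters map to the same session ID."""
    truncated = email[:limit]
    return hashlib.sha256(truncated.encode()).hexdigest()


def full_length_session_id(email: str) -> str:
    """Derives the ID from the whole address (no truncation), so distinct
    addresses no longer collide.  Still deterministic and guessable from the
    address, which is why the random variant below is preferable."""
    return hashlib.sha256(email.encode()).hexdigest()


def random_session_id() -> str:
    """Session token carrying no user-derived content at all; the server keeps
    the token-to-user mapping, so the ID cannot collide because of the input."""
    return secrets.token_hex(16)


def collides(id_fn, a: str, b: str) -> bool:
    """True when two different identities would share one session under id_fn."""
    return a != b and id_fn(a) == id_fn(b)


if __name__ == "__main__":
    print("truncated IDs collide:", collides(flawed_session_id, EMAIL_A, EMAIL_B))
    print("full-length IDs collide:", collides(full_length_session_id, EMAIL_A, EMAIL_B))
```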
Online, and growing
The Egg savings account has been a phenomenal success, exceeding the wildest expectations of parent company Prudential.
Within six months the company managed to reach its five-year target, with 500,000 customers who have put £5bn in its accounts.
To help its customers get online, Egg has launched a free Internet access service, similar to Dixons' successful Freeserve.
However, the success has come at a price. The Egg venture is losing millions, and Prudential does not expect it to make money for some years.