One of the glorious things about living in the UK is that we have to pay a licence fee if we want to watch television.
It must seem crazy to much of the rest of the world, but it’s a bargain at £150.50 each year (just £2.89 per week) that gives us the glorious (and ad-free) BBC. The BBC is as British as poor weather and bad sex, and we wouldn’t be the same without it.
So how do you pay for a TV licence? You go to www.tvlicensing.co.uk, of course.
Unfortunately, as blogger Mark Cook revealed last week, the official UK TV licensing website was allowing licence purchasers to submit their personally identifiable information and bank details over an unencrypted connection, in plaintext.
The problem was that the TV Licensing website didn’t force visitors to its HTTPS version. If you used https://www.tvlicensing.co.uk, any data you typed into the site’s online forms would have been sent via an encrypted connection. Good news!
But many users probably weren’t careful enough to ensure that they had remembered the “s” on “https”, or arrived via a plain http:// link, and would have unwittingly found themselves on the unencrypted HTTP version instead, where the site’s forms submitted whatever was typed into them in the clear.
Oh dear. One wonders if TV Licensing have been ignoring the advice of the National Cyber Security Centre, which advises that all webpages should always be served over HTTPS “even if they don’t include private content, sign-in pages, or credit card details.”
Part of the problem with TV Licensing’s site, explained Cook, was that a canonical tag in the website’s source code (the link element that tells search engines which URL is the authoritative one for a page) actually told search engines like Google to prefer the insecure HTTP version over the safer HTTPS edition! D’oh!
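The two mistakes described above (plain http:// pages being served rather than redirected, and a canonical tag that points search engines at the http:// edition) are both checkable from a single response. The following audit script is an added example, not code from Cook’s write-up or from TV Licensing; the responses it checks are constructed to mirror the “before” and “after” states described in the post, the `/direct-debit` form action is made up, and the header values are assumptions. It also checks for an HSTS header on the HTTPS response, which is the control that stops a returning visitor from ever hitting plain HTTP again.

```python
"""Audit for the two mistakes described above: a page that answers over plain
HTTP instead of redirecting to HTTPS, and a <link rel="canonical"> that tells
search engines to prefer the http:// edition.  This is an added example, not
TV Licensing's code; the sample responses at the bottom are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum HSTS max-age worth having


class CanonicalFinder(HTMLParser):
    """Collect the href of every <link rel="canonical"> in a document."""

    def __init__(self):
        super().__init__()
        self.canonicals = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "canonical" in a.get("rel", "").lower().split() and a.get("href"):
            self.canonicals.append(a["href"])


def find_canonicals(html):
    parser = CanonicalFinder()
    parser.feed(html)
    return parser.canonicals


def audit_http_response(page_url, status, headers, body):
    """Findings for a response to a request made over plain http://.

    An empty list means the server did the right thing: a permanent redirect
    to the same host over https://, and nothing in the body steering anyone
    back to http://.
    """
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    host = urlsplit(page_url).hostname

    if status in (301, 302, 307, 308):
        loc = urlsplit(h.get("location", ""))
        if loc.scheme != "https" or (loc.hostname or host) != host:
            findings.append("redirects somewhere other than https:// on the same host: "
                            + h.get("location", "<no Location header>"))
        elif status in (302, 307):
            findings.append("redirect to HTTPS is temporary; use 301/308 so clients cache it")
    else:
        findings.append(f"served {status} over plain HTTP instead of redirecting to HTTPS")
        if "<form" in body.lower():
            # Anything typed into this form goes over the wire in cleartext.
            findings.append("page contains a <form> that will submit over cleartext HTTP")

    for href in find_canonicals(body):
        if urlsplit(href).scheme == "http":
            findings.append(f"canonical link prefers the insecure URL: {href}")
    return findings


def audit_https_response(headers):
    """Findings for the https:// response.  HSTS is what stops a returning
    visitor who forgets the 's' from ever touching plain HTTP again."""
    h = {k.lower(): v for k, v in headers.items()}
    hsts = h.get("strict-transport-security")
    if not hsts:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    max_age = 0
    for directive in hsts.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            max_age = int(value)
    if max_age < ONE_YEAR:
        return [f"HSTS max-age {max_age} is below one year"]
    return []


# Constructed samples (not real captures).  "Before" mirrors what Cook
# described: a 200 over HTTP, a form, and an http:// canonical.  The
# /direct-debit action and field names are made up for illustration.
PAGE_URL = "http://www.tvlicensing.co.uk/"
BEFORE = (200, {"Content-Type": "text/html"}, """<html><head>
<link rel="canonical" href="http://www.tvlicensing.co.uk/">
</head><body><form method="post" action="/direct-debit">
<input name="sortcode"><input name="account"></form></body></html>""")
# "After": the http:// URL now redirects permanently, and the HTTPS
# response carries a one-year HSTS policy (assumed values).
AFTER = (301, {"Location": "https://www.tvlicensing.co.uk/"}, "")
AFTER_HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_http_response(PAGE_URL, *sample) or ["clean"])
    print("after (https)", audit_https_response(AFTER_HTTPS_HEADERS) or ["clean"])
```

Against the constructed “before” response the script reports three findings (served over HTTP, a form that will submit in cleartext, and an http:// canonical); against the “after” response it reports none. To run it against a live site, fetch the http:// URL without following redirects and pass the status, headers and body in; a redirect that is merely temporary, or that lands on a different host, is also flagged because neither gives a browser a durable reason to stay on HTTPS.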
The missing redirect and the HTTP-preferring canonical tag rather undermine the message that one assumes the website’s creators put in the sidebar to reassure licence purchasers that the details they entered onto the site were safe:
Whether you’re paying for your TV Licence, setting up a Direct Debit, or updating your details, you can relax in the knowledge that this is a secure website and your personal information is safe with us.
Cook poked the website’s Twitter account about the poor security, only to be eventually told:
“Our website is secure and our website’s security certificates are up to date, so rest assured, personal details are safe.”
However, some hours after Cook published a blog post about his findings, the TV Licensing website was taken down for maintenance. Was this just pure coincidence?
I think not, because on the site’s return it properly redirected all visitors to its HTTPS incarnation, ensuring that any personal information or banking details were sent via an encrypted connection between the licence buyer’s PC and TV Licensing’s server.
Furthermore, in an FAQ about the unexpected downtime published on its website, TV Licensing admitted it had been busy fixing its website:
We were recently alerted to an issue with our website’s security following a technical update. We took the site down straight away so that we could fix it.
We take the security of our customers’ data very seriously. That’s why it’s our normal practice that when our customers make payments or send us financial or other personal details through our website, the data is encrypted to keep it safe.
Q: What is the likelihood that I have been affected?
A: Customers may have been affected if they visited the TV Licensing website from 29 August until around 3.20pm on 5 September 2018 and entered personal data into the website. The risk of customers having their data accessed is very low, and we are not aware of anyone’s data being obtained.
Q: What personal data of mine could have been at risk?
A: During this limited period, customer transactions using debit and credit cards were still encrypted. However, if the HTTP version of a web page was being used, personal data such as customers’ names, addresses, bank details (sort code and account number) given to us – for example, to set up or amend a direct debit – were not encrypted. There is no evidence of the website being subject to any sort of attack, or anyone having acted maliciously and the chances of anyone having accessed this information are very small.
TV Licensing is right. There isn’t any evidence that anyone’s data was accessed because of this screw-up. But what they aren’t telling you is that there’s no way they would know if it had been: someone passively sniffing plaintext traffic between a customer and the site (on a shared Wi-Fi network, say) leaves no trace in the web server’s logs, so the absence of evidence is not evidence of absence.
4 comments on “TV Licence website said it was secure. It wasn’t”
Hmmm. In the UK we have a TV Licence and not a License ;-)
I would not say the programmes aired on the BBC tv channels are worth the licence anymore.
That's what FirstDirect says as well. To this day they are still sending emails to customers with links directing customers to their HTTP login page. :|
TV Licensing are still security amateurs even in December 2021.
Have been receiving email invites from [email protected] to push an onscreen button to go paperless. But who knows where that may take me or what it might download. Under the ‘security’ section they attempt to assure me they are legitimate because they can quote my surname and part of my postcode in the message. Very amateur. Both those pieces of data are freely available on the Electoral Register, and every time you order something online your email is linked to your address, so name, geographic address and email are a linked item of data widely available in the data Wild West.
This is not evidence of their legitimacy but rather evidence of incompetence and ignorance of cyber security.
There is nothing up front in the TV Licensing email such as even your licence number etc to assure you the email is legitimate before you push the button, and go down the rabbit hole to who knows where, with their worthless upfront assurance of security.
It potentially may lower one’s caution about further data you may be asked to confirm.
How can you take an organisation seriously with this idea of cyber security in an increasingly sophisticated world of hacks and scams?