One of the glorious things about living in the UK is that we have to pay a licence fee if we want to watch television.
It must seem crazy to much of the rest of the world, but it’s a bargain at £150.50 each year (just £2.89 per week) that gives us the glorious (and ad-free) BBC. The BBC is as British as poor weather and bad sex, and we wouldn’t be the same without it.
So how do you pay for a TV licence? You go to www.tvlicensing.co.uk, of course.
Unfortunately, as blogger Mark Cook revealed last week, the official UK TV licensing website was allowing license purchasers to submit their personal identifiable information and bank details in unsafe, unencrypted plaintext.
The problem was that the TV Licensing website didn’t force visitors to its HTTPS version. If you used https://www.tvlicensing.co.uk, any data you typed into the site’s online forms would have been sent via an encrypted connection. Good news!
But many users probably weren’t careful enough to ensure that they had remembered the “s” on “https”, and would have unwittingly found themselves on the unencrypted HTTP version instead.
Oh dear. One wonders if TV Licensing have been ignoring the advice of the National Cyber Security Centre, which advises that all webpages should always be served over HTTPS “even if they don’t include private content, sign-in pages, or credit card details.”
Part of the problem with TV Licensing’s site, explained Cook, was that a canonical tag in the website’s source code actually told search engines like Google to prefer the insecure HTTP version over the safer HTTPS edition! D’oh!
This rather undermines the message that one assumes the website’s creators put in the sidebar to reassure licence purchasers that the details they entered onto the site were safe:
Whether you’re paying for your TV Licence, setting up a Direct Debit, or updating your details, you can relax in the knowledge that this is a secure website and your personal information is safe with us.
Cook poked the website’s Twitter account about the poor security, only to be eventually told:
“Our website is secure and our website’s security certificates are up to date, so rest assured, personal details are safe.”
However, some hours after Cook published a blog post about his findings, the TV Licensing website was taken down for maintenance. Was this just pure coincidence?
I think not, because on the site’s return it properly forced all visitors to use its HTTPS incarnation, ensuring that any personal information or banking details were sent via an encrypted connection between the license buyer’s PC and TV Licensing’s server.
Furthermore, in an FAQ about the unexpected downtime published on its website, TV Licensing admitted it had been busy fixing its website:
We were recently alerted to an issue with our website’s security following a technical update. We took the site down straight away so that we could fix it.
We take the security of our customer’s data very seriously. That’s why it’s our normal practice that when our customers make payments or send us financial or other personal details through our website, the data is encrypted to keep it safe.
Q: What is the likelihood that I have been affected?
A: Customers may have been affected if they visited the TV Licensing website from 29 August until around 3.20pm on 5 September 2018 and entered personal data into the website. The risk of customers having their data accessed is very low, and we are not aware of anyone’s data being obtained.
Q: What personal data of mine could have been at risk?
A: During this limited period, customer transactions using debit and credit cards were still encrypted. However, if the HTTP version of a web page was being used, personal data such as customers’ names, addresses, bank details (sort code and account number) given to us – for example, to set up or amend a direct debit – were not encrypted. There is no evidence of the website being subject to any sort of attack, or anyone having acted maliciously and the chances of anyone having accessed this information are very small.
TV Licensing is right. There isn’t any evidence that anyone’s data was accessed because of this screw-up. But what they aren’t telling you is that there’s actually no way they would actually know if it had been.