TV Licence website said it was secure. It wasn’t

Personal information was not encrypted when it was transmitted from customers' PCs.

One of the glorious things about living in the UK is that we have to pay a licence fee if we want to watch television.

It must seem crazy to much of the rest of the world, but it’s a bargain at £150.50 each year (just £2.89 per week) that gives us the glorious (and ad-free) BBC. The BBC is as British as poor weather and bad sex, and we wouldn’t be the same without it.

So how do you pay for a TV licence? You go to www.tvlicensing.co.uk, of course.

Unfortunately, as blogger Mark Cook revealed last week, the official UK TV licensing website was allowing license purchasers to submit their personally identifiable information and bank details in unsafe, unencrypted plaintext.

The problem was that the TV Licensing website didn’t force visitors to its HTTPS version. If you used https://www.tvlicensing.co.uk, any data you typed into the site’s online forms would have been sent via an encrypted connection. Good news!

But many users probably weren’t careful enough to ensure that they had remembered the “s” on “https”, and would have unwittingly found themselves on the unencrypted HTTP version instead.

Oh dear. One wonders if TV Licensing have been ignoring the advice of the National Cyber Security Centre, which advises that all webpages should always be served over HTTPS “even if they don’t include private content, sign-in pages, or credit card details.”

Part of the problem with TV Licensing’s site, explained Cook, was that a canonical tag in the website’s source code actually told search engines like Google to prefer the insecure HTTP version over the safer HTTPS edition! D’oh!
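The two defects described above (plain HTTP accepted without a redirect, and a canonical tag pointing at the http:// edition) are easy to check for from captured responses. The following is an added example, not code from the original post or from TV Licensing; the hostname and HTML are constructed placeholders, and the functions take a status code, header dict and body rather than fetching anything themselves.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)


class _LinkCollector(HTMLParser):
    """Collects canonical link hrefs and form action URLs from an HTML page."""

    def __init__(self):
        super().__init__()
        self.canonicals, self.form_actions = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link" and "canonical" in a.get("rel", "").lower().split():
            self.canonicals.append(a.get("href", ""))
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))


def audit_plain_http(status, headers, body):
    """Findings for the response to a plain http:// request to a page that
    accepts personal data. An empty list means HTTPS is being enforced."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECTS and urlsplit(h.get("location", "")).scheme == "https":
        return []  # plain HTTP is bounced straight to HTTPS: the fix the post describes
    findings = ["plain HTTP served without redirect to HTTPS"]
    if status == 200:
        links = _LinkCollector()
        links.feed(body)
        findings += [f"canonical tag prefers HTTP: {u}" for u in links.canonicals
                     if urlsplit(u).scheme == "http"]
        # A relative or http:// action on a page served over HTTP posts in the clear.
        findings += [f"form submits over plain HTTP: {u or '(same page)'}"
                     for u in links.form_actions if urlsplit(u).scheme != "https"]
    return findings


def audit_https(headers, min_max_age=31536000):
    """Findings for the HTTPS response: HSTS keeps browsers off HTTP next time."""
    h = {k.lower(): v for k, v in headers.items()}
    hsts = h.get("strict-transport-security", "")
    if not hsts:
        return ["no Strict-Transport-Security header"]
    for part in hsts.split(";"):
        k, _, v = part.strip().partition("=")
        if k.lower() == "max-age" and v.isdigit() and int(v) >= min_max_age:
            return []
    return [f"HSTS max-age below {min_max_age}: {hsts}"]


# Constructed sample page mirroring the weak setup: canonical points at http://.
WEAK_HTML = ('<html><head><link rel="canonical" href="http://www.example.com/pay">'
             '</head><body><form method="post" action="/pay"></form></body></html>')
```

Feed it the status, headers and body of a real http:// fetch of a form page, then the headers of the https:// fetch; no findings from either means the site forces HTTPS and pins it with HSTS.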

This rather undermines the message that one assumes the website’s creators put in the sidebar to reassure licence purchasers that the details they entered onto the site were safe:

Secure website

Whether you’re paying for your TV Licence, setting up a Direct Debit, or updating your details, you can relax in the knowledge that this is a secure website and your personal information is safe with us.

Cook poked the website’s Twitter account about the poor security, only to be eventually told:

“Our website is secure and our website’s security certificates are up to date, so rest assured, personal details are safe.”

However, some hours after Cook published a blog post about his findings, the TV Licensing website was taken down for maintenance. Was this just pure coincidence?

I think not, because on the site’s return it properly forced all visitors to use its HTTPS incarnation, ensuring that any personal information or banking details were sent via an encrypted connection between the license buyer’s PC and TV Licensing’s server.

Furthermore, in an FAQ about the unexpected downtime published on its website, TV Licensing admitted it had been busy fixing its website:

We were recently alerted to an issue with our website’s security following a technical update. We took the site down straight away so that we could fix it.

We take the security of our customers’ data very seriously. That’s why it’s our normal practice that when our customers make payments or send us financial or other personal details through our website, the data is encrypted to keep it safe.

Q: What is the likelihood that I have been affected?
A: Customers may have been affected if they visited the TV Licensing website from 29 August until around 3.20pm on 5 September 2018 and entered personal data into the website. The risk of customers having their data accessed is very low, and we are not aware of anyone’s data being obtained.

Q: What personal data of mine could have been at risk?
A: During this limited period, customer transactions using debit and credit cards were still encrypted. However, if the HTTP version of a web page was being used, personal data such as customers’ names, addresses, bank details (sort code and account number) given to us – for example, to set up or amend a direct debit – were not encrypted. There is no evidence of the website being subject to any sort of attack, or anyone having acted maliciously, and the chances of anyone having accessed this information are very small.

TV Licensing is right. There isn’t any evidence that anyone’s data was accessed because of this screw-up. But what they aren’t telling you is that there’s actually no way they would know if it had been.

3 Responses

  1. Mark

    September 13, 2018 at 4:40 pm #

    Hmmm. In the UK we have a TV Licence and not a License ;-)

  2. Stuart

    September 13, 2018 at 6:16 pm #

    I would not say the programmes aired on the BBC tv channels are worth the licence anymore.

  3. Gabor

    September 17, 2018 at 11:43 am #

    That’s what FirstDirect says as well. To this day they are still sending emails to customers with links directing customers to their HTTP login page. :|
