Exposed: UK’s TV Licence agency fails to secure customers’ bank details & data
After a Twitter spat in which multiple heavyweight InfoSec pros, including Scott Helme and Troy Hunt, clearly exposed the UK TV licensing agency’s insecure handling of data, the publicly funded organisation (after some denial) had to shut down its website for some much-needed maintenance to fix the issue.
The issue was originally discovered by self-proclaimed ‘naughty SEO’ Mark Cook, who noticed while updating his TV licence that the agency was sending and receiving data unencrypted. It all started when Google Chrome released version 68, which tells users when a website is ‘not secure’. HTTPS encrypts the traffic so that it cannot be read if intercepted; HTTP, on the other hand, makes no attempt to protect it. As the UK’s National Cyber Security Centre advises, all websites should use HTTPS “even if they don’t include private content, sign-in pages, or credit card details.”
With 27 million people in the UK owning a television in 2018, and all of them required by law to purchase a TV licence, securing the customer data submitted through the website is a matter of public importance. Even though the website labelled itself as “secure”, Chrome was quick to flag that some traffic and data was not being encrypted.
So how insecure was the TV Licensing website?
The TV Licensing website was available over both HTTP and HTTPS. However, the site was directing customers, both from search engines and from links within the site itself, straight to the insecure HTTP version. Setting up and applying for a TV licence involves three main steps. The first is “About the TV Licence holder”, where you give personal details about yourself, including your email address. The second is “Address to be licensed”, which is self-explanatory, and the last is entering your card or direct debit details. As Cook identified, every single step could be completed over HTTP, without any encryption. This means that all personal details, including bank account numbers and sort codes, could have been intercepted by an attacker on the network path. Thankfully, in this case, credit and debit card details were redirected to an HTTPS page through a third-party payment provider.
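As an added illustration (not code from Cook’s write-up or from the TV Licensing site), the following Python audit checks a page’s forms for exactly the failure described above: any form whose submit target resolves to plain HTTP, which is what happens to a relative form action on a page that was itself served over http://. The page URL, HTML and field names are constructed samples, not the real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that indicate personal or bank data (assumed list, not from the page).
SENSITIVE_KEYS = ("email", "account", "sortcode", "sort_code", "card")


class _FormCollector(HTMLParser):
    """Collect each <form>'s action URL and the names of its sensitive-looking inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of [action, [sensitive field names]]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action", ""), []]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            if a.get("type") == "password" or any(k in name for k in SENSITIVE_KEYS):
                self._current[1].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return the forms on this page whose submission would travel over plain HTTP.

    A relative action inherits the scheme of the page it sits on, so a form on an
    http:// page leaks its fields even if an https:// version of the site exists.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for action, fields in parser.forms:
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append({"action": target, "sensitive_fields": fields})
    return findings


# Constructed sample: an application step reached over HTTP, as the article describes.
SAMPLE_PAGE_URL = "http://www.example.invalid/apply/step1"
SAMPLE_HTML = """
<form action="/apply/step2" method="post">
  <input name="email" type="text"><input name="fullname" type="text">
</form>
<form action="https://pay.example.invalid/card" method="post">
  <input name="card_number" type="text">
</form>
"""
```

Running `audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)` flags only the first form: its relative action resolves to http://, while the payment form posts to HTTPS, mirroring the split the article describes.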
The Norwich-based director contacted the TV Licensing Twitter account following his discovery, where they stated:
Our website is secure and security certificates are up to date. Pages where customers enter data are HTTPS. Non HTTPS pages are safe to use despite messages from some browsers (e.g. Chrome) that say they are not.
TV Licensing (@tvlicensing), September 5, 2018
Source: Mark Cook’s Blog i83.co.uk/why-tvlicensing-co-uk-are-processing-millions-of-customers-data-insecurely/
Hosting a website on HTTP is like advertising free data to attackers, so what does this really mean for people and their data?
By hosting an insecure website, the TV licensing agency made it possible for attackers to snoop on and steal their customers’ information. An attacker holding your personal details can set up bank accounts and credit cards, take out loans, intercept refunds, open accounts, and much more.
Even an attacker lifting just a name and email address from the site would have enough to craft a convincing phishing email aimed at someone who has just signed up.
After some bashing on Twitter, on 5 September the TV Licensing website was taken down for some ‘planned maintenance’. TV Licensing has since added an entry to its FAQs explaining why the website was temporarily unavailable. They state that there is no evidence of a data breach, but recognise that customer data was not properly protected. Following some effective public security shaming, the TV Licensing website has now migrated all of its pages to HTTPS.