TV Licensing takes down website after Norwich tech expert spots security weakness
PUBLISHED: 13:22 07 September 2018 | UPDATED: 15:42 07 September 2018
The company responsible for TV licensing appears to have been forced into a cyber-security u-turn after a Norwich digital marketing expert pointed out a weakness in its website.
Mark Cook, a director at Candour (formerly Applin Skinner) in Norwich, called out TV Licensing on Twitter after noticing a page on the firm’s website used to take payments from customers was flagged by his internet browser as not having a secure (HTTPS) connection.
After the company responded to say there were no security issues with its website, Mr Cook replied with a screenshot from his browser showing the “not secure” connection.
It comes as British Airways is dealing with the fallout of a vast data breach which compromised some 380,000 customer payments.
The debate centres on whether the TV Licensing web pages were served over HTTPS, the secure version of HTTP (hypertext transfer protocol), which browsers and websites use to ensure the secure, encrypted exchange of sensitive data such as personal information or bank account details.
In a later blog post Mr Cook posted further screenshots showing that pages for taking personal, address and payment details on the TV Licensing website were flagged up as insecure, despite the pages claiming all personal information shared on them was “safe”.
After the Twitter spat on Wednesday the TV Licensing website was taken offline for “planned maintenance”. It was still unavailable at the time this article was published.
In his blog post Mr Cook said: “Even if only your name and email address was sent over an unencrypted connection, this is enough for a potential attacker to act on. Knowing the name, email address and time that customers were purchasing TV licences gives you all the information you need for a quick-response phishing email.
“Imagine signing up for a TV licence and within an hour, receiving an official looking email, addressed to you, saying that your payment for the TV license you just bought failed. No problem, just [click here] to pay again, on the attacker’s very convincing-looking website.”
He added: “A quick Google search shows there was £3.7bn collected in license fees in 2016/17. To get some rough numbers, if we assume everyone paid their £150, that’s around 24.5m TV licenses, right? Even if only a quarter of these people pay for their licenses online, that’s six million license transactions that are affected.”
A TV Licensing spokesperson said: “We take security very seriously which is why we use encryption for all payment transactions. However, an issue has been brought to our attention over the recent level of security on transactional pages which were previously fully secure via HTTPS, and as a precaution, we have taken the website offline until this is resolved and are working urgently to fix it.
“We’ve identified that this issue has happened very recently, and we’re not aware of anyone’s data being compromised.”