The UK's TV Licensing agency has admitted that 25,000 viewers were induced into sending their bank details over an insecure connection.
The organisation ran transactional pages for bank debits through an insecure connection before being called out on the practice earlier this month.
In response to criticism by techie Mark Cook and others as well as press criticism in The Register and elsewhere, the publicly funded agency temporarily took its website offline as it migrated everything over to HTTPS.
TV Licensing already had an HTTPS website but it was running an HTTP site in parallel hosting forms that invited the submission of sensitive personal information. This issue ran from 29 August until around 3.20pm on 5 September 2018, as per the FAQ. Running an insecure version of its site simply to provide information in this era of HTTPS ubiquity would have been inadvisable, but TV Licensing went far beyond that.
The agency pushed to get the insecure site to appear at the top of search engine rankings and there was no attempt to redirect users over to HTTPS, even when it came to filling out sensitive bank direct debit payment application forms, as The Register previously reported.
Privacy, performance and search optimisation be damned. The setup was wrong-headed and TV Licensing compounded its errors by initially ignoring complaints from infosec types.
Its online support staff at one point even told surfers to ignore any warning Chrome might throw up because of the HTTP page, as evidenced below.
Our website is secure and security certificates are up to date. Pages where customers enter data are HTTPS. Non-HTTPS pages are safe to use despite messages from some browsers (e.g. Chrome) that say they are not. — TV Licensing (@tvlicensing) September 5, 2018
Card payments were managed by an external provider and always went over HTTPS.
TV Licensing eventually admitted the error of its ways. On Monday, it supplied a post-slip-up statement admitting that 25,000 customers had been sent down an insecure route for submitting their bank details, lower than initial estimates of 40,000.
We can now confirm that fewer than 25k customers sent over unencrypted bank details and that credit and debit card numbers were always secure. We mailed 40k people who may have entered bank details and sort codes as a precaution but we've now been able to confirm that the actual number was much lower.
The UK's National Cyber Security Centre has recommended that websites should use HTTPS "even if they don't include private content, sign-in pages, or credit card details".
Any information submitted to an unencrypted site can be read by anyone positioned on the network path. An unencrypted site is also easier to impersonate and is exposed to man-in-the-middle attacks, since the browser has no certificate to check against.
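The failure described above (a page served over HTTP whose direct-debit form posted bank details in plaintext, with no redirect to the HTTPS site) is something a site owner can check for mechanically. The following is an added example, not code from The Register, TV Licensing or the NCSC: it parses a page's HTML, resolves every form action against the URL the page was fetched from, and flags forms that would submit over http://, highlighting ones whose field names look like bank or card data. The page URL, HTML and field names are constructed samples, and the list of sensitive field-name hints is an assumption.

```python
"""Audit HTML forms for plaintext submission paths (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: substrings that suggest a field carries sensitive data.
SENSITIVE_HINTS = ("sort", "account", "iban", "card", "password", "dob")


class FormCollector(HTMLParser):
    """Collects each <form>'s action and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: resolved action, whether it is plaintext,
    and which of its fields look sensitive."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A relative or empty action is resolved against the page's own URL,
        # so a form on an http:// page with action="/submit" posts over http.
        target = urljoin(page_url, form["action"])
        scheme = urlsplit(target).scheme.lower()
        sensitive = [
            f for f in form["fields"]
            if any(h in f.lower() for h in SENSITIVE_HINTS)
        ]
        findings.append({
            "action": target,
            "plaintext": scheme == "http",
            "sensitive_fields": sensitive,
        })
    return findings


def leaking_forms(page_url, html):
    """Actions of forms that would send sensitive-looking fields over HTTP."""
    return [
        f["action"] for f in audit_forms(page_url, html)
        if f["plaintext"] and f["sensitive_fields"]
    ]


# Constructed sample: an HTTP page hosting a direct-debit form, a card form
# handled by an external HTTPS provider, and a harmless search box.
SAMPLE_PAGE_URL = "http://www.example.org/pay-by-direct-debit"
SAMPLE_HTML = """
<form action="/direct-debit/submit" method="post">
  <input name="accountName"><input name="sortCode"><input name="accountNumber">
</form>
<form action="https://pay.example.net/card" method="post">
  <input name="cardNumber">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
    print("leaking:", leaking_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

Run against a real site, the page URL should be whatever the search engine actually lands users on, since the article's point is that the HTTP copy, not the HTTPS one, was the version being ranked and reached. The card form in the sample is reported as safe, mirroring the article's note that card payments went to an external provider over HTTPS, while the direct-debit form is flagged.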
TV Licensing has started to contact affected customers directly. Its support service has been telling people to be wary about phishing emails. ®