89

On this webpage, the BBC says:

I’ve received a ‘Changes to your BBC account’ email claiming to be from the BBC – is this a genuine email?

At the end of September 2016, we upgraded our ‘BBC iD’ sign-in system to ‘BBC Account’, and as a result we had to sign everyone out of their ‘BBC iD’ account.

If an email address was previously registered against a ‘BBC iD’ account, we’ve been sending emails to these email addresses (from ‘bbcaccount@e.bbcmail.co.uk’) advising users that we’ve signed them out of their account and asking them to sign back in.

These are genuine emails from the BBC and not phishing emails or spam (below is a screenshot of the email content).

… and that's it.

I discovered this on a Facebook comment thread, where the above webpage was given as "proof" that an unexpected email was genuine and not a phish.

The email contains a link to "sign in" — this link will require users to input their credentials, by definition (due to the reason for sending the email in the first place).

Isn't all of this incredibly irresponsible? Isn't the BBC grossly mistraining its audience? The From field of an email has never been anywhere close to proof of the sender's identity, and providing a screenshot of the genuine content just makes it easier for fraudsters to reproduce it and con people.

Or am I missing something?

Schism
Lightness Races in Orbit
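The question's core point is that the From field proves nothing: what a receiving mail server can actually verify is the SPF/DKIM/DMARC result it records in an Authentication-Results header (RFC 8601), plus where the "sign in" link really goes. The triage script below is an added example, not code from the question or from the BBC. It assumes the receiving server has already stamped that header, uses the sender and link domains named on the page (bbc.co.uk, bbc.com, e.bbcmail.co.uk) as the expected set, and uses a deliberately crude organisational-domain reduction in place of the Public Suffix List. Both sample messages are constructed for the example; the lookalike uses the reserved .example TLD as a placeholder.

```python
"""Triage of a 'changes to your account, sign in again' email from the receiving side.
Added example (not the question's or the BBC's code). Assumes an upstream
Authentication-Results header; sample messages below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation is known to send from and link to (assumption for this example,
# taken from the domains mentioned on the page). Note that e.bbcmail.co.uk must be
# allow-listed explicitly: it is not under bbc.co.uk, which is exactly why it looks unusual.
EXPECTED_DOMAINS = {"bbc.co.uk", "bbc.com", "e.bbcmail.co.uk"}


def org_domain(host):
    """Crude organisational-domain reduction: last two labels, or three for ccSLDs
    such as co.uk. A production implementation would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "ac", "gov", "org"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def auth_results(msg):
    """Parse 'method=result prop=value' clauses from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in hdr.split(";")[1:]:  # first clause is the authserv-id, not a result
            m = re.match(r"(spf|dkim|dmarc)=(\w+)(.*)", clause.strip(), re.I)
            if not m:
                continue
            method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
            props = dict(re.findall(r"(header\.d|smtp\.mailfrom|header\.from)=([\w.@-]+)", rest))
            results[method] = (result, props)
    return results


def from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def links(msg):
    body = msg.get_body(preferencelist=("html", "plain"))
    return re.findall(r"https?://[^\s\"'<>]+", body.get_content() if body else "")


def triage(raw):
    """Return a list of findings; an empty list means the message passed every check."""
    msg = email.message_from_string(raw, policy=policy.default)
    expected = {org_domain(d) for d in EXPECTED_DOMAINS}
    findings = []
    fdom = from_domain(msg)
    # 1. Is the header From domain one the organisation actually uses?
    if org_domain(fdom) not in expected:
        findings.append(f"From domain {fdom} is not an expected sender domain")
    # 2. Is that From header authenticated: DMARC pass, or SPF/DKIM pass aligned with it?
    ar = auth_results(msg)
    dmarc = ar.get("dmarc", ("none", {}))[0]
    dkim_res, dkim_props = ar.get("dkim", ("none", {}))
    spf_res, spf_props = ar.get("spf", ("none", {}))
    dkim_aligned = dkim_res == "pass" and org_domain(dkim_props.get("header.d", "")) == org_domain(fdom)
    mailfrom_dom = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_aligned = spf_res == "pass" and org_domain(mailfrom_dom) == org_domain(fdom)
    if dmarc != "pass" and not (dkim_aligned or spf_aligned):
        findings.append("From header is not authenticated (no DMARC pass, no aligned SPF/DKIM)")
    # 3. Where does each link actually go? The displayed sender says nothing about this.
    for url in links(msg):
        if org_domain(urlparse(url).hostname or "") not in expected:
            findings.append(f"link points off-domain: {url}")
    return findings


# Constructed sample: what a genuine notice would look like after the receiving server's checks.
GENUINE = """\
From: BBC Account <bbcaccount@e.bbcmail.co.uk>
To: viewer@example.org
Subject: Changes to your BBC account
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce@e.bbcmail.co.uk; dkim=pass header.d=e.bbcmail.co.uk; dmarc=pass header.from=e.bbcmail.co.uk
Content-Type: text/html; charset="utf-8"

<p>We have signed you out. <a href="https://account.bbc.com/signin">Sign in</a></p>
"""

# Constructed sample: same visible From address, but unauthenticated and linking elsewhere.
LOOKALIKE = """\
From: BBC Account <bbcaccount@e.bbcmail.co.uk>
To: viewer@example.org
Subject: Changes to your BBC account
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bounce@bbc-account-signin.example; dkim=none; dmarc=fail header.from=e.bbcmail.co.uk
Content-Type: text/html; charset="utf-8"

<p>We have signed you out. <a href="https://bbc-account-signin.example/signin">Sign in</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(name, triage(raw) or ["no findings"])
```

The two messages display the identical From address, which is all a user sees; only the server-side authentication results and the link target separate them. This is also why a screenshot of the genuine layout helps nobody on the receiving end: none of the three checks above looks at the layout.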
  • [26] How can we be sure that that page is legitimate? ;) On the other hand, BBC already redirects away from HTTPS, so they're not exactly security savvy. – Rhymoid Nov 12 '16 at 23:11
  • [13] @Rhymoid It really does not use HTTPS. Incredible in this day and age. – Jaime Gallego Nov 12 '16 at 23:17
  • [2] @Rhymoid HTTPS is supported on the home page, and on all http://bbc.com pages. I am going to guess that the reasons for this are legacy support. They're running two domains (bbc.co.uk and bbc.com) here, as well as the archives - news.bbc.co.uk as well as others. http://news.bbc.co.uk pages don't even allow HTTPS - they just don't load. – Tim Nov 13 '16 at 17:30
  • [4] @Rhymoid however, I did decide to contact them - with this: https://i.stack.imgur.com/x8Aur.png – Tim Nov 13 '16 at 17:43
  • [5] @Tim For a second, I thought you were going to contact them with [this](https://i.imgur.com/qwYQN6j.jpg), because this all seems very backwards to me. – Rhymoid Nov 13 '16 at 17:59
  • Well what else should they do to tell people the site closed... make a redirect link? – user64742 Nov 14 '16 at 10:28
  • @TheGreatDuck: No site closed. – Lightness Races in Orbit Nov 14 '16 at 11:56
  • [1] @LightnessRacesinOrbit "At the end of September 2016, we upgraded our ‘BBC iD’ sign-in system to ‘BBC Account’, and as a result we had to sign everyone out of their ‘BBC iD’ account." If the site didn't change then what's the big deal? You got a notification. Just relog into the site directly without clicking links in the email... – user64742 Nov 14 '16 at 16:13
  • [1] @TheGreatDuck now if you can just give that advice to everyone who got the email then problem solved – rdans Nov 14 '16 at 16:26
  • @rdans you mean the email didn't tell people to just go to the site through their web browser and not click any links in the email? – user64742 Nov 14 '16 at 16:27
  • [5] What I want to know is why they didn't just log people out and assume people will figure it out themselves later...? – user64742 Nov 14 '16 at 16:28
  • [4] @TheGreatDuck: The site changed. It did not close. _"Then what's the big deal?"_ Well, exactly. They shouldn't have provided a link in the email, because they didn't need to. And furthermore they shouldn't have insinuated that using such a link is safe just because an email appears to come from a BBC address. An unusual BBC domain, at that, so there are multiple layers of mistraining here! – Lightness Races in Orbit Nov 14 '16 at 17:24
  • @Tim Please don't lead the witness – Michael Nov 14 '16 at 17:57
  • @Michael Hu???? – Tim Nov 14 '16 at 18:03
  • @Tim I wouldn't offer them any information on my suspicions - at best it's going to be ignored, and at worst it gives them an out to just agree with you. – Michael Nov 14 '16 at 18:06
  • @Michael I doubt that is going to change their response. It's likely the correct answer. Let's see. – Tim Nov 14 '16 at 18:07
  • [4] I'd like to add that I just received this email and it was automatically tagged as spam in Google Mail. So even the algorithms seem to agree that this is terrible security practice. – Nijin22 Nov 15 '16 at 07:28
  • [1] @Tim They've fixed it now; HTTPS support across the board. – wizzwizz4 Apr 30 '19 at 06:31

1 Answer

93

Very dangerous things could happen here, indeed. It would be laughably easy for a scammer to phish users.

A migration is an excuse many phishers already use:

There was xyz problem in our user database [...] just "log in" or you won't be able to use our service.

So the legitimate reason

we upgraded our ‘BBC iD’ sign-in system to ‘BBC Account’

aligns quite perfectly with these nefarious activities. Spammers could even put a "proof" with the website link. Users see that the email layout is the same, think "oh, this is legit", click sign-in and send the credentials to the attackers.

Having access to a BBC account isn't much of a threat, as far as I know. However, for those users who have the same password on all sites (and no two-step verification), you've got an easy way to access email, bank accounts, and the like.

The BBC dropped the ball hard. I'll be contacting them to fix the issue; I encourage you to do the same thing.

Jaime Gallego
  • [64] It may be true that the BBC Account may not have much of value worth protecting. Even so the real damage here is perpetuating the idea that emails like this are ever legit. In addition there is nothing here that couldn't be communicated more effectively and timely when users visit the site. Which leaves me feeling like this email is mostly meant to remind you to visit the site. It's actually genuine spam. – candied_orange Nov 12 '16 at 21:44
  • [21] @CandiedOrange Enough people re-use passwords that the password itself is probably orders of magnitude more valuable than the BBC Account. – David Richerby Nov 13 '16 at 14:43
  • [1] They should write on the very same page to check for duplicate e-mails, since everyone concerned gets one legitimate one. – loa_in_ Nov 13 '16 at 16:33
  • [2] Also: "please re-register, giving us your postcode, as despite numerous claims of Culture-level technology being created to find out if you have a TV License when using iPlayer, in fact the only real way is to try to match your BBC Account postcode to a registered License postcode." – Eight-Bit Guru Nov 14 '16 at 12:11
  • [1] Not much of a threat? My BBC account got hacked, and now my TARDIS has been stolen! – Michael Nov 14 '16 at 17:58
  • [1] Whenever I see an email like that that I confirm is fake, I don't send my credentials. I type in as many fake credentials as I can think of. Sometimes I even type in as a password "Did you really think that would work?". – user64742 Nov 14 '16 at 22:17
  • [2] @TheGreatDuck: With that, you're potentially just letting them know that your email address is valid and connects to a person... which, a lot of the time, is all they wanted to know in the first place. Don't engage at all. – Lightness Races in Orbit Feb 16 '18 at 01:53