• wise_pancake@lemmy.ca · ↑32 ↓1 · 3 days ago

    We really need to get rid of SIN numbers.

    They should be cryptographically signed tokens you request for a single individual service, with a defined scope of access.

    E.g. when you want to set up payroll tax at a new job, you go online or visit Service Canada, register a token, and share that with your employer.

    When you’re authorizing H&R Block to do your taxes, you request a tax token for the current year.

    When you’re opening a bank account you request a token and the bank verifies it.

    When these leak they are easily reset, and when credit bureaus need access to your history for a hard check, they request a token with that permission.

    This is kind of a pain but it means the office administrator can’t open a credit card in your name just because they have your info, and a leak at H&R Block gives a specific scope of investigation and resolution.

    Your account can still be breached, but that has a clear resolution step (verify your identity with Service Ontario or Canada Post, invalidate tokens, file an investigation, and submit new tokens).
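    As an added illustration of the scoped, revocable token design described above (example code, not the commenter's), in Python: the issuer binds each token to one relying party, one permission and one year, and a leaked token is revoked by its id rather than by changing the person's identifier. The names, years and issuer key are constructed for the demo, and an HMAC stands in for the issuer's signature.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed issuer key for the demo. A real issuer would sign with a private key so
# relying parties could verify with the public key and never hold this secret.
ISSUER_KEY = b"constructed-demo-issuer-key"
REVOKED = set()  # jti values of tokens the subject has invalidated after a leak

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, audience, scope, year, key=ISSUER_KEY):
    """Mint a token bound to one relying party (aud), one permission (scope) and one year."""
    claims = {"sub": subject, "aud": audience, "scope": scope, "year": year,
              "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def revoke(token):
    """Invalidate a leaked token; the subject's identity itself is untouched."""
    REVOKED.add(json.loads(_unb64(token.split(".")[0]))["jti"])

def verify(token, presenter, required_scope, current_year, key=ISSUER_KEY):
    """Return (ok, reason). Every check must pass before the relying party acts on it."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return False, "bad signature"      # tampered or forged
    claims = json.loads(payload)
    if claims["jti"] in REVOKED:
        return False, "revoked"
    if claims["aud"] != presenter:
        return False, "wrong audience"     # token taken from another service
    if claims["scope"] != required_scope:
        return False, "wrong scope"        # e.g. a payroll token used for a credit check
    if claims["year"] != current_year:
        return False, "expired year"
    return True, "ok"
```

    A payroll token therefore fails verification at a credit bureau on both audience and scope, and revoking it after a leak never requires re-issuing the person's identity.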

    • Snowstorm@lemmy.ca · ↑8 · 3 days ago

      This guy gets it. 100% agree.

      Then the second step: shared responsibility for theft, e.g. if someone buys a car in your name you aren’t stuck with 100% of the problem because the dealership is 50% liable. Third step: insurance needs to be available for the residual risk, but with 50-50 liability everyone will be on their best behaviour.

    • Victor Villas@lemmy.ca · ↑6 · edited · 3 days ago

      I agree but we don’t even have to get that far. No institution should rely on SIN secrecy. It’s as simple as that. It should be treated as semi-publicly available information like birthdates and important stuff like opening a bank account should require more factors of authentication.

      Several countries don’t create these secret numbers that “no one should have but you” without having to rely on revocable tokens and whatnot. Like many things, crypto has a clever solution for this but the current status quo is so bad that a not-stupid approach would already be quite the improvement.

  • Otter@lemmy.ca [M] · ↑20 · 3 days ago

    People affected:

    If you worked at B.C.'s Interior Health authority between 2003 and 2009 and believe you may be the victim of stolen identity or a hacked CRA account, please email, in confidence, [email protected] or text or call 416-526-4704. Click here to contact CBC News completely anonymously using SecureDrop.

  • asg101@lemmy.ca · ↑8 · 3 days ago

    And as a condition to use their site the CRA makes you agree that you can’t hold them responsible for any misuse of your data they may allow. How conveeeeeenient.

  • gonzo-rand19@moist.catsweat.com · ↑2 · 3 days ago

    Great. Good thing (?) I didn’t unlock my account after the last breach because I never have 3 hours to do nothing while I wait on hold with CRA support.