CRA myaccount security | General financial discussion | Discussion forum

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
CRA myaccount security
August 5, 2020
6:45 am
Patch002
Member
Members
Forum Posts: 26
Member Since:
October 27, 2018
sp_UserOnlineSmall Online

Previously, CRA Myaccount needed a unique userid and password. This was somewhat secure.

Now, there is a "Sign in partner" and it lists many financial institutions, so in order to login, one would input their financial institution login details and it logs onto the CRA myaccount.

In my opinion, this is a CRA security breach in-the-making. So if someone hacks your financial institution login, they have effectively also hacked into your CRA's Myaccount. Instead of ID theft security, this makes ID theft easier to execute.

CRA should eliminate this "Sign-in Partner" asap and revert back to only CRA Secure Login.

August 5, 2020
7:06 am
pwm
Headingley MB
Member
Members
Forum Posts: 70
Member Since:
October 21, 2018
sp_UserOfflineSmall Offline

Who do you trust more? The Government's IT department or the bank's. I'll stay with Sign-in Partner.

BTW, you can still use the old sign-in if you want to.

August 5, 2020
7:53 am
AltaRed
Member
Members
Forum Posts: 1278
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

The sign-in partner option has been available for a number of 'years' now. I agree the sign-in partner option is likely more secure of the two.....though I continue to use the direct login approach.

August 5, 2020
9:26 am
savemoresaveoften
Member
Members
Forum Posts: 475
Member Since:
March 30, 2017
sp_UserOfflineSmall Offline

Patch002 said
Previously, CRA Myaccount needed a unique userid and password. This was somewhat secure.

Now, there is a "Sign in partner" and it lists many financial institutions, so in order to login, one would input their financial institution login details and it logs onto the CRA myaccount.

In my opinion, this is a CRA security breach in-the-making. So if someone hacks your financial institution login, they have effectively also hacked into your CRA's Myaccount. Instead of ID theft security, this makes ID theft easier to execute.

CRA should eliminate this "Sign-in Partner" asap and revert back to only CRA Secure Login.  

You trust the password you use to sign in to ur bank account, but not the same login/password used to access your tax info ?

Unless you worry about one login/password to both but then if ur bank account links to other FI already, its already one login/password allows potential breach to many of ur other bank accounts, which is way worse...

August 5, 2020
9:41 am
Bill
Member
Members
Forum Posts: 2265
Member Since:
September 11, 2013
sp_UserOfflineSmall Offline

Here's the current list of sign in partners (option 1):
https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services/list-sign-partners.html

As AltaRed says, not new, been available for some time now.

I've always used option 2, direct sign in, never had a problem.

There is option 3 for BC users too.

August 5, 2020
9:44 am
Patch002
Member
Members
Forum Posts: 26
Member Since:
October 27, 2018
sp_UserOnlineSmall Online

It's not a matter of whom I trust more, it is a matter that if your CRA account login is breached, can they access your banking info? The answer is no.

However, if your Banking info is breached, the hacker can use your bank sign-in and also access CRA myaccount.

The point is that the Sign-in Partner is a bad idea.

August 5, 2020
10:40 am
Norman1
Member
Members
Forum Posts: 3789
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

Why wouldn't the hacker also have the CRA MyAccount signin as well? How does one think the hacker actually got the banking password in the first place?

If a keyboard sniffer has been installed and has been sniffing the keystrokes on the home computer or mobile phone for months, the hacker would have all the passwords anyways.

August 5, 2020
12:39 pm
Vatox
Member
Members
Forum Posts: 827
Member Since:
October 29, 2017
sp_UserOfflineSmall Offline

And when was the last time that bank account IDs and passwords got hacked and stolen?

August 5, 2020
3:55 pm
pooreva
Member
Members
Forum Posts: 206
Member Since:
April 2, 2018
sp_UserOfflineSmall Offline

Vatox said
And when was the last time that bank account IDs and passwords got hacked and stolen?  

People's Trust, few years ago

August 5, 2020
4:00 pm
Vatox
Member
Members
Forum Posts: 827
Member Since:
October 29, 2017
sp_UserOfflineSmall Offline

pooreva said

People's Trust, few years ago  

Okay, interesting.
So I’m guessing they weren’t using 256-bit encryption.

August 5, 2020
4:17 pm
Loonie
Member
Members
Forum Posts: 6830
Member Since:
October 21, 2013
sp_UserOnlineSmall Online

I believe there is a thread here somewhere about the Peoples breach. It was in about 2013. Many forum members were affected.

August 5, 2020
4:29 pm
Patch002
Member
Members
Forum Posts: 26
Member Since:
October 27, 2018
sp_UserOnlineSmall Online

https://www.cbc.ca/news/canada/nova-scotia/bank-of-montreal-bmo-data-privacy-breach-stolen-information-1.4799203#:~:text=In%20late%20May%2C%20BMO%20and,information%20of%20about%2090%2C000%20customers.&text=Zinck%20said%20he's%20been%20told%20he%20was%20one%20of%2050%2C000,information%20was%20hacked%20in%20May.

BMO, Simplii Financial, Interac transfers.
Banks and everyone else have either been hacked or are waiting to be hacked. Protect yourself as no-one else will.

Not to mention: Equifax, Trans Union, Capital One, McDonalds, Yahoo emails, the list goes on and on.

I also have an issue with those entities who use just an email account as a user id. A unique userid is more difficult to breach than an email account userid. Passwords? Well so many use "1234" or birthday or favourite colour it is not funny. And they use the same password on different applications.

Crooks are getting more creative all the time. CRA should not make it any easier for them.

August 5, 2020
4:46 pm
Norman1
Member
Members
Forum Posts: 3789
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

Vatox said

And when was the last time that bank account IDs and passwords got hacked and stolen?  

pooreva said

People's Trust, few years ago

No account ID's and passwords were taken at Peoples Trust in 2013.

The exact information compromised is detailed in PIPEDA Report of Findings #2015-007:

11. The breached database held the information of approximately 12,000 individuals, including customers and related third parties (e.g., guarantors and beneficiaries). The information compromised for each affected individual generally included several of the following information elements: names, dates of birth (“DOB”), addresses, social insurance numbers (“SIN”), employment information, contact information, mother’s maiden name (for security question purposes), and in twelve cases, banking information from other financial institutions (for electronic funds transfer, “EFT”, purposes). The type of information in the database for each individual depended on the type of product for which the customer had applied via the web portal.

August 5, 2020
4:51 pm
Vatox
Member
Members
Forum Posts: 827
Member Since:
October 29, 2017
sp_UserOfflineSmall Offline

Loonie said
I believe there is a thread here somewhere about the Peoples breach. It was in about 2013. Many forum members were affected.  

This may be that thread:

https://www.highinterestsavings.ca/forum/peoples-trust/peoples-trust-privacy-breach-class-action/

I read some of it. Doesn’t seem to be passwords stolen.

Personal info isn’t something I consider to be secured info anyways, it’s everywhere out there. Having said that, it should have been encrypted and safeguarded anyways, to prevent idiots from trying to Phish or use identity theft.

It’s the password that is sacred. And Tha’s what the Sign-in Partner is using via the FI login.

August 6, 2020
8:19 am
Patch002
Member
Members
Forum Posts: 26
Member Since:
October 27, 2018
sp_UserOnlineSmall Online

A little while ago Yahoo emails were breached. The clients did not give out their passwords yet Yahoo sent out a notice for everyone to change their passwords. Why do you think that Yahoo did that? (hint, when data is stolen, how do you know that it doesn't include passwords, would a target company "volunteer" that information to the public?)

You may do as you wish, I'm just saying that the "CRA Sign-in partner" is a weakness. Call me cautious, I do not want that option.

August 6, 2020
8:37 am
MG
Member
Members
Forum Posts: 129
Member Since:
February 16, 2013
sp_UserOfflineSmall Offline

Patch002 said
The clients did not give out their passwords yet Yahoo sent out a notice for everyone to change their passwords. Why do you think that Yahoo did that?

If I had to guess, I suspect some people inappropriately use personal information as their password, like the city they live in, their birthdate, etc.

August 6, 2020
10:28 am
Norman1
Member
Members
Forum Posts: 3789
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

Yahoo did admit that the hashed passwords were stolen in Yahoo! Yodel: An Important Message About Yahoo User Security.

Should that ever happen at a sign-in partner, the partner could block all sign-ins, both to its online banking and to others (like CRA), until the user changes their password.

If one uses a sign-in banking partner that one does regular online banking with, then the partner can detect outlier sign-ins, like a CRA sign-in attempt from Boliva just an hour after an online banking sign-in from within Canada.

August 6, 2020
8:59 pm
Oscar
Member
Members
Forum Posts: 225
Member Since:
October 17, 2018
sp_UserOfflineSmall Offline

Today I heard a story on the radio about a Calgary woman that received a message that she had been approved for the CERB although she had not applied and found that someone had changed her address and direct deposit info and collected benefits on her behalf. Sketchy on the details , it was on Globalnews afternoon talk show.

August 6, 2020
9:22 pm
Norman1
Member
Members
Forum Posts: 3789
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

She was likely the victim of identity theft.

Someone got her name, date of birth, and matching fake ID. The culprit opened a bank account in her name, applied for CERB in her name, and asked that the payments be direct deposited to the new bank account in her name. sf-surprised

Kind of like what happened to one victim in Thief uses B.C. man’s identity to open fake bank account, apply for CERB.

Please write your comments in the forum.