6:45 am
October 27, 2018
Previously, CRA Myaccount needed a unique userid and password. This was somewhat secure.
Now, there is a "Sign in partner" and it lists many financial institutions, so in order to login, one would input their financial institution login details and it logs onto the CRA myaccount.
In my opinion, this is a CRA security breach in-the-making. So if someone hacks your financial institution login, they have effectively also hacked into your CRA's Myaccount. Instead of ID theft security, this makes ID theft easier to execute.
CRA should eliminate this "Sign-in Partner" asap and revert back to only CRA Secure Login.
7:06 am
October 21, 2018
7:53 am
October 27, 2013
9:26 am
March 30, 2017
Patch002 said
Previously, CRA Myaccount needed a unique userid and password. This was somewhat secure. Now, there is a "Sign in partner" and it lists many financial institutions, so in order to login, one would input their financial institution login details and it logs onto the CRA myaccount.
In my opinion, this is a CRA security breach in-the-making. So if someone hacks your financial institution login, they have effectively also hacked into your CRA's Myaccount. Instead of ID theft security, this makes ID theft easier to execute.
CRA should eliminate this "Sign-in Partner" asap and revert back to only CRA Secure Login.
You trust the password you use to sign in to your bank account, but not the same login/password used to access your tax info?
Unless you worry about one login/password to both but then if your bank account links to other FI already, it's already one login/password allows potential breach to many of your other bank accounts, which is way worse...
9:41 am
September 11, 2013
Here's the current list of sign in partners (option 1):
https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services/list-sign-partners.html
As AltaRed says, not new, been available for some time now.
I've always used option 2, direct sign in, never had a problem.
There is option 3 for BC users too.
9:44 am
October 27, 2018
It's not a matter of whom I trust more, it is a matter that if your CRA account login is breached, can they access your banking info? The answer is no.
However, if your Banking info is breached, the hacker can use your bank sign-in and also access CRA myaccount.
The point is that the Sign-in Partner is a bad idea.
10:40 am
April 6, 2013
Why wouldn't the hacker also have the CRA MyAccount signin as well? How does one think the hacker actually got the banking password in the first place?
If a keyboard sniffer has been installed and has been sniffing the keystrokes on the home computer or mobile phone for months, the hacker would have all the passwords anyways.
12:39 pm
October 29, 2017
4:17 pm
October 21, 2013
4:29 pm
October 27, 2018
BMO, Simplii Financial, Interac transfers.
Banks and everyone else have either been hacked or are waiting to be hacked. Protect yourself as no one else will.
Not to mention: Equifax, TransUnion, Capital One, McDonald's, Yahoo emails, the list goes on and on.
I also have an issue with those entities who use just an email account as a user id. A unique userid is more difficult to breach than an email account userid. Passwords? Well so many use "1234" or birthday or favourite colour it is not funny. And they use the same password on different applications.
Crooks are getting more creative all the time. CRA should not make it any easier for them.
4:46 pm
April 6, 2013
Vatox said
And when was the last time that bank account IDs and passwords got hacked and stolen?
pooreva said
People's Trust, few years ago
No account IDs and passwords were taken at Peoples Trust in 2013.
The exact information compromised is detailed in PIPEDA Report of Findings #2015-007:
11. The breached database held the information of approximately 12,000 individuals, including customers and related third parties (e.g., guarantors and beneficiaries). The information compromised for each affected individual generally included several of the following information elements: names, dates of birth (“DOB”), addresses, social insurance numbers (“SIN”), employment information, contact information, mother’s maiden name (for security question purposes), and in twelve cases, banking information from other financial institutions (for electronic funds transfer, “EFT”, purposes). The type of information in the database for each individual depended on the type of product for which the customer had applied via the web portal.
4:51 pm
October 29, 2017
Loonie said
I believe there is a thread here somewhere about the Peoples breach. It was in about 2013. Many forum members were affected.
This may be that thread:
https://www.highinterestsavings.ca/forum/peoples-trust/peoples-trust-privacy-breach-class-action/
I read some of it. Doesn’t seem to be passwords stolen.
Personal info isn’t something I consider to be secured info anyways, it’s everywhere out there. Having said that, it should have been encrypted and safeguarded anyways, to prevent idiots from trying to phish or use identity theft.
It’s the password that is sacred. And that’s what the Sign-in Partner is using via the FI login.
8:19 am
October 27, 2018
A little while ago Yahoo emails were breached. The clients did not give out their passwords yet Yahoo sent out a notice for everyone to change their passwords. Why do you think that Yahoo did that? (hint, when data is stolen, how do you know that it doesn't include passwords, would a target company "volunteer" that information to the public?)
You may do as you wish, I'm just saying that the "CRA Sign-in partner" is a weakness. Call me cautious, I do not want that option.
8:37 am
February 16, 2013
Patch002 said
The clients did not give out their passwords yet Yahoo sent out a notice for everyone to change their passwords. Why do you think that Yahoo did that?
If I had to guess, I suspect some people inappropriately use personal information as their password, like the city they live in, their birthdate, etc.
10:28 am
April 6, 2013
Yahoo did admit that the hashed passwords were stolen in Yahoo! Yodel: An Important Message About Yahoo User Security.
Should that ever happen at a sign-in partner, the partner could block all sign-ins, both to its online banking and to others (like CRA), until the user changes their password.
If one uses a sign-in banking partner that one does regular online banking with, then the partner can detect outlier sign-ins, like a CRA sign-in attempt from Bolivia just an hour after an online banking sign-in from within Canada.
8:59 pm
October 17, 2018
Today I heard a story on the radio about a Calgary woman that received a message that she had been approved for the CERB although she had not applied and found that someone had changed her address and direct deposit info and collected benefits on her behalf. Sketchy on the details, it was on Global News afternoon talk show.
9:22 pm
April 6, 2013
She was likely the victim of identity theft.
Someone got her name, date of birth, and matching fake ID. The culprit opened a bank account in her name, applied for CERB in her name, and asked that the payments be direct deposited to the new bank account in her name.
Kind of like what happened to one victim in Thief uses B.C. man’s identity to open fake bank account, apply for CERB.