Some CRA Accounts Have Been Breached . . . | General financial discussion | Discussion forum

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

No permission to create posts
sp_Feed Topic RSS sp_TopicIcon
Some CRA Accounts Have Been Breached . . .
August 15, 2020
1:49 pm
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 2158
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

.
Today's CBC article: https://www.cbc.ca/news/politics/canada-revenue-agency-cra-cyberattack-1.5688163

I just checked my account ... all looks OK.

    Dean

sf-cool " Live Long, Healthy ... And Prosper! " sf-cool

August 15, 2020
1:57 pm
Norman1
Member
Members
Forum Posts: 7195
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

Looks like some taxpayers used the same password for their CRA account as they used at some other site.

Other site was compromised and hackers found the same password also worked for the victim's CRA account! sf-surprised

CRA account should be fine if it has a different password:

The incidents are a type of attack known as "credential stuffing," the Treasury Board's Office of the Chief Information Officer said in a statement.

"These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts."

Aside from CRA accounts, thousands of others linked to GCKey — a secure portal that allows Canadians to access government services online — were also affected.

"Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity," the statement read.

August 15, 2020
2:08 pm
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 2158
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

Norman1 said

Looks like some taxpayers used the same password for their CRA account as they used at some other site.

Other site was compromised and hackers found the same password also worked for the victim's CRA account! sf-surprised

CRA account should be fine if it has a different password.  

Sadly, it's a common mistake (bad habit) some people make. sf-confused

Laziness with passwords, can cost you; A Lot O' Grief

    Dean

sf-cool " Live Long, Healthy ... And Prosper! " sf-cool

August 15, 2020
4:01 pm
davidgeorge
Member
Members
Forum Posts: 335
Member Since:
May 20, 2016
sp_UserOfflineSmall Offline

CRA login is down.

cra.JPG

August 15, 2020
8:23 pm
Kidd
Member
Banned
Forum Posts: 840
Member Since:
February 27, 2018
sp_UserOfflineSmall Offline

If i remember correctly... didn't a forum member raise this concern a week or so ago? Their post dealt with, if they log into their cra account using their bank log in data, then their bank and their cra account can be breached because the same password data is being used.

If they used their bank log in data only for their bank and a cra my account password. The two entities would remain separate.

August 15, 2020
9:41 pm
Norman1
Member
Members
Forum Posts: 7195
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

That's only true if one uses the same password at the bank and at CRA separately.

That is not how the sign-in partner system works at CRA. With the system, CRA never has a copy of the password. One actually signs into the bank first and the bank vouches for the person to CRA.

It is secure as long as one does not use that banking password for some unregulated site, like that a bitcoin exchange or some free e-mail site. That would result in another copy of the password stored in a place that is likely easier for hackers to reach undetected than within CRA or within the bank.

If instead the hackers get onto one's home computer and install a keyboard sniffer, then it doesn't matter if one uses different passwords. Over a course of months, the hackers will be able to sniff all the password used.

August 16, 2020
6:34 am
savemoresaveoften
Member
Members
Forum Posts: 2994
Member Since:
March 30, 2017
sp_UserOfflineSmall Offline

Norman1 said
That's only true if one uses the same password at the bank and at CRA separately.

That is not how the sign-in partner system works at CRA. With the system, CRA never has a copy of the password. One actually signs into the bank first and the bank vouches for the person to CRA.

It is secure as long as one does not use that banking password for some unregulated site, like that a bitcoin exchange or some free e-mail site. That would result in another copy of the password stored in a place that is likely easier for hackers to reach undetected than within CRA or within the bank.

If instead the hackers get onto one's home computer and install a keyboard sniffer, then it doesn't matter if one uses different passwords. Over a course of months, the hackers will be able to sniff all the password used.  

yeah the CRA partner login partner feature is still better than the separate CRA feature in my mind. Basically if someone hacks your bank password in order to access CRA, they would have done something to your bank account as well, which can be setup to have real time text alert to your phone, etc

August 16, 2020
10:34 am
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 2158
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

davidgeorge said

CRA login is down.

cra.JPG  

I just checked ... it's Still not available.

Hopefully, it'll be available by Monday.

    Dean

sf-cool " Live Long, Healthy ... And Prosper! " sf-cool

August 16, 2020
10:51 am
pwm
Headingley MB
Member
Members
Forum Posts: 110
Member Since:
October 21, 2018
sp_UserOfflineSmall Offline

The hacked accounts were tied to GCKey, which I had never heard of. Apparently it's yet another means to access GOC websites.

August 16, 2020
1:40 pm
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 2158
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

.
Update, as of 2:05 pm CST today https://winnipeg.ctvnews.ca/canada-revenue-agency-shuts-down-online-services-after-two-cyberattacks-1.5066070

I've got my fingers crossed for Monday, but there's still no word on when the CRA online services ('My Account', etc.) will be restored.

    Dean

sf-cool " Live Long, Healthy ... And Prosper! " sf-cool

August 16, 2020
2:23 pm
Norman1
Member
Members
Forum Posts: 7195
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

According to CBC.ca: CRA shuts down online services after …, it is about 5,500 CRA accounts and about 9,000 GCKey-linked accounts.

It isn't clear how much overlap there is between the two sets of accounts.

August 16, 2020
6:07 pm
pooreva
Member
Banned
Forum Posts: 440
Member Since:
April 2, 2018
sp_UserOfflineSmall Offline

Why are you SO desperate to get into your account?????
If you are not affected, just chill out...

August 16, 2020
6:23 pm
Kidd
Member
Banned
Forum Posts: 840
Member Since:
February 27, 2018
sp_UserOfflineSmall Offline

I'm sorry i paid my june tax installment early, tax payments will be put off indefinitely.

I hear, the CRA have hired the Phoenix payroll programmers to fix their current security issues.  Yeah, good luck with that.

August 16, 2020
6:52 pm
suburbs4life
Member
Members
Forum Posts: 178
Member Since:
April 20, 2019
sp_UserOfflineSmall Offline

Kidd said
I'm sorry i paid my june tax installment early, tax payments will be put off indefinitely.

I hear, the CRA have hired the Phoenix payroll programmers to fix their current security issues.  Yeah, good luck with that.  

I hope you are joking about the people behind the Phoenix payroll program being involved. Better count on nothing being done.

I am just stressing about not knowing my September tax instalment amount... any word on when we might know this?

August 16, 2020
7:10 pm
rodeworthy
Member
Members
Forum Posts: 196
Member Since:
February 1, 2016
sp_UserOfflineSmall Offline

Last week we received email from CRA indicating we had new messages. We logged on and determined the messages were notices of the September and December installment amounts. The information is there.

You should be able to get this information once the CRA site is back up.

August 17, 2020
6:07 am
suburbs4life
Member
Members
Forum Posts: 178
Member Since:
April 20, 2019
sp_UserOfflineSmall Offline

rodeworthy said
Last week we received email from CRA indicating we had new messages. We logged on and determined the messages were notices of the September and December installment amounts. The information is there.

You should be able to get this information once the CRA site is back up.  

Much appreciated. I never got any email updates and my cra account early last week had nothing new. However, it sounds like it will happen soon then if people are being updated.

August 17, 2020
6:26 am
pwm
Headingley MB
Member
Members
Forum Posts: 110
Member Since:
October 21, 2018
sp_UserOfflineSmall Offline

We got our emails on Friday Aug 14.

August 17, 2020
9:50 am
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 2158
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

Dean said

I just checked ... it's Still not available.

Hopefully, it'll be available by Monday.

    Dean

  

Well ... it's Monday, but still No Luck.

I can get into 'My Service Canada Account' (via the GCKey), but the CRA 'My Account' is still not available ... and there is no indication when it will be available ❗

I guess we all just get to sit back, and wait. sf-confused

    Dean

sf-cool " Live Long, Healthy ... And Prosper! " sf-cool

August 17, 2020
10:10 am
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 2158
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

.
UPDATE ... The CRA expects their site to be available again by 'Wednesday'.

Source ➡ https://www.bnnbloomberg.ca/cra-expects-online-services-back-wednesday-following-breaches-1.1480865

    Dean

sf-cool " Live Long, Healthy ... And Prosper! " sf-cool

August 18, 2020
7:17 am
Nehpets
Ontario
Member
Members
Forum Posts: 994
Member Since:
December 20, 2016
sp_UserOfflineSmall Offline

Current instructions for managing CRA login credentials (Source: CRA website):

To manage any of the following CRA security options, you must first login to a service. Once you have logged in, you can access these options on the "CRA login and security options" page.

    Change CRA user ID
    Change CRA password
    Change CRA security questions and answers
    Update additional security feature preference
    Revoke CRA user ID
    View the Terms and conditions of use
    View recent CRA login history

Password
Your password must contain between 8 and 16 characters, one upper-case letter, one lower-case letter, one digit, no space, and no accented characters. The only special characters you can use are: dot (.), dash (-), underscore (_), and apostrophe ('). You cannot use more than 4 consecutive, identical characters. The password and the confirm password must match.

Stephen

No permission to create posts

Please write your comments in the forum.