9:34 am
January 12, 2019
.
CBC News Link ➡ https://www.cbc.ca/news/politics/cra-accounts-locked-1.5947714
And just as this year's tax season gets underway ❗
- Dean
" Live Long, Healthy ... And Prosper! "
10:17 am
April 6, 2013
It looks like CRA is obtaining lists of e-mail addresses and passwords being sold and seeing if the passwords also work against people's CRA accounts:
As part of its cybersecurity efforts, CRA will lock all accounts that use the same login information as other accounts that have been made available on the so-called "dark web", a part of the internet that can be accessed only through a special browser.
10:40 am
December 12, 2009
Norman1 said
"dark web", a part of the internet that can be accessed only through a special browser.
Thanks, Norman. Reading between the lines of the above further, it looks like they're specifically referring to content available on the Tor anonymity network. I'm a bit surprised they actually made a point of mentioning "a part of the internet that can be accessed only through a special browser," though, since the so-called "dark web" includes more than just websites available through the Tor network.
Cheers,
Doug
1:53 pm
September 11, 2013
3:00 pm
February 27, 2018
Bill said
CBC acts like 800,000 is a lot (just like with the vaccines) but this affects relatively few people, about 3% of filers. In our family 3 tried to access My Account today, all had zero problems.
This 800,000 in March is in addition to the 100,000 in February.
Bill, if everyone in Canada used the CRA web link, then maybe some might consider 900,000 a small number. This number is huge. Sadly this happens every year to the CRA, every year. In the past the CRA have extended the filing date. Ohhhhhh Canada
5:34 pm
October 27, 2013
Except it is not a CRA breach. It is user ID and password info CRA has found on the dark web from other third party breaches. To the extent CRA is finding passwords that are the same as what people are using to login to CRA, this is on the taxpayer, not CRA. They are doing some taxpayers a good service by protecting them from themselves.
7:11 pm
February 27, 2018
So the story goes??? The CRA found Canadian email addresses and passwords on the dark web? The CRA is doing a cross reference to see if those Canadians use the same password on the CRA web site?
So... if the CRA have blocked 900,000 CRA user accounts, the CRA must have found ballpark 15 million email addresses and passwords on the dark web, to determine 900,000 of those are used on the CRA web site? Really???
Well, believe that if you will. BUT HONESTLY the CRA do NOT have the ability to cross reference "found" email passwords. Have you heard of other countries doing this?
A more likely scenario... someone at the CRA was mining bitcoin using the CRA servers. To do so, the servers must have lowered their firewalls and a data breach occurred. The CRA are the ones who released the email information. That's more plausible.
Canada, home of the Phoenix payroll boondoggle. Our government employees use Velcro to close their shoes because they don't know how to tie them.
7:27 pm
October 27, 2013
7:30 am
September 15, 2020
Kidd said
Well, believe that if you will. BUT HONESTLY the CRA do NOT have the ability to cross reference "found" email passwords. Have you heard of other countries doing this?
This statement may have been correct 5 years ago, but there are now online resources that allow you to look up a database of passwords against known breached/stolen passwords.
See the following link:
https://www.troyhunt.com/welcoming-the-canadian-government-to-have-i-been-pwned/
This service collates passwords found on the dark web and allows registrants to query against encrypted (hashed, to be precise) passwords for matches. It's a legit and reputable service.
What has likely happened is that CRA has run the query and found 800,000 passwords that were a hit against the breached password database. No need to know the associated username or email address. Just the password.
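A sketch of the password-only matching described in the post above, added here as an illustration and not part of the original thread or any CRA process. It assumes a hash-prefix range lookup, so only the first five hex characters of the SHA-1 digest leave the client; the breach counts, user IDs and function names are constructed.

```python
import hashlib

# Constructed sample: passwords assumed to appear in third-party breach dumps,
# with the number of times each was seen. Not real breach data.
CONSTRUCTED_BREACH_COUNTS = {
    "password1": 2413945,
    "Maple2019!": 37,
    "hockey99": 15820,
}
PREFIX_LEN = 5  # hex characters of the SHA-1 digest sent to the lookup service


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breach_counts):
    """Group breached hashes by prefix, the way a range-lookup service stores them."""
    index = {}
    for password, count in breach_counts.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


def range_lookup(index, prefix):
    """Service side: return every suffix:count under a prefix; it never sees a full hash."""
    return [f"{suffix}:{count}" for suffix, count in sorted(index.get(prefix, {}).items())]


def breach_count(index, password):
    """Client side: send only the prefix, then match the remaining suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in range_lookup(index, prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def accounts_to_lock(index, submitted):
    """submitted: {user_id: password presented at login or password change}."""
    return sorted(uid for uid, pw in submitted.items() if breach_count(index, pw) > 0)


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_COUNTS)
    logins = {"user-a": "hockey99", "user-b": "x7#Lq!tPz0-unique", "user-c": "Maple2019!"}
    print(accounts_to_lock(idx, logins))
```

No user ID or email address takes part in the match; the account identifier is only used afterwards to decide which account to lock.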
3:01 pm
October 27, 2013
savingtime said
What has likely happened is that CRA has run the query and found 800,000 passwords that were a hit against the breached password database. No need to know the associated username or email address. Just the password.
Agreed. The password is the critical part. But CRA could also have looked for matches at a User ID level too, whether that User ID is an email address or some other alphanumeric combination. To me, User ID matching would be overkill...unless it was matched with a password as well - in which case the door to the vault is open.
4:05 pm
January 12, 2019
.
And now ... the Experts chime in:
-
CTV News Link ➡ https://www.ctvnews.ca/canada/experts-call-on-cra-to-get-serious-about-cybersecurity-after-800k-users-locked-out-as-a-precaution-1.5346546
Quote :
-
"In what might be considered the most complicated tax season yet, Canadians who have lost access to their accounts will be unable to regain access until at least March 22, according to the CRA."
.
A Sad State Of Affairs ❗
-
Dean
" Live Long, Healthy ... And Prosper! "
7:06 pm
February 27, 2018
I would ask, why is this only a Canadian phenomenon? The IRS must be doing the same to protect the American taxpayer?
OR are you under the belief, Canada is cutting edge, an innovator, the leader of the pack?
OR maybe just maybe... because Canada outsources everything, the CRA willingly gave all of our data to a 3rd party to alphabetize.
6:31 am
November 8, 2018
I suspect outsourcing.
My personal experience: have not had fake CRA calls at all. One year, CRA requested support documentation on tax deductions I claimed.
Since that year, I am routinely getting fake CRA calls about my taxes.
Ironically, not all CRA calls, no matter how unrealistic they sound, are fake: Check your paperwork or you may wind up with an $8M tax bill like this barista.
8:20 pm
January 3, 2013
Kidd said
So the story goes??? The CRA found Canadian email addresses and passwords on the dark web? The CRA is doing a cross reference to see if those Canadians use the same password on the CRA web site?
So... if the CRA have blocked 900,000 CRA user accounts, the CRA must have found ballpark 15 million email addresses and passwords on the dark web, to determine 900,000 of those are used on the CRA web site? Really???
Well, believe that if you will. BUT HONESTLY the CRA do NOT have the ability to cross reference "found" email passwords. Have you heard of other countries doing this?
A more likely scenario... someone at the CRA was mining bitcoin using the CRA servers. To do so, the servers must have lowered their firewalls and a data breach occurred. The CRA are the ones who released the email information. That's more plausible.
Canada, home of the Phoenix payroll boondoggle. Our government employees use Velcro to close their shoes because they don't know how to tie them.
We use a service in our company to do this exact thing. We do it monthly and tell the employee to reset their password immediately. Basically, we tell the employee! Hey. Isn't this your username / password that you use on this and this and this site? That scares them enough to start using different passwords.
Plus the MFA of course.