Rishi Maharaj: The Canada Revenue Agency has no excuse for being this pathetic
The CRA has no physical presence. Its phone lines routinely refuse to connect you at all, simply saying that all queues are full.
By: Rishi Maharaj
If you think tax season is stressful, try being one of 800,000 Canadians whose Canada Revenue Agency online accounts were locked this month over fears that their credentials had been leaked to fraudsters.
If you were spared from that debacle, perhaps you were involved in the previous one, where over 100,000 accounts were locked for similar reasons. That was less than a month prior, on February 17.
Before that, the CRA temporarily froze all access to its website in August 2020 after three separate cybersecurity incidents, in which it detected “suspicious activity” on at least 48,500 taxpayer accounts.
On top of those incidents, basic CRA online account functions, like changing your address or bank information, were suspended for nearly a year to thwart fraudsters who use those functions to collect tax refunds and other benefits on behalf of unwitting Canadians.
What on Earth is going on at the CRA?
First of all, it should be noted that many Canadians’ poor password hygiene played a role in all of these incidents. People have been reusing usernames and passwords from elsewhere to register for government services, making them vulnerable to an attack known as “credential stuffing” — fraudsters trying a username/password combination stolen from one site against a higher-value target, like a bank or email account. The CRA should be commended for monitoring which usernames and passwords are being sold by fraudsters and proactively freezing those accounts.
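The proactive freezing the CRA is credited with here, as an added example that is not part of the article or of the CRA's own systems: match a list of credentials offered for sale against an account store and lock only the accounts whose leaked password still verifies against the stored hash. The accounts, the leaked list and the PBKDF2 settings are constructed for the demonstration.

```python
"""Proactive lockout of accounts whose credentials appear in a dump offered for
sale, the practice the article credits the CRA with. Added example, not the
CRA's code; the account store and the leaked list below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # stand-in for the real verifier's password-hash cost

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))

def freeze_leaked(accounts: dict[str, Account],
                  leaked: list[tuple[str, str]]) -> list[str]:
    """Lock each account whose leaked password still verifies against the stored
    hash; return the usernames locked, in dump order. A username match alone is
    not enough, or anyone whose handle appears in any dump would be locked out."""
    locked = []
    for user, password in leaked:
        acct = accounts.get(user.lower())
        if acct is None or acct.locked:
            continue
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.locked = True
            locked.append(acct.username)
    return locked

def run_demo() -> tuple[list[str], dict[str, Account]]:
    # Constructed sample data: three accounts and a four-entry "for sale" list.
    accounts = {a.username: a for a in (
        make_account("alice", "correct horse battery"),  # reused elsewhere
        make_account("bob", "hunter2"),                  # dump has a stale password
        make_account("carol", "Tr0ub4dor&3"),            # reused elsewhere
    )}
    leaked = [("alice", "correct horse battery"), ("Bob", "hunter3"),
              ("dave", "letmein"), ("carol", "Tr0ub4dor&3")]
    return freeze_leaked(accounts, leaked), accounts
```

Only alice and carol are frozen: bob's entry in the dump carries a password that no longer verifies, and dave has no account at all, so neither is disturbed.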
But that’s where the plaudits end.
“Credential stuffing” and other cyberattacks aren’t new. They are as old as the Internet itself. Anyone operating more than the online equivalent of a lemonade stand should be using all available techniques to protect themselves and their users. The single most effective way to thwart account compromise is multi-factor authentication (MFA). The vast majority of Canadians will be familiar with this type of system from a variety of other services including Google, Apple, Facebook and Twitter. Return-It Express, the online bottle deposit-return system in British Columbia, supports MFA for getting your dimes back.
Yet the guardian of Canadians’ sensitive data and billions of dollars of benefit payments only started to pilot MFA for selected users last month. Determined to take one step forward and one step back, the CRA only made available the least secure form of MFA — text messages to your cell phone — which is vulnerable to another well-known cyberattack called SIM porting. If you haven’t heard of SIM porting, don’t fear — you will doubtless be reading about it in next month’s CRA security breach.
Regardless of what cybersecurity techniques the CRA employs, though, a certain number of account compromises are inevitable. And that is where the CRA’s second big failing comes to light. Any identity checking system must have a workable means for people to recover their credentials, whether because they’ve forgotten their password, lost access to their MFA token or unwittingly gave access to someone else.
For instance, your provincial health card is your key to hospital and physician services. If you lose it, gathering your proof of residency and queuing up at the local provincial government office is a hassle, but it’s something most people can accomplish within a few business days of the loss. Here in British Columbia, for instance, Service BC is ready to help you in communities as small as Bella Coola (population 807). And in the meantime, you won’t be turned away from the ER. We could call this a somewhat robust identity system.
But unlike many other government agencies that we deal with for essential services, the CRA seems determined to avoid interacting with Canadians at all. It has no physical presence. Such is the number of Canadians trying to resolve account issues that the CRA’s phone lines routinely refuse to connect you at all, simply saying that all queues are full and to try again later. Industrious Canadians have come up with various tricks, like calling through a VoIP system to get through during the hours where the CRA is only open for Atlantic Canada (sorry) or calling the collections number (not sorry).
Should you succeed in speaking with a CRA agent, how do they verify your identity? Through the only information they have about you, of course — your past tax returns. But once a person’s CRA account has been accessed by a fraudster, any information contained on past returns accessible through that account must be assumed to be compromised and can no longer be used for identity verification. This leaves us one final option: mailing a security code to your last valid address. It may take up to six weeks to arrive.
All of this amounts to a pathetic level of service for any provider. If this were a ham radio or pleasure craft licence application, I might grumble under my breath a little and move on. But this is not that. The Canada Revenue Agency is the one federal government agency that nearly every adult Canadian will need to deal with on a regular basis if they plan to ever qualify for government benefits, purchase a home or just have a bank account that isn’t regularly garnished for non-payment of taxes.
Yet not only is the CRA not willing or not able to implement secure and functional online services, it also does not provide an acceptable minimum level of service for when that online system inevitably fails. In short, the CRA does not take itself seriously.
Unfortunately for Canadians, treating the CRA as flippantly as it treats itself is not an option. Rest assured, applying the same level of diligence to your tax obligations as the CRA applies to cybersecurity will not be to your benefit.
Canadians have every right to expect functional, secure, online and human-based tools for transacting necessary business with their government. We have become too accepting of the fact that many government services are in a perpetual state of brokenness that we must muddle through. If the CRA’s attitude toward cybersecurity reflects Ottawa’s attitude toward Canadians, then a wake-up call is in order.
Rishi Maharaj is an electrical engineer. He lives in Powell River, B.C.