The Canada Revenue Agency Site Is Back Online…. And I Believe Their New Security Measures Are A #Fail

Today the online services related to the Canadian Revenue Agency are back online for the most part. They were taken down after they were pwned by hackers using a technique called credential stuffing. Now during a news conference the Canadian Government said that they were going to mitigate this. I’ve had a look at their mitigation strategy, and I am not impressed. But I am getting ahead of myself here. Let me explain what credential stuffing is using this Wikipedia article:

Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.

Since the attack is automated, you have to stop the automation from being effective. The way that the Canada Revenue Agency has chosen to do this is to use a CAPTCHA like system. In short, when you log in, you’ll be required to recognize shapes or objects. Something that humans excel at, but computers suck at. Which is why this is a way of stopping an automatic attack such as credential stuffing. Here’s what I saw when I logged into the Canada Revenue Agency:

In this case, I had to pick out all the buses on this screen. There were 9 pictures of which I only had to pick out the correct three pictures. I logged in a few times and I only had to pick out three pictures every time. Which seems kind of low to me.

Here’s my main problem with this. This is not the best way to stop this kind of attack. What the Canada Revenue Agency should be doing is using multi-factor authentication. In short, multi-factor authentication requires multiple factors to verify your identity. For example, a password and a code from an app installed on your smart phone. The reason why this is better is that CAPTCHA like systems can be defeated by machine learning attacks, cheap human labor, or services on the dark web that specialize in defeating CAPTCHA like systems. Multi-factor authentication systems on the other hand requires the attacker to have all the factors in hand, or to simulate them to make an attack successful. That’s possible to do, but is way harder to pull off. Especially if a system like Microsoft Authenticator or Google Authenticator is used. Another plus is that if you out of the blue get a request to authenticate a login, and you are not logging into anything, then you know that you are potentially being hacked. Think of it of being a canary in the coal mine.

Given that the Canada Revenue Agency has been hacked multiple times, they have to do much better to protect Canadians. And I do not believe that what they have done is enough to stop the next attack. Hopefully, they improve the security of their infrastructure over time.

One other thing. If you are a Canadian with a Canada Revenue agency account, I would strongly suggest that you log in and do the following:

  • Change your password to something that is at least 8 characters long, contains upper and lower case character, and has at least one numeric character in it. And it should not be something that is used in whole or in part on another website.
  • Make sure you have an email address entered so that if your personal information is changed, you will get an email alert. That will alert you to a possible hack. You can get more info on that here here.
  • Check your account to make sure that your personal information such as baking info and address info has not been changed.

2 Responses to “The Canada Revenue Agency Site Is Back Online…. And I Believe Their New Security Measures Are A #Fail”

  1. […] to get their hands on COVID-19 benefits and how shambolic the response has been, as well as how lame the security measures that were put in place after this hack, I am not at all surprised that there’s now a class action lawsuit over this whole affair. […]

  2. […] website offline for a few days and affected a number of government departments in the process while security was improved. CTV News has the […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: