The IT Nerd

Today the online services related to the Canadian Revenue Agency are back online for the most part. They were taken down after they were pwned by hackers using a technique called credential stuffing. Now during a news conference the Canadian Government said that they were going to mitigate this. I’ve had a look at their mitigation strategy, and I am not impressed. But I am getting ahead of myself here. Let me explain what credential stuffing is using this Wikipedia article:

Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.

Since the attack is automated, you have to stop the automation from being effective. The way that the Canada Revenue Agency has chosen to do this is to use a CAPTCHA like system. In short, when you log in, you’ll be required to recognize shapes or objects. Something that humans excel at, but computers suck at. Which is why this is a way of stopping an automatic attack such as credential stuffing. Here’s what I saw when I logged into the Canada Revenue Agency:

In this case, I had to pick out all the buses on this screen. There were 9 pictures of which I only had to pick out the correct three pictures. I logged in a few times and I only had to pick out three pictures every time. Which seems kind of low to me.

Here’s my main problem with this. This is not the best way to stop this kind of attack. What the Canada Revenue Agency should be doing is using multi-factor authentication. In short, multi-factor authentication requires multiple factors to verify your identity. For example, a password and a code from an app installed on your smart phone. The reason why this is better is that CAPTCHA like systems can be defeated by machine learning attacks, cheap human labor, or services on the dark web that specialize in defeating CAPTCHA like systems. Multi-factor authentication systems on the other hand requires the attacker to have all the factors in hand, or to simulate them to make an attack successful. That’s possible to do, but is way harder to pull off. Especially if a system like Microsoft Authenticator or Google Authenticator is used. Another plus is that if you out of the blue get a request to authenticate a login, and you are not logging into anything, then you know that you are potentially being hacked. Think of it of being a canary in the coal mine.

Given that the Canada Revenue Agency has been hacked multiple times, they have to do much better to protect Canadians. And I do not believe that what they have done is enough to stop the next attack. Hopefully, they improve the security of their infrastructure over time.

One other thing. If you are a Canadian with a Canada Revenue agency account, I would strongly suggest that you log in and do the following:

• Change your password to something that is at least 8 characters long, contains upper and lower case character, and has at least one numeric character in it. And it should not be something that is used in whole or in part on another website.
• Make sure you have an email address entered so that if your personal information is changed, you will get an email alert. That will alert you to a possible hack. You can get more info on that here here.
• Check your account to make sure that your personal information such as baking info and address info has not been changed.

This entry was posted on August 20, 2020 at 11:15 am and is filed under Commentary with tags Canada, Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.