Looks like the CRA is rolling out a new login option (it began in early November 2012) to access the CRA "My Account" website. You still have the option of using your old CRA login; however, if you're anything like me, you've probably forgotten the Login-ID, which of course you can't retrieve. But not to fret: you have the option of creating (yet) another new account, and now you won't have to remember your login!
CRA is working with Canadian banks on a service called: "SecureKey Concierge" ( http://securekeyconcierge.com/ ).
"SecureKey Concierge offers a convenient way to sign in to Government of Canada services. Instead of remembering yet another username and password that you rarely ever use, you can choose to sign in with a brand that you know, and use, regularly… such as your favourite Financial Institution, Bank or Credit Card."
I'd like to say "what could possibly go wrong?" and leave it at that, but that isn't going to happen. Let's explore the option.
As of this writing (March 6, 2013) you are presented with 4 options to sign in:
When you select one of the options, you're presented with a login page at the bank of your choice. Since I had already logged into my bank from this machine, my debit card information was already saved. (Yes, I'm lazy; sue me.) From there the flow is your bank's normal login: just as when you log in to your bank, you are asked for your password and/or whatever other details it requires. In my case, it also shows me the passmark phrase and image so I "know" it's really the bank I'm connecting to.
Once you've entered your password, you are redirected back to the original site, in my case the CRA website, which continues to validate who you are by asking for the same information that would have been asked if you were creating a regular account.
At this point, I'm stalled in the investigation: I need to wait for a security code to be sent to me in order to continue with the registration process. But each time I log in, it remembers where I was and promptly asks me for the security key. As such, I can assume that future visits to the site have no additional authentication method.
So what could go wrong? I mean, it's easier for the Canadian people, right? Just use the same login as your bank! -- But wait -- Your bank... login...
Let's start with the obvious: phishing.
Given the large number of phishing websites and emails that barrage users on a daily basis, I expect this new function to only cause an increase in the number of such attempts. Now it is no longer just our bank accounts and the possibility of losing all our money that are at stake: whoever phishes the banking credential could also access any Canadian Government website we've previously logged into with it. I believe the phrase is Awesomesauce.
But wait -- There's MORE.
A while back there were some comments around the storage of banking passwords. (If you can find some references, that would be great.) At the time, it was identified that banks typically store your online password in a form compatible with aged telephone-based applications. In other words, they convert the password into the digits of a telephone keypad.
For example, password would become 72779673, and secure45 would be 73787345. That means you've gone from [A-Za-z0-9] to [0-9] as the possible options per character. Not only that, but one could take a numeric password and convert it into letters too, so a password of 1234567890 could be entered as 1bfikmrvz0. This still holds true for some banks.
Now, we trust the bank with our online bank accounts, but we have the option to also trust them with our Government accounts as well, with incredibly WEAK password storage methods.
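To make the keypad collapse concrete, here is an added example (my own code, not from the post or from any bank) that maps a password onto the standard telephone keypad, counts how many distinct alphanumeric passwords collapse onto the same digit string, and compares the resulting keyspace in bits. The treatment of punctuation (dropped) is an assumption; a real system might reject it or map it to another key.

```python
import math

# Standard telephone keypad letter groups (ITU E.161). 0 and 1 carry no letters.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
    "0": "", "1": "",
}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}


def keypad_digits(password: str) -> str:
    """Collapse a password the way a keypad-compatible store does:
    letters become their keypad digit (case is lost), digits stay as-is.
    Assumption: characters with no key (punctuation) are simply dropped."""
    out = []
    for ch in password.lower():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
    return "".join(out)


def equivalent_passwords(digits: str) -> int:
    """Number of distinct [A-Za-z0-9] strings that collapse to this digit string,
    i.e. how many other passwords the bank would accept as 'the same'.
    Each key accepts the digit itself plus each of its letters in either case."""
    total = 1
    for d in digits:
        total *= 1 + 2 * len(KEYPAD[d])
    return total


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Keyspace of a uniformly chosen password of this length, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample values; "password" is the one the post uses.
    for pw in ("password", "PassWord", "1bfikmrvz0"):
        d = keypad_digits(pw)
        print(f"{pw!r:14} -> {d}  ({equivalent_passwords(d):,} passwords collide)")
    print(f"8 chars of [A-Za-z0-9]: {entropy_bits(8, 62):.1f} bits")
    print(f"8 keypad digits:        {entropy_bits(8, 10):.1f} bits")
```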
The question is: so what? Well, besides the obvious fact that it's just wrong, here are a few ideas on what can happen inside the CRA portal (Details):
And just for good measure, some details from the FAQs posted on the sites:
What is a "credential"?
"Credentials" in information systems are widely used to control an individual's access to information or services. The combination of a card number or user name and a password is a widely-used example of a credential. The Government of Canada uses electronic credentials to allow users to communicate securely with online-enabled Government of Canada services.

What do you mean by authentication?
It is a secure means to recognize a user when accessing government services online. The user remains anonymous, and the authentication process just confirms that the credential is valid and is in the hands of the owner of the credential. Credential authentication does not reveal or confirm identity to the government website. It receives only a message confirming that your credential (username/password) was successfully validated by your bank or by the government.

Why is the Government of Canada offering users a choice of credentials?
By offering a choice of credentials, the Government of Canada is making its online services more convenient and easier to use. Many individuals already use their online banking credentials regularly. Being able to use these same credentials to access Government of Canada services online will simply mean one less User ID and password to remember.

Are the Commercial Credentials as secure as the Government Credential?
Whether one chooses to use the commercial credential service (SecureKey Concierge) or the government-issued credential service, be assured that your transaction will be safe and secure. The authentication process does not carry any personally identifiable information such as name, birth date etc. and relies on strong technology, built using industry best practices. The Government of Canada is leveraging these investments made by financial institutions for secure online environments.

Is any of my banking information shared if I use SecureKey Concierge?
When you use either your government credential or your online banking credential, none of the personally identifiable information related to your credential is communicated to the government service you are trying to access. For users of SecureKey Concierge, the identity of the financial institution will not be shared with the Government of Canada. Similarly, no information about the government service being accessed by the user will be shared with the user's bank.
See also: http://securekeyconcierge.com/faq/
Finally, an Introduction to SecureKey Concierge video.