I spoke to Hallie Cotnam on CBC Ottawa Morning about the hacks.
Over the August 15th weekend, the Canada Revenue Agency (CRA) took the drastic step of disabling user logins to its system. It did this because of two separate cyberattacks that exposed thousands of Canadians' accounts to fraud.
What Happened?
According to official statements and reports, the CRA fell victim to multiple cyberattacks that targeted users' accounts through credential stuffing.
A credential stuffing attack is when a cybercriminal takes credentials (username and password pairs) stolen from one site and tries them against another.
Credentials are commonly available for sale in the digital underground and are a prime target during any attack on a service.
With these credentials in hand, the cybercriminals simply try one pair after another, usually with automated tooling, to see which are still valid. When they gain access to an account, they exploit that access for their own gain.
During the CRA attack, this meant the attackers changed the direct deposit information on any account they could access. Then they either applied for the Canada Emergency Response Benefit (CERB) or diverted existing payments to attacker-controlled accounts.
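The pattern described above is visible in a login log: one source trying many different usernames with a low success rate, as opposed to one person mistyping their own password a couple of times. The script below is an added example (not code from the original post or from the CRA) that runs that check over a constructed sample log; the log format, the thresholds and the IP addresses are all assumptions for illustration.

```python
"""Spot credential-stuffing traffic in login logs (added example)."""
from collections import defaultdict

# Constructed sample log, not real CRA data. Assumed format, one attempt
# per line: "<timestamp> <source IP> <username> <SUCCESS|FAIL>".
SAMPLE_LOG = """\
2020-08-15T02:00:01Z 203.0.113.7 alice FAIL
2020-08-15T02:00:01Z 203.0.113.7 bob FAIL
2020-08-15T02:00:02Z 203.0.113.7 carol FAIL
2020-08-15T02:00:02Z 203.0.113.7 dave SUCCESS
2020-08-15T02:00:03Z 203.0.113.7 erin FAIL
2020-08-15T02:00:03Z 203.0.113.7 frank FAIL
2020-08-15T02:00:04Z 203.0.113.7 grace FAIL
2020-08-15T02:00:04Z 203.0.113.7 hank SUCCESS
2020-08-15T02:00:05Z 203.0.113.7 ivan FAIL
2020-08-15T02:00:05Z 203.0.113.7 judy FAIL
2020-08-15T02:00:06Z 203.0.113.7 kim FAIL
2020-08-15T02:00:06Z 203.0.113.7 leo FAIL
2020-08-15T08:12:40Z 198.51.100.4 alice FAIL
2020-08-15T08:12:55Z 198.51.100.4 alice FAIL
2020-08-15T08:13:10Z 198.51.100.4 alice SUCCESS
2020-08-15T09:01:00Z 198.51.100.9 carol SUCCESS
"""


def parse_line(line):
    """Split one log line into its fields; returns None for blank/odd lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, ip, user, result = parts
    return {"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"}


def detect_stuffing(lines, min_attempts=10, min_users=5, max_success_rate=0.2):
    """Return {ip: stats} for sources that look like credential stuffing.

    Signature (thresholds are assumptions for this example): many attempts,
    spread across many *different* usernames, with a low success rate.
    A legitimate user who mistypes their password only ever hits one account.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                  "users": set(), "hits": set()})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["attempts"] += 1
        entry["users"].add(rec["user"])
        if rec["ok"]:
            entry["successes"] += 1
            entry["hits"].add(rec["user"])

    flagged = {}
    for ip, e in per_ip.items():
        rate = e["successes"] / e["attempts"]
        if (e["attempts"] >= min_attempts
                and len(e["users"]) >= min_users
                and rate <= max_success_rate):
            flagged[ip] = {
                "attempts": e["attempts"],
                "distinct_users": len(e["users"]),
                "success_rate": round(rate, 3),
                # Accounts the attacker actually got into: these need a forced
                # password reset and a hold on any direct deposit change.
                "compromised": sorted(e["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

On this sample only 203.0.113.7 is flagged (12 attempts, 12 usernames, 2 hits), while the real alice at 198.51.100.4 is not. A per-source check like this is the first thing to tune, but stuffing tools routinely spread attempts across proxy pools, so in practice it is paired with a site-wide failure-rate baseline and a check of submitted passwords against known breach corpora.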
While this attack is based on a Canadian example, many governments have taken the same approach to pandemic relief: making it as simple as possible to get benefits. That has increased the likelihood that they will be targeted by cyberattacks. Cybercriminals see this as easy money.
Account Protections
The most common protection against credential stuffing is for a service to offer multi-factor or two-factor authentication.
With this technique, to log in a user needs:
- username
- password
- one time code
This one-time code is usually sent via text message or generated by an app on their smartphone. Some enterprises still use hardware tokens to accomplish the same thing, but that practice is being replaced by smartphones as it's a lot more convenient for users. Text message delivery is the weakest of these options, since codes can be intercepted through SIM swapping, but any second factor defeats a plain credential stuffing attack: the stolen password alone is no longer enough.
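The app-generated code mentioned above is almost always TOTP (RFC 6238), which is HOTP (RFC 4226) driven by a 30-second clock. The implementation below is an added example, not code from the original post or from any government system; it uses only the Python standard library and is checked against the test vectors published in those two RFCs (shared secret "12345678901234567890"). The replay check via `last_used` is a design choice of this example, not something the RFC mandates.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with a replay-resistant verifier (added example)."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password for a shared secret and 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """Time-based variant: the counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every 30 seconds."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret, submitted, at=None, window=1, step=30, digits=6,
                last_used=-1):
    """Server-side check.

    Accepts the current step and +/- `window` steps to tolerate clock drift,
    compares in constant time, and refuses any counter at or below
    `last_used` so a code that was already accepted cannot be replayed.
    Returns the matched counter (store it as the new `last_used`) or None.
    """
    if at is None:
        at = int(time.time())
    base = at // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_used:
            continue   # this code (or an older one) was already consumed
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (SHA-1 column); real secrets are random.
    secret = b"12345678901234567890"
    print("code at T=59:", totp(secret, at=59, digits=8))   # 94287082 per the RFC
    print("verify:", verify_totp(secret, "94287082", at=59, digits=8))
```

The point for the CRA scenario: an attacker who bought alice's password still cannot produce this code, because it depends on a secret that never left the user's phone and on the current time. The `last_used` counter matters too; without it, a code phished or sniffed in the last 30 seconds could be used twice.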
The CRA does not offer multi-factor authentication. Why?
Serving Citizens
While multi-factor authentication significantly increases the security of an account, it also increases the support burden.
Let’s be honest, most citizens only interact with the government sparingly. It’s not a daily use account like GMail, Twitter, or Facebook.
Because of that, multi-factor authentication actually presents a serious support risk.
The CRA doesn’t publish statistics on support calls, but I’m willing to bet they regularly work through the password reset process for most users. After all, you usually only interact with the Ministry during tax time or—at best—once a quarter for tax payments.
Authentication with the CRA and other government departments is actually quite complex, and citizens only see the tip of the iceberg. This is the source of the second cyberattack.
“Solving” Sign-Ons
The Canadian Government was at the forefront of online service delivery in the mid-nineties. Many departments provided their services online and that access has only grown.
One of the challenges of being out front early is that you learn some difficult lessons.
Authentication—determining who is who—was one of those lessons. Over thirty different departments created their own systems to manage authentication. The end result was that Canadians would have multiple accounts for dealing with the federal government.
This was and still is a huge problem.
It's been "solved" by multiple waves of a "one account to rule them all" strategy, the latest iteration being GCKey.
During the CRA hack, the cybercriminals not only used the stolen credentials directly against the CRA’s systems but also against the GCKey login to then gain access to the CRA accounts of affected individuals.
Lagging Behind
Because of the complexity of the access systems and the sheer number of departments involved, the authentication systems used by the government are lagging behind.
There are different requirements for password complexity. Some departments stick to the classic "8 characters or longer with at least an uppercase letter, a lowercase letter, a number, and a symbol." Others are slowly starting to standardize on the NIST SP 800-63B guidance (drafted in 2016, finalized in 2017): long passphrases, checked against lists of breached and commonly used passwords, with no forced composition rules and no periodic rotation.
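To make the difference concrete, the following added example (not code from the original post or from any government department) implements both policies side by side. The breach corpus is a constructed list of five strings, and the lookup mimics the k-anonymity range query used by Pwned Passwords (send the first five hex characters of the SHA-1, compare suffixes locally); the length cap of 64 and the username check are assumptions of this example.

```python
"""Composition rules vs. NIST SP 800-63B-style checks (added example)."""
import hashlib
import unicodedata


def legacy_policy(pw):
    """The classic rule: 8+ characters with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


# Constructed stand-in for a breached-password corpus. A real deployment
# queries a service such as Pwned Passwords; this table mimics its API:
# look up by the first 5 hex chars of SHA-1, get back every matching suffix.
_BREACHED_PLAINTEXT = [
    "password", "P@ssw0rd", "Summer2020!", "123456",
    "correct horse battery staple",   # famous phrases are in the lists too
]


def _build_range_table(plaintexts):
    table = {}
    for p in plaintexts:
        h = hashlib.sha1(p.encode()).hexdigest().upper()
        table.setdefault(h[:5], []).append(h[5:])
    return table


RANGE_TABLE = _build_range_table(_BREACHED_PLAINTEXT)


def is_breached(pw, table=RANGE_TABLE):
    """k-anonymity lookup: only the 5-character prefix leaves the client."""
    h = hashlib.sha1(pw.encode()).hexdigest().upper()
    return h[5:] in table.get(h[:5], [])


def nist_policy(pw, username=None, min_len=8, max_len=64):
    """Length plus breach/context blocklist, no composition rules.
    Returns (accepted, reason)."""
    pw = unicodedata.normalize("NFKC", pw)   # 800-63B: normalize before checking/hashing
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > max_len:                    # 800-63B says allow *at least* 64; cap is an assumption
        return False, "too long"
    if is_breached(pw):
        return False, "found in breach corpus"
    if username and username.lower() in pw.lower():
        return False, "contains username"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Summer2020!", "purple tractor melody seventeen"]:
        print(f"{candidate!r:36} legacy={legacy_policy(candidate)} nist={nist_policy(candidate)}")
```

"P@ssw0rd" and "Summer2020!" sail through the composition rule and fail the breach check; the four-word passphrase fails the composition rule and passes the NIST-style check. That is the whole argument for the newer guidance: composition rules push people toward predictable patterns that are already in the attackers' lists.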
The low frequency of use of these accounts makes rolling out multi-factor authentication difficult. While it would improve the security of individual accounts, it is also likely to create a huge support burden for an organization not known for its customer service, while at the same time locking a large number of Canadians out of their accounts.
This puts a lot of the burden for securing accounts on the account holder. These account holders have a wide range of technical literacy and most probably don’t even remember that they have this access until it’s absolutely needed (like the night before taxes are due).
That’s a problem without a clear solution.
What’s Next?
It’s easy to sit back and point out the problems…
“They should use multifactor authentication!”
“There should only be one authentication system for the government!”
…and while these statements are probably true, implementing them is a completely different matter. IT at this scale is messy at the best of times. Add the usual government overhead and it quickly becomes a nightmare.
It’s important to note that while the CRA leads the public service in data breaches by volume, they also have a proven track record of making very conservative decisions when recovering from an incident.
Time and time again, they have shut down services and taken a reputation hit in order to avoid any further risk to their users: Canadian citizens. That's admirable and, honestly, much appreciated by this citizen.
Eventually, authentication as a federal government service will get cleaned up. In the meantime, make sure that you are taking the following steps to protect your accounts:
- use a long passphrase whenever possible, seven or more random words is a good target
- enable multi-factor authentication wherever it’s offered
- use a password manager to store and generate new passwords
- use a unique password for every site and service you use (the password manager will help with this, and it's the one habit that makes credential stuffing fail outright)
- pay attention to any account update emails and if you didn’t make the change, contact the service provider immediately
- change your passwords if you have reason to suspect they have been breached (current NIST guidance no longer calls for rotation on a fixed schedule, so treat the breach trigger as the one that matters; an annual change does no harm if it's easier to remember)
Passwords are frustrating, annoying, and the least-worst solution to the problem of figuring out who you are online. They are critical to how the digital world works, which is why they are often the main target for cybercriminals.
A little password hygiene will go a long way to keep you safe online.