In the wake of data breaches at both of Canada’s credit monitoring agencies, some experts say the problem isn’t theft of social insurance numbers and other information, but rather our approach to proving who we are.
As social insurance numbers (SINs) continue to flow into the hands of hackers, industry players and consumers are increasingly on the hunt for an overhaul to how we identify ourselves in the digital age.
Over a lifetime, Canadians hand out their SINs left and right — to landlords, credit agencies, credit card companies, car rental firms, colleges and universities. In none of those cases are they required to do so, although a SIN is often requested.
Federal rules require citizens to provide their SIN only to certain government agencies as well as employers and — if the account earns interest — to financial institutions.
Starting in 1964, SINs originally served as client numbers tied to employment insurance programs and the Canada Pension Plan. The SIN's current use as a kind of ultimate identity marker has far outgrown its original intent, providing effective proof of who you are when matched up with another personal document or piece of information such as a driver’s licence or date of birth.
However, if criminals get hold of more than one of those ID verifiers, they could use them to file a fake tax return or apply for a loan or mortgage in your name, with consequences that could last decades.
Until the digital age, computer hacking hardly posed a risk to people's data. Nor were there large databases that stored millions of SINs, outside of government institutions and banks, says Rich Mogull, CEO of Phoenix-based security firm Securosis.
"Earlier, even in my lifetime — I’m only in my 40s — everything was more local. We went into our local bank, even credit cards were generally issued from a local bank," he said.
"But we started moving toward large-scale regional and national banking...and we started applying for things like loans online" — boosting the need for unique identifiers that could be presented remotely and recognized by a computer.
Increasingly, credit monitoring agencies, utilities companies and credit card vendors began to use social insurance numbers — or social security numbers in the United States — as key identifiers to keep track of clients.
"Everybody is relying on one number, and it’s not a secret," Mogull said.
"When I went to university my student ID number was my social security number," he recalled, shaking his head. "Once that number’s out there and exposed, there’s no taking it back. And it can be used for all sorts of fraud."
The problem drove Quebec resident Pierre Langlois to launch an online petition calling on Ottawa to replace social insurance numbers compromised by identity theft.
Moved to action last summer after a breach at Desjardins Group scooped up data from nearly 2.9 million members — including their social insurance numbers, names and addresses — Langlois posted a second petition asking the government to propose a "quick solution to this security problem."
With more than 147,000 signatories, the petition shied away from a more specific demand for two reasons, Langlois said: the difficulty of changing your SIN — proof of fraudulent use must be shown — and the dubious benefit of that tactic in the first place, since citizens with newly assigned numbers could be just as susceptible to data breaches down the line.
"The government is asking us to give it to every employer you've ever worked for. Do you think the small restaurant where you worked has higher security than a bank?" Langlois asked in a phone interview.
The solution, says Mogull, lies in local transactions or encrypted SIN storage that would make data theft harder.
Cryptographic keys are long strings of random numbers that can be used to unlock personal data, but Greg Wolfond, chief executive at Toronto-based SecureKey Technologies, is skeptical of cryptographic identifiers as the answer.
"I fear that the bad folks are still going to be able to take this data and use AI and put it together in smart ways to try to become you to get a loan, to file a fake tax return in your name," Wolfond said.
He wants to get away from the "static information" model that underpins ID confirmation and motivates data hacks. Instead, Wolfond is advocating something called real-time verification as the best way to show that you are, in fact, you.
His company's product, dubbed Verified.Me, allows customers to provide proof of their identity using information they've already given their financial institutions. The Verified.Me smartphone app connects with participating financial institutions and removes many of the steps currently required to establish a person's identity.
Though only a few financial products are available through the app, Verified.Me counts Desjardins and the Big Five banks as Canadian partners.
In the long run, the approach could include applying for a mortgage, renting an apartment or obtaining a driver's licence, Wolfond said.
In the past three years, millions of consumers have been affected by hacks against a panoply of companies including Canadian-based cheaters' website Ashley Madison as well as British Airways, Uber, Deloitte and Walmart.
TransUnion revealed Wednesday that the personal information of 37,000 Canadians may have been compromised this past summer, leaving both of Canada's credit monitoring agencies with data blemishes on their record.
Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and about 19,000 Canadians.
This report by The Canadian Press was first published Oct. 10, 2019.