In wake of data breaches, hunt for SIN alternatives intensifies

A SIN card is pictured in Kingston, Ontario on Thursday, May 9, 2019. THE CANADIAN PRESS IMAGES/Lars Hagberg

In the wake of data breaches at both of Canada’s credit monitoring agencies, some experts say the problem isn’t theft of social insurance numbers and other information, but rather our approach to proving who we are.

As social insurance numbers (SINs) continue to flow into the hands of hackers, industry players and consumers are increasingly on the hunt for an overhaul to how we identify ourselves in the digital age.

Over a lifetime, Canadians hand out their SINs left and right — to landlords, credit agencies, credit card companies, car rental firms, colleges and universities. In none of those cases are they required to do so, although a SIN is often requested.

Federal rules require citizens to provide their SIN only to certain government agencies as well as employers and — if the account earns interest — to financial institutions.

Starting in 1964, SINs originally served as client numbers tied to employment insurance programs and the Canada Pension Plan. Their current use as a kind of ultimate identity marker has far outgrown that original intent, providing effective proof of who you are when matched up with another personal document or piece of information such as a driver’s licence or date of birth.

However, if criminals get hold of more than one of those ID verifiers, they could use them to file a fake tax return or apply for a loan or mortgage in your name, with consequences that could last decades.

Until the digital age, computer hacking hardly posed a risk to people’s data. Nor were there large databases that stored millions of SINs, outside of government institutions and banks, says Rich Mogull, CEO of Phoenix-based security firm Securosis.

“Earlier, even in my lifetime — I’m only in my 40s — everything was more local. We went into our local bank, even credit cards were generally issued from a local bank,” he said.

“But we started moving toward large-scale regional and national banking … and we started applying for things like loans online” — boosting the need for unique identifiers that could be presented remotely and recognized by a computer.

Increasingly, credit monitoring agencies, utilities companies and credit card vendors began to use social insurance numbers — or social security numbers in the United States — as key identifiers to keep track of clients.

“Everybody is relying on one number, and it’s not a secret,” Mogull said.

“When I went to university my student ID number was my social security number,” he recalled, shaking his head. “Once that number’s out there and exposed, there’s no taking it back. And it can be used for all sorts of fraud.”

The problem drove Quebec resident Pierre Langlois to launch an online petition calling on Ottawa to replace social insurance numbers compromised by identity theft.

Moved to action last summer after a breach at Desjardins Group scooped up data from nearly 2.9 million members — including their social insurance numbers, names and addresses — Langlois posted a second petition asking the government to propose a “quick solution to this security problem.”

With more than 147,000 signatories, the petition shied away from a more specific demand for two reasons, Langlois said: the difficulty of changing your SIN — proof of fraudulent use must be shown — and the dubious benefit of that tactic in the first place, since citizens with newly assigned numbers could be just as susceptible to data breaches down the line.

“The government is asking us to give it to every employer you’ve ever worked for. Do you think the small restaurant where you worked has higher security than a bank?” Langlois asked in a phone interview.

The solution, says Mogull, lies in local transactions or encrypted SIN storage that would make data theft harder.

Cryptographic keys comprise a long string of random numbers that can be used to unlock personal data, but Greg Wolfond, chief executive at Toronto-based SecureKey Technologies, is skeptical of cryptographic identifiers as the answer.

“I fear that the bad folks are still going to be able to take this data and use AI and put it together in smart ways to try to become you to get a loan, to file a fake tax return in your name,” Wolfond said.

He wants to get away from the “static information” model that underpins ID confirmation and motivates data hacks. Instead, Wolfond is advocating something called real-time verification as the best way to show that you are, in fact, you.

His company’s product, dubbed Verified.Me, allows customers to provide proof of their identity using information they’ve already given their financial institutions. The Verified.Me smartphone app connects with participating financial institutions and removes many of the steps currently required to establish a person’s identity.

Though only a few financial products are available through the app, Verified.Me counts Desjardins and the Big Five banks as Canadian partners.

In the long run, the approach could include applying for a mortgage, renting an apartment or obtaining a driver’s licence, Wolfond said.

In the past three years, millions of consumers have been affected by hacks against a panoply of companies including Canadian-based cheaters’ website Ashley Madison as well as British Airways, Uber, Deloitte and Walmart.

TransUnion revealed Wednesday that the personal information of 37,000 Canadians may have been compromised this past summer, leaving both of Canada’s credit monitoring agencies with data blemishes on their record.

Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and about 19,000 Canadians.