CRA Shuts Down “Secure” Services on Security Concerns
CRA has shut down all “secure” access to their website (i.e. areas where you must log in are not currently available). These areas include EFILE, NETFILE, My Account, My Business Account and Represent a Client.
At the time of writing, CRA is expecting to resume electronic service over the weekend.
Rumors are circulating that the issue is due to a virus, but those rumors are simply not true – and the problem, though recently discovered, has existed for more than two years. The problem is a coding error (dubbed the “Heartbleed bug”) in the software that makes the transmissions secure. This software is widely used by many websites across the Internet and was used by such popular sites as Yahoo! Mail. The issue with a specific version of the software, which was released in December 2011, is that it is possible for a hacker to see some of the encrypted information. Unfortunately, it is impossible to tell what, if any, information has been compromised. The vulnerability was only discovered recently by security researchers.
Although it’s possible that some tax return information has been compromised as a result, the bigger issue is that logon data may have been compromised. If logon information has been compromised, this would allow the hacker to perform any function that the user could have performed by logging into the CRA site using the stolen username and password. As a precaution, CRA has closed down online access to these services until the situation is resolved.
A new release of the software with this issue fixed is already available, so the first step will be for CRA to upgrade its systems to the new version. Beyond that, CRA may determine that all existing passwords will have to be changed. For EFILE, that could be resolved by CRA issuing a new password to EFILERs. It has generally been CRA’s policy not to send passwords for other services through email, so it remains to be seen how access to Represent a Client, for example, will be restored. It does not appear that any of the Canadian banks that are CRA partners have been compromised, so one possibility is that login through a banking partner may be used. CRA has promised daily updates at 3PM EST on their home page until the issue is resolved.
Because this same software is in use by a significant number of websites, it is possible that passwords have been compromised elsewhere as well. Some pundits are recommending that all Internet passwords be changed. However, you need to be aware that if you change your password on a site that is still running the old version of the software, your new password may be compromised as well. If you have a password on a compromised site, be sure to change it only after the site is once again secure. In addition, credit card information may have been compromised if you have used your card for online purchases on a compromised site. Be sure to check your credit card statements carefully for fraudulent use.