How to practise ‘cyber hygiene’ in wake of CRA breach

August 16, 2020

TORONTO — As a recent breach of 5,500 accounts with the Canada Revenue Agency (CRA) has shown, personal hygiene isn’t the only thing Canadians need to worry about during this pandemic.

According to Ritesh Kotak, a digital technology expert, it’s important to keep up with your “cyber hygiene” as well to ensure you don’t become a victim of digital fraud.

The CRA temporarily suspended its online services on the weekend in response to the cyberattack. The agency, which has been used by thousands of Canadians during the pandemic to apply for the $2,000-per-month Canada Emergency Response Benefit (CERB) for COVID-19, said the attack was a “credential stuffing” scheme.

One victim told the Canadian Press that someone who had hacked into her account applied for CERB in her name and received funds by using her information.

But what is “credential stuffing”? And how can Canadians stay safe?

“A credential is a username and password, and stuffing is when, essentially you have these usernames and passwords and you test them against very popular sites,” Kotak told CTV News.

Hackers who have acquired hundreds of usernames and passwords will turn to bots to see if the account details allow them access to anything.

“This bot will actually go out, and it will try to input your username and password into popular sites, and if there’s a match, then the fraudster gets notified,” Kotak said.

“So the big question is, how do these hackers even get your username and password? And the most common way is through other breaches.”

If a financial institution, hotel, airline or any other place you have given your information to gets hacked, that personal information, such as a username, an email address and a password, can then be accessed and shared, Kotak explained.

“And if you’re re-using your username and password, you now become vulnerable to these types of attacks.”

If the login you’ve used to book a hotel that suffers a breach is the same as your login for your bank account, or another account that contains banking details on it, these hackers can gain access to an extraordinary amount of data.

“Once you get access to somebody’s account, it is whatever information is available on that account, you now have access to it,” Kotak said. “So it could be your personal information, your financial information, your previous returns, essentially anything. And once you’re in, you can also change up information, such as your mailing address or email address to make it even more difficult for the rightful owner to gain access back to their account.”

With this recent breach on the CRA, Kotak said it seems that the hackers were purely “after the money.”

“It seems that the motivation behind these breaches is strictly financial. It is to get as much money in a short amount of time as possible, without getting detected.”

Much like with guarding against COVID-19, the strategies you can use to avoid becoming the victim of a “credential stuffing” plot are as simple as putting on a mask or washing your hands.

Just use different passwords and usernames, Kotak says.

“It is convenient for us to use the same username and password,” he admitted. “We have maybe a hundred different accounts online, we have our email, we have data storage, we might have our food delivery apps, so we have a lot of different apps that all require usernames and passwords. And as a result, a lot of us kind of get a little bit lazy.

“Let this be a lesson on why it is important to have different usernames and passwords for different sites, so if a breach does occur, you will not be affected.”

Kotak calls it “basic cyber hygiene to have different usernames and passwords.” He emphasized that creating “strong passwords” which mix upper and lowercase letters, numbers, symbols, and avoid using “dictionary words” is also important.

However, he said the blame is not on just one person for these types of breaches.

There are other parties involved, such as the CRA and financial institutions, which are responsible for putting fraud detection mechanisms in place to catch these schemes early on.

“This is joint responsibility,” he said. “As users, use different usernames and passwords. As the CRA, or any government entity, ensure that you put proper security measures in place, and you use some sort of anomaly detection, and same thing with these financial institutions. If we all take these steps, then these types of breaches are preventable.” 
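The credential-stuffing pattern Kotak describes (a bot trying many leaked username/password pairs against one site, followed by the fraudster changing the mailing address on any account that opens) leaves a recognisable footprint in a login log, and it is that footprint the "anomaly detection" he asks of the CRA and financial institutions would look for. The following is an added example, not code from the article or from the CRA: it parses a small, constructed authentication log (the line format, the thresholds and the set of "sensitive" account actions are all assumptions made for the example), flags source addresses that try many different usernames in a short window with mostly failures, and then reports account changes made from a flagged source after it got a successful login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; not from the CRA or any real system).
# 203.0.113.7 cycles through leaked credentials, gets into "carol", then changes
# her mailing address. 198.51.100.20 is carol herself mistyping once; 198.51.100.21
# is dave legitimately updating his email.
SAMPLE_LOG = """\
2020-08-15T10:00:01Z src=203.0.113.7 user=alice action=login result=fail
2020-08-15T10:00:02Z src=203.0.113.7 user=bob action=login result=fail
2020-08-15T10:00:03Z src=203.0.113.7 user=carol action=login result=success
2020-08-15T10:00:04Z src=203.0.113.7 user=dave action=login result=fail
2020-08-15T10:00:05Z src=203.0.113.7 user=erin action=login result=fail
2020-08-15T10:00:06Z src=203.0.113.7 user=frank action=login result=fail
2020-08-15T10:00:07Z src=203.0.113.7 user=grace action=login result=fail
2020-08-15T10:00:08Z src=203.0.113.7 user=heidi action=login result=fail
2020-08-15T10:00:40Z src=203.0.113.7 user=carol action=update_mailing_address result=success
2020-08-15T10:05:00Z src=198.51.100.20 user=carol action=login result=fail
2020-08-15T10:05:30Z src=198.51.100.20 user=carol action=login result=success
2020-08-15T10:07:00Z src=198.51.100.21 user=dave action=login result=success
2020-08-15T10:07:30Z src=198.51.100.21 user=dave action=update_email result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Account changes an attacker makes to lock the rightful owner out (assumed set).
SENSITIVE_ACTIONS = {"update_mailing_address", "update_email", "update_direct_deposit"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect_stuffing_sources(events, window=timedelta(minutes=10),
                            min_users=5, max_success_rate=0.5):
    """Flag sources that try many distinct usernames within `window`, mostly failing.

    A real user retries one or two accounts; a stuffing bot walks a list of
    leaked pairs, so distinct usernames per source is the telling signal.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "login":
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):          # sliding window starting at each attempt
            users, successes, j = set(), 0, i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                users.add(evs[j]["user"])
                successes += evs[j]["result"] == "success"
                j += 1
            attempts = j - i
            if len(users) >= min_users and successes / attempts <= max_success_rate:
                flagged[src] = {"distinct_users": len(users),
                                "attempts": attempts, "successes": successes}
                break
    return flagged


def suspicious_account_changes(events, flagged_sources):
    """Sensitive changes made from a flagged source after it logged in successfully."""
    logged_in = set()   # (src, user) pairs that a flagged source opened
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] not in flagged_sources:
            continue
        key = (ev["src"], ev["user"])
        if ev["action"] == "login" and ev["result"] == "success":
            logged_in.add(key)
        elif ev["action"] in SENSITIVE_ACTIONS and key in logged_in:
            hits.append((ev["user"], ev["src"], ev["action"]))
    return hits


def analyse(text):
    """Return (flagged sources, suspicious account changes) for a log text."""
    events = parse_log(text)
    flagged = detect_stuffing_sources(events)
    return flagged, suspicious_account_changes(events, flagged)


if __name__ == "__main__":
    flagged, changes = analyse(SAMPLE_LOG)
    for src, stats in flagged.items():
        print(f"stuffing source {src}: {stats}")
    for user, src, action in changes:
        print(f"review account {user}: {action} from {src} after suspicious login")
```

The second check is what turns a noisy rate-limit signal into something an investigator can act on: a successful login from a flagged source followed by a mailing-address or email change is exactly the takeover sequence described above, and the account can be frozen and the owner contacted before any benefit payment goes out.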
