Wednesday, June 16, 2021

Vaccine Games

Got another Pfizer dose from the Richmond Green Sports Centre. The clinic was perfectly organised just like before.  However, getting appointments in Ontario continues to be difficult for almost everyone because the software is very poor quality.  Toronto has pop-up clinics when delayed vaccine shipments finally arrive.  These do not require appointments but thousands of people start lining up at 1:00am for an 8:00am opening. Many are disappointed.

I live in Richmond Hill which is in York Region which is in the northern part of the Greater Toronto Area (GTA).  Richmond Hill does not have pop-ups but some doses are available at pharmacies and hospitals.  I prefer the large clinic at the hockey arena.  Unfortunately, it is out of reach for people without cars.

I checked for covid19 appointment slots three weeks ago. Only age 80+ were eligible then and there were hundreds of open slots because of low demand by that cohort. I was informed to wait until June 14. Meanwhile, the second 80+ week was opened for 70+ but I did not notice until midweek when all the slots were taken. So I phoned the Ontario booking line which offered an appointment after twelve weeks which would give twenty-three weeks between shots. Never mind that.

On the next Monday, I logged in at 8:50 just before the 9:00am official booking time.  I could see slots opening and disappearing on the first day so I picked a slot for the next day.  I was put in a queue for a few minutes. After that, my slot was gone because someone ahead of me in the queue had taken my selection. Since the first days were first choices,  I selected another slot near the last day of the session which worked.  All the slots for seven days 9 to 6 were taken within ten minutes. 

No software was designed specifically for vaccine appointments. Instead, an existing system was hacked.  This system was intended to schedule after-school activities for parents and children. It does not have the capacity for the surge of vaccine demands so a first-in-first-out queue was added. But the hackers made a mistake.  They only put the person identifier in the queue. The slot was left open for others to select.  Imagine you have an Amazon shopping cart with several items and when you decide to check out, some of the items were already sold to another buyer.  That is the experience when attempting vaccine appointments.  Another bug is the ability to make multiple appointments but take only the most convenient.  Some selfish people will do that no matter the cost to others. It's the Trumpian thing to do.

Wednesday, June 02, 2021

Risky Login To CRA With CellPhone SMS

Communication with the CRA is mainly by HTTPS which is a secure protocol for everyday Internet activity. However,  they have introduced an additional login procedure which they call Multi-Factor Authentication (MFA). But "multi" is an exaggeration, it is better known as Two-factor Authentication (2FA).  They send a one-time, temporary passcode to your phone by SMS which you must enter on the login page to satisfy the procedure.

If CRA needs to contact you, they do not send the content of your concern, they post the content to your account and notify by email that you need to login and read the content.  This avoid exposing your personal information in email.  So they care about security.

It is probably ok to use SMS passcodes for social media and other amusements where money is not involved. However, billions of dollars flow through CRA which is an attraction for bad-actor hackers. And hackers have tools to capture SMS codes while logging in as you.  Cell phone networks have security bugs so information passing through them needs to be encrypted.  This can't be done with SMS which is plain text.

Google "risk of sms for authentication" and it's all bad news. The best advice is don't use SMS for 2FA/MFA.  It actually weakens security for CRA business.