Wednesday, June 02, 2021

Risky Login To CRA With CellPhone SMS

Communication with the CRA is mainly over HTTPS, which is a secure protocol for everyday Internet activity. However, they have introduced an additional login procedure which they call Multi-Factor Authentication (MFA). "Multi" is an exaggeration; with only two factors it is better known as Two-Factor Authentication (2FA). They send a one-time, temporary passcode to your phone by SMS, which you must enter on the login page to complete the login.

If the CRA needs to contact you, they do not send the content of your concern by email; they post the content to your account and notify you by email that you need to log in and read it. This avoids exposing your personal information in email. So they do care about security.

It is probably fine to use SMS passcodes for social media and other amusements where money is not involved. However, billions of dollars flow through the CRA, which makes it an attractive target for criminal hackers. And hackers have tools to capture SMS codes while logging in as you. Cell phone networks have security bugs, so information passing through them needs to be encrypted. This can't be done with SMS, which is sent as plain text with no end-to-end encryption.

Google "risk of sms for authentication" and it's all bad news. The best advice is: don't use SMS for 2FA/MFA. For CRA business it actually weakens security rather than strengthening it.