They should be cryptographically signed tokens you request for a single individual service, with a defined scope of access.
E.g. when you want to set up payroll tax at a new job, you go online or visit service canada, register a token, and share that with your employer.
When you’re authorizing H&R Block to do you taxes, you request a tax token for the current year.
When you’re opening a bank account you request a token and the bank verifies it.
When these leak they are easily reset, and when credit bureaus need access to your history for a hard check, they request a token with that permission.
This is kind of a pain but it means the office administrator can’t open a credit card in your name just because they have your info, and a leak at H&R Block gives a specific scope of investigation and resolution.
Your account can still be breached, buy that has a clear resolution step (verify your identity with service Ontario or Canada Post, invalidate tokens, file an investigation, and submit new tokens).
Then second step : shared responsibility for theft like if someone buy a car in your name you aren’t stuck with 100% of the problem because the dealership is 50% liable. Third step : Insurances need to be available for the residual risk but with 50-50 liability everyone will be on their best behaviour.
I agree but we don’t even have to get that far. No institution should rely on SIN secrecy. It’s as simple as that. It should be treated as semi-publicly available information like birthdates and important stuff like opening a bank account should require more factors of authentication.
Several countries don’t create these secret numbers that “no one should have but you” without having to rely on revoke-able tokens and whatnot. Like many things, crypto has a clever solution for this but the current status quo is so bad that a not-stupid approach would already be quite the improvement.
We really need to get rid of SIN numbers.
They should be cryptographically signed tokens you request for a single individual service, with a defined scope of access.
E.g. when you want to set up payroll tax at a new job, you go online or visit service canada, register a token, and share that with your employer.
When you’re authorizing H&R Block to do you taxes, you request a tax token for the current year.
When you’re opening a bank account you request a token and the bank verifies it.
When these leak they are easily reset, and when credit bureaus need access to your history for a hard check, they request a token with that permission.
This is kind of a pain but it means the office administrator can’t open a credit card in your name just because they have your info, and a leak at H&R Block gives a specific scope of investigation and resolution.
Your account can still be breached, buy that has a clear resolution step (verify your identity with service Ontario or Canada Post, invalidate tokens, file an investigation, and submit new tokens).
This guy gets it. 100% agree.
Then second step : shared responsibility for theft like if someone buy a car in your name you aren’t stuck with 100% of the problem because the dealership is 50% liable. Third step : Insurances need to be available for the residual risk but with 50-50 liability everyone will be on their best behaviour.
I agree but we don’t even have to get that far. No institution should rely on SIN secrecy. It’s as simple as that. It should be treated as semi-publicly available information like birthdates and important stuff like opening a bank account should require more factors of authentication.
Several countries don’t create these secret numbers that “no one should have but you” without having to rely on revoke-able tokens and whatnot. Like many things, crypto has a clever solution for this but the current status quo is so bad that a not-stupid approach would already be quite the improvement.