Massive, unfixed security flaw at Passport Canada
We just learned about a very serious security flaw in the Passport Canada website accepting online applications. Other people's information can be easily accessed by simply applying for a passport and then altering characters in your browser's address bar. The flaw was discovered by Jamie Laning, an IT worker at Algonquin Automotive, in Huntsville, Ontario. The available data includes SINs, driver's licence numbers, mailing addresses, business and phone numbers, federal ID card numbers and even a firearms licence number. Says Carlisle Adams, professor at U of O:
This is exactly how identity theft happens. If you want to take out a mortgage, for example, this is the type of information the bank is going to ask for to make sure you're really the person you're claiming to be. Then all of a sudden there's a mortgage in someone else's name.Although Mr. Laning alerted Passport Canada of the problem last week and the site was suspended through yesterday, the problem has not been fixed, despite Passport Canada's claim to the contrary. While the security flaw in itself is not the most terrible thing, it is deeply unsettling to learn that Passport Canada was unable to fix it within one week, that it deceptively claimed it fixed it and that Canadian law does not even require disclosure of privacy breaches. This means that there may be many more security breaches that happen but we do not know about them, unless somebody makes a FOF request.
The security breach follows two significant events concerning personal information. On Nov. 21, Justice Minister Rob Nicholson introduced legislation making it an offence to obtain, possess or traffic in people's identity information for the purposes of committing a crime. Just two days earlier, Britain's tax and customs service announced it had lost disks containing banking and personal data of 25 million people."I think it's very clear that a strong, mandatory security-breach law is long overdue in this country and it's cases like these that highlight it," said Michael Geist, a law professor at the University of Ottawa.This is not the first negative media report to hit Passport Canada. Only a couple of months ago, Canadian Press issued the following:
Canadian law does not require organizations to disclose when they've suffered security breaches. In the United States the majority of states have enacted legislation requiring organizations to disclose security breaches within a specified period of time.
Passport Canada is reporting continued long delays in processing mailed-in passport applications, despite a streamlined renewal process and hundreds of new employees. And there is concern those delays will only get longer as the busy winter travel season approaches.It now takes a minimum of six weeks to get a passport through the mail; two weeks longer than the agency's benchmark of four weeks.The way our secretive, inept government works, we would not be surprised if Mr. Laning would be charged with terrorism. It is much easier to find a scapegoat than hiring a knowledgeable IT security firm and have the problem fixed.
And that doesn't include the time it takes to get applications and documents through Canada Post.
UPDATE: Brian Masse (NDP) raised this issue in Question Period and Minister Maxime Bernier was told by CEO GĂ©rard Cossette that the website is now "among the most secure".
IT Business published an article citing concerns that the privacy breach will lead to ID theft.
Source: Passport applicant finds massive privacy breach, Globe and Mail Read More to See the Light...
EU Commissioner for Consumer Policy Web Chat
In yet one more sign that the European Commission is more committed to the interests of the individual citizens they represent, EU-commissaris - Meglena Kuneva will engage in a web chat on Wednesday, December 12. The topic of the discussion will be "product safety", particularly the last high-profile incidents with dangerous toys.
Information is a key element for making you, as Europe's citizens, fully aware of your fundamental rights as consumers. But, awareness alone is not enough. You should be able to play your full role as consumers; confident and able to discuss consumer issues. To this end, I plan to set up a web-chat. We at the Commission must be directly connected to your daily lives and we cannot do that without talking with you.
Kudos, Ms. Kuneva! :) Read More to See the Light...
Another strange Bell experience
I think among Canada's telecommunications monopolies, Bell Canada is the benevolent, customer oriented giant (while Rogers is the ugly duckling). Yet now and again, Bell Canada's customer service manages to disappoint.
Today I sent the Executive Office team the following message:
I am hereby requesting a cancellation of my Sympatico Internet account, a refund of any money charged for Internet services, and I am withdrawing permission to charge my credit card for Internet services effective immediately. I consider your failure to provide Internet services as agreed a breach of contract.
I ordered Total Internet 1Mbps over the Internet. The service was supposed to be activated on August 14, 2007. My repeated attempts to obtain a connection with the 2wire modem failed on every time.
On August 15 I attempted to contact Bell CS over the Internet, but the Bell CSR sugested I contact Sympatico then disconnected. I then tried to contact Sympatico CS over the Internet, but I received no response (see attached screen capture). The application forced me to use Internet Explorer, the most insecure browser available on the Windows platform, as it did not work with either Opera or Firefox. I then called 310-SURF and spoke to Abdul, who stated that they did not have any information in file, so I had to give it to him over the phone. He stated that the service will be available in about 2 days. He also mentioned that the line is not able to reach the stated speed, but will be at around 60% of 1Mbps.
A few days later I called again, but this time I spoke to a CSR with a strong accent, who, after placing me on hold and asking me to reboot the modem, told me that her tool does not allow her to activate the modem, but it will eventually be activated.
To this date, the modem does not connect to the CO, and the DSL light keeps blinking. Furthermore, I received an email about my Sympatico bill being available but I could not access it on your website.
While I am willing to pay $20/month of that service, I cannot pay $20/month for wasting time troubleshooting a connection that was supposed to work long time ago.
I am disappointed in the service I received from Sympatico, as I had expected at the very least for the service to be activated as claimed in the email sent August 8.
-
I also attached this photo:
I immediately got an automated response:
Thank you for emailing Bell Canada’s Executive Care Solution Centre.
We value your comments, and your concerns are important to us.
Your matter will be reviewed and someone will get back to you within 2 business days.
Thank you for your loyalty to Bell.
Bell Canada’s Executive Care Solution Centre
Hopefully, this matter, will be resolved soon.
Wunderbar Bell Experience
I recently called Bell Canada at 416-310-BELL to make some small changes to my account. It was 7:22pm, and their phone centre was called, so I tried doing those changes on the website. But - whaddyaknow! - I couldn't, so I just tried my luck with an Internet chat. Here it is:
Thank you for your patience an online representative will be with you shortly. Your wait time is approximately 21.
All of our online representatives are currently assisting other customers. Thanks for your patience. An online representative will be with your shortly. All of our online representatives are currently assisting other customers. Thanks for your patience. An online representative will be with your shortly. All of our online representatives are currently assisting other customers. Thanks for your patience. An online representative will be with your shortly. All of our online representatives are currently assisting other customers. Thanks for your patience. An online representative will be with your shortly. All of our online representatives are currently assisting other customers. Thanks for your patience. An online representative will be with your shortly. All of our online representatives are currently assisting other customers. Thanks for your patience. An online representative will be with your shortly. Welcome to bell.ca! You are chatting with Jean-Mary S. To assist you, may I please have your name and residential phone number with area code?
Jean-Mary S: I haven't heard from you. Do you wish to continue the chat?
you: hello
you: i have a question regarding extension call answer
you: i'm on the 6-flex plan and would like to replace phone maintenance with extension call answer is that possible?
you: hello
Jean-Mary S: Sure, I can definitely help you with that.
Jean-Mary S: For this please call us at 310-2355
Jean-Mary S: And we will help you, we can not do this online
you: i need to konw first if i can make the replacement, since phone maint. has restrictions on changing
Jean-Mary S: I don't have the answer please call at the phone number please
you: ??? what is then "Jean-Mary S: Sure, I can definitely help you with that. "???
Jean-Mary S: I mean I can help you but for the home phone service, please contact BEll, because I don't have this information online, sorry
As you can see, after I waited on-line for almost 30 minutes, and after being told that "sure, I can help you with that", she essentially told me to call 310-BELL, which was not possible at that time anyway. I gave the chat service a 2, bell a 5 or 6 and the rep a 4, for the following reasons:
- the waiting time was far too long, especially considering that the phone centre was closed
- although courteous, thoughtful and carefule, the chat representative was completely useless
- this seems to be a design issue rather than a problem with the rep, who seemed genuinely willing to help, but did not have the tools to do so
