Quebec is the only province where consumers can freeze their credit — an easy way to protect against identity fraud by blocking access to your credit report, so fraudsters can’t open credit card accounts or take out loans.
Credit freezes are “very useful and effective,” says anti-fraud consultant Vanessa Iafolla, especially in the wake of a growing number of data breaches, like the recent Ticketmaster incident, which exposed customers’ credit card information.
“When you have this much access to personal data, identifiable information, fraudsters can very easily get at the necessary information to secure credit products. So a credit freeze basically puts up a moat,” said Iafolla, from Anti-Fraud Intelligence Consulting, based in Halifax.
“And the reason why that is so deeply important when it comes to preventing fraud is that, by the time people usually figure out that their credit has been accessed, it’s too late.”
It’s amazing our system for identity theft is “discover incident yourself, prove there’s damage, get a police report, then we’ll think about giving you a new SIN but it restarts your credit history”.
In today’s day and age the SIN should be nothing more than a unique identifier for your identity, and should only be trusted when accompanied by a unique SIN authorization token:
This would not prevent a SIN + token pair from leaking, but they could only be abused within one institution, which is generally the same surface area as however your token leaked in the first place. Plus the source of the leak becomes immediately clear.
If there is a leak, you can report it and reauthorize a new token for whatever you need.
You could go further with this concept to improve it by adding a handshake with org level certificates and keys required to verify a token.
For situations where one company must verify your identity to another (e.g. an employee wants to submit your info for insurance purposes, or a bank wants to work with a partner bank), this is where a business entity level key could come into play. It wouldn’t be sufficient for the original auth token to propagate to the partner because that increases exposure during a leak.
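The per-institution token scheme proposed in the comment above, as an added Python example (not part of the thread and not any real system): `SinTokenAuthority`, `org_proof` and the institution names are hypothetical, and a shared-key MAC is assumed in place of the org-level certificate handshake.

```python
import hashlib, hmac, secrets

def org_proof(org_key, sin, token):
    # Institution-side half of the handshake: a MAC under its org-level key.
    # (A real design would sign a fresh challenge; omitted to keep this short.)
    return hmac.new(org_key, f"{sin}|{token}".encode(), hashlib.sha256).digest()

class SinTokenAuthority:
    """Hypothetical issuer of per-institution SIN authorization tokens."""

    def __init__(self):
        self._org_keys = {}  # institution -> org-level key
        self._tokens = {}    # sha256(token) -> [sin, institution, active]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register_org(self, org):
        self._org_keys[org] = secrets.token_bytes(32)
        return self._org_keys[org]

    def issue(self, sin, org):
        token = secrets.token_urlsafe(24)
        self._tokens[self._digest(token)] = [sin, org, True]  # only a hash is stored
        return token

    def verify(self, sin, token, org, proof):
        # Valid only if the caller holds org's key AND the token is active
        # and was issued for this SIN to this same institution.
        key = self._org_keys.get(org)
        if key is None or not hmac.compare_digest(org_proof(key, sin, token), proof):
            return False
        return self._tokens.get(self._digest(token)) == [sin, org, True]

    def leak_source(self, token):
        # A token seen in the wild names the institution it was issued to.
        rec = self._tokens.get(self._digest(token))
        return rec[1] if rec else None

    def reissue(self, sin, org):
        # Revoke every token this SIN holds at org, then hand out a fresh one.
        for rec in self._tokens.values():
            if rec[:2] == [sin, org]:
                rec[2] = False
        return self.issue(sin, org)
```

A SIN and token pair copied from one institution fails `verify` when any other institution presents it, because that caller cannot produce the first institution's proof and the token is not bound to its own name.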