We really need to get rid of SIN numbers.
They should be cryptographically signed tokens you request for a single individual service, with a defined scope of access.
E.g. when you want to set up payroll tax at a new job, you go online or visit Service Canada, register a token, and share that with your employer.
When you’re authorizing H&R Block to do your taxes, you request a tax token for the current year.
When you’re opening a bank account you request a token and the bank verifies it.
When these leak they are easily reset, and when credit bureaus need access to your history for a hard check, they request a token with that permission.
This is kind of a pain but it means the office administrator can’t open a credit card in your name just because they have your info, and a leak at H&R Block gives a specific scope of investigation and resolution.
Your account can still be breached, but that has a clear resolution step (verify your identity with Service Ontario or Canada Post, invalidate tokens, file an investigation, and submit new tokens).
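A sketch of the scoped, resettable token the comment above proposes, added here as an example and not part of the original post. The `Issuer` class, the claim names, the audience and scope strings and the use of HMAC in place of a real public-key signature are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

class Issuer:
    # Hypothetical issuer; HMAC-SHA256 stands in for a public-key signature (assumption).
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._revoked = set()  # ids of tokens the holder has reset

    def _sign(self, body: bytes) -> bytes:
        return base64.urlsafe_b64encode(hmac.new(self._key, body, hashlib.sha256).digest())

    def issue(self, subject, audience, scope, ttl, now=None):
        now = time.time() if now is None else now
        claims = {"jti": secrets.token_hex(8), "sub": subject,
                  "aud": audience, "scope": scope, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return (body + b"." + self._sign(body)).decode()

    def _claims(self, token):
        body, sep, sig = token.encode().partition(b".")
        if not sep or not hmac.compare_digest(sig, self._sign(body)):
            return None  # forged, truncated or altered token
        return json.loads(base64.urlsafe_b64decode(body))

    def revoke(self, token):
        claims = self._claims(token)
        if claims:
            self._revoked.add(claims["jti"])

    def verify(self, token, audience, scope, now=None):
        now = time.time() if now is None else now
        claims = self._claims(token)
        if claims is None:
            return "bad-signature"
        if claims["jti"] in self._revoked:
            return "revoked"
        if now >= claims["exp"]:
            return "expired"
        if claims["aud"] != audience or claims["scope"] != scope:
            return "out-of-scope"
        return "ok"

def demo():  # constructed sample: one payroll token, four checks
    gov = Issuer()
    tok = gov.issue("citizen-123", "employer-acme", "payroll-tax", ttl=3600, now=0)
    seen = [gov.verify(tok, "employer-acme", "payroll-tax", now=10),
            gov.verify(tok, "card-issuer", "credit-check", now=10),
            gov.verify(tok, "employer-acme", "payroll-tax", now=7200)]
    gov.revoke(tok)  # holder resets the token after a leak
    return seen + [gov.verify(tok, "employer-acme", "payroll-tax", now=10)]
```

`demo()` returns `["ok", "out-of-scope", "expired", "revoked"]`: the payroll token works for the employer it was issued to, is useless for a credit check, and stops working once it expires or is reset.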
This guy gets it. 100% agree.
Then second step: shared responsibility for theft, like if someone buys a car in your name you aren’t stuck with 100% of the problem because the dealership is 50% liable. Third step: Insurance needs to be available for the residual risk but with 50-50 liability everyone will be on their best behaviour.