
ePass Canada is not Secure

If you’re Canadian and have recently tried filing your taxes online, ordering a passport, or changing your address, you’re familiar with the ePass Canada system. Chris and I have already detailed how frustrating it is to use, but my experience has also revealed that the system is fundamentally insecure. Obviously I’m not willing to demonstrate exactly how a hack could be executed against the system (I’m not that stupid), but I can outline the security risk in broad terms.

If you’re a web developer and you’ve never heard of cross-site scripting, take an hour and read up on it. It’s probably the number one open exploit on the web, and if you haven’t heard of it, it’s probably open on your site. In its simplest form, it allows malicious hackers to put up fake login forms (or anything else they want) on a legitimate website and trick visitors into giving away sensitive information.

For example, they could make a page on the government domain gc.ca, secured by SSL, that looks exactly like the ePass login form and trick you into giving the hacker your username and password (a process known as phishing). They can even make it look like you’ve logged in successfully, and if you trust the ePass system, would you really have a second thought about giving them your social insurance number, credit card number, or any other document?
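To make the mechanism concrete, here is an added example (not code from the original post and not ePass’s code) showing the one mistake that makes a fake login form possible: a page that copies a URL parameter into its HTML without encoding it. The page layout, the hypothetical “search” parameter and the sample input are all constructed for the illustration; the fix is the standard one, encoding untrusted text for the HTML context it lands in.

```javascript
// Added example (not from the original post): a reflected-XSS vulnerable
// page renderer beside a hardened one, runnable with Node.js. The page
// layout and the "search" parameter are hypothetical.

// Escape the characters that let user input break out of an HTML text
// node or a double/single-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the query value is concatenated into the page untouched,
// so any markup in the URL becomes markup in the server's response,
// served from the legitimate domain over the legitimate certificate.
function renderSearchVulnerable(query) {
  return '<html><body><h1>Results for: ' + query + '</h1></body></html>';
}

// HARDENED: the same page, with the untrusted value encoded for the
// HTML text context it is placed in. The browser shows the text
// literally instead of rendering it as elements.
function renderSearchSafe(query) {
  return '<html><body><h1>Results for: ' + escapeHtml(query) + '</h1></body></html>';
}

// Crude check used only for this demonstration: does the rendered page
// contain any element that the template itself did not put there?
function containsInjectedMarkup(html, templateTags) {
  const tags = html.match(/<\/?([a-z][a-z0-9]*)/gi) || [];
  return tags.some(t => !templateTags.includes(t.replace(/[<\/]/g, '').toLowerCase()));
}

// Constructed sample input: a query string carrying a look-alike login
// form of the kind the post describes. The action path is a placeholder.
const INJECTED_QUERY =
  'taxes<form action="/hypothetical-lookalike">Password: <input name="pw"></form>';
const TEMPLATE_TAGS = ['html', 'body', 'h1'];

// Render the constructed input through both versions and report whether
// the injected form survived into the page.
function demo() {
  const vulnerable = renderSearchVulnerable(INJECTED_QUERY);
  const safe = renderSearchSafe(INJECTED_QUERY);
  return {
    vulnerableInjected: containsInjectedMarkup(vulnerable, TEMPLATE_TAGS), // true
    safeInjected: containsInjectedMarkup(safe, TEMPLATE_TAGS),             // false
    safe,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('vulnerable page contains injected form:', r.vulnerableInjected);
  console.log('hardened page contains injected form:', r.safeInjected);
  console.log(r.safe);
}
```

The point of the two renderers side by side is that SSL and the gc.ca domain are doing exactly what they are supposed to do in both cases; what differs is only whether the server treats a query parameter as text or as HTML. Encoding at output time is the fix for this context; a value placed inside a script block, a URL or a CSS property would need the encoding appropriate to that context instead.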

So I ask, why is there this big, gaping hole (sorry for the goatse imagery) in the ePass Canada system?! Millions of tax dollars were spent on this program, and it’s completely open to exploit by the lowliest of hackers. We have (and I have to admit that I had to google this one) a Canadian Cyber Incident Response Centre (CCIRC) that is documenting every security hole in Firefox, but they aren’t analyzing the government’s own online system? FutureShop.ca is more secure than the ePass system!

In the end, it’s up to you whether you use the ePass system or not. There’s no way I’d file my taxes on paper, so I’ll probably continue using it myself. But rest assured that someone (who’s a much better “hacker” than I) has also seen these same security holes, and if they haven’t exploited them already, it’s just a matter of time. If they already have, would we even know about it? ;-)


This entry was posted on Friday, January 12th, 2007 at 12:59 am and is filed under Security, Web Development.

2 Responses to “ePass Canada is not Secure”

  1. hal Durant says:
    April 18, 2009 at 11:53 pm

    Hey.. I just received a message with the heading Government of Canada (ePass Canada) telling me I am entitled to a 241 dollar tax refund… I have a number of questions… one: why are they asking for my credit card number and the last three digits and expiry date… question: why did they not send any rebate by Canada Post… three: how in hell did they get my email address to send me this notation…
    It would appear that someone has already hacked the system… Hal

  2. Jonathan says:
    April 19, 2009 at 10:41 am

    What was the sender’s email address? Did they actually have your SIN number or anything? Spammers were probably just blanketing everyone with a generic message trying to trick you into putting in your credit card on some clone of the ePass site. AFAIK, the government doesn’t give back money on credit cards.

    I would recommend forwarding it on to ePass to have a look at, but if you follow the rest of my posts, you’ll see I’m still waiting 2 years later for them to get back to me about the security hole I found :)
