Quebec is the only province where consumers can freeze their credit — an easy way to protect against identity fraud by blocking access to your credit report, so fraudsters can’t open credit card accounts or take out loans.
Credit freezes are “very useful and effective,” says anti-fraud consultant Vanessa Iafolla, especially in the wake of a growing number of data breaches, like the recent Ticketmaster incident which exposed customers’ credit card information.
“When you have this much access to personal data, identifiable information, fraudsters can very easily get at the necessary information to secure credit products. So a credit freeze basically puts up a moat,” said Iafolla, from Anti-Fraud Intelligence Consulting, based in Halifax.
“And the reason why that is so deeply important when it comes to preventing fraud is that, by the time people usually figure out that their credit has been accessed, it’s too late.”
To answer your question “why only Quebec”, it seems it’s a law in response to the major data breach of Groupe Desjardins in 2019.
So basically, a law written in “blood”.
It’s amazing our system for identity theft is “discover incident yourself, prove there’s damage, get a police report, then we’ll think about giving you a new SIN but it restarts your credit history”.
In today’s day and age the SIN should be nothing more than a unique identifier for your identity, and should only be trusted when accompanied by a unique SIN authorization token:
- You have a new job or tax situation, or need proof of eligibility to work in Canada, or need to satisfy KYC for a bank or financial institution.
- You visit Service Canada or the CRA and revalidate your identity, then you may request a new Social Insurance Authorization Token.
- You provide the unique token and your SIN number to the employer/bank/etc.
- The bank or company verifies the token and your identity with Service Canada. A stolen SIN no longer proves authorization, it simply identifies you.
- All tax forms from that institution, and all banking details must be submitted with the SIN and token.
This would not prevent a SIN + token pair from leaking, but they could only be abused within one institution, which is generally the same surface area as however your token leaked in the first place. Plus the source of the leak becomes immediately clear.
If there is a leak, you can report it and reauthorize a new token for whatever you need.
You could go further with this concept to improve it by adding a handshake with org level certificates and keys required to verify a token.
For situations where one company must verify your identity to another (e.g. an employee wants to submit your info for insurance purposes, or a bank wants to work with a partner bank), this is where a business entity level key could come into play. It wouldn’t be sufficient for the original auth token to propagate to the partner because that increases exposure during a leak.
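
An added sketch of the per-institution token idea proposed above (not code from the thread or from any government system): a registry issues a random token bound to one SIN and one institution, verifies it only for that pair, and can name the institution a leaked token came from. `TokenRegistry`, its method names, the institution ids and the in-memory store are all assumptions for illustration, and the organization-level key handshake is not modelled.

```python
import hashlib
import hmac
import secrets

class TokenRegistry:
    """Hypothetical issuer-side registry (the Service Canada role in the proposal)."""

    def __init__(self):
        # (sin, institution) -> SHA-256 of the active token; raw tokens are not stored
        self._active = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, sin, institution):
        """Issue a token bound to one institution, replacing any earlier one."""
        token = secrets.token_urlsafe(32)
        self._active[(sin, institution)] = self._digest(token)
        return token

    def verify(self, sin, institution, token):
        """True only for the active token of this exact SIN + institution pair."""
        expected = self._active.get((sin, institution))
        return expected is not None and hmac.compare_digest(expected, self._digest(token))

    def revoke(self, sin, institution):
        """Reported leak: the old token stops verifying immediately."""
        self._active.pop((sin, institution), None)

    def trace_leak(self, sin, token):
        """Name the institution a leaked token was issued to (None if not active)."""
        digest = self._digest(token)
        for (s, institution), stored in self._active.items():
            if s == sin and hmac.compare_digest(stored, digest):
                return institution
        return None

def demo():
    reg, sin = TokenRegistry(), "000-000-000"  # constructed placeholder SIN
    bank_token = reg.issue(sin, "bank-a")
    reg.issue(sin, "employer-b")
    out = {"bank_ok": reg.verify(sin, "bank-a", bank_token),
           "cross_use": reg.verify(sin, "employer-b", bank_token),
           "leak_source": reg.trace_leak(sin, bank_token)}
    reg.revoke(sin, "bank-a")
    out["old_after_revoke"] = reg.verify(sin, "bank-a", bank_token)
    out["reissued_ok"] = reg.verify(sin, "bank-a", reg.issue(sin, "bank-a"))
    return out
```

Calling `demo()` shows the bank's token failing at the employer, the leak tracing back to `bank-a`, and the old token failing once it is revoked and replaced.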