Tuesday, February 13, 2007

STILL flaws and security with SIN and Passports

Fraser: Feds fail to improve management of the Social Insurance Number scheme

Progress in closing passport security gaps, but weaknesses remain, AG says

Fraser: Feds fail to improve management of the Social Insurance Number scheme
CanWest News Service February 13, 2007

OTTAWA - The federal government has consistently failed to improve management of the Social Insurance Number scheme or how Canadians' personal information is used, says a damning report by Auditor General Sheila Fraser.

Both are long-standing problems that have real and serious implications in an age of identity theft and security fraud, she warned.

Fraser singled out the management of the Social Insurance Number as having serious and widespread problems that, unlike other areas under audit, haven't incorporated prior recommendations to improve its operations.

"This is the fourth time since 1998 that we've reported these two problems," Fraser said in a statement. "The government should have resolved them by now."

Despite identifying problems numerous times over the course of nine years, the audit found that the Human Resources and Social Development Department doesn't properly keep track of personal information and other data kept in its Social Insurance Register, which creates the potential for fraud and other abuses of the number.

Problems with the government's database, and the fact personal information is often unreliable, incomplete and not up to date, means there is an increased risk of fraud, identity theft and other security problems, according to the report.

"The prevalence of identity theft and the associated risks and costs to individuals and other stakeholders make the integrity of the register important not only for the department, but for all programs that rely on the SIN," the report says.

The audit found that in the Canadian population aged 30 and over as of June 2005, there were nearly three million excess SINs. Of the three million, about 2.1 million were classed as dormant, which is associated with a higher degree of risk for fraud.

Dormant SINs can be used as the "first step to access benefits," like Employment Insurance, Old Age Security and Canada student loans because federal agencies that administer such programs are not told when cards are inactive.

"It is important that this information be accurate and up to date to protect against fraud," the report says.

Exacerbating the problem is the fact the SIN is being more widely used both inside and outside the government, and can consequently be used to access social programs, banks, the Canada Revenue Agency and to steal a person's identity if it falls in the wrong hands.

Although there has been a significant decrease from the five million excess SINs reported in the 2002 audit, there is still a large number of dormant and unauthorized cards that could represent increased risks of fraud or other security issues.

"Confirming identity has taken on heightened importance in light of growing security concerns, identity fraud, and use of the Internet and telephone for service delivery," the report says.

The report also criticizes the fact federal departments aren't clearly told how they can use the number, which has led to different interpretations and policies on the control of the number. In addition, the Youth Initiatives program of the federal government continues to use the SIN, despite the fact it is not authorized to do so.

Fraser noted the Human Resources Department has made improvements with the way it issues SINs and how it identifies and investigates related fraud.

Fraser's report says the department is working on a plan to better manage the information in the database, an indication that it may be on the way to resolving the long-standing problems.

Progress in closing passport security gaps, but weaknesses remain, AG says
February 13, 2007 CBC News

The federal government has made progress in tightening some security gaps in Canada's passport program but weaknesses in critical areas remain, the auditor general says.

In her report tabled Tuesday, Sheila Fraser, who two years ago found serious security weaknesses in the passport office, said Passport Canada is moving quickly to address concerns.

"I am pleased with the progress Passport Canada has made in the relatively short time since our 2005 audit," she said from Ottawa.

Fraser said Passport Canada is improving its security watch list by sharing database information with Corrections Canada and the police. But she said the list should be made broader to include not only convicted criminals, but people charged with serious crimes.

She said passport personnel now have the proper training to determine whether identity documents are authentic. But, added Fraser, the system could be improved by having a computer link with the provinces so passport workers could verify vital birth information of Canadian-born applicants.

A similar link with Immigration Canada could check the vital statistics of new Canadians, she said.

"There are still some weaknesses in the critical areas of security and verification of identity," she said.

Worries about gaining security access

She said it's still too easy to get access to the passport system, and employees who don't have the authority to make them are able to do so through a generic user identification system.

"It is something that we think the department can easily resolve. They did try to make an effort to do that but they weren't very effective, so I would hope they would address that quickly."

The agency has admitted that wait times for passports are stretching to 60 days since a U.S. law took effect on Jan. 23 that requires all Canadians on flights to the U.S. to have a valid passport.

Fraser said regional passport offices had no contingency plans to deal with the increased demand.

Fraser also expressed concern about "two serious and long-standing problems" with management of Social Insurance Numbers — there's questionable accuracy of the massive list of number holders and lack of clarity about how federal departments may use the key identifier.

"This is the fourth time since 1998 that we've reported these two problems," she said. "The government should have resolved them by now."

Agencies rely on SIN numbers to issue billions of dollars in federal benefits and the number is also commonly used outside government.

Fraser said strong management of the SIN system was "more important than ever," given the growing global incidence of identity theft, fraud and security risks.