myGov hackers stealing data through ‘side entrance’, report says

The last time I tried to log into myGov I got locked into an endless loop. The system told me I needed a new login code, but I couldn’t get a new code without logging in. Which makes it all the more galling to hear that fraudsters are scamming the government via myGov security vulnerabilities.

According to a new report, though, that is indeed happening. The report, Keeping myGov secure, was prepared by Commonwealth ombudsman Iain Anderson. Mr Anderson’s remit was to investigate Services Australia’s response to myGov fraud arising from unauthorised linking to member service accounts.

This followed media revelations in 2022 of escalating incidents of tax fraud committed by unauthorised third parties. The frauds were committed by linking genuine taxpayer records to fake myGov accounts.

The report’s findings were quite damning. Chief among them was that “myGov’s current security controls do not adequately protect people from unauthorised linking where identity theft has occurred”.

As a result of the findings, the ombudsman has outlined four recommendations and two suggestions for removing myGov’s vulnerabilities.

Unauthorised linking to myGov

The vulnerabilities exposed by Mr Anderson allowed fraudsters to use Centrelink and Medicare to engage in what’s called ‘unauthorised linking’. This entails a genuine myGov customer’s service account being linked to a fake myGov account by another party, without authorisation. The fake accounts could then be used to make bogus tax claims worth thousands of dollars, or to falsely claim support payments.

For some unsuspecting genuine myGov account holders, this had distressing consequences, such as having accounts locked and payments suspended. 

Mr Anderson’s report highlighted six key findings:

  • myGov’s current security controls do not adequately protect people from unauthorised linking where identity theft has occurred.
  • The preventative control for unauthorised linking is each individual member service’s ‘proof of record ownership’ (PORO) processes.
  • Variability in the standard of proof required to satisfy PORO processes across member services presents shared risk for myGov participants.
  • There are no additional security checks to ensure high-risk transactions are authorised by the genuine customer.
  • An apparent lack of formal processes for managing shared risks across the myGov ecosystem.
  • Services Australia’s ability to provide a coordinated response to customers reporting data breaches and fraud may be limited by its enabling legislation.

Fixing the holes

The report delivered four detailed recommendations, along with two suggestions, for preventing unauthorised linking by fraudsters. One of those was the implementation of additional security controls such as two-factor authentication across member services for high-risk transactions.

Mr Anderson also suggested greater communication between Services Australia and other departments, allowing them to “share learnings”.

“Given the stress and anxiety people have told us they experienced after finding out their personal information had been breached and fraudulent actions taken in their name, we consider it is essential for Services Australia to provide accessible, consistent and clear information when helping people impacted by myGov fraud.”

After the debacle that was Robodebt, any lessening of stress and anxiety in all myGov areas would be very welcome.


Andrew Gigacz