A new report into the security of Australians’ myGov accounts has revealed serious vulnerabilities and exposed how hackers exploited the platform’s account-linking feature to take over Centrelink, Medicare and Australian Taxation Office accounts.
The study found that hackers were exploiting Medicare and Centrelink accounts through the myGov platform by linking them to fake myGov accounts and then making fraudulent claims worth thousands of dollars, or falsely claiming tax and alimony payments.
This practice is called “unauthorized linking”: the member service account of a genuine myGov customer is linked, without authorization, to a “fake” myGov account controlled by another party.
Many victims have had their accounts blocked and payments suspended, causing further harm, according to a report by ombudsman Iain Anderson.
The report follows an investigation sparked by the discovery of large volumes of confidential information, including myGov login details, being sold online.
Anderson’s report on myGov fraud found that “myGov’s current security controls do not adequately protect people from unauthorized links where identity theft has occurred.”
The Ombudsman made four recommendations to Services Australia to improve its security, all of which it accepted.
Services Australia and its partners responded to more than 6,000 scams attempting to impersonate myGov in 2023, Government Services Minister Bill Shorten said in April.
How hackers exploit myGov accounts
The Ombudsman said it had received complaints from people affected by fraudsters using stolen personal information to access their Centrelink, Medicare and ATO online accounts through myGov.
Personal information was stolen in a variety of ways, including targeted attacks, phishing scams, purchasing someone’s information on the dark web, and harvesting personal information from documents found in household or workplace rubbish or stolen from mailboxes.
The perpetrators then submitted false applications for Centrelink payments, advances and loans in the victims’ names and redirected their pension payments.
Some victims were then unable to qualify for financial assistance, such as the child care allowance, until Services Australia and its member services had completed their investigations.
What does the ombudsman’s report find?
The investigation found that myGov’s security controls do not protect people from having their accounts linked and exploited once their data is stolen.
The report also reveals that there are not enough security checks to confirm a customer’s identity, particularly when it comes to changing bank details.
It highlighted that unauthorized linking is a serious problem that could be addressed by requiring stronger evidence of identity before Medicare and Centrelink accounts can be linked to the central myGov hub.
“We found that overall, current security measures aim to prevent fraudsters from accessing customers’ genuine myGov accounts, but do not necessarily prevent them from accessing member service accounts via unauthorized links,” the report said.
The report recommends changes to the way Services Australia manages account linking security, including two-factor authentication for every high-risk transaction, including changing bank details.
It also recommended establishing a formal process to investigate and rectify breaches, and seeking additional external legal advice on better information sharing between departments.
How has Services Australia responded?
Jarrod Howard, acting chief executive of Services Australia, said the organization welcomed the ombudsman’s investigation.
“Services Australia is committed to protecting people from identity theft and scammers,” he wrote in a letter attached to the report.
“The investigation provides us with useful recommendations on how we can further strengthen the security of the myGov platform and the role of member services in strengthening security, and gives us confidence that we are on the right track with a number of measures that we already have in progress.”