Services Australia will implement a range of security challenges and controls in myGov by June next year, after criminals exploited the platform’s single sign-on model and the unlimited creation of accounts.
The agency has committed “to ensure sufficient and consistent verification steps are in place” across its own services accessed via myGov - Centrelink, Medicare and Child Support.
But it will be up to other departments and agencies that run digital service delivery through myGov to do the same on their ends to ensure consistency.
A Commonwealth Ombudsman investigation [pdf] found that where cybercriminals used stolen credentials to access a myGov account, they generally faced no further challenges when changing personal details, bank accounts or linking to other digital government services or accounts.
Users may also not receive any indication of changes being made to their accounts.
Early in the investigation, Services Australia indicated this was a feature, not a flaw.
“Once a customer is signed into their myGov account, there are currently no additional security measures for high-risk transactions,” the ombudsman found.
“Services Australia advised this is because myGov was designed to provide a single sign-on to securely access government services and reduce the need for multiple online accounts and passwords.”
But the ombudsman saw this model as being at odds with a broader push by the government towards multi-factor authentication (MFA).
The ombudsman suggested MFA challenges could be used when performing certain actions within myGov accounts.
“In our view, requiring multi-factor authentication for high-risk transactions offers substantial mitigation against the risk of loss resulting from unauthorised linking and access to genuine customer accounts, by alerting customers in real time that their records may have been breached and stopping unauthorised transactions before they are finalised,” it said.
The ombudsman also found inconsistencies between customer service channels in the handling of account changes.
Centrelink’s contact centre agents, for example, are required to challenge a bank account change by asking the user to confirm the existing details in the system.
“However, no such check is required when a user updates bank details in a Centrelink online account,” the ombudsman said.
Even the phone-based challenge was inconsistently applied.
In one case, a fraudster “was able to change the address, bank account details for [an] account and lodge a disaster recovery payment claim” by calling in.
The ombudsman said that “claims staff did not ask all the required security questions of the fraudster” during the phone call.
In this particular case, the fraudster moved between various online services, trying different avenues to redirect payments or make claims.
The ombudsman found this was possible because each service in myGov does not tell the others when a customer’s account has been breached.
Services Australia said it was legislatively prevented from flagging a breach involving one service - for example, Centrelink - with others within its own agency, such as Medicare - let alone with other departments.
Legal advice is now being sought on the extent to which this is actually true.
Raft of security protections now in the works
Services Australia has committed to a range of security improvements for myGov.
These include setting baseline standards and controls for all services accessed via myGov, as well as specific IT changes within Services Australia’s portfolio.
These will add “security around updates to bank accounts; and obfuscation of bank account details in the online platforms for Centrelink, Medicare, Child Support (as well as the Centrelink payments service in myGov).”
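The ombudsman’s recommendation above (a fresh second factor before any high-risk transaction, with a real-time alert to the customer) and the bank-detail obfuscation Services Australia has now committed to are two halves of one pattern: being signed in is not enough to change where money goes, and a signed-in intruder should not be able to read the full details that a phone-channel check later asks them to confirm. The following is an added example of that pattern written for this page; it is not myGov’s or Services Australia’s code. The list of high-risk actions, the session fields, the 300-second validity window for a step-up check and the enrolled TOTP secret are all assumptions; the one-time code is RFC 4226/6238 HOTP/TOTP with HMAC-SHA1.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

# Actions that stay gated after single sign-on (assumed list, not myGov's policy).
HIGH_RISK_ACTIONS = {"change_bank_account", "change_contact_details",
                     "link_service", "lodge_claim"}
STEP_UP_MAX_AGE = 300   # seconds a successful second-factor check stays valid (assumed)
TOTP_STEP = 30          # RFC 6238 time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(now) // TOTP_STEP)


def mask_account(number: str, visible: int = 3) -> str:
    """Show only the trailing digits of an account number in any online view."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "*" * max(len(digits) - visible, 0) + digits[-visible:]


@dataclass
class Session:
    user_id: str
    totp_secret: bytes                   # assumed enrolled authenticator secret
    contact_email: str                   # address on record *before* any change
    bank_account: str
    last_mfa_at: Optional[float] = None  # time of last successful step-up, if any
    notifications: List[Tuple[str, str]] = field(default_factory=list)


def requires_step_up(session: Session, action: str, now: float) -> bool:
    """High-risk actions need a second factor verified within STEP_UP_MAX_AGE."""
    if action not in HIGH_RISK_ACTIONS:
        return False
    return session.last_mfa_at is None or now - session.last_mfa_at > STEP_UP_MAX_AGE


def verify_step_up(session: Session, code: str, now: float) -> bool:
    """Check a TOTP code (current or previous step, for clock drift) in constant time."""
    step = int(now) // TOTP_STEP
    for candidate in (step, step - 1):
        if hmac.compare_digest(hotp(session.totp_secret, candidate), code):
            session.last_mfa_at = now
            return True
    return False


def perform(session: Session, action: str, payload: Dict[str, Any], now: float) -> Dict[str, Any]:
    """Gate a transaction: single sign-on alone does not authorise a high-risk action."""
    if requires_step_up(session, action, now):
        # Alert the genuine customer even though nothing changed: an unexpected
        # challenge is itself a sign that their credentials are in someone else's hands.
        session.notifications.append((session.contact_email, f"step-up challenge for {action}"))
        return {"status": "challenge", "action": action}
    if action in HIGH_RISK_ACTIONS:
        # Notify the *old* contact address before applying any change; otherwise a
        # fraudster who has just swapped the email receives the only alert.
        session.notifications.append((session.contact_email, f"{action} completed"))
    if action == "change_contact_details":
        session.contact_email = payload["email"]
    elif action == "change_bank_account":
        session.bank_account = payload["account"]
    elif action == "view_bank_account":
        return {"status": "ok", "action": action, "account": mask_account(session.bank_account)}
    return {"status": "ok", "action": action}
```

Two details carry most of the value. The alert goes to the contact details held before the transaction, and is sent even when the attempt is only challenged, which is what gives the real customer the real-time warning the ombudsman describes. And the online view never returns the full account number, so an intruder with stolen credentials cannot harvest the answer to the contact-centre question about existing details.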
Also by June next year, Services Australia intends to present users with a “myGov security dashboard” - “a visual presentation of their current security settings [that] will prompt them to take action such as uplifting their sign-in settings to either passkeys or Digital ID to better secure their account.”
Passkeys for myGov were introduced in late June and are being pushed as a more secure sign-on method than a traditional username and password: a passkey is bound to the site it was registered on, so it cannot be phished or replayed the way a stolen password can.
Another new tool - the enterprise customer authentication tool or ECAT - will be developed “to support telephony and face to face service delivery channels” to challenge high-risk transaction types.
“We anticipate the strengthened measures ECAT introduces will reduce the risk of fraudulent updates to phone numbers, email, and addresses made in staff facing channels,” Services Australia said.
Finally, in its role as myGov overseer, Services Australia is developing a myGov incident response system - MIRS - “to provide faster, more accurate and auditable sharing of information between the myGov platform and linked member services”, using funds from the most recent federal budget.
“We anticipate delivering MIRS across two iterations by June 2025,” Services Australia said.
“This will include obtaining further legal advice on information sharing.”