Your myGov account may be at risk, a new report has found.
The Commonwealth Ombudsman has urged the government to do more to protect Australians’ accounts, labelling its current efforts inadequate.
The Ombudsman launched an investigation into the platform’s security controls following user complaints and media reports.
It found that protections against “unauthorised linking”, where scammers link a genuine myGov member’s service account to a fraudulent myGov account, were inadequate.
“We found that overall, the current security measures focus on stopping fraudsters getting into genuine customer myGov accounts, but do not necessarily prevent them taking a side entrance to member service accounts through unauthorised linking,” the report said.
Preventative security controls for unauthorised linking are limited to the proof of record ownership processes that are implemented by the individual myGov member service agencies, the report said.
These processes vary across those individual agencies, with no additional security control in place for high-risk account updates like changing bank account details.
“APS agencies responsible for administering a system or program that involves other agencies, like myGov, should understand the levels of risk across the system and ensure risks that could impact other participants are managed effectively, including through identifying and managing shared risks,” Commonwealth Ombudsman Iain Anderson said.
Urgent action recommended
Anderson recommended Services Australia implement additional security controls such as two-factor authentication across its three member services for all high-risk transactions, including linking a member service account to myGov and updating contact and bank account details.
He also recommended security settings be applied at consistently high standards across all available service delivery channels for Services Australia member services.
Anderson further recommended that Services Australia establish formal processes for managing shared risks across the myGov ecosystem “including identifying, assessing and documenting shared risks, periodically assessing the effectiveness of agreed controls, and responding to indications that risk assessments should be updated”.
Services Australia should also seek external legal advice about options for sharing information across the myGov ecosystem while meeting legislative obligations, Anderson said.
He suggested that Services Australia also share “learnings and information” about its authentication processes across the myGov ecosystem, and “regularly review and update its communications regarding potential myGov and member service account breaches”.
The report also detailed case studies where users felt they had been let down by the myGov ecosystem.
“People have told us about the stress and anxiety they experienced when their personal information was stolen, and fraud committed in their name,” Anderson said.
In these circumstances, it is particularly important that Services Australia provide accessible, consistent and clear information to help people.
“Given the volume and sensitivity of information held in member service accounts linked to myGov, robust protections to stop fraudsters gaining unauthorised access to myGov accounts are essential,” Anderson said.
Services Australia accepted the Ombudsman’s recommendations and suggestions.