Friday, August 09, 2024

Fraudsters used 'side entrance' to hack Centrelink, Medicare accounts

Security holes found in myGov fraud protections


In one phone call, a fraudster managed to hack a Centrelink customer's account, change their address and banking details before lodging a false disaster recovery payment claim.


A few days later, the customer's account was breached again when the fraudster called Medicare to change their address and request a new card. The fraudster then used the Medicare details to lodge and receive a fraudulent tax return.
The 2022 case was investigated by the Commonwealth Ombudsman as part of a damning report into Services Australia's response to cases of fraud through the myGov platform.
It found myGov's current security controls were not doing enough to protect customers from fraud related to "unauthorised linking", in which third parties used a "side entrance" to hack into customers' accounts.
Services Australia spokesman and general manager Hank Jongen said all recommendations and suggestions from the Ombudsman had been accepted.
Services Australia general manager Hank Jongen pictured in 2020. Picture by Sylvia Liber
"We understand it can be a stressful experience if people's myGov or linked service is compromised by scammers," he said.
"Maintaining the security of myGov and the protection of people's personal information remains a top priority, and we're committed to ongoing improvement."
The investigation was born of reports and complaints of escalating tax fraud, in which fraudsters were linking genuine taxpayer records to "fake" myGov accounts they controlled.
The Ombudsman's report was centred on Services Australia's response to these instances of fraud, as it both administers myGov and is also the owner of three member services: Medicare, Child Support and Centrelink.

The Ombudsman found while Services Australia had several security measures in place, they were not doing enough to protect customers from "unauthorised linking".
In order for someone to link a member service, such as Centrelink or Medicare, to their myGov account, the user must satisfy that service's proof of record ownership (PORO) process.
This process differs across each member service but generally involves the user providing personal information that only they would be expected to know.
The report found fraudsters were able to circumvent this by using stolen personal information, which can be obtained through data breaches, phishing scams or mail stolen from letterboxes.
"... one failed PORO process can open the door to fraudsters obtaining additional personal information which they can use to access other member service accounts," the report stated.
The Ombudsman found Services Australia's security measures were focused on stopping fraudsters hacking into genuine customer myGov accounts but did not prevent them "taking a side entrance to member service accounts through unauthorised linking".
The report recommended Services Australia identify the risks associated with the existing PORO processes and consider baseline requirements for all member services.

Unlimited accounts a weak link

The report found the ability to create unlimited myGov accounts was a weak link in the system.
Services Australia explained to the Ombudsman myGov was designed this way to avoid becoming a central database of information.
The report also found Services Australia should do more to verify that linking requests are authorised by the genuine record owner before a transaction is finalised.
The Ombudsman recommended additional security controls such as two-factor authentication be introduced for all "high-risk transactions", including linking between myGov and member accounts and updating contact and bank account details.
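To make the "side entrance" concrete, the following is an added example, not code from Services Australia or the Ombudsman's report. It models a member-service record behind a knowledge-based PORO check and shows why stolen answers are enough to link a fresh myGov account and redirect contact and bank details, then adds the step-up control described above: a one-time code delivered to the contact already on record, captured before the request can change it. The customer reference, PORO facts, phone numbers, account ids and SMS channel are all constructed for illustration; the real myGov linking flow is not described in this detail on this page.

```python
"""Illustrative model of unauthorised linking and a step-up control.

Added example, not Services Australia's code. All records, PORO facts,
phone numbers and account ids below are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Transactions the Ombudsman recommended be put behind a second factor.
HIGH_RISK = {"link", "update_contact", "update_bank"}


@dataclass
class MemberRecord:
    crn: str
    kba: dict                  # proof-of-record-ownership answers (knowledge only)
    registered_phone: str      # contact already on record, held by the genuine customer
    bank: str = ""
    linked_to: str = ""        # myGov account id once linked
    pending: tuple = ()        # (otp, kind, payload) awaiting the second factor


@dataclass
class MemberService:
    name: str
    records: dict = field(default_factory=dict)
    sms_outbox: list = field(default_factory=list)   # simulated SMS channel: (phone, otp)

    def poro_ok(self, crn: str, answers: dict) -> bool:
        """Knowledge-based check: anyone holding the same stolen facts passes it."""
        rec = self.records[crn]
        return answers.keys() == rec.kba.keys() and all(
            hmac.compare_digest(str(rec.kba[k]), str(v)) for k, v in answers.items())

    def apply(self, rec: MemberRecord, kind: str, payload: str) -> None:
        if kind == "link":
            rec.linked_to = payload
        elif kind == "update_contact":
            rec.registered_phone = payload
        elif kind == "update_bank":
            rec.bank = payload

    def transact_kba_only(self, crn, kind, payload, answers) -> str:
        """Baseline: PORO alone finalises any transaction (the 'side entrance')."""
        rec = self.records[crn]
        if not self.poro_ok(crn, answers):
            return "denied"
        self.apply(rec, kind, payload)
        return "done"

    def transact_step_up(self, crn, kind, payload, answers) -> str:
        """PORO only opens the request; high-risk kinds need an OTP sent to the
        contact on record, read BEFORE the payload can overwrite it."""
        rec = self.records[crn]
        if not self.poro_ok(crn, answers):
            return "denied"
        if kind not in HIGH_RISK:
            self.apply(rec, kind, payload)
            return "done"
        otp = f"{secrets.randbelow(10**6):06d}"
        rec.pending = (otp, kind, payload)
        self.sms_outbox.append((rec.registered_phone, otp))   # reaches the genuine owner
        return "pending_otp"

    def finalize(self, crn, supplied_otp: str) -> str:
        rec = self.records[crn]
        if not rec.pending:
            return "denied"
        otp, kind, payload = rec.pending
        rec.pending = ()                                      # single attempt per challenge
        if not hmac.compare_digest(otp, supplied_otp):
            return "denied"
        self.apply(rec, kind, payload)
        return "done"


OWNER_FACTS = {"dob": "1980-01-01", "postcode": "2600", "last_payment_cents": 72050}
STOLEN_FACTS = dict(OWNER_FACTS)      # fraudster's copy, e.g. from phishing or stolen mail
FRAUD_MYGOV = "mygov-fresh-0001"      # brand-new account; myGov allows unlimited accounts


def fresh_service() -> MemberService:
    svc = MemberService("Centrelink")
    svc.records["CRN-001"] = MemberRecord("CRN-001", OWNER_FACTS, "+61400000001")
    return svc


def fraud_kba_only() -> dict:
    """The 2022 pattern: link a fresh account, redirect contact details, then bank details."""
    svc = fresh_service()
    out = {"link": svc.transact_kba_only("CRN-001", "link", FRAUD_MYGOV, STOLEN_FACTS),
           "contact": svc.transact_kba_only("CRN-001", "update_contact", "+61400009999", STOLEN_FACTS),
           "bank": svc.transact_kba_only("CRN-001", "update_bank", "fraud-acct", STOLEN_FACTS)}
    out["linked_to"] = svc.records["CRN-001"].linked_to
    return out


def fraud_step_up() -> dict:
    """Same stolen facts, but the OTP lands on the owner's phone, which the fraudster lacks."""
    svc = fresh_service()
    status = svc.transact_step_up("CRN-001", "link", FRAUD_MYGOV, STOLEN_FACTS)
    attempt = svc.finalize("CRN-001", "guess")   # no access to the SMS channel; wrong length fails
    return {"status": status, "attempt": attempt,
            "linked_to": svc.records["CRN-001"].linked_to, "otp_sent_to": svc.sms_outbox[-1][0]}


def owner_step_up() -> dict:
    """The genuine customer reads the code from their own phone and completes the link."""
    svc = fresh_service()
    svc.transact_step_up("CRN-001", "link", "mygov-owner-0001", OWNER_FACTS)
    _phone, otp = svc.sms_outbox[-1]
    return {"attempt": svc.finalize("CRN-001", otp), "linked_to": svc.records["CRN-001"].linked_to}
```

The design point is the order of operations in `transact_step_up`: the code is issued to the phone number held on the record at the moment the request is opened, so an `update_contact` request cannot redirect its own verification, which is exactly the sequence (change address, then banking details) that the 2022 case relied on.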
Commonwealth Ombudsman Iain Anderson pictured in 2021. Picture by Sitthixay Ditthavong

Legislation may be standing in the way 

While investigating the 2022 complaint, the Ombudsman found that when the myGov customer's Centrelink account was breached, Services Australia did not check whether the person's Medicare account had also been compromised.
"It was unclear to us why Services Australia could not disclose the breach to another member service, where they were a mutual customer," the Ombudsman wrote.
Services Australia advised the Ombudsman that disclosing information between its member services could only happen if their respective enabling legislation permitted.
However, the Ombudsman said member services were required to report fraud incidents to Services Australia and noted that secrecy provisions contain exceptions allowing disclosures in these instances.
The Ombudsman recommended Services Australia seek external legal advice about how it can facilitate a greater level of information sharing across the member services.
Mr Jongen said work was already underway at Services Australia to address the issues identified in the Ombudsman's report.
"This includes measures funded through the 2024-25 budget to improve myGov account security and fraud incident detection," he said.
Mr Jongen said a range of security checks were already in place to protect people's accounts, including passkey sign-in options, digital identification, two-factor authentication and the ability to lock myGov accounts.
"In a challenging global security environment, myGov is continually evolving to meet the ongoing challenges of increasingly sophisticated and numerous scams, identity theft and other cyber security threats," he said.