Mr. Luca had been receiving his pension through Centrelink each fortnight, but in mid-July he found out that his myGov account had been breached by a fraudster. The fraudster changed his bank account number and his BSB number, then requested and obtained an advance on his age pension. This happened despite him having a “very obscure” password and three secure verification questions.
Mr. Luca quickly reported the matter to Centrelink, Australia’s government welfare payment manager. After talking to staff, he gained a new insight: he was not the only one who had his account targeted by identity theft.
A Centrelink staff member told him she “personally already had another three clients who had had the similar thing happen with their payments.”
“This means that there are likely to be thousands of people in a similar situation,” he told The Epoch Times.
Mr. Luca’s situation is still unresolved. Although he was able to recreate his myGov account and managed to protect his pension payment from the fraudster, he still did not have online access to Centrelink.
“And now the government is proposing putting all personal data in one place. This is a potential disaster—as things stand the fraudsters will just walk in and grab all the data they care to have,” he said.
In July, Finance Minister Katy Gallagher told the Australian Financial Review’s Government Services Summit that she expected the national digital identity model to be implemented in an “economy-wide system.”
The system will bundle together a person’s driver’s licence, Medicare card, passport details, Centrelink details, and other credentials. The government will announce legislation related to the new digital identity platform in September.
The Epoch Times has confirmed with Centrelink that Mr. Luca’s account was indeed hacked. The agency also revealed a spike in identity theft activity over the past year.
“There is a growing trend of scammers impersonating government organisations, including myGov and Services Australia, to try and steal myGov sign-in credentials and other personal information, such as bank details,” General Manager Hank Jongen said in an email response to The Epoch Times.
Mr. Jongen said the myGov system “remains secure and has not been compromised. It’s an unfortunate reality that opportunistic scammers steal identity information to carry out fraudulent activities.”
“Services Australia takes the security of customer information very seriously and has robust protections in place,” he said.
“We’ve extended an offer to contact the customer to ensure all appropriate steps have been taken to secure their accounts.”
myGov is currently the Australian government’s digital identity app, which allows people to log in to access details about tax, business, immigration, and social services. Centrelink is part of Services Australia, which delivers income support, social security payments, and other services.
Expert Raises Concerns About The National Digital ID
Mr. Luca’s experience with identity theft adds to growing concerns about the security of the upcoming centralized digital ID system due in mid-2024.
Australia’s finance minister has admitted there is pushback against the scheme, but branded it as “theories … coming out of COVID” as well as “conspiracy theories about what government’s trying to do.”
She argued the national ID was “really about you having control as citizens; control of their information that allows them to access government systems in a very easy, secure, voluntary and efficient way.”
However, identity theft and security specialist Phillip Bos, who has more than 35 years of experience in the cybersecurity sector, said this might not be the case.
“We do not yet know the system architecture for this reform. Fundamentally, a storage repository of critical identity data, that is accessed by agencies or business when authorized by consumers or customers, is flawed,” he told The Epoch Times.
“The culture of demanding, requiring, storing and sharing unnecessary personal identification data not relevant to the transaction at hand, is overdue to be discarded.”
He said until that is done by the government and business by way of legislative and operational reform, “a new digital government identity paradigm will still allow breaches.”
Phillip Bos is the cybersecurity expert and founder of privacy protection app BlueKee. He has more than 35 years of experience providing strategic security solutions to risk-averse organizations and high-net-worth individuals throughout Australia.
Mr. Bos added that once government accounts are successfully targeted by identity thieves or cyber hackers, trust will be broken, as “the agency that is protecting someone from financial distress failed to protect that person’s basic identity.”
“Citizens who had identity thieves succeed in their own backyard will discount the government’s ability to manage a wider, ubiquitous identity system.”
What’s Missing in the Government’s System?
Mr. Bos, CEO and founder of privacy protection app BlueKee, said a proper identity system “pre-identifies you ahead of any transaction, strips the produced identity token of any personal data, and then uses a mathematical object that uniquely represents you, which is impervious to reverse engineering.”
“In such a system, the concept of storing, accessing, or disclosing identity fields (such as name, address, date of birth, or driver’s license card number) becomes meaningless. Storing details never arises. Any details stored that may be necessary for further business (and not for the purpose of identity verification) are stored in a distributed fashion, on the user device.”
He noted that his privacy app BlueKee “offers users a complete self-sovereign identity solution, giving customers the ability to authenticate their own identity while allowing businesses to seamlessly verify customer information without the need to store sensitive data.”
Mr. Bos noted that he believed “the government and the private sector working together is the future solution, and we are keen to see how those processes will play out.”
How To Protect Your Digital ID
Meanwhile, General Manager Jongen advised customers to be wary of unexpected contact and only sign in to their myGov account by searching my.gov.au in their trusted web browser or by using the official myGov app.
“Setting up a myGov account alone is not sufficient to access member service accounts. For a person to link their myGov account to any member service, they must provide proof of record ownership to that service,” he said.
Scam messages relating to myGov may give customers a range of reasons why they need to click on suspect links.
For example, a message may claim that a user’s account information is inaccurate and must be updated by clicking a link, that a refund is waiting and they need to click a link to get the payment, or that they should click to avoid their myGov account being suspended or frozen.
If a customer suspects someone else has gained access to their myGov account, they are encouraged to call Centrelink’s Scams and Identity Theft Helpdesk on 1800 941 126.