Services Australia Launches Bold Security Revamp for myGov
Quick Read
- Services Australia is set to roll out new security protocols for myGov by June of next year.
- Multi-factor authentication (MFA) to be introduced for transactions deemed high-risk.
- A new security dashboard will assist users in managing and improving their account security.
- Creation of an Enterprise Customer Authentication Tool (ECAT) to scrutinize high-risk transactions.
- Establishment of a myGov Incident Response System (MIRS) to enhance information-sharing practices.
- Emphasis on boosting security for Centrelink, Medicare, and Child Support services.
Fortifying Security Measures for myGov
Services Australia has disclosed a thorough security enhancement for myGov, slated for implementation by June of the coming year. This initiative addresses vulnerabilities exploited through the platform’s single sign-on system and the unrestricted creation of accounts.
Guaranteeing Uniform Verification Processes
The agency is dedicated to guaranteeing uniform verification processes across its services, including Centrelink, Medicare, and Child Support. Nevertheless, other departments relying on myGov for digital service delivery are urged to embrace similar protocols to ensure uniformity.
Cybersecurity Issues Raised by Ombudsman
An investigation by the Commonwealth Ombudsman disclosed that cybercriminals encountered few obstacles while using stolen credentials to infiltrate myGov accounts. Once they gained access, they could easily modify personal information and connect to other digital government services without notifying the user.
Launch of Multi-Factor Authentication
The Ombudsman suggested the adoption of multi-factor authentication (MFA) for transactions classified as high-risk. This measure would significantly lower risks by notifying users of potential breaches in real time and preventing unauthorized transactions.
Discrepancies in Customer Service Channels
Investigations also uncovered discrepancies in the way customer service channels managed account modifications. For example, Centrelink’s contact center agents required users to verify existing bank details for updates, a procedure not replicated in online updates. This inconsistency provided openings for fraudsters to exploit different channels.
Legal and Legislative Hurdles
Services Australia has observed that legislative limitations hinder it from flagging breaches across various services within myGov. Legal counsel is being sought to clarify the extent of these restrictions and to explore potential remedies.
Variety of Security Measures Currently Underway
Services Australia is dedicated to advancing a series of security enhancements, which include:
- Establishing baseline standards and checks for all services accessed via myGov.
- Bolstering security concerning bank account updates and concealing bank account details online.
- Launching a myGov security dashboard to encourage users to strengthen their security settings.
- Developing an Enterprise Customer Authentication Tool (ECAT) to facilitate secure telephone and in-person service delivery.
- Implementing a myGov Incident Response System (MIRS) for refined information sharing among services.
Security Dashboard and Passkeys
By June of next year, users will gain access to a myGov security dashboard that will visually display their security settings and prompt actions such as upgrading to passkeys or Digital ID. Passkeys for myGov were rolled out in late June and are being promoted as a more secure option compared to traditional username-password methods.
Enterprise Customer Authentication Tool (ECAT)
The ECAT will be designed to assist telephone and in-person service delivery channels. It will scrutinize high-risk transactions, thereby diminishing the possibility of fraudulent changes to phone numbers, email addresses, and other user details.
myGov Incident Response System (MIRS)
Services Australia is also in the process of creating the myGov Incident Response System (MIRS) to enable quicker, more precise, and auditable information sharing between the myGov platform and associated services. This initiative will be financed by the latest federal budget and is anticipated to be delivered in two phases by June 2025.
Summary
The ambitious security revamp for myGov by Services Australia aims to address existing vulnerabilities and enhance the overall security landscape of the platform. Through multi-factor authentication, a new security dashboard, the ECAT, and the MIRS, the agency is making substantial strides to safeguard users’ data and bolster the security of digital government services.