In an age where our personal information is increasingly digitised, the security of our online accounts has never been more critical.

This is especially true for accounts tied to essential services, which hold sensitive data and are gateways to crucial financial resources.

However, a concerning new report has shed light on a significant vulnerability that could put your data at risk.

Hackers are finding a 'side entrance' into Australians' Centrelink, Australian Taxation Office (ATO), and Medicare accounts, leading to fraudulent claims and financial chaos.

The investigation into myGov fraud has revealed a disturbing trend of scammers creating fake myGov accounts and linking them to genuine service accounts without the rightful owners' knowledge.

This process, known as ‘unauthorised linking’, allows fraudsters to make false Centrelink claims or bogus tax claims that can amount to thousands of dollars.

Scammers are infiltrating Australians' Centrelink, ATO, and Medicare accounts through fake myGov accounts and ‘unauthorised linking’. Credit: Shutterstock

Commonwealth Ombudsman Ian Anderson has pointed out that myGov's current security measures did not ‘adequately protect people’ from this type of exploitation, particularly when identity theft is involved.

The focus has been on preventing direct unauthorised access to genuine accounts, but not enough on stopping scammers from using this ‘side entrance’ method.

‘People have told us about the stress and anxiety they experienced when their personal information was stolen, and fraud committed in their name,’ Mr Anderson shared.

The report also highlighted a lack of adequate security controls for ‘high-risk transactions’, such as changing bank account details, which should require stringent verification to ensure the legitimate account holder authorises them.

‘Given the volume and sensitivity of [the] information held in member service accounts linked to myGov, robust protections to stop fraudsters gaining unauthorised access to myGov accounts are essential,’ Mr Anderson suggested.

The implications of these security breaches are far-reaching.

Scammers can use stolen identities from various sources, including large-scale data breaches like those of Optus and Medibank, phishing scams, purchases on the dark web, or simply sifting through someone's rubbish or mailbox.

Once they gain access to a myGov account, they can submit false claims for Centrelink payments, redirect government payments, and submit fraudulent tax returns to claim refunds.

This not only affects the financial well-being of the victims but can also prevent them from accessing essential financial assistance, such as the Child Care Subsidy.

Services Australia has acknowledged the gravity of the situation and has committed to implementing all the recommendations from the report.

These include enhancing security controls to prevent unauthorised linking, establishing formal processes for managing risks across the myGov ecosystem, and implementing measures like two-factor authentication for high-risk transactions.

Services Australia general manager Hank Jongen acknowledged that the organisation understands how stressful it can be for individuals when their myGov or linked services are targeted by scammers.

‘Maintaining the security of myGov and the protection of people’s personal information remains a top priority, and we’re committed to ongoing improvement,’ he declared.

‘Work is already underway to address the identified issues, as well as other security improvements to ensure myGov remains trusted, safe and secure.’

Mr Jongen stated that secure sign-in methods, such as passkey, digital ID, and two-factor authentication, have already been implemented to safeguard people's accounts.

Additionally, Services Australia locks myGov accounts and sends security alerts to customers if there is any potential unauthorised access.

As concerns over the security of personal information grow, a recent trend involving the hacking of Centrelink, Australian Taxation Office (ATO), and Medicare accounts has highlighted the vulnerabilities in existing systems.

This breach underscores the importance of enhancing digital protections, especially as discussions last year about using biometric data, such as facial recognition and fingerprints, as myGov passwords gain renewed attention.

The push for these advanced security measures aims to provide Australians with a more robust defence against such cyber threats.

Key Takeaways

• Scammers have been infiltrating Australians' Centrelink, ATO, and Medicare accounts by creating fake myGov accounts and engaging in ‘unauthorised linking’.
• The Commonwealth Ombudsman reported that myGov's security measures were inadequate in preventing accounts from being exploited following identity theft.
• The report recommended improved security controls for high-risk transactions and unauthorised linking and the establishment of formal risk management processes across the myGov ecosystem.
• Services Australia has welcomed the recommendations and is committed to enhancing security with measures such as two-factor authentication and other sign-in options to protect users' accounts.

Have you encountered any security issues with your myGov account? How do you protect your personal information online? We encourage our readers to share their experiences and tips on safeguarding their online accounts in the comments below.

 

[PetrG]

Australians have NO options other than using the so called security services provided by major Govt and non Govt organisations such as ATO, MEDIBANK, CENTRELINK plus others and as such should not be expected to carry the losses of fraudulent actions carried out by scammers using a so-called side entrance or a straight out break into our data held by the organisation. All Australians should be protected from such losses by the many agencies that insist that we must use the systems that they provide. We always hear/read that the security, safety and welfare of all customers is paramount, yet the systems are regularly subjected to failures and are seemingly intercepted by scammers. Surely enough is enough!!

 

[Redone13]

Yes, through My Gov used Medicare number to set up bank account, do a tax return, changed my phone number, tried to access my super. Discovered my details were used from a data breach either Optus or Blood bank or Medibank. Lucky for me bank sent a letter advising of a new account set up and wanting more ID. Medicare card was used for ID at bank had all correct details for me. Spent a whole day on the phone trying to sort the mess. No My gov for me unless they up their security but makes dealing Centrelink difficult.

 

[Starkey]

The Commonwealth Government want us to begin to use a NEW digital ID for , which state will make ID for self easier, however they fail to protect the data they hold on us now.
Do think we are completely bereft of intelligence?
What will happen as people live longer and need more services but are either cognitively declining or digitally excluded due to financial or lack of service availability?
People who cognitively decline often lose English skills if it their second or third language

 

[MickyMouse24]

AND the Government want us all to move to digital ID, I dont think so.

 

[Veggiepatch]

The digital wallet is a myth to be avoided. Lose your digital phone and you lose EVERYTHING!

May as well have your tax file number, myGov ID, bank account numbers and passwords, other financial information, date of birth and residential address tattooed to your forehead for all to see!

 

[BellaB18]

Well l cannot get into my, myGov account. When l try they tell me my email address is incorrect. So to make an appointment to go to an office l spent over a hour waiting to talk to someone. Finally got through to a man who sadly l had trouble understanding because of his accent. He told me three times you can book for your appointment through your myGov account. You will get this and that information on your myGov account. I don't understand what he did not understand l kept saying l cannot get into my account because it won't accept my email address.
Centre Link is a disaster one person tells you one thing another tells you another. So not surprising now they have been hacked.
Kind regards to all Vicki

 

[Rob44]

So whoever set up these systems is just bloody incompetent; and AI can now steal your face and no doubt in due course your fingerprints. Perhaps we will have to present our armpits for an ID based on our smell for sniffer dogs to verify.

However, I have avoided Centrelink and have attempted to avoid myGov. Unfortunately I can't avoid the ATO and Medibank. I have quite deliberately not got a mobile phone. This computerised interlinked internet world is a scrapyard of broken dreams populated by ghouls known as "scammers". Goya would have had a field -day drawing cartoons of such; some of his nightmarish cartoons are certainly applicable 220 years later. Life was more efficient and more secure when all we had was white paper, hand-writing, a typewriter, carbon paper, cash, cheque books and a reliable and frequent postal service.

The great AAT somehow released the data of 109 million Americans in 2020. The first I heard about it was this year.

 

[Rob44]

Australians have NO options other than using the so called security services provided by major Govt and non Govt organisations such as ATO, MEDIBANK, CENTRELINK plus others and as such should not be expected to carry the losses of fraudulent actions carried out by scammers using a so-called side entrance or a straight out break into our data held by the organisation. All Australians should be protected from such losses by the many agencies that insist that we must use the systems that they provide. We always hear/read that the security, safety and welfare of all customers is paramount, yet the systems are regularly subjected to failures and are seemingly intercepted by scammers. Surely enough is enough!!

Wait until quantum computing comes on line; it will be so fast and so powerful it will be able to be used to crack anything to do with personal information.

 

[BellaB18]

So whoever set up these systems is just bloody incompetent; and AI can now steal your face and no doubt in due course your fingerprints. Perhaps we will have to present our armpits for an ID based on our smell for sniffer dogs to verify.

However, I have avoided Centrelink and have attempted to avoid myGov. Unfortunately I can't avoid the ATO and Medibank. I have quite deliberately not got a mobile phone. This computerised interlinked internet world is a scrapyard of broken dreams populated by ghouls known as "scammers". Goya would have had a field -day drawing cartoons of such; some of his nightmarish cartoons are certainly applicable 220 years later. Life was more efficient and more secure when all we had was white paper, hand-writing, a typewriter, carbon paper, cash, cheque books and a reliable and frequent postal service.

The great AAT somehow released the data of 109 million Americans in 2020. The first I heard about it was this year.

Could not agree more Rob44
Kind regards Vicki

 

[Veggiepatch]

So whoever set up these systems is just bloody incompetent; and AI can now steal your face and no doubt in due course your fingerprints. Perhaps we will have to present our armpits for an ID based on our smell for sniffer dogs to verify.

However, I have avoided Centrelink and have attempted to avoid myGov. Unfortunately I can't avoid the ATO and Medibank. I have quite deliberately not got a mobile phone. This computerised interlinked internet world is a scrapyard of broken dreams populated by ghouls known as "scammers". Goya would have had a field -day drawing cartoons of such; some of his nightmarish cartoons are certainly applicable 220 years later. Life was more efficient and more secure when all we had was white paper, hand-writing, a typewriter, carbon paper, cash, cheque books and a reliable and frequent postal service.

The great AAT somehow released the data of 109 million Americans in 2020. The first I heard about it was this year.

I'm not aware of AAT. Is that the American Association of Turkeys? ?

 

[Rob44]

I'm not aware of AAT. Is that the American Association of Turkeys? ?

Quite probably. I apologise for slandering the intelligence of the American Association of Turkeys.

ATT ; American Telephones and Telecommunications, perhaps.

 

[Veggiepatch]

Quite probably. I apologise for slandering the intelligence of the American Association of Turkeys.

ATT ; American Telephones and Telecommunications, perhaps.

Maybe the American Association of Trumpistas?

 

[summadale]

I have commented in regards your say acc numbers are there in your Centrelink and Medicare. I’ve queried it as I don’t understand why they don’t xxxx out the numbers baring last 4. Seems too hard for them to think that as to this hacking we are left as clients out in the open.

 

[Kevin. A.]

I do not trust the digital environment to keep our personal information confidential and secure.

 

[novezar]

A very Implicated, Complex, Intricate Behemoth, is going to be bestowed upon, &, engulf us all without doubt. Very unfortunately, probably a lot sooner than later.

It's going to create a Great Mass of problems for the Greater Mass of the populous.

But who gives a damn. Certainly Not the Powers To Be. Trouble, trouble & more trouble. Wot can 1 do ?

 

[Rob44]

This took two minutes to find using Mr Google's advice.

"DroidKit provides you with an Android phone unlocking tool to unlock any phone password and unlock any screen locks, including numeric passwords, patterns, 4-digit/6-digit/custom PIN, face recognition, or fingerprint ID unlocking, etc. Why choose DroidKit to unlock phone without password? Here are some of the reasons."

This is freeware on the honest white web found by an old codger stroppy enough to use a cheque book, not to own a mobile phone and to not like any politician. If this works, and is not a subtle scam, then whoever wants us to have a digital ID card is a bloody idiot. There are also other such applications openly available if I were to scroll down that page on Google.

 

[summadale]

AND the Government want us all to move to digital ID, I dont think so.

I had to get a new license and I said I don’t want a digital one, have the plastic card

 

[marilyn joy wright]

Yes, someone asked for an advance from my pension and tried to have it paid into a SA account. I am in WA. Hadn’t checked my pension as I don’t need to rely on it. End result, Internet Fraud squad advised not to use My
Gov. It took from June to Feb to pay back and adjust the payments. Had a dodgy operator on an enquiry to change my password on Medicare a few months earlier. She was very helpful and offered to change it for me. I’m sure this is where it all started. I couldn’t even claim from Medicare because I was blocked from getting a linking code for months. Very frustrating. A couple of days ago I needed help resetting my iPad to HP wireless printer. He told me all devices where at risk as there was a bug in every device causing the printer not to work. Wanted me to purchase new network security “Easy Click” ??? Said none of the well known security networks will protect me. I might be 75 and getting beyond all this tech stuff. But I didn’t come down in the last shower. I can see how they pray on people and how easy it is to get scammed. How they can sleep at night is beyond me.

 

[Allen Thomas]

One of the things that I see a lot is the so-called tap-and-go, where there is no proof of identification. As we get older we tend to drop things or forget to retrieve items such as phones and cards. Both my phone and bankcards (Bendigo bank has this option) have the option to tap-and-go switched off. I know pin numbers are not totally secure but at least they're some form of security until ATM and cash registers have facial/fingerprint recognition installed