Secrecy, privacy, security, intrusion

It seems very simple to create a mygov account. Name and address (could be anything) and an email address. A mobile phone number is optional. I supplied my mobile number so they 2FA me via SMS when I log on. I don’t know what happens to those who had not supplied a mobile number at account creation.

But by itself a mygov account is nothing more than an account in a database. Nothing more than lots of accounts I have registered in various online sites to enhance my user experience or receive push emails about whatever.

The harder part is then using the mygov account to do anything useful. It has to be then linked to gov services, which requires more rigorous authenticating documentation.

1 Like

From memory it only requires related personal account details. Most commonly those released in online or other data breaches.

The only difficulty I had was with the ATO, resolved with a phone call and ATO supplied linking code. I don’t recollect having to provide copies of any proof of ID in linking any service.

Contrast the recent requirement for company directors to register their IDs with ASIC. It required an upload/image scan of a physical ID (passport my choice) and a live front facing personal image transmitted in real time with the mobile.

It’s useful to note that 2FA for MyGov and the Company Director ID both rely on your mobile number as part of the chain. It raises the bar with the value of your mobile and risks of loss. Or worse your Telco porting your number in response to fraud or by error to someone else.

2 Likes

The article is quite confusing as to whether the TFN was or was not required. I think the answer was that the TFN was used in that identity theft - and therefore the TFN was obtained from somewhere but I don’t believe that TFNs would have come from any of the recent high-profile data breaches. Clearly though your TFN is not a secret shared only between you and the ATO.

You have to answer the secret question. (I personally always choose ridiculous and fictitious questions and answers - so that the compromise of one web site does not automatically lead to the compromise of other web sites who may be using the same secret question - and so that even someone who knows my life will not know the answers. Needless to say that this entails making a record of the questions and answers.)

And of course store the answers to the questions per site in the same place as you store your userids and passwords. In the cloud somewhere.

One of my banks recently changed their online system. At login, I was forced to change my password as the rules had changed. But the system treated it as a ‘forgot password’ routine and I was asked an answer to a secret question I had answered 15 years ago. What the ??

Fortunately I was able to guess the name of my long dead cat from that time.

1 Like

Generally your employer needs your TFN. Now think about how many companies have had security breaches, and how many of them might have lost their employee details.

Totally. There are many potential sources of your TFN. Any employer. Any bank. Any share registrar. The ATO itself.

A good employer (etc.) though would at least store the TFN encrypted so that a direct database breach does not reveal any TFNs i.e. the same way that credit card numbers are handled.

At this stage, we don’t know how the scammer got her TFN.

I assume you are taking the **** - at least as far as that would apply to me. :wink:

Sorry about that @person. When I said ‘you’ I didn’t mean it to be directed, but just generic to all the you’s out there who put their security info into the cloud.
:smiley:

3 Likes

If one gets locked out of their myGov account the only recovery is to make a new one, so a proliferation of accounts is there by design. Any individual might have one or many depending on how many times they ‘forget’ their passwords.

3 Likes

… the individual’s choice to have separate myGov accounts for linking to separate government functions, as another possibility.

3 Likes

It appears the voice print account access for ATO and Centrelink accounts can be forged by AI voice generation to gain access to people’s accounts. While the Customer reference access detail is needed this can more easily be found as the Customer reference numbers are often included in correspondence from these organisations.

EDIT: Adjusted the post by removing the MyGov reference as it is about the phone service offered by ATO and Centrelink.

1 Like

We still seem to need to use a password with the CRN, plus 3 factor ID using a code sent by SMS to our mobile number. The voice prompt has only come up when phoning in, after which there are more ID questions when a real person is on the other end.

Sounds like yet another good reason not to rely upon their voice recognition. If you don’t really require it, think of it as merely another possible way for someone to gain access to your accounts.

2 Likes

There are self service options without having to speak to an operator and the article doesn’t go too deep into what they did other than to be able to access the accounts with the voice recognition. A quote from the article about the self service options:

“The self-service phone system allows people to access sensitive material such as information on their payment of benefits and to request documents to be sent by mail, including replacement concession or healthcare cards.”

If they did explain the entire detail would that have been a roadmap for less scrupulously oriented people to take further advantage?

The response from Centrelink was that this was not really possible to gain access; I am wary still of the possibility.

3 Likes

Teslas continue to be our top selling BEVs and personal privacy of owners is important to Tesla, but as with anything the weakest links are not as infatuated with policies or protocols so other people’s privacy becomes their plaything.

3 Likes

7 posts were merged into an existing topic: Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2023

:open_mouth:
Queensland mother fears family were secretly filmed by cameras in their rental property - ABC News

This could equally well sit under tenants rights but this must be one of the more creepy privacy breaches by a private individual. Or is it the agent’s doing?

1 Like

A (dis)honourable mention to a clinic.

https://choice.community/t/bulk-billing/26989/18

3 Likes

Most of us would use a shredder but this wonderful 3 piece security product seems to be selling to certain demographics. If you do not at least roll your eyes or smile you might be one of them :wink:

1 Like

Haha. That reminds me of a TV show years ago on the ABC called The Inventors, and a certain female judge on the show would always ask if a new invention would be available in different colours.