Bill Shorten: Making myGov unhackable

We need to protect ourselves as best we can because data is the new hot commodity. The black market works on stolen information.


Fraud and scams have been around since someone figured out that deceit could be monetised. A Greek sea merchant from 300 BC is thought to have the (dis)honour of being the first to try it on. Hegestratos took out an insurance policy, called a bottomry, on his ship and cargo of corn.

There are a number of explanations of the origin of the word bottomry. One is that it comes from the Latin word for ship — bustrum. The other is that it was a scheme that allowed a ship’s master to borrow money upon the bottom (or keel) of the ship.



If the loan was not repaid once the cargo was delivered, the lender could repossess the vessel — bottom and all — as well as goods to the value of the cargo. Hegestratos took out the loan but attempted to sink his empty ship, still intending to sell the corn, and pocket all the money, including the loan. One problem.

He was caught in the act, chased off the ship and then drowned attempting to escape. Today, we still use the term “snake oil salesman” to describe someone trying to scam people with promises of a miracle cure or get-rich-quick scheme. That term may have originated in the 1800s but it came back to prominence during COVID when conspiracy theories abounded.

Ivermectin, anyone? Education and internet literacy are our best defences against online scams that are becoming increasingly sophisticated. A point to make is that there is a difference between a hack and a scam. A hack is when cyber criminals use their skills to break through defence mechanisms — to illegally access your computer or bank account or to steal your personal data.

This can happen on a large scale, as we saw with the Optus and Medibank breaches. A scam is when you are conned into giving out your information, often via interacting with a fake website that looks very much like the real deal, or through a social media conversation. Last financial year Services Australia observed, analysed and responded to more than 10,000 unique agency impersonation scams — 86 per cent referenced myGov in some way.

All with the intent of scamming members of the community. But that does not mean myGov is unsafe. It has not successfully been hacked.

But scammers may try to trick myGov users into clicking a link to a fake website in order to get personal details and then steal their payments. But they cannot do it unless you hand over your information. So, we have a role to play in keeping our data safe.

If you get a text that is supposedly from myGov that asks you to click on a link, it is not from the Australian Government. We do not send links to sign in to myGov. Do not click on it.

myGov was among the first digital government services in the world to introduce passkeys as a simple, fast and more secure way to sign in, and just a few months later more than 400,000 people are using it to sign in. We need to protect ourselves as best we can because data is the new hot commodity. The black market works on stolen information.

We can take some comfort in the fact that in Australia, even though the number of scams is rising, losses are on the decline for the first time since 2016. This can be attributed to government intervention. The Albanese Government’s $168 million investment in scams prevention is clearly working.

But Australians must remain vigilant. Scammers will keep coming up with new tactics to manipulate consumers. And the Government will keep developing ways to thwart the scammers’ business model.

I’ve been working on a way with my colleagues, the Minister for Finance, Senator Katy Gallagher, who has carriage of Digital ID, and Assistant Treasurer and Minister for Financial Services, Stephen Jones, on protecting Australians against scammers. It’s called Trust Exchange. The Trust Exchange is still in development but is intended to make the sharing of personal information easier, more secure and trustworthy.

The beauty of Trust Exchange is that it is what we call a “distributed” model. That means your data won’t be stored in a single location. The data is not centralised.

One more time for the people up the back (or some who have trouble understanding this yet still write about it): this is not a centralised operation. Instead, it is a case of the Australian Government simply allowing you to take control of your credentials — confirming you are who you say you are, in a safer, more private, self-managed way. I’ll give you an example.

You go to a pub and if you look young, they ask for your proof of age. Instead of handing over your licence to be copied, the plan is that you would just hold your phone to a tap-to-pay style machine that would ask your digital wallet for a digital token that confirms you are over 18. You only share what you choose to share.

It is what amounts to a digital thumbs up by the Australian Government. Every time you perform a transaction like this, you will see exactly what information is being requested, and it will only be shared if you agree. Trust Exchange has the potential to massively change the way we operate.

If it passes the proof-of-concept stage at the end of this year, we will explore how this innovation could be applied in a range of settings — from registering with a health practice, proving concessional entitlement, to setting up a bank account or applying for a rental property. Imagine never again having to do that tedious chore of finding a seemingly endless list of documents so you can rent a house or put your wages away safely. We also need to help the private sector store less information and that may be a matter for the Parliament to amend laws that were brought in after 9/11.

We told businesses to “know your customer” and that meant storing a lot of superfluous information. But data storage and cybercrime have moved on. You might think, “this is all great but how does it stop the crooks?” Well, it means there would no longer be a gold mine of data in the one spot for cyber criminals to exploit.

And if we move to encrypted data only being accepted — that’s verified credentials — it means moving away from having to hand over plain text documents. And plain text documents are the easiest to sell on the data black market because anybody can read them. Trust Exchange is a new, world-leading concept.

To have it integrated into Australia’s cyber security environment would be something akin to a shop that puts up a sign that says “no cash kept on these premises”. It would send a signal to all scammers that Australia is not an easy touch. They can take their criminal enterprises elsewhere.

Bill Shorten is the Minister for the NDIS, Minister for Government Services and Federal member for Maribyrnong.