Fake myGov profiles are being used to hack ATO accounts.
Dec 18, 2022 7:12:05 GMT 7
Post by Banjo on Dec 18, 2022 7:12:05 GMT 7
Fake myGov profiles are being used to hack ATO accounts.
"Congratulations on selling your Footscray house," an accountant told Sue* last month while the pair were discussing a routine tax return.
The comment was baffling. Sue didn't own a house in Footscray.
But according to her Australian Tax Office (ATO) records, not only did her supposed inner-Melbourne home go under the hammer but her return had already been lodged.
In fact, more amendments had been put through on previous years' tax returns and one more was still pending.
As Sue and her accountant pored over the details on his screen, a horrifying realisation set in. Someone had accessed her account, impersonated her, and fraudulently lodged five refunds from the ATO amounting to $25,000.
Amid the high-profile data breaches involving Medibank and Optus, she thought perhaps she was the victim of an unreported major government agency breach.
The truth was far more complicated.
Through Sue, ABC Investigations has uncovered a vulnerability in the myGov and ATO systems which is being exploited by cybercriminals to defraud the taxpayer.
It's a loophole which no amount of careful management of your online activity can prevent.
Sue has worked for several decades in the banking and large commercial sectors.
Recently retired, she divides her time between a city pad and a regional Victorian "tree change" property.
The Melbourne woman is what cyber security and information experts would characterise as the model citizen for digital hygiene.
She knows to never click on unsolicited or strange links; she never discloses her passwords, which are complex and unique; she keeps her myGov and ATO online sessions restricted to one device, which she has scanned extensively for malware or viruses.
Sue even shreds her physical receipts; but scrupulous security habits could only take her so far, as she discovered that day in her accountant's office.
Whenever a user logs into myGov to access their ATO account, a two-factor authentication (2FA) is triggered; in Sue's case, she was supposed to be sent a code to her phone.
She had not received any such account authorisation request in recent months.
"We found that the address, the [bank] account number, the telephone number, the email had all been changed," Sue said.
Sue had been an Optus breach victim. She initially thought the hacker must have used that information to help crack into her ATO account — but ABC Investigations found this wouldn't have been enough for the perpetrators to get in.
Read more... www.abc.net.au/news/2022-12-18/ato-tax-hacked-via-mygov-services-australia-exploit/101781656