18.10.2017

Link between Govpass and Medicare numbers stirs identity fraud anxiety


A video explaining the Govpass system will use Medicare cards as one element in a multi-factor verification process raised a few eyebrows online yesterday, but the concerns appear to be misplaced, based on the information provided.

The system is not yet available for the public to try out — some unnamed “stakeholders” are trying out the private beta — but at least the Digital Transformation Agency’s video appears to show someone using it.

Coming hot on the heels of Peter Shergold’s recommendations to tighten security around the system that lets health professionals look up a person’s Medicare details when they don’t have the physical card with them, some keen observers of Govpass worried it would be too easy to spoof and effectively steal someone’s digital identity.

Update: the minister responds below.

Shergold’s security review recommended Medicare cards should be retained as a “secondary” form of ID, and this is all they are used for in the Govpass sign-up process. However, the review panel was especially concerned about services that allow citizens and health providers to get their Medicare number over the phone, by passing a few verbal security checks, and recommended these be made more secure and eventually phased out.

Multiple vectors to prove identity

The Govpass video explains, perhaps a little too quickly, several steps to creating a new GovPass that relies on several separate credentials together, similar to the 100-points system, along with two-factor authentication and biometric facial analysis.

This should make the overall process reasonably difficult to fool, depending of course on the digital nuts and bolts behind it. Another deterrent is that identity fraud of this kind would also attract serious criminal charges.

The former head of the DTA’s digital identity play, Rachel Dixon, is also watching on. On Twitter she explained that Medicare cards were not used as a primary form of ID and the verification standards that were developed during her time at the agency had been shared with groups like the Australian Privacy Foundation and Electronic Frontiers Australia.

Dixon also tweeted that working on the project — which suddenly became much more private when the minister got cold feet a year ago, just as she was about to publicly unveil a prototype — was “the most difficult” thing she had ever done. She seems relieved that getting it right is no longer her problem. “Except as a citizen.”

Smile!

The Govpass website will fire up the camera that is in-built or attached to the person’s computer or mobile device and take a new photo of their face, which will be checked against their driver’s license or passport photo using the relatively new Face Identification Service.

The video doesn’t explain all the technical details such as how it ensures the image data is coming directly from a live camera, or that a printed photo isn’t being effectively held up to the camera.

Users will have to confirm they have access to an email address and a mobile phone to use for two-factor authentication. The video says they have to enter a single-use code that is sent to their email address each time they use their Govpass. “For security, we will also send a code to your mobile phone,” the website tells them. It’s not clear if this is used every time, as is standard in two-factor verification, or just once in the setup process.

To get a Govpass you also need to plug in a few details from two other forms of ID as well as your Medicare card: something with a photo such as a driver’s license or passport, along with details from your birth certificate, citizenship certificate or ImmiCard.

Do as we say, not as we do

Technology commentator Stilgherrian brought it to our attention that the DTA didn’t brief its cartoonist very well either.

A step toward simplicity

“The Australian Government has more than 30 different logins for digital services,” the Assistant Minister for Digital Transformation Angus Taylor said in yesterday’s statement. “Not only does this create extra work for users, it represents unnecessary expense for agencies.”

“I would like to see a point where we can do away with all those user names and passwords, that need to continue to be updated, when you login to a service.”

He added that “no details from the documents, or the photograph, are retained” by the Govpass system and reiterated that it is optional: “Face-to-face contact for government services will still be available, and an offline solution is being designed which will allow those who don’t have access to the appropriate documents to create a digital identity.”

Minister points to new digital identity standards

The Mandarin contacted Taylor for any further details about how Govpass will defend against identity fraud, and to whom exactly the Govpass beta had been “delivered” as per yesterday’s announcement.

The minister’s spokesperson says the face-matching system is a boost to security because it removes the possibility of human error when someone simply looks at the photo ID and compares it to the person standing in front of them.

“In addition, any entity seeking to become an identity provider within the Govpass system will have to meet the highest standards of security (currently being developed) that will become benchmarks on digital identity for the Australian public and private sectors,” the spokesperson added by email.

“The first round of Framework documents has been drafted and is now ready for consultation. We have shared these documents with Commonwealth, state and territory, and commercial sector stakeholders.”

Taylor’s office describes the Govpass private beta as “a working, but not complete, software product that is undergoing limited testing” with “a select group of users that match the product’s target audience” and tells us that new features and functionality are still being added.

“Key stakeholders being consulted on the framework of standards include government, industry and privacy advocates. The framework will be released for public consultation towards the end of the year.”

In the meantime, we were provided a table of contents describing 14 documents that make up the framework:

  • Trust Framework structure and overview: provides a high level overview of the Trust Framework including the structure and relationship between the various components.
  • Trust Framework accreditation process: defines the requirements to be met by applicants in order to achieve Trust Framework accreditation.
  • Glossary of terms: a list of all identity-specific terms and their meanings.
  • Privacy Assessment: lists the minimum privacy controls to be assessed by a privacy auditor when evaluating an identity service.
  • Security Assessment (IRAP): lists the minimum protective security controls to be assessed by an ICT security auditor when evaluating an identity service.
  • Core Privacy Requirements: sets out requirements for maintaining user privacy.
  • Core Protective Security Requirements: sets out requirements for maintaining secure identity services.
  • Core User Experience Requirements: sets out the requirements for usability and accessibility.
  • Core Risk Management Requirements: sets out the risk management responsibilities of entities undergoing accreditation.
  • Core Fraud Control Requirements: sets out requirements for fraud control.
  • Digital Identity Proofing Standard: sets out requirements relating to the digital verification of an individual’s identity.
  • Authentication Credential Standard: sets out requirements relating to authentication credentials.
  • Information Security Documentation Guide: describes content to be included in information security documentation.
  • Risk Management Guide: sets out a risk management process that participants in the identity federation can follow in order to mitigate credible, likely and realistic risks.