This appeared a few days ago:
Payday lenders ask customers to share myGov and banking passwords, putting them at risk
ABC Science
By technology reporter Ariel Bogle
Payday lenders are asking applicants to share their myGov login details, as well as their internet banking password — posing a security risk, according to some experts.
It also goes against the advice of the government website.
As spotted by Twitter user Daniel Rose, the pawnbroker and loan provider Cash Converters asks people receiving Centrelink benefits to provide their myGov access details as part of its online approval process.
A Cash Converters spokesperson said the company gets data from myGov, the government's tax, health and entitlements portal, via a platform provided by the Australian financial technology firm Proviso.
This occurs online, and computer terminals are also provided in-store.
Luke Howes, CEO of Proviso, said "a snapshot" of the most recent 90 days of Centrelink transactions and payments is collected, along with a PDF of the Centrelink income statement.
Some myGov users have two-factor authentication turned on, which means they must enter a code sent to their mobile phone to log in, but Proviso prompts the user to enter the digits into its own system.
This lets a Centrelink applicant's recent benefit entitlements be included in their bid for a loan. This is legally required, but does not need to occur online.
Keeping data safe
A Department of Human Services spokesperson said users should not share their myGov credentials with anyone.
"Anyone who is concerned they may have provided their username and password to a third party should change their password immediately," she added.
Disclosing myGov login details to any third party is unsafe, according to Justin Warren, chief analyst and managing director of IT consultancy firm PivotNine.
Especially given it is the home of My Health Record, Child Support and other highly sensitive services.
Nigel Phair, director of the Centre for Internet Safety at the University of Canberra, also advised against it.
He pointed to recent data breaches, including the credit score agency Equifax in 2017, which affected more than 145 million people.
"It's great to outsource certain functions, but you can't outsource the risk," he said.
ASIC penalised Cash Converters in 2016 for failing to adequately assess the income and expenses of applicants before signing them up for payday loans.
A Cash Converters spokesperson said the company uses "regulated, industry standard third parties" like Proviso and the American platform Yodlee to securely transfer data.
"We don't wish to exclude Centrelink payment recipients from accessing funding when they need it, nor is it in Cash Converters' interest to make an irresponsible loan to a customer," he said.
More here:
Frankly reading this was a huge WTF moment!
So what we have here are rather ethically challenged companies (Pay day lenders) asking for and getting log on details for myGov which among other things – unless I have this very wrong – also provide access to a person’s myHR if they happen to have one!
Who knows who collects this access information and what arrangements there are in place to prevent use of any information the collectors see in the myHR.
This is all wrong and utterly offensive at all sorts of levels.
There are only three possible solutions I can see to this atrocious situation.
1. The myHR is given its own portal or
2. All entities such as payday lenders and everyone else are prevented from accessing personal information from the myGov portal and / or.
3. Draconian penalties are introduced for any third-party use of a myGov login.
As well there need to be public warnings re handing over such credentials!
No matter how you look at it access to a myHR via a login provided to assist in establishing financial credentials for the poorer among us stinks!
Who knows what other groups are doing similar things and just have not been noticed and the implications recognized.
From this last line of the article “Yodlee, Nimble and Wallet Wizard did not return the ABC's request for comment.” it looks like a there is a bit of ‘going to ground’ happening.
The ADHA needs to put out a press release on Monday explaining just how this issue is being handled from the perspective of the myHR and its users. This is the sort of secret nonsense that just ruins any confidence any of us might have in Government!
David.
10 comments:
If I freely give someone my MyGov UserID/Password then am I not giving them consent to view all the data that I, and therefore they, can then access?
What legislation could possibly distinguish between payday lenders and a carer, friend partner, or relation? We are not talking about operating the MyHT system, just viewing the data. You know, the data that you are supposed to have complete control over? (Yes, I know you don't really, but let's pretend, like the government does)
They might try legislating that payday lenders cannot demand such access, but all the lenders have to say is that it's voluntary and things will be so much quicker and easier if you do.
Is this not an unintended consequence of a single sign-on system designed to "make things easier"?
It's rather like the Department of Health designing a health record system to make access to everyone's health data easier. They now have the much harder problem of making some access more difficult.
Medicos know this as "sometimes the cure is worse than the ailment".
"If I freely give someone my MyGov UserID/Password then am I not giving them consent to view all the data that I, and therefore they, can then access?"
I would argue it is not freely given - you NEED the money.
Anyway I would ban all third party access to myGOV - only the data-subject and no-one else to get to your records - or myHR needs a separate portal!
David.
Person centred information is to valuable. Another fine pickle they have created. Still if nothing else works, a total pig-headed unwillingness to look facts in the face will see us through.
I would argue it is not freely given - you NEED the money.
Well stated David, I am no lawyer but that sounds like shaking territory for informed consent, manipulation perhaps? Won’t be long before the Gov makes MyHR mandatory for Medicare benefits
MyHR needs a separate portal!
Although there is intention to use one during the Optout phase I cannot see that lasting long. As for ADHA making any statements or championing a change, I cannot see that happening. They have demonstrated through their treatment of staff that people count for very little.
That is a tough one. From the lenders perspective they seemingly want to make the approval process as efficient as possible. They are also bound to risk based lending practices and whatever industry regulations and standards. To do that income and financial history, ability to repay the loan etc.. the alternative is I believe obtaining this records and then submitting them in PDF. All of which collects information and is stored in various places as the user downloads, emails and so on.
What I don’t get from this is in the information is stored or destroyed by the collecting the information.
will insurance companies be next?
then potential employers?
Experts sound alarm as biometric data from driver's licences added to government database
http://www.abc.net.au/news/2018-01-15/alarm-raised-as-drivers-licences-added-to-government-database/9015484
Does anyone seriously believe that the government will not be at least tempted to link myhr with "the interoperability Hub"?
Many agencies already have the power to request data from myhr; joining it to "the interoperability Hub" would just make it so much easier and quicker.
And would the interoperability initiative being run by ADHA allow access via myhr directly into GP and hospital systems?
If the government said - "of course we have no intention of doing that", would we believe them?
Maybe we should take up a collection and buy them all some T-Shirts?
1984 is not an instruction manual
Maybe on the back you could have - ‘The Machine Stops’ is for us
Post a Comment