
Researchers want Australia's digital ID system thrown out and redesigned from scratch


Researchers find myGovID is subject to an easily-implemented code proxying attack, while the digital identity solution from Australia Post does not possess a fundamental requirement for accreditation.
Researchers have recommended that the Australian government abandon its existing digital identity system and start again from scratch, again highlighting security flaws in two of the systems already accredited.

Professor Vanessa Teague and Ben Frengley last year disclosed to the Australian Taxation Office (ATO) a weakness in its myGovID system. They found myGovID is subject to an easily implemented code proxying attack, which allows a malicious website to proxy a person's myGovID login and re-use their authentication to log in to the victim's account on any website of their choice. The pair said the ATO, in response, informed them that it had no intention of fixing the flaw.

The Digital Transformation Agency (DTA) is responsible for the Trusted Digital Identity Framework (TDIF), which is a high-level design for a federated authentication system.

"The primary security goal of an authentication mechanism is to prevent malicious parties from logging in fraudulently to others' accounts. A secondary security goal is to maintain the privacy of the identity proof documents and biometric data used to establish identity," the researchers wrote [PDF]. "Neither the TDIF's high-level design, nor its implementation by the ATO (myGovID) meet their intended security goals.
