Australia’s overdue digital IDs will help fight online fraud
Australia’s new digital ID systems will reduce the amount of identity documents stored in IT systems targeted in cyber attacks. But improving security hinges on people embracing digital IDs.
Australia’s digital ID bill, recently passed in the Senate, will likely usher in far more convenient ways of logging into online services and solve a problem the Optus and Medibank breaches revealed: that Australian organisations collect too many identity documents and store them unencrypted.
Digital IDs could solve this, but so far the security benefits of an Australia-governed system of digital IDs have been clouded by a popular “allergy to a national ID”, says Stephen Wilson, managing director of consultancy Lockstep. The popular view might be a hangover from fears that the 1980s ‘Australia Card’ national ID proposal was a blueprint for mass surveillance.
“The presumption that the digital ID bill somehow centralises identification and gives the digital ID issuer an ‘eye in the sky’ over all transactions is a misconception, often based on misunderstanding ‘digital ID’ as a singular ID,” says Wilson.
Misconceptions like these could stifle adoption of digital IDs and delay their benefits. Yet 10.5 million Australians have signed up for myGovID since the Australian Taxation Office (ATO) released the app in 2019, which suggests many Australians do trust a government-issued digital ID. myGovID is currently Australia’s most widely adopted digital ID, but one that is limited to accessing government services.
De-risking Australia’s 100-point ID check
A working national framework for digital IDs in the private sector might have limited hackers’ access to copies of passports, driver’s licences and Medicare cards that make up the 100-point ID checks that certain operators retain to comply with anti-fraud and anti-money laundering laws.
“The Optus and Medibank attacks might have looked significantly different had digital IDs been implemented,” says Jamieson O’Reilly, CEO of Australian cybersecurity firm DVuln. “Personal information wouldn’t be housed in central databases. Instead, individuals’ data would be stored securely on their device, making mass data theft much less feasible.”
The Digital ID Bill 2023 enables the private sector to participate in the Australian Government Digital ID System (AGDIS), which underpins myGovID and supports 130 online government services. The bill retains Australia’s existing blend of IDs that make up the 100-point check used to validate an identity when people open new bank, betting or telephone accounts.
“Excessive personal data collection is reduced, most online identity theft and impersonation will be defeated, and over time it makes raw ID data useless to data thieves. Also, the rules of use for existing IDs are conserved, minimising disturbance to identification processes,” says Wilson.
Maintaining high standards under Australia’s Trusted Digital Identity Framework (TDIF), the accreditation component of AGDIS, will be critical to the security of the overall digital ID system as it grows, even as the government seeks to promote adoption.
TDIF-accredited ID providers include the ATO, Australia Post and Mastercard. Services Australia, AP+ (the owner of BPAY and ConnectID) and Mastercard are accredited ID exchanges. The ACCC will regulate digital IDs, which could soon include IDs for health insurance accounts, medical providers, students and employees.
Diverse digital IDs: A choice between resilience or uptake?
Australia’s proposed multiplicity of digital IDs is a vastly different design from that of other nations with high digital ID adoption. Many digital IDs might impede rapid adoption, since people can more easily learn a single ID’s sign-in steps and reuse them across many different services. But many IDs could also be more resilient to cyber attacks than the centralised bank-controlled digital IDs of Norway, Denmark and Sweden.
The bank-owned firm behind Sweden’s BankID issued its first digital ID in 2001. In-person verification at a bank branch is the preferred way to establish a BankID. In 2022, over 99% of the population aged between 18 and 65 had a BankID, and they use the app to log in to almost everything online: bank accounts, doctor appointments, all government services, utilities and insurers. They also e-sign contracts with it. More than 6,000 online services use BankID. That is what Australia’s digital ID integration could soon look like, with thousands of “receiving parties” instead of 130.
But BankID’s huge success has one big weakness: if BankID suffers a catastrophic failure, almost no-one could log in to most critical services.
“A cyber attack that shuts down BankID could have a major impact on several parts of Swedish society – not just payment services,” the nation’s finance sector regulator Finansinspektionen observed recently. Now the central bank, Riksbank, is exploring a government-issued digital ID, but that will take years to create.
It’s not an ideal situation for companies that seek resilience.
Max Landborn, head of engineering at Swedish payments startup Zaver, which is accredited to use BankID to authenticate users, says Zaver is required to use BankID for all customer identification because it is strong authentication. But if BankID goes down, there is no other way for customers to log in to Zaver.
“BankID has contributed to Sweden becoming one of the world’s most digitalised societies but there’s basically no viable backup for BankID in Sweden. BankID wants to ensure we do not only use BankID for initial authentication, and then later let users authenticate through username and password directly with us. There are some arguments for this, however, ideally, we could use BankID as the primary means of logging in and have a backup, like a username and password,” he says.
Landborn believes the most resilient digital ID system would be one that is decentralised along the lines of a blockchain, but with participation restricted to keep out well-resourced nation-state attackers.
Are digital ID providers critical infrastructure?
Australia will confront different problems as digital IDs are adopted. DVuln’s O’Reilly says hackers will “follow the data” and target digital ID apps.
“Attackers will be looking for ways to exploit vulnerabilities in the digital licence applications themselves and leveraging more sophisticated social engineering attacks,” he says.
Phil Goldie, managing director of Okta Australia, a global identity security company, says Australia’s digital ID providers should be treated as critical infrastructure, a designation that carries stricter incident reporting and risk management requirements.
“It’s not for me to appoint them, but yes, they would be critical infrastructure. Certainly, the trend we’re seeing with customers is that many companies are now either within that definition or assume they’re going to be brought over the next short time.”