Disclaimer
This document is based on independent research, observation, and conceptual analysis only. No unauthorised access, probing, scanning, testing, or interaction with live systems was performed. All findings and scenarios discussed are derived from publicly observable behaviour, documented system design patterns, and hypothetical threat modelling for educational and defensive purposes.
Focus
A multi-layered security proposal to reduce identity fraud across ATO and myGov by strengthening identity verification, session trust, and protection around sensitive actions.
Problem Context
- Recent incidents show that while login security can be strong, critical workflows like refunds, bank detail changes, and account recovery can still be abused with stolen credentials, timed for low-activity periods.
Key Security Control Areas
- Identity & Device Proofing — Biometric verification for high-risk actions, device recognition with escalated checks for new devices, and mobile challenge confirmations through myGovID to prove real user presence.
- Session & Trust Enforcement — Tight session timeouts, automatic termination on IP/device changes, and mandatory reauthentication before sensitive transactions to limit hijacking impact.
- Fraud-Path Disruption — Mapping repeated claim/refund workflows to identify choke points and introducing targeted roadblocks (extra verification, time-based checks, deliberate delays) to break attacker automation.
- Time, Location & Payout Safeguards — Time-of-day risk scoring, geolocation-aware verification, and delayed payout approval for new or high-risk claims to provide an intervention window.
- Insider Risk Controls — Segmented internal access, high-fidelity activity logging, anomaly detection, and stronger contractor vetting to reduce misuse of privileged portals.
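One way to combine the session, device, time, location and payout controls listed above into a single decision function. This is an added example, not part of the original proposal or of any ATO or myGov system. The weights, thresholds, hold period, 14-day bank-change window and all field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Every constant below is an assumed, illustrative value.
SENSITIVE = {"refund_claim", "bank_detail_change", "account_recovery"}
REAUTH_WINDOW = timedelta(minutes=5)   # how fresh the last authentication must be
QUIET_HOURS = range(0, 5)              # low-activity hours, local time
STEP_UP, HIGH_RISK, HOLD_HOURS = 30, 60, 48

@dataclass
class Event:
    action: str
    when: datetime
    last_auth: datetime
    session_ip: str
    request_ip: str
    session_device: str
    request_device: str
    device_known: bool
    geo_usual: bool
    bank_changed_days_ago: Optional[int] = None

def decide(ev: Event) -> dict:
    result = {"outcome": "allow", "score": 0, "steps": [], "hold_hours": 0}
    # Session trust: a mid-session IP or device change ends the session outright.
    if (ev.request_ip, ev.request_device) != (ev.session_ip, ev.session_device):
        return {**result, "outcome": "terminate_session"}
    if ev.action not in SENSITIVE:
        return result
    recent_bank = ev.bank_changed_days_ago is not None and ev.bank_changed_days_ago <= 14
    score = 0 if ev.device_known else 30                 # new device
    score += 0 if ev.geo_usual else 25                   # unfamiliar location
    score += 20 if ev.when.hour in QUIET_HOURS else 0    # time-of-day risk
    score += 25 if recent_bank else 0                    # payout target just changed
    steps = []
    if ev.when - ev.last_auth > REAUTH_WINDOW:
        steps.append("reauthenticate")       # fresh login before any sensitive action
    if score >= STEP_UP:
        steps.append("mygovid_challenge")    # mobile confirmation of user presence
    if score >= HIGH_RISK:
        steps.append("biometric")            # reserved for high-risk actions
    # Delayed payout: hold refunds that are high-risk or follow a bank change.
    hold = HOLD_HOURS if ev.action == "refund_claim" and (recent_bank or score >= HIGH_RISK) else 0
    outcome = "step_up" if steps else ("hold" if hold else "allow")
    return {"outcome": outcome, "score": score, "steps": steps, "hold_hours": hold}

# Constructed sample: 02:30 refund claim from a new device, bank details changed 2 days ago.
_t = datetime(2024, 7, 10, 2, 30)
print(decide(Event("refund_claim", _t, _t - timedelta(minutes=2),
                   "203.0.113.7", "203.0.113.7", "dev-a", "dev-a", False, True, 2)))
```

A payout hold applies in addition to any step-up checks, so a claim that passes the challenge still waits out the intervention window.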
Closing Note
This proposal was developed as part of an ongoing learning process in understanding how large-scale digital identity systems fail in practice, not just in theory. Rather than focusing on single exploits, it examines how trust, timing, and workflow design can be abused at scale — and how small, well-placed controls can meaningfully reduce risk. The intent is to contribute practical, defensive ideas that improve system resilience while recognising the real-world behaviour of both users and attackers.