The co-ordinated cyberattack launched against a number of super funds a fortnight ago exposed significant flaws in their security – among them, that two-factor authentication (2FA) is not standard across funds or mandatory for members among those funds that have implemented it.
2FA requires users of an app or system to provide two forms of identification to access it rather than just their password. It’s a basic security measure on most banking apps, government websites and even rewards programs like Flybuys.
But in the aftermath of the attack – which targeted AustralianSuper, Rest, Hostplus, Insignia and Australian Retirement Trust (ART) – all funds need to make sure that they’re offering 2FA and getting their members to adopt it, says Toby Murray, professor of cybersecurity in the University of Melbourne’s School of Computing and Information Systems.
“The people who were probably most impacted by this are super fund members that are at retirement age and therefore are able to make withdrawals or transfers from their accounts,” Murray tells Investment Magazine.
“Getting folks who are older to adopt these kinds of security technologies, of course that’s a challenge – or more challenging in comparison to younger members – but it’s really important, because they’re also more vulnerable to being scammed.
“There is a bit of a challenge there for the super funds, but it is on them to do this. If they’re going to offer online accounts where you can make withdrawals then they also have a responsibility to make sure members are able to protect those accounts as well.”
Aware Super has 2FA for all transactions but didn’t use it for logins to its member portal until fairly recently, though its implementation did pre-date the cyberattacks. 2FA is available to all members of ART and the fund has been running engagement campaigns since last year to get them to implement it. It is in late-stage discussions to make it mandatory but so far hasn’t, citing the wide variation in age and ability across its 2.4 million-strong member base. There has been an uptick in members using 2FA as a result of the cyberattack, and ART does have additional security requirements for most transactions, though changing investment options won’t trigger them.
Rest was also hit in the cyberattack and is working to tighten security in its aftermath.
“Multifactor authentication is already used when members register for the Rest App and our MemberAccess portal, as well as on a number of additional processes,” a Rest spokesperson told Investment Magazine. “We have an existing program underway to expand multifactor authentication to all logins.”
In the aftermath of the attack, funds have been cagey about their security arrangements, citing fears that cybercriminals might exploit any information they divulge. Ten AustralianSuper members lost a collective $750,000 as a result of the attack, where criminals used passwords sold on the dark web to access members’ accounts.
AustralianSuper currently doesn’t use 2FA for logging in to its mobile app, which can be unlocked with a PIN or Face ID (it does require 2FA to set the app up). A spokesperson told Investment Magazine that the fund has multi-factor authentication in place “for the withdrawal of money where the request is initiated within the digital platforms” and said that there were other security controls in place to identify suspicious activity, but would not answer further questions on how scammers were still able to transact from member accounts with those protections in place.
“AustralianSuper requires two factor authentication… for a number of key interactions that members have with their accounts,” the spokesperson said.
“We are in the process of introducing a one-time PIN for logins on the web portal, which we expect will occur within a month.”
Adoption of 2FA is patchy across different industries, Murray said, with companies tending to implement it as a reactive measure in the wake of an attack or breach.
“It’s expensive to adopt; it costs more money, and if you haven’t got members who are asking for it and the costs of security breaches are not being worn by the super funds, they don’t have a strong incentive to adopt these technologies,” Murray said.
“You see that in lots of other places as well – until an industry is forced to improve their security technologies, they often don’t go ahead and do it. It’s costly for them and they often don’t pay the cost of security breaches.”
But beyond 2FA, funds need to be investing more in threat detection to make sure they know when they’ve become the target of nefarious actors.
“This showed us that there’s probably a need for better automated fraud detection for the super funds as well – looking for patterns of malicious behaviour that indicate a larger-scale attack, which is what this one seemed to be – a co-ordinated attack against a number of funds,” Murray said.
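As an added illustration (not code from the article, from Murray or from any fund), this is the shape of the fund-level detection Murray is describing: a fund sees every login, so it can notice one source address trying many different member accounts in a short window and then withdrawing from the ones that opened, a pattern no single member could see. The log format, addresses, member ids and thresholds are constructed assumptions.

```python
"""Fund-level credential-stuffing detector over constructed auth/transaction events.
The log format, IPs, member ids and thresholds below are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp, source IP, member id, action, outcome.
# First source hits five accounts in seconds and withdraws from two; second is a normal member.
SAMPLE_LOG = """\
2025-04-01T02:00:01 198.51.100.7 m1001 login ok
2025-04-01T02:00:03 198.51.100.7 m1002 login fail
2025-04-01T02:00:05 198.51.100.7 m1003 login ok
2025-04-01T02:00:09 198.51.100.7 m1004 login fail
2025-04-01T02:00:12 198.51.100.7 m1005 login ok
2025-04-01T02:00:20 198.51.100.7 m1001 withdrawal ok
2025-04-01T02:00:25 198.51.100.7 m1005 withdrawal ok
2025-04-01T09:15:00 203.0.113.5 m2001 login ok
2025-04-01T09:16:00 203.0.113.5 m2001 withdrawal ok
"""


def parse(log):
    """Turn one event per line into (timestamp, ip, member, action, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, member, action, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, member, action, outcome))
    return events


def detect_stuffing(events, window_s=300, min_accounts=3):
    """Flag any source IP whose logins touch >= min_accounts distinct members
    within window_s seconds (success or failure both count: the attacker is
    replaying bought credentials), and list which of those members then had a
    successful withdrawal from the same source so they can be frozen first."""
    by_ip = defaultdict(list)
    for ts, ip, member, action, outcome in events:
        by_ip[ip].append((ts, member, action, outcome))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        logins = [(ts, m) for ts, m, a, _ in evs if a == "login"]
        for i, (start, _) in enumerate(logins):  # slide a window from each login
            accounts = {m for ts, m in logins[i:] if (ts - start).total_seconds() <= window_s}
            if len(accounts) >= min_accounts:
                withdrew = sorted({m for _, m, a, o in evs
                                   if a == "withdrawal" and o == "ok" and m in accounts})
                alerts[ip] = {"accounts": len(accounts), "withdrew": withdrew}
                break
    return alerts
```

Run over the sample, only 198.51.100.7 is flagged (five accounts in eleven seconds, withdrawals from m1001 and m1005); the ordinary member at 203.0.113.5 is not.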
“Individual members can’t do much about that, but a super fund with visibility over all accounts certainly can… In addition to that, encouraging members to write down their passwords so they’re not having to use the same password for their super account as they’re using for five other accounts. That’s quite sensible – a password written down in your house is quite secure at the end of the day.”