Op-Ed: Protecting superannuation accounts from rising cyber security risks

The Australian Prudential Regulation Authority (APRA) stated in 2023 that multifactor authentication (MFA) is “one of the most effective controls an organisation can implement”. Two years later, as fraud methods become more advanced and threats evolve, we must ask whether MFA alone can still safeguard Australians’ financial accounts against these increasingly sophisticated attackers. Australian organisations reported a 66 per cent year-on-year increase in fraud, with every dollar lost costing firms $3.68, according to the LexisNexis True Cost of Fraud Study.

MFA: A strong foundation, not an impenetrable barrier

MFA requires users to authenticate their identity with two or more credentials, making it an effective tool in reducing unauthorised access and adding friction to the login process. This extra layer of security significantly lowers the chances of credential compromise. However, it is not entirely infallible and can still be bypassed.

Modern fraud tactics like phishing, social engineering, and malware are finding ways to bypass MFA, especially with the use of AI. For example, fraudsters can clone the voice of their target and bypass voice authentication systems during the verification process.

VIEW ALL

However, criminals often do not need advanced technology or complex methods to gain unauthorised access. Many consumers still reuse passwords across multiple accounts, a practice that likely played a major role in the success of recent attacks on the sector.

Superannuation accounts and their typically larger balances are particularly vulnerable, as users rarely access them, making them appealing targets for fraudsters. Fraud often remains undetected until considerable damage occurs. This has led financial institutions to reconsider whether existing safeguards are sufficient to counter modern threats.

Calling for a more adaptive approaches

Forgetting passwords or getting locked out of accounts after failed login attempts frustrates many of us. These security measures aim to protect users, but repeated login requests or system blocks can feel overwhelming. With customer expectations growing, the superannuation industry faces the challenge of balancing robust security with a seamless user experience.

The balance between protecting customers and delivering a smooth user experience has become increasingly critical as financial institutions tackle rising customer expectations and more advanced fraud threats.

Applying MFA to every interaction could deter opportunistic attackers, but it may also lead to significant drawbacks. The added friction could drive abandonment, leaving consumers less likely to check their balances and unaware they have fallen victim to an attack.

A more nuanced and adaptive approach is required, using the risk level of each interaction to tailor authentication while detecting and stopping complex fraud in near real time without adding unnecessary friction.

Layers of protection

Financial institutions must prioritise establishing a robust risk framework to tackle these challenges.

Properly implemented, even basic velocity checks can effectively disrupt and deter credential stuffing attacks, which have recently impacted the industry. As criminals become more aware and technologically advanced, a multi-layered risk framework is vital. This approach ensures that if one defence line fails, others remain active to detect and counter suspicious activities. Key measures should include identity verification, device intelligence, behavioural intelligence and real-time risk scoring.

Each layer strengthens defences against fraudsters, allowing financial institutions to respond quickly to evolving threats while maintaining a seamless customer experience.

A multi-layered defence strategy begins with the first line of defence: risk assessment. Understanding the risk comes before understanding the user. Institutions assess contextual risk signals such as device reputation, IP geolocation, network patterns and login behaviours for each interaction. AI models analyse these signals in real time to assign a risk score, deciding whether extra authentication is necessary. Low-risk logins continue without disruption, while higher-risk attempts prompt additional security steps like one-time passcodes or further verification checks.

AI-powered identity verification serves as the second line of defence. It confirms the person behind the screen is genuine within seconds by using advanced document verification, liveness detection, and biometric matching. This layer compares identity details with public records and data from multiple providers to validate the existence of the identity.

The third line of defence centres on fraud assessment by analysing risks linked to the individual’s identity. It evaluates potential fraud stemming from their digital or physical identity and behaviour, aiding in better decision making. Using behavioural intelligence such as typing rhythm, device interaction and mouse movements, this layer creates a dynamic user profile. Any deviation from usual patterns may signal account takeover or bot activity.

The fourth line of defence focuses on adaptive identity authentication. It ensures the person is who they claim to be, safeguarding your organisation while delivering a smooth digital experience for customers. Additional identity authentication measures are dynamically applied in higher-risk scenarios to strengthen security.

Recent cyber attacks serve as a wake-up call for the superannuation industry to adopt a robust defence framework. APRA’s guidance on MFA implementation lays a solid foundation, but industry players must act proactively and work together to stay ahead of fraudsters.