While the recent credential stuffing attacks against Australian super funds impacted only a small number of people, the security implications far outweigh the victim count.
Four Australians woke up to the grim reality of their retirement savings vanishing overnight in a cyber attack on multiple Australian superannuation providers in early April. Using stolen customer credentials, hackers drained nearly half a million dollars from their accounts. While investigators rush to uncover the full scale of the breach, the crime highlights the growing threats facing financial security in the digital age.
Is Australia’s $4.2 trillion in retirement capital safe from cyber threats? With 12.6 million superannuation members exposed in recent breaches, the risk remains significant. This urgent question demands an immediate answer.
The Australian Prudential Regulation Authority (APRA) stated in 2023 that multifactor authentication (MFA) is “one of the most effective controls an organisation can implement”. Two years later, as fraud methods become more advanced and threats evolve, we must ask whether MFA alone can still safeguard Australians’ financial accounts against these increasingly sophisticated attackers. Australian organisations reported a 66 per cent year-on-year increase in fraud, with every dollar lost costing firms $3.68, according to the LexisNexis True Cost of Fraud Study.
MFA: A strong foundation, not an impenetrable barrier
MFA requires users to authenticate their identity with two or more credentials, making it an effective tool in reducing unauthorised access and adding friction to the login process. This extra layer of security significantly lowers the chances of credential compromise. However, it is not entirely infallible and can still be bypassed.
Modern fraud tactics like phishing, social engineering, and malware are finding ways to bypass MFA, especially with the use of AI. For example, fraudsters can clone the voice of their target and bypass voice authentication systems during the verification process.
However, criminals often do not need advanced technology or complex methods to gain unauthorised access. Many consumers still reuse passwords across multiple accounts, a practice that likely played a major role in the success of recent attacks on the sector.
Superannuation accounts, with their typically larger balances and infrequent logins, are particularly vulnerable and therefore appealing targets for fraudsters: because users rarely check them, fraud often remains undetected until considerable damage has occurred. This has led financial institutions to reconsider whether existing safeguards are sufficient to counter modern threats.
Calling for a more adaptive approach
Forgetting passwords or getting locked out of accounts after failed login attempts frustrates many of us. These security measures aim to protect users, but repeated login requests or system blocks can feel overwhelming. With customer expectations growing, the superannuation industry faces the challenge of balancing robust security with a seamless user experience.
The balance between protecting customers and delivering a smooth user experience has become increasingly critical as financial institutions tackle rising customer expectations and more advanced fraud threats.
Applying MFA to every interaction could deter opportunistic attackers, but it may also lead to significant drawbacks. The added friction could drive abandonment, leaving consumers less likely to check their balances and unaware they have fallen victim to an attack.
A more nuanced and adaptive approach is required, using the risk level of each interaction to tailor authentication while detecting and stopping complex fraud in near real time without adding unnecessary friction.
Layers of protection
Financial institutions must prioritise establishing a robust risk framework to tackle these challenges.
Properly implemented, even basic velocity checks can effectively disrupt and deter credential stuffing attacks, which have recently impacted the industry. As criminals become more aware and technologically advanced, a multi-layered risk framework is vital. This approach ensures that if one defence line fails, others remain active to detect and counter suspicious activities. Key measures should include identity verification, device intelligence, behavioural intelligence and real-time risk scoring.
Each layer strengthens defences against fraudsters, allowing financial institutions to respond quickly to evolving threats while maintaining a seamless customer experience.
A multi-layered defence strategy begins with the first line of defence: risk assessment. Understanding the risk comes before understanding the user. Institutions assess contextual risk signals such as device reputation, IP geolocation, network patterns and login behaviours for each interaction. AI models analyse these signals in real time to assign a risk score, deciding whether extra authentication is necessary. Low-risk logins continue without disruption, while higher-risk attempts prompt additional security steps like one-time passcodes or further verification checks.
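The velocity check mentioned earlier and the first-line risk assessment described above, as an added illustration that is not code from the article or from any named vendor: a sliding-window counter flags one source IP cycling through many accounts (the credential stuffing pattern), and that velocity signal is combined with device and geolocation context into an allow / step-up / block decision. Window length, thresholds and score weights are assumed values, and the login events are constructed.

```python
from collections import defaultdict, deque

# Thresholds are assumed illustration values, not figures from the article.
WINDOW_SECONDS = 300      # sliding window for the velocity check
MAX_ACCOUNTS_PER_IP = 10  # distinct accounts one source IP may try inside the window


class VelocityTracker:
    """Sliding-window record of (timestamp, account) per source IP."""

    def __init__(self):
        self.by_ip = defaultdict(deque)

    def record(self, ev):
        q = self.by_ip[ev["ip"]]
        q.append((ev["ts"], ev["account"]))
        while q and ev["ts"] - q[0][0] > WINDOW_SECONDS:  # drop attempts outside the window
            q.popleft()

    def distinct_accounts(self, ip):
        # Credential-stuffing signature: one source cycling through many accounts.
        return len({acct for _, acct in self.by_ip[ip]})


def evaluate(ev, tracker):
    """Record the attempt, then turn velocity and context signals into a decision."""
    tracker.record(ev)
    score = 0
    if tracker.distinct_accounts(ev["ip"]) > MAX_ACCOUNTS_PER_IP:
        score += 60                              # velocity signal
    if ev["ip_reputation"] == "bad":
        score += 40                              # network intelligence signal
    if not ev["known_device"]:
        score += 20                              # device intelligence signal
    if ev["country"] != ev["home_country"]:
        score += 20                              # IP geolocation signal
    decision = "block" if score >= 60 else "step_up" if score >= 20 else "allow"
    return score, decision


def run_sample():
    """Constructed events: a stuffing burst from one IP, then a member's routine login."""
    t = VelocityTracker()
    base = {"ip_reputation": "ok", "country": "AU", "home_country": "AU"}
    burst = [dict(base, ts=i, ip="203.0.113.7", account=f"member{i}", known_device=False)
             for i in range(12)]
    normal = dict(base, ts=500, ip="198.51.100.4", account="member1", known_device=True)
    return [evaluate(e, t)[1] for e in burst] + [evaluate(normal, t)[1]]
```

In the constructed sample the first ten attempts from the stuffing IP only earn a step-up (an unknown device), the eleventh and twelfth cross the velocity threshold and are blocked, and the member's later login from a known device passes without friction.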
AI-powered identity verification serves as the second line of defence. It confirms the person behind the screen is genuine within seconds by using advanced document verification, liveness detection, and biometric matching. This layer compares identity details with public records and data from multiple providers to validate the existence of the identity.
The third line of defence centres on fraud assessment by analysing risks linked to the individual’s identity. It evaluates potential fraud stemming from their digital or physical identity and behaviour, aiding in better decision making. Using behavioural intelligence such as typing rhythm, device interaction and mouse movements, this layer creates a dynamic user profile. Any deviation from usual patterns may signal account takeover or bot activity.
The fourth line of defence focuses on adaptive identity authentication. It ensures the person is who they claim to be, safeguarding your organisation while delivering a smooth digital experience for customers. Additional identity authentication measures are dynamically applied in higher-risk scenarios to strengthen security.
Recent cyber attacks serve as a wake-up call for the superannuation industry to adopt a robust defence framework. APRA’s guidance on MFA implementation lays a solid foundation, but industry players must act proactively and work together to stay ahead of fraudsters.