
What to learn from recent cyber attacks on Australian super funds

Apr 8, 2025 Tech blog

In recent weeks, cyber attacks have targeted several major Australian superannuation funds, resulting in unauthorised access to member accounts and, in some cases, financial losses. If you haven’t already, now is the time to do an audit of your digital footprint and make sure you haven’t been compromised by this situation.

The important points to note and actions to take away from this cyber attack are:
 

  1. The attack method used is known as ‘credential stuffing’. The attacked organisation’s own technology infrastructure is not compromised at all; instead, the criminals take usernames and passwords stolen from other breaches, usually purchased on the dark web, and try them against the fund’s login page to gain access to member accounts. The method only works when people use the same password across multiple accounts - an unfortunately common occurrence!

    REQUIRED ACTION: This highlights one of the simplest security tips we can all follow - do not reuse passwords across accounts and do not save passwords in your browser. If you currently manage your online accounts this way, whether or not you have been affected by this superannuation fund cyber attack, now is the time to overhaul your habits and use a unique password, stored securely, for every online login you have.

    For help on how to securely manage all the passwords in your life, watch our Cyber Heroes video, Bombproof Passwords, for all you need to know about passwords and password managers.
     
  2. The superannuation sector was an easy target because the industry has not yet adopted multi-factor authentication (MFA) across the board. MFA, also known as two-factor authentication (2FA), adds a second layer of security to every account and is one of the most effective methods of protecting against hackers. MFA/2FA can still be sidestepped by savvy cyber criminals through phishing attacks, but that relies on exploiting human error - the technology itself is sound.

    REQUIRED ACTION: If you don’t have MFA/2FA on your superannuation account or any other online account, check whether it is available and set it up. If it is not available, ask the provider when it will become an option and/or consider moving to a provider that does offer this protection.

    2FA is also explained in our Digital ID video and on our Cybercrime Protection page.
     
  3. Once cyber criminals have obtained passwords belonging to you, their key targets are your email accounts (to control the verification steps for any account changes they attempt to make) and your identity accounts, which carry the authority to make changes to other accounts. These ID accounts include things like Service NSW and MyGov.

    REQUIRED ACTION: Again, unique and secure passwords plus MFA are essential protections for all your accounts. Additionally, if you are worried your email may already have been compromised, it’s essential to understand your email provider’s account settings and be able to check these items:

    - have any auto-forwards or other rules been set up?
    - are there any devices logged into your account that you do not recognise?
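The credential-stuffing pattern described in point 1 looks different at a login endpoint from a normal brute-force attempt: one source tries many different usernames, each only once or twice. As an added example that is not part of the original post, the Python below runs a simple detector over a few constructed authentication events (the IP addresses, usernames and outcomes are made up) and reports which source looks like stuffing and which accounts it actually got into:

```python
"""Toy credential-stuffing detector over constructed authentication events.

Unlike a brute-force attack on one account, credential stuffing tries many
different usernames from one source, each once or twice, using passwords
leaked elsewhere. The detector below keys on exactly that shape.
"""
from collections import defaultdict

# Constructed sample events, not real data: (source_ip, username, outcome)
EVENTS = [
    ("203.0.113.9", "alice", "fail"),
    ("203.0.113.9", "bob", "fail"),
    ("203.0.113.9", "carol", "fail"),
    ("203.0.113.9", "dave", "success"),   # a reused password worked here
    ("203.0.113.9", "erin", "fail"),
    ("203.0.113.9", "frank", "fail"),
    ("198.51.100.4", "alice", "fail"),    # one user mistyping, then succeeding
    ("198.51.100.4", "alice", "fail"),
    ("198.51.100.4", "alice", "success"),
]


def detect_stuffing(events, min_accounts=5, max_success_ratio=0.5):
    """Return {source: summary} for sources whose traffic looks like stuffing.

    A source is flagged when it has tried at least `min_accounts` distinct
    usernames and most attempts failed. Accounts that succeeded from a
    flagged source are the likely takeovers: force a password reset and
    MFA enrolment on those first.
    """
    per_source = defaultdict(lambda: {"users": set(), "attempts": 0,
                                      "successes": set()})
    for src, user, outcome in events:
        s = per_source[src]
        s["users"].add(user)
        s["attempts"] += 1
        if outcome == "success":
            s["successes"].add(user)
    flagged = {}
    for src, s in per_source.items():
        if len(s["users"]) < min_accounts:
            continue
        if len(s["successes"]) / s["attempts"] <= max_success_ratio:
            flagged[src] = {"distinct_accounts": len(s["users"]),
                            "attempts": s["attempts"],
                            "compromised": sorted(s["successes"])}
    return flagged
```

Calling `detect_stuffing(EVENTS)` flags only 203.0.113.9 (six accounts tried, one success) and leaves the single user retrying their own password alone; the thresholds are illustrative and would be tuned against real traffic.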

On the plus side, with this recent breach of superannuation funds at least, the funds are generally insured, so any losses are expected to be covered. At the moment, fund customers are mostly experiencing stress and inconvenience, as many providers have had to freeze their online portals and some people’s fund balances are showing $0 while security is sorted out.

 

It is well worth taking from this attack the lesson that these threats are very real, and applying what has been learned to every part of your digital footprint.