AustralianSuper has sped up plans to introduce wider multi-factor authentication (MFA) controls after a cyberattack saw half a million dollars drained from member accounts.

Last week, Australia’s multi-trillion dollar superannuation industry fell victim to a widespread cyberattack targeting customer accounts.

Varying impacts were observed across the industry, but only Australia’s largest super fund, AustralianSuper, reported $500,000 had been lost across four member accounts.

With “suspicious activity” identified across 600 AustralianSuper accounts, the attack highlighted an apparent security shortcoming: AustralianSuper’s web login portal lacked the ability for members to set up MFA.

This effectively meant members were left without the option to use a secondary SMS code or authenticator app while logging in through the fund’s website, which is notable given the industry-wide attack was reportedly driven by stolen credentials.

A company spokesperson told Information Age it has since “accelerated” work that was already underway to “introduce wider MFA controls”.

“We are in the process of introducing two-factor authentication for logins on the web portal, which we expect will occur within a month,” they said.

Customers rebuffed

While AustralianSuper already supported MFA for logins through its mobile app, ABC News reported some customers were rebuffed when asking to set up MFA through the web portal.

Sydney-based horticulturalist Seth Rappe told the publication he asked AustralianSuper about MFA as recently as last month, only to be told via email: “No, we don’t offer that.”

“I thought it was pretty strange for a large company,” he said.

“Then two, three weeks later, this cyberattack happened.”

An AustralianSuper spokesperson emphasised the fund already requires MFA for “a number of key interactions that members have with their accounts”.

“We have MFA in place for the withdrawal of money where the request is initiated within the digital platforms,” they said.

“In addition to this there are other security controls that are in place to identify suspicious activity.”

They added the fund is further “enhancing a range of security processes” across all of its platforms.

MFA would have made a difference

The industry attacks appeared to involve a technique known as “credential stuffing”, where criminals collect usernames and passwords stolen in other breaches and replay them against different platforms, relying on people reusing the same password across services.
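The pattern that distinguishes credential stuffing from ordinary failed logins is a single source cycling through many different usernames, mostly failing, with the occasional success where a reused password matched. The following added example (not AustralianSuper’s code, nor anything the fund has described) shows how a login audit log can be screened for that pattern; the log format, field names, sample lines and thresholds are all assumptions made up for illustration.

```python
"""Credential-stuffing detection over web-portal login audit lines.

Added example for this article; it is not AustralianSuper's code. The
log format, field names, sample data and thresholds are assumptions.
It keys on the pattern the article describes: one source trying many
distinct usernames with mostly failed logins, where the few successes
are the accounts whose reused passwords matched.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed format: time, source IP, username, outcome).
# 203.0.113.7 sprays 12 usernames in 11 seconds and gets two hits; the other
# two sources are ordinary users (one mistyped a password twice, one logged in cleanly).
SAMPLE_LOG = """\
2025-04-01T02:00:01Z 203.0.113.7 member1001 FAIL
2025-04-01T02:00:02Z 203.0.113.7 member1002 FAIL
2025-04-01T02:00:02Z 203.0.113.7 member1003 FAIL
2025-04-01T02:00:03Z 203.0.113.7 member1004 OK
2025-04-01T02:00:04Z 203.0.113.7 member1005 FAIL
2025-04-01T02:00:05Z 203.0.113.7 member1006 FAIL
2025-04-01T02:00:06Z 203.0.113.7 member1007 FAIL
2025-04-01T02:00:07Z 203.0.113.7 member1008 FAIL
2025-04-01T02:00:08Z 203.0.113.7 member1009 OK
2025-04-01T02:00:09Z 203.0.113.7 member1010 FAIL
2025-04-01T02:00:10Z 203.0.113.7 member1011 FAIL
2025-04-01T02:00:11Z 203.0.113.7 member1012 FAIL
2025-04-01T08:15:00Z 198.51.100.20 member2000 FAIL
2025-04-01T08:15:09Z 198.51.100.20 member2000 FAIL
2025-04-01T08:15:20Z 198.51.100.20 member2000 OK
2025-04-01T09:00:00Z 192.0.2.55 member3000 OK
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=10, min_fail_ratio=0.7):
    """Flag source IPs that, within any `window`, try at least `min_users`
    distinct usernames with a failure share of at least `min_fail_ratio`.

    A single user retrying their own password never trips this: the
    distinct-username count is what separates stuffing from a forgotten
    password, so the thresholds can be set low without paging on retries.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Advance the left edge so evs[lo:hi+1] spans at most `window`.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            span = evs[lo:hi + 1]
            users = {e[2] for e in span}
            failures = sum(1 for e in span if not e[3])
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                findings.append({
                    "ip": ip,
                    "tripped_at": evs[hi][0].isoformat(),
                    "attempts": len(evs),
                    "distinct_users": len({e[2] for e in evs}),
                    "failures": sum(1 for e in evs if not e[3]),
                    # Every successful login from a stuffing source is a probable
                    # account takeover; these are the sessions an MFA prompt at
                    # login would have stopped.
                    "suspect_logins": sorted({e[2] for e in evs if e[3]}),
                })
                break  # one finding per source IP
    return findings


if __name__ == "__main__":
    for finding in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data only 203.0.113.7 is flagged, and its two successful logins (member1004 and member1009) are the accounts an analyst would lock and re-verify. Real attackers spread attempts across many IPs to stay under per-source thresholds, so in practice the same windowed check is also run keyed on ASN or on the whole portal, and the "suspect logins" list is cross-checked against password-breach corpora rather than relied on alone.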

While AustralianSuper did not immediately disclose an attack method, it acknowledged Wednesday “cybercriminals may have used previously stolen identity information to attempt to access” up to 600 member accounts to commit fraud.

Jamieson O’Reilly, founder of Australian information security company Dvuln, said “based on the attack pattern observed, MFA would have reduced the number of successful credential stuffing attempts”.

“This wasn’t a zero-day exploit being used or a sophisticated breach,” said O’Reilly.

“From what has been made public, it appears that it was a basic credential replay or stuffing attack.

“MFA can help to break that chain, even better, when biometrics are involved.”

O’Reilly further observed that in May 2023, banking and superannuation regulator Australian Prudential Regulation Authority (APRA) warned gaps in MFA coverage could constitute a “material security control weakness” under CPS 234 – the regulator’s mandatory information security regulation.

“By any modern security standard, it’s a serious oversight,” O’Reilly said.

An AustralianSuper spokesperson said the fund is “providing remediation” to four members following the attack, while the “vast majority” of cases where flagged accounts had transferred out funds have since been “ruled as non-suspicious”.

“We have reported this incident to – and are actively working with – the relevant authorities on a coordinated response,” said AustralianSuper.