Superannuation Cyber Breach in Australia, Prevention and Mitigation Techniques

What do we know about the cybersecurity breach against superannuation providers in Australia?

Last week, funds were stolen from a small number of superannuation accounts, and personal information was stolen from many more. We'll take a look at what is known about the attack and at how it could have been prevented or mitigated.

We know that stolen passwords were used to gain access to accounts. This is consistent with credential stuffing, in which username and password pairs taken from earlier data breaches are replayed in bulk against other services (in this case, super providers in Australia) on the assumption that people reuse passwords. Phishing campaigns that trick users into revealing their passwords feed the same stockpile of credentials that these attacks draw on.

The attack resulted not only in funds being stolen but also in personal information being compromised. Those affected may therefore be at risk of identity theft, which can have a devastating impact over a long period.

How can these attacks be mitigated?

It's very difficult to force customers to use a unique password for each account, no matter how much user training you provide. Mandating multi-factor authentication (MFA), whether a push notification to an app or even an SMS code, makes stolen passwords far less useful on their own. SMS is the weakest of these options, since codes can be intercepted through SIM swapping, but it is still a large improvement over a password alone.

Using a single, generic 'failed login' message on login pages helps to blunt bulk testing of passwords (credential stuffing or password spraying). If the response gives the attacker no clue whether the username, the password or the MFA challenge caused the failure, it becomes significantly harder to sort a list of stolen credentials into the accounts whose passwords still work. In practice that means asking for the second factor regardless of whether the password was correct, and returning the same message, status code and page either way.
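The difference is easiest to see side by side. The following is an added example written for this article, not code from the original post or from any super fund's system: a leaky sign-in flow that names the failing step next to a uniform one, and a small simulation of what an attacker replaying a breached credential list can learn from each. The user store, the shared salt, the fixed per-user MFA codes and the credential batch are all constructed inline for illustration; a real deployment would use per-user random salts and a TOTP or push verifier.

```python
"""Leaky vs uniform failure responses for a password + MFA sign-in.

Added example, not code from the original post or any super fund's system.
The user store, salt and per-user MFA codes are constructed inline; a real
deployment would use per-user random salts and a TOTP/push verifier.
"""
import hashlib
import hmac
import secrets

SALT = b"constructed-demo-salt"          # per-user random salts in production
GENERIC_FAILURE = "Sign-in failed. Check your details and try again."


def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed sample accounts: username -> password hash and current MFA code.
USERS = {
    "alice": {"pw": hash_pw("correct horse battery staple"), "mfa": "123456"},
    "bob":   {"pw": hash_pw("hunter2"), "mfa": "654321"},
}
# Dummy record so unknown usernames take the same code path (and time).
DUMMY = {"pw": hash_pw(secrets.token_hex(16)), "mfa": secrets.token_hex(3)}


def login_leaky(username, password, mfa_code):
    """Short-circuits and names the failing step. An attacker replaying a
    breached credential list learns which usernames exist and which
    passwords are correct, even though MFA blocks the actual sign-in."""
    user = USERS.get(username)
    if user is None:
        return False, "Unknown user"
    if not hmac.compare_digest(user["pw"], hash_pw(password)):
        return False, "Incorrect password"
    if not hmac.compare_digest(user["mfa"], mfa_code):
        return False, "Incorrect MFA code"
    return True, "OK"


def login_uniform(username, password, mfa_code):
    """Evaluates every factor, then returns one message for every failure.
    Nothing in the response distinguishes 'no such user', 'wrong password'
    and 'wrong MFA code', so a valid password produces no signal."""
    user = USERS.get(username, DUMMY)
    pw_ok = hmac.compare_digest(user["pw"], hash_pw(password))
    mfa_ok = hmac.compare_digest(user["mfa"], mfa_code)
    if username not in USERS or not (pw_ok and mfa_ok):
        return False, GENERIC_FAILURE
    return True, "OK"


# Constructed credential-stuffing batch: one breached pair still valid for
# alice, one stale password for bob, one username that does not exist.
ATTEMPTS = [
    ("alice", "correct horse battery staple", "000000"),
    ("bob", "password123", "000000"),
    ("carol", "hunter2", "000000"),
]


def stuffing_signal(login, attempts):
    """What the attacker learns: probe a definitely-invalid pair to learn the
    baseline failure text, then flag every username whose failure message
    differs from it."""
    _, baseline = login(secrets.token_hex(8), secrets.token_hex(8), "000000")
    flagged = {}
    for username, password, code in attempts:
        ok, message = login(username, password, code)
        if not ok and message != baseline:
            flagged[username] = message
    return flagged


if __name__ == "__main__":
    print("leaky:  ", stuffing_signal(login_leaky, ATTEMPTS))
    print("uniform:", stuffing_signal(login_uniform, ATTEMPTS))
```

Against the leaky flow the attacker walks away with alice flagged as "password valid, MFA needed" and bob flagged as an existing account; against the uniform flow every attempt looks identical. Note that the uniform version collects both factors before evaluating either, and runs the password hash even for unknown usernames so that timing does not give away what the message no longer does. With push-based MFA the equivalent is showing the "check your device" screen whether or not the password was right.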

Real-time notification of account activity makes users aware that an attack may be in progress. This should be paired with an approval or step-up process whenever high-risk activities take place on an account.

Customers should not be able to perform tasks such as funds transfers, withdrawals or changes to payment details without approving a push notification on their phone or entering a one-time PIN sent to them via SMS. The prompt should describe the specific action, including the amount and destination, so the customer is approving that transaction rather than a generic "was this you?".

Preventing or limiting access to accounts when the connection comes from overseas or from known VPN endpoints adds a further layer of control. These attacks are rarely run from within Australia, so identifying that traffic and blocking it, or allowing it only after an additional approval, improves security for customers. Because genuine customers do travel, a step-up challenge is usually a better default than a hard block.
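The three controls just described (real-time notification, action-bound step-up approval, and overseas/VPN restrictions) fit naturally into one access-policy function. The following is an added example written for this article, not code from the original post or from any fund's system. The home country, the set of high-risk actions, the VPN-provider ASN list (drawn from the RFC 5398 documentation range) and the session records are all constructed here for illustration; a real deployment would resolve country and ASN from a GeoIP/ASN database at request time and keep approvals in its session store.

```python
"""Risk-based access decisions: allow, step-up, or block.

Added example, not code from the original post or any fund's system. The
home country, the set of high-risk actions, the list of VPN-provider ASNs
and the session records are constructed for illustration; a real deployment
would resolve country and ASN from a GeoIP/ASN database at request time and
store approvals in its session store.
"""
from dataclasses import dataclass, field

HOME_COUNTRY = "AU"
HIGH_RISK_ACTIONS = {"withdrawal", "transfer", "change_bank_details",
                     "change_contact_details"}
# Constructed: ASNs from the RFC 5398 documentation range standing in for
# commercial VPN exit providers the fund has decided to treat as hostile.
VPN_ASNS = {64500, 64501}
STEP_UP_MAX_AGE = 300  # seconds an explicit push/OTP approval stays valid

NOTIFICATIONS = []  # constructed outbox; production sends push/SMS/email


@dataclass
class Session:
    user: str
    country: str       # country of the connecting IP
    asn: int           # autonomous system of the connecting IP
    approvals: dict = field(default_factory=dict)  # action -> approval time


def notify(user, text):
    """Real-time activity notice to the customer, sent on every attempt,
    not only on success, so a stalled attack is still visible."""
    NOTIFICATIONS.append((user, text))


def record_approval(session, action, now):
    """Called after the customer approves the push prompt or enters the OTP.
    The prompt must name the action (and amount/destination where relevant)
    so the approval is bound to that action, not a generic 'was this you?'."""
    session.approvals[action] = now
    notify(session.user, f"you approved: {action}")


def decide(session, action, now):
    """Policy:
      - high-risk action from a known VPN endpoint: block outright
      - high-risk action: needs an approval for that action within STEP_UP_MAX_AGE
      - any action from overseas or a VPN endpoint: also needs a fresh approval
      - everything else: allow
    """
    offshore = session.country != HOME_COUNTRY
    vpn = session.asn in VPN_ASNS
    high_risk = action in HIGH_RISK_ACTIONS
    approved_at = session.approvals.get(action)
    fresh = approved_at is not None and 0 <= now - approved_at <= STEP_UP_MAX_AGE

    notify(session.user,
           f"{action} attempted from {session.country} (AS{session.asn})")
    if vpn and high_risk:
        return "block"
    if (high_risk or offshore or vpn) and not fresh:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    alice = Session("alice", "AU", 64496)
    print(decide(alice, "withdrawal", 1000.0))   # step_up
    record_approval(alice, "withdrawal", 1000.0)
    print(decide(alice, "withdrawal", 1100.0))   # allow (within 300 s)
    print(decide(alice, "withdrawal", 1400.0))   # step_up (approval stale)
    print(decide(Session("carol", "AU", 64500), "withdrawal", 1000.0))  # block
```

Two design points matter more than the exact thresholds. Approvals are keyed by action, so an approval the customer gave for a balance enquiry never unlocks a withdrawal, and they expire, so an attacker who phishes one approval cannot reuse it later. The notification is raised on every attempt rather than only on allowed ones, which is what lets a customer notice an attack that the step-up is currently holding back.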

Taken together, these techniques form a defense-in-depth strategy: layer upon layer of controls, so that an attack that gets past one layer is still stopped by the next.

It’s clear now that superannuation providers need to step up their cybersecurity strategies. With large retirement savings at risk, consumers expect all financial-related institutions to implement the very strongest controls.

Assertiv is a specialized identity security services company based in Australia. We help organizations in the financial sector improve their cybersecurity strategies from advisory through to technical implementation. Reach out to discuss how to best help your customers stay secure and out of the news.


Copyright © 2024  •  Contact Us  •  Privacy Policy         
