There’s one way you can make your super more secure


Super funds are attractive targets for hackers, and recent attacks on funds have put the sector’s security practices under the microscope.

Superannuation accounts are incredibly attractive targets for hackers and scammers, with several trillion dollars in retirement savings sitting behind the locks of a few different funds. Mature accounts are even more attractive because they allow withdrawals and are regularly accessed by an older generation of holders who crooks might assume are less savvy to scams. Last week, hundreds of thousands of dollars were stolen in a co-ordinated attack that has put the security practices of the sector under the microscope.

The attacks appear to have involved what security researchers call credential stuffing, which is a well-known technique that should be anticipated by funds, and is usually countered by multifactor authentication (MFA). That’s when you get texted a code or use a one-time authentication token to prove it’s really you when logging in or moving money. Large-scale hacks are increasingly automated, and are happening all the time.

But while a lot of the focus has been on figuring out why these funds hadn’t deployed MFA like a bank would, there’s another key lesson to be found here. Credential stuffing only works if the crooks have the victim’s password, and that only happens if you’re using the same password across multiple services.

Problems with passwords

Troy Hunt, a security researcher and founder of breach-tracking service Have I Been Pwned, said super funds should have bank-like security, but account-holders also need to take just as much care with their basic digital hygiene for super as they do for banks.

“Yes, multifactor would help solve this problem. But the other thing that helps solve this problem is not reusing the same password everywhere. I think we’ve got to look at this and say security is one of these shared responsibilities,” Hunt said.

“It’s a real sort of matrix of different things that need to be done in order to protect information. And I guess we’d like to see that done with any online accounts of any importance whatsoever, let alone the one that actually holds your savings for your retirement. I mean, that’s just surely the most obvious thing to secure properly.”

Some of the country’s largest superannuation funds were hit by a co-ordinated cyberattack. Credit: Monique Westerman

So what is credential stuffing? It is as it sounds: a blunt and unsophisticated attack in which hackers jam stolen keys into any available lock, hoping to get lucky. And the main reason it works so well is that it can be highly automated, so that only one in a thousand potential victims needs to have slipped up for the attacker to see decent returns.

But credential stuffing is also the perfect real-world illustration of why people are so often told not to reuse passwords. Imagine you sign up to an online service using a particular combination of email and password, and then that service is compromised. Your credentials may end up in a huge collection on the dark web with billions of others, sold fairly cheaply.

Now, that service may not have any important data about you. But, if you use that same password elsewhere, it could lead to significant trouble. Crooks will load those billions of credentials into an automated system that throws them rapid-fire at services that do have important info, such as financial services.

Those services should absolutely have protections against this. If they start getting thousands of different login requests from the same IP address, or several login attempts on the same account from different IP addresses, that should be flagged. Hunt and others have also created protocols that can check passwords to see if they’ve been caught up in a breach, and many companies use these so they can prompt users to change passwords before an attack occurs.
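The two server-side signals described above can be turned into simple detection logic. The following is an added example, not code from the article or from any fund: it parses a constructed login log and flags a source IP that tries many different accounts within a short window, and an account that is tried from many different IPs within that window. The thresholds (5 accounts per IP, 3 IPs per account, a 10-minute window) are assumptions chosen to make the sample data readable; production values would be tuned to the service’s real traffic.

```python
"""Flag credential-stuffing patterns in a login log (added example, not from
the article). It implements the two signals the article names: one source IP
trying many different accounts, and one account being tried from many
different IPs, each within a short time window. Log lines and thresholds are
constructed/assumed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <account> <result>"
SAMPLE_LOG = """\
2025-04-04T02:00:01Z 203.0.113.10 alice@example.com FAIL
2025-04-04T02:00:02Z 203.0.113.10 bob@example.com FAIL
2025-04-04T02:00:03Z 203.0.113.10 erin@example.com FAIL
2025-04-04T02:00:04Z 203.0.113.10 frank@example.com OK
2025-04-04T02:00:05Z 203.0.113.10 grace@example.com FAIL
2025-04-04T02:00:06Z 203.0.113.10 heidi@example.com FAIL
2025-04-04T02:05:00Z 198.51.100.1 carol@example.com FAIL
2025-04-04T02:06:00Z 198.51.100.2 carol@example.com FAIL
2025-04-04T02:07:00Z 198.51.100.3 carol@example.com OK
2025-04-04T02:30:00Z 192.0.2.5 dave@example.com FAIL
2025-04-04T02:30:20Z 192.0.2.5 dave@example.com OK
2025-04-04T03:00:00Z 192.0.2.77 ivan@example.com FAIL
2025-04-04T04:00:00Z 192.0.2.77 judy@example.com FAIL
2025-04-04T05:00:00Z 192.0.2.77 ken@example.com FAIL
2025-04-04T06:00:00Z 192.0.2.77 lee@example.com FAIL
2025-04-04T07:00:00Z 192.0.2.77 mia@example.com FAIL
"""


def parse_line(line):
    """Parse one log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def _distinct_in_window(history, now, window):
    """Drop entries older than `window` from history (in place) and return
    the number of distinct peers among what remains."""
    while history and now - history[0][0] > window:
        history.pop(0)
    return len({peer for _, peer in history})


def detect(lines, window_seconds=600, ip_threshold=5, account_threshold=3):
    """Return {'ips': set, 'accounts': set} of flagged sources and targets.

    Assumed thresholds for the example: an IP that tries >= ip_threshold
    distinct accounts within the window, or an account tried from
    >= account_threshold distinct IPs within the window, is flagged.
    Successful logins count too: the stuffing run that finally gets in is
    the one that matters.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_line(line) for line in lines if line.strip())
    by_ip = defaultdict(list)        # ip -> [(ts, account), ...]
    by_account = defaultdict(list)   # account -> [(ts, ip), ...]
    flagged_ips, flagged_accounts = set(), set()
    for ts, ip, account, _result in events:
        by_ip[ip].append((ts, account))
        if _distinct_in_window(by_ip[ip], ts, window) >= ip_threshold:
            flagged_ips.add(ip)
        by_account[account].append((ts, ip))
        if _distinct_in_window(by_account[account], ts, window) >= account_threshold:
            flagged_accounts.add(account)
    return {"ips": flagged_ips, "accounts": flagged_accounts}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

On the sample data, 203.0.113.10 is flagged for spraying six accounts in six seconds and carol@example.com is flagged for being tried from three addresses in three minutes, while 192.0.2.77, which touches five accounts one hour apart, stays under the window; widening the window to five hours flags it too, which is the trade-off a real deployment tunes.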
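The breach-checking protocol mentioned above, and the password-manager integration described in the next section, both rest on the k-anonymity range lookup that Hunt’s Pwned Passwords service exposes: the client sends only the first five hex characters of the password’s SHA-1, receives every hash suffix in that range with a breach count, and compares locally, so the full hash never leaves the device. The code below is an added example, not code from Have I Been Pwned or from the article; its “server” is a constructed in-memory corpus so it runs offline, and the constants and helper names are the example’s own.

```python
"""Check whether a password appears in a breach corpus without sending the
password (added example, not the article's own code). It follows the
k-anonymity range protocol used by Have I Been Pwned's Pwned Passwords
service: send the first five hex characters of the SHA-1, receive every
suffix in that range with a count, compare locally. The 'server' here is a
constructed in-memory corpus so the example runs offline; the real endpoint
is https://api.pwnedpasswords.com/range/<prefix>."""
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_hash: str):
    """Prefix sent over the wire (5 chars) and suffix kept local (35 chars)."""
    return hex_hash[:5], hex_hash[5:]


# Constructed stand-in for a breach corpus: password -> times seen in breaches.
CONSTRUCTED_CORPUS = {"password": 12345, "letmein": 678, "qwerty123": 90}


def fake_range_lookup(prefix: str) -> str:
    """Emulate the server: return 'SUFFIX:COUNT' lines for every corpus hash
    whose prefix matches. The trailing zero-count line emulates the padding
    the real service can add so response size does not leak how populated a
    range is."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup against Pwned Passwords (not exercised offline)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-breach-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_lookup=fake_range_lookup) -> int:
    """Number of times `password` was seen in breaches (0 if not found).
    Only the 5-character prefix ever leaves this function."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "a-long-passphrase-nobody-has-leaked"):
        print(pw, breach_count(pw))
```

A service would call `breach_count` at registration and password-change time and refuse or warn on a non-zero result; passing `range_lookup=hibp_range_lookup` switches the same logic to the live service. The design point is that the comparison happens client-side, so the checker learns a 5-character prefix shared by many thousands of hashes, never the password or its full hash.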

But an ironclad way to avoid being a victim of credential stuffing is to not reuse passwords, and particularly to have a unique password for any service that holds your money or sensitive data. There are many password managers that will keep all your unique passwords safe and encrypted, and some also integrate the technology that can tell you if one of your passwords has been found in data sold on the dark web, so you can change it.

Gaps in security

That said, security cannot be left to end users alone.

And the pressure on the sector to tighten up its practices is warranted. “Basic multi-factor authentication can stop attackers in their tracks, even if they have the correct password. Some super funds have this in place, but incredibly, not all of them do,” said David Sandell, chief executive of critical infrastructure threat analysis centre CI-ISAC.

“There have been plenty of examples of not implementing MFA leading to catastrophic results, such as the British Library attack of 2023. In 2025, that’s simply not good enough. There are also ways to proactively monitor whether customer passwords are weak, or have appeared in data breaches.

It would appear this also did not happen.”

So, let’s imagine a future where all funds do offer MFA, and even require it. And let’s imagine they monitor for passwords detected in previous breaches.

This all adds a little bit of friction and annoyance for end users because they need to go through an extra step every time they log in, and it can also be a barrier for those without mobile phones. Answers to so-called MFA fatigue include passkeys stored on devices and biometrics such as Face ID and fingerprint, but these may not be available to all users. Still, it’s less annoying than losing your retirement savings.

So what happens then? Do these kinds of attacks go away? Obviously not. Crooks have developed and scaled tools that test systems to find weaknesses such as password resets or even to intercept emails and SMS messages to bypass MFA. Then, of course, there’s generative AI.

“Even well-secured systems can be vulnerable if attackers use advanced techniques like AI-driven bots that mimic human behaviour to bypass security checks. This is why both institutions and consumers need to take an active role in protecting their accounts,” said Mark Gorrie, Australia-Pacific managing director for security software company Norton. “These attacks are becoming more targeted with the availability of data to profile users on services used and other identity information.

AI can also help cybercriminals generate more convincing phishing emails and text messages, to trick people into revealing their credentials.” But Hunt said the rise of AI in cybersecurity wasn’t all bad. “The scope of AI is so broad that it’s going to be used more and more to look for things like vulnerabilities, or to imply certain things about the security posture of a service that would otherwise take us quite some time to figure out,” he said.

“We have AI as the good guys as well. So we should be able to be better than ever at identifying anomalous behaviour.”