"Look, cybersecurity is a real issue. There's a cyber-attack in Australia every six minutes."
That was Prime Minister Anthony Albanese talking about the cyber-attacks targeting Australian superannuation funds earlier this month.
User accounts from super funds including Hostplus, Rest, AustralianSuper, Insignia Financial and Australian Retirement Trust were targeted using previously stolen passwords, a technique known as credential stuffing, in which credentials leaked from one service are replayed against accounts on another.
In the days that followed the announcement, many have wondered what changes will follow.
The Minister for Cybersecurity, Tony Burke, was asked about the issue by Sky News.
"Every business in Australia needs to be upgrading its security. And any time that any business is attacked then you need to make sure you are upgrading. And the co-ordinator is happy with the work that is happening with the super funds in terms of the upgrades that will be happening as a result of this specific attack."
Paul Haskell-Dowland is a professor of cybersecurity practice and the Associate Dean for computing and security in the School of Science at Edith Cowan University.
"The reality is that cyber criminals are in no way motivated by a particular sector or industry. They are entirely motivated by opportunity and cash value. And unfortunately, or fortunately, the super sector in Australia is a highly profitable one sitting on very substantial financial funds and is therefore a most significant target for cyber criminals. And much like many other industries has fallen prey or fallen foul of being a little behind the times with some of the cybersecurity practices."
He says the lack of multifactor authentication (MFA), a process that requires a second proof of identity beyond the password, often by approving the login or entering a code from another device, was unusual.
"So, what we've seen over the recent years is a move towards MFA, multifactor authentication, through the use of SMS codes being sent to you or code sent to your email address or indeed the use of authenticator apps which help to improve security. But unfortunately, a number of super funds do not use such technologies, and until recently were even telling their user base that it was not possible to use such technologies."
Toby Murray, a professor of Computing and Information Systems at the University of Melbourne, says the cyber-attack was a reminder of the importance of multifactor authentication.
"It's not super clear whether the accounts involved in this hack of the super funds, whether they had multifactor authentication. One tends to assume they didn't, otherwise they wouldn't have been able to have been broken into so easily. And further information there would certainly be useful from the companies involved. But it certainly seems as if they didn't."
Katrina Ellis, Deputy CEO of consumer protection group Super Consumers Australia, says that the super funds have been warned of these risks.
"It's been an area that Super Consumers Australia has been calling out for at least two years. The regulators have been calling it out for at least two years, and the super industry lags behind other financial industries and has really gone very slowly on putting in adequate security protections."
She says the funds have given several reasons for not offering the option.
"The main one being our members don't like it. So yeah, it is clunky when you log into something, and it sends you a code and you have to put the code in. But I think the has moved on and we've all got used to using that. Perhaps two years ago it was a bit more of a novelty, but the fact that the attack happened last week and it's two years on since the regulator wrote to the super funds arguing that multifactor authentication was a very effective way of keeping accounts safe and they still didn't have it in place."
She says that some funds have now introduced the option, but that it shouldn't have taken a cyber-attack to put them in place.
"Well, I don't think the super funds should be waiting for the law to tell them what to do. There is a lot of information, guidance from the government, from the National Cybersecurity Centre on what are the basic protections that every company in Australia should have against cybersecurity. So it's not as if the super funds don't know what's the right thing to do."
Both professors agree that while users have limited options, they can turn on security settings like multifactor authentication, choose stronger and unique passwords, use a password manager, and consider changing providers if cybersecurity does not seem to be a priority.
Professor Haskell-Dowland acknowledges that managing passwords can be difficult.
"We are not hardwired to memorize long complex passwords, which is usually the solution to ensuring that you have a level of security when you're logging into a system. So fundamentally, we need to get better at doing it, but of course we're also facing many, many more systems that we're having to access. So ultimately, we are human, and if we don't have the ability to memorise these things, we end up writing them down or we end up reusing them."
Professor Murray says super funds have difficult, but important, problems to solve.
"An obvious lesson from this is that the super industry needs to be doing more to be protecting people's online super accounts, especially because it is often the case that the super accounts that are the most vulnerable where you can make withdrawals from those super accounts are the ones that are for older people that have reached retirement age, and because they're being used by older people, perhaps those users are less tech savvy, are more prone to being scammed and so on."
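The attack described in this article works because one list of stolen passwords is tried against many accounts, so a fund's login logs show a pattern that ordinary users never produce: one source hitting many different accounts, mostly failing, with the occasional success where a reused password still works. As an added illustration, not the article's or any fund's own detection code, here is a check over constructed authentication log lines (the log format, IP addresses and usernames are all made up for the example) that separates this pattern from a single-account brute force or a normal user mistyping a password.

```python
# Added example, not from the article or any super fund: flag credential-stuffing
# patterns in authentication logs. The log format and all entries are constructed
# for this demo.
import re
from collections import defaultdict

# Constructed sample (fictional IPs and usernames). 10.0.0.5 sprays eight
# different accounts and lands one; 192.0.2.10 is one user retrying a typo.
SAMPLE_LOG = """\
2025-04-01T09:00:01Z ip=10.0.0.5 user=m.nguyen result=FAIL
2025-04-01T09:00:02Z ip=10.0.0.5 user=j.smith result=FAIL
2025-04-01T09:00:02Z ip=10.0.0.5 user=a.patel result=FAIL
2025-04-01T09:00:03Z ip=10.0.0.5 user=k.wong result=SUCCESS
2025-04-01T09:00:03Z ip=10.0.0.5 user=l.brown result=FAIL
2025-04-01T09:00:04Z ip=10.0.0.5 user=s.taylor result=FAIL
2025-04-01T09:00:04Z ip=10.0.0.5 user=r.jones result=FAIL
2025-04-01T09:00:05Z ip=10.0.0.5 user=d.lee result=FAIL
2025-04-01T09:01:10Z ip=192.0.2.10 user=alice result=FAIL
2025-04-01T09:01:20Z ip=192.0.2.10 user=alice result=FAIL
2025-04-01T09:01:30Z ip=192.0.2.10 user=alice result=SUCCESS
2025-04-01T09:02:00Z ip=198.51.100.7 user=bob result=SUCCESS
this line is malformed and should be skipped
"""

# Assumed line format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse well-formed lines into dicts; silently drop anything that does not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_credential_stuffing(events: list[dict], min_distinct_users: int = 5,
                             min_fail_ratio: float = 0.7) -> dict:
    """Group attempts by source IP. A source that touches many distinct accounts
    and fails most of the time is stuffing stolen credentials; a single account
    with repeated failures is brute force or a forgotten password and is left
    to other controls. Returns per-IP summaries including accounts where a
    password actually worked, which need immediate follow-up."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        fails = sum(1 for e in evs if e["result"] == "FAIL")
        fail_ratio = fails / len(evs)
        if len(users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            alerts[ip] = {
                "attempts": len(evs),
                "distinct_users": len(users),
                "fail_ratio": fail_ratio,
                "compromised": sorted(e["user"] for e in evs if e["result"] == "SUCCESS"),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {summary['attempts']} attempts across "
              f"{summary['distinct_users']} accounts, "
              f"{summary['fail_ratio']:.0%} failed, "
              f"successful logins for {summary['compromised']}")
```

The thresholds are assumptions to tune per site, and a per-IP grouping misses campaigns spread across a proxy pool; in that case group by user agent or by the count of single-failure accounts in a time window instead. The "compromised" list is the actionable output: those accounts had a working reused password and should be locked and their owners moved onto MFA first.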