AustralianSuper introduces multi-factor authentication but ART and Cbus drag their feet

AustralianSuper is introducing mandatory MFA for member logins in the wake of the March scam attack, but peers Cbus and Australian Retirement Trust aren’t in any hurry.

The savings of millions of people are still vulnerable to attack more than two months after scammers targeted the nation’s $4 trillion super pot, with major funds including the $300bn Australian Retirement Trust and peer Cbus so far failing to make security measures such as multi-factor authentication (MFA) mandatory for account logins.

ART, the nation’s second biggest super fund, said it was focused on “meeting members where they are” in terms of security measures, even after the fund was targeted in a co-ordinated attack by scammers attempting to steal its members’ super savings.

As ART and Cbus drag their heels, some funds, including AustralianSuper, have fast-tracked the rollout of additional measures to protect members.

Weeks after scammers looted $750,000 from a handful of AustralianSuper accounts, AustralianSuper on Wednesday confirmed mandatory MFA was being rolled out in the coming weeks for all members with a registered mobile number.

“We have started the process of automatically enabling MFA at login to the portal and app to all accounts with a registered mobile number,” a spokesman said. “All members with a valid mobile number will have MFA turned on by the end of June 2025.”

MFA is a security measure that requires a user to present two or more independent proofs of identity before being let in: typically a password plus something only the genuine member has or is, such as a one-time code sent to their phone or a fingerprint scan. Because a leaked password alone is no longer enough, it makes it much harder for scammers to get into an account.

AustralianSuper, ART, Hostplus and Rest – which collectively manage almost $1 trillion on behalf of millions of Australians – were targeted in a co-ordinated attack in late March, along with Insignia-owned platform MLC Expand, as scammers attempted to gain access to member savings. Days later, attackers targeted peer Cbus in a similar fashion.

In one instance, a 74-year-old Queensland woman had $406,000 fraudulently wiped from her AustralianSuper account over a number of days. The fund later repaid her from member reserves.

In the March attack, the attackers gained access to accounts through a technique known as “credential stuffing”: replaying stolen usernames and passwords, many of them leaked in earlier breaches and circulating on the dark web, against the funds’ login pages at scale. The technique works because people often reuse the same password across different accounts. Where MFA is in place, a stuffed password that happens to be valid still fails at the second factor, so the account is not opened.

Super funds are not currently required to have mandatory MFA in place for member logins but the prudential regulator may yet step in and force the industry to add this layer of security protection in the wake of the recent attack. As far back as 2023, the Australian Prudential Regulation Authority warned the industry it should adopt MFA to protect members.

Super Consumers Australia chief executive Xavier O’Halloran.

As AustralianSuper rolls out MFA across its 3.5 million-strong membership, the fund is already preparing an alternative for members unhappy with the added friction. The fund plans to bring in “trusted device” functionality in the coming months. Once this is in place, members will no longer need to enter a PIN each time they log in.

Okta Threat Intelligence vice-president Brett Winterford said it was absolutely right for AustralianSuper to enrol all members in MFA but that it would be crucial for the fund to retain the authentication measure even for members that choose to enable “trusted device”, in cases where they log in from a new device or web browser.

“I would hope that in the background, the platform they use is capable of recognising when a member’s pattern of behaviour changes, and then prompts that member for MFA again at that point,” he said.
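The design Winterford describes, a trusted device that skips the prompt but a step-up to MFA whenever the device, browser or pattern of behaviour is unfamiliar, can be sketched in a few dozen lines. The block below is an added example, not AustralianSuper’s, Okta’s or any vendor’s code: the trust token is an HMAC bound to the member and device fingerprint so it cannot be copied between accounts or devices, and the risk signals (country, hour of day, and an always-prompt rule for high-risk actions such as withdrawals) are assumptions chosen for illustration. The member profile and login attempts are constructed.

```python
"""Trusted-device login with MFA step-up.

Added example; not code from AustralianSuper, Okta or any vendor.
Token format, risk signals and thresholds are assumptions.
"""
import hashlib
import hmac
import secrets

# Assumed server-side secret; in practice held in an HSM or secrets manager.
SERVER_KEY = secrets.token_bytes(32)

# Assumed policy: these actions always get a fresh MFA prompt, trusted device or not.
HIGH_RISK_ACTIONS = {"withdraw", "change_bank_account", "change_contact_details"}


def issue_device_token(member_id, device_fp, key=SERVER_KEY):
    """Issue a trust token bound to (member, device fingerprint) by HMAC, so a
    token lifted from another device or account does not verify."""
    payload = f"{member_id}|{device_fp}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{member_id}|{device_fp}|{tag}"


def verify_device_token(token, member_id, device_fp, key=SERVER_KEY):
    """True only if the token was issued by us for exactly this member and device."""
    if not token:
        return False
    parts = token.split("|")
    if len(parts) != 3 or parts[0] != member_id or parts[1] != device_fp:
        return False
    expected = hmac.new(key, f"{member_id}|{device_fp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(parts[2], expected)


def mfa_required(login, profile, device_token=None, key=SERVER_KEY):
    """Return (required, reasons).  An empty reasons list means the trusted
    device is honoured and the member is not prompted."""
    reasons = []
    if not verify_device_token(device_token, login["member_id"], login["device_fp"], key):
        reasons.append("unknown device or browser")
    if login["country"] not in profile["usual_countries"]:
        reasons.append("login from a country the member has not used before")
    if login["hour_utc"] not in profile["usual_hours"]:
        reasons.append("login outside the member's usual hours")
    if login["action"] in HIGH_RISK_ACTIONS:
        reasons.append(f"high-risk action: {login['action']}")
    return (bool(reasons), reasons)


# Constructed member profile and login attempts used for the demonstration.
PROFILE = {"usual_countries": {"AU"}, "usual_hours": set(range(7, 23))}
TRUSTED_DEVICE = "fp-chrome-macos-8d1c"
TRUSTED_TOKEN = issue_device_token("m1001", TRUSTED_DEVICE)

ROUTINE_LOGIN = {"member_id": "m1001", "device_fp": TRUSTED_DEVICE,
                 "country": "AU", "hour_utc": 10, "action": "view_balance"}
NEW_BROWSER_LOGIN = {**ROUTINE_LOGIN, "device_fp": "fp-firefox-win-44ab"}
OFFSHORE_NIGHT_LOGIN = {**ROUTINE_LOGIN, "country": "NL", "hour_utc": 3}
WITHDRAWAL = {**ROUTINE_LOGIN, "action": "withdraw"}


if __name__ == "__main__":
    for name, login in [("routine", ROUTINE_LOGIN), ("new browser", NEW_BROWSER_LOGIN),
                        ("offshore, 3am", OFFSHORE_NIGHT_LOGIN), ("withdrawal", WITHDRAWAL)]:
        print(name, mfa_required(login, PROFILE, TRUSTED_TOKEN))
```

Two choices matter here. The trust token is keyed to the member as well as the device, so a token stolen in a browser-session theft cannot be presented for another account; and the high-risk-action rule means that even a member who never sees an MFA prompt on their own laptop is still challenged before money moves, which is the step the March fraud depended on.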

Along with AustralianSuper, other funds to act include Aware Super, which made MFA mandatory for member logins from April. Others, including UniSuper, Hostplus and HESTA, had mandatory login MFA in place before the attack.

Retail industry super fund Rest Super confirmed that MFA would be expanded to member logins in the coming days.

“We have a program under way to expand multi-factor authentication to all member access logins, which we expect to implement next week,” a spokesman said. “We have consistently prioritised cybersecurity investment over many years and continue to do so. We have a range of cyber security measures in place to protect members and are continuing to enhance these protections.”

A Cbus spokesman said the fund was working on a program of enhanced security measures, including MFA at log-in: “We’re looking at how we can accelerate these in the coming months.”

ART, the nation’s second-biggest super fund, said it was considering an opt-out MFA function. “We’re focused on meeting members where they are, when providing digital protections, including options like MFA, and are continuing to work through how best to introduce an opt-out MFA process while limiting the impacts on member experience,” a spokesman said.

But Super Consumers Australia chief executive Xavier O’Halloran said it was not good enough that some funds still were not mandating MFA for members.

“We got pretty lucky this time, with only seven people losing their money, but hackers are always getting smarter and have more sophisticated techniques,” he said. “Super funds need to be spending to stay on top of that.”

Original URL: https://www.theaustralian.com.au/business/financial-services/australiansuper-introduces-multifactor-identification-but-art-and-cbus-drag-their-feet/news-story/4d7255331bc8c156230cf1b402863036