Australian Super Funds Targeted in Cybersecurity Breach - Australian Super Locked down Their Accounts?

Looks like there's been a decent cyber attack at Australian Super - so far, 4 members have confirmed losing up to $500k total.

I've just checked and I can't login or see my balance.

Other funds impacted include:

Rest, Host Plus, Insignia and Australian Retirement


Comments

  • +20

    Attempted login via website - No Go

    Updated and logged in via App - Got in!

    Sees $0 in super balance amount

    Begins sweating

    Presses on balance amount to see full details

    Correct balance appears

    breathes sigh

    • +4

      Yeah, I'm not having any luck at all. I imagine 3.5 million Australians are all trying to log in at the same time

      • After that successful attempt, I've been failing ever since.

        It's all "Looks like we're having trouble loading your account details".

        Welp, hopefully no one here or anyone we know loses any funds~

        • how often do you need to check on your super - like literally every 5 minutes?

          especially when every other member is trying to check theirs

        • Does the super company reimburse the possibly stolen funds?

      • +1

        OzBargained…

    • "Press the balance amount to see details", been doing that all the time, they don't normally shows up in first load.

  • +13

    Can't imagine that the poor people that have been hacked would actually lose their super. Surely the fund would return the stolen amounts..

    • +1

      will be interesting, apparently it is credential stuffing so those poor people are the central cause of the lost money in the first place because they reused passwords that were compromised.

      • Oops

      • +13

        Bullshit. Should have had 2FA years ago. Can't blame boomers on this, who have no literacy. Total 💩 show. Government hasn't done anything either.

        API compromised passwords, reset passwords after 12 months. How the f can they have their money drained and moved so easily?

        Any lawyer could successfully argue they didn't do enough.

        Australian Super doesn't have it as I was able to login with user name and pass.

        Billions under management. Ridiculous.

        • +4

          I contacted them about this last year, they said 2FA was in the works. A bit too late though it seems.

        • I agree they absolutely should have had 2FA years ago and that makes the super funds a contributing factor to the disaster for those people. That however does not excuse their incredibly poor security practices; people that do this are the same people that would hand over the 2FA to a scammer anyway.

      • *starts sweating*
        *checks password manager*
        *sees unique password*

        Phew!

        • Personally I would never put financial passwords in a password manager, single point of failure/compromise. But it is at least better than reusing passwords.

          For me, password managers for stuff that doesn't matter, forums, web sites etc.
          Banks, super etc. all separate complex passphrases that I can remember.
          Separate offline KeePass for some of the stuff not as important as finances but more important than forums etc.

          Security keys or at least MFA wherever I can.

          • @gromit: It is, but it'd be a hard grab.

            Not stored in cloud, so would need to compromise my device/s, in which case I'm screwed anyway.
            Password database also has a very good password and 2FA.

            Personally I think having significantly more "secure" passwords offsets the risk in using a manager.

            Would love to use easily memorable passphrases for my more important logins, but unfortunately many institutions have unintelligent password requirements (max characters, specific character requirements, etc) that can make that difficult: "was it the first S that I swapped to a $…". #RelevantXKCD

    • +1

      I wonder if they can sue them … for negligence

      • I would hope the super funds wouldn't go that far, I would think those that have lost their money have already been punished enough for their negligence.
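The compromised-password API mentioned a few replies up (and the password-policy complaints in the password-manager discussion), as an added example that is not part of the thread: a k-anonymity range lookup in the shape of a Pwned Passwords-style service, simulated offline against a constructed corpus. The client hashes the candidate password, sends only the first five hex characters of the SHA-1 digest, and compares the returned suffixes locally, so the service never sees the password or its full hash. The corpus, counts, origin names and function names are all constructed; the five-character prefix protocol is the real shape of such services.

```python
"""Checking a candidate password against a breached-password corpus with a
k-anonymity range query, the shape of Pwned Passwords-style APIs.
Added example, not from the thread; the corpus below is constructed."""
import hashlib
import hmac


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest these range services are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: password -> times seen in breaches.
CONSTRUCTED_BREACHED = {
    "password1": 3_540_000,
    "qwerty123": 1_200_000,
    "Winter2024!!": 212,
}


def build_range_index(corpus: dict) -> dict:
    """Group hashes by their first five hex characters, as the service does."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_lookup(prefix: str) -> list:
    """Simulates GET /range/{prefix}. Only the 5-char prefix leaves the client,
    so the service learns neither the full hash nor the password."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return RANGE_INDEX.get(prefix, [])


def breach_count(password: str, lookup=range_lookup) -> int:
    """Return how often the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in lookup(prefix):
        if hmac.compare_digest(candidate_suffix, suffix):
            return count
    return 0


def evaluate_password(password: str, min_length: int = 12) -> tuple:
    """Policy check at set/reset time: a length floor, no arbitrary maximum or
    character-class rules, and rejection of anything seen in breach data."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password)
    if seen:
        return False, f"seen {seen:,} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password1", "Winter2024!!", "correct-horse-battery-staple-41"):
        print(pw, evaluate_password(pw))
```

The same `breach_count` works unchanged against a real range service if `range_lookup` is swapped for an HTTP call that returns the `SUFFIX:COUNT` lines; the point of the design is that the only value sent over the wire is the prefix.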

  • +23

    Australia really needs to lift their Cybersecurity game.

    • lift their Cybersecurity game.

      🔒

    • +1

      and AUSTRALIANS. it is truly unfathomable that people reuse passwords for financial stuff like banks and super.

      • +3

        Agreed on password reuse being bad, but many banks only allow insecure MFA through SMS too. Data breaches only result in a slap on the wrist, so there's no incentive for them to take Cybersecurity seriously.

        • Gov should fine them billions and use the money to help replace money lost to cyber crime. I know my dad tried to see his balance for 2 days; he tried calling them all day Friday, no (profanity) work on weekends there. Dad only just retired this past year, self-funded for a good retirement.

    • -2

      No. Australians need to manage the security of their accounts better. You know how many dumb people have their name and date of birth IN THEIR EMAIL ADDRESS. Also, turn on 2FA.

      • Also, turn on 2FA.

        That's hard to do when Australian Super doesn't let you.

      • Australian financial institutions when you ask for 2FA, "Sorry, you say you want two tractors?"

  • +6

    My Mum was worried about this since it was on the news. Instructing her to check her balance means waiting for the postman to bring the letter in July.

    • Don't worry, the postman will check for her.

    • +3

      If she doesn't have login capabilities to check then no password can be compromised from reused passwords.

      If hacking occurred in her case it would definitely be her super's security at fault, not her.

      • I definitely agree.

  • +1

    Hostplus message in-app:

    "We're currently performing scheduled maintenance. We apologise for the inconvenience. Please try again later"

    Nothing to see here, move along.

    • so far, 4 members have confirmed

      Yeah bro, definitely the only ones affected, it's not too early to say, they have all the information about the attack, all affected members have already been contacted

    • +12

      You must be a noob to quote those stats.

      and then

      Think about it, either all members lose everything or no member lost anything.

      I think you're making a lot of assumptions about how the attack was performed… or don't understand how many different methods of cyber attacks exist. This, ironically, would make you the noob.

    • +2

      It was a credential stuffing attack, basically they target whoever is dumb enough to reuse passwords.

      • So what did they actually do? Roll over funds? Cash out? I'm curious how the transactions wouldn't be easily traceable.

        • being traceable doesn't get the money back. like all scams I imagine the first thing they did was transfer the money offshore or into crypto.

          • +1

            @gromit: Most scams don't deposit money into an Australian bank account.

            If that happened, they should know exactly who did it.
            If I'm wrong, and we're letting scammers open bank accounts, we need to tighten the application and verification process.

            As for "knowing who did it doesn't get the money back", for that kind of money I'd expect they would make an international case of it, assuming the account holders are foreign.

            • +1

              @SlickMick: Yes, they often DO deposit into Australian bank accounts. However those bank accounts are often just for forwarding and are owned by clueless Australians that have also fallen victim to the scammers on the promise of commissions. Once forwarded from the Australian bank accounts it is very easy to launder the money through tumbling services and crypto to hide the trail.

              e.g. have a read https://en.wikipedia.org/wiki/Cryptocurrency_tumbler

  • +7

    Too many businesses don't take cyber security serious enough and don't allocate the necessary funds to make themselves secure. The lack of awareness from staff is a big issue too. Particularly when they're left untrained to identify phishing and other attack vectors.

    It's only a matter of time.

    • -5

      Members could have been phished. Can’t blame businesses for that.

      • +7

        Agreed - but with financial transactions of this size, the business should force 2FA or some other security token system on users

        • -4

          2FA can also be phished.

          • +4

            @askbargain: If that business gets compromised and it's found that they're not enforcing 2FA then they're going to be more liable. Anyone with a little bit of smarts knows that businesses should take reasonable steps to protect their customer's data. Trying to dismiss that is idiotic.

            • -2

              @Clear:

              businesses should take reasonable steps to protect their customer's data

              except when customers are phished, it is beyond the business's control

              • +2

                @askbargain: Odd part to quote out of context. Since we're working with that… a business shouldn't take reasonable steps to protect their customer's data if the customer is phished is basically what you're saying there.

                A business should take reasonable steps to protect customer's data and help prevent them from being phished.

                • @Clear: What can businesses do to protect customer data after being phished? Nothing.

                  • +2

                    @askbargain: A business can take steps to prevent phishing. Both around the security of the account and how money is withdrawn. I dunno why you're so keen on defending against that idea. It's almost as if you're enjoying people with high super losing it all.

                    • @Clear: More like it’s impossible to stop phishing without giving hardware tokens to everyone.

                      https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mail…

                      What should Mailchimp do?

                      • @askbargain: Hardware tokens aren't the only method of providing passkey authentication. It can be implemented through other means such as your phone's face ID or fingerprint reader.

                        • @Clear: You haven’t answered what Mailchimp should do?

                          • @askbargain: Yes I did. You suggested hardware tokens and I provided the software alternative. Both help prevent phishing.

                            By the way Australian Super wasn't protecting their members accounts with any form of MFA. They could have done more.

                  • @askbargain: I presume you're talking about spear phishing, but from the negs it seems that some don't understand how good these crims are at it.

                    • +1

                      @SlickMick: It’s alright, they can keep blaming other people.

              • @askbargain: You can use Phishing resistant 2FA. e.g. a security key, but sadly very few financial institutions support it or only support it for business accounts.

      • +5

        Yes in this instance it's looking like user account passwords were stolen. However what I said is still true regardless. It's unacceptable for a business of any size to not take security seriously and it's a major problem in Australia.

        • +10

          Devs in Australia are terrible at the systems thinking needed to provide effective security.
          An example from my non-technical mum:
          Her banking app won't let her log in.
          As far as I can tell, the bank updated the app, resetting the easy sign on prefs like pin or fingerprint. It didn't tell her that is what happened, just the number she has used to log in suddenly isn't working.
          Another example, a bank again, has a customer number, a username and another number that is like a password, used for auth. The app, website and phone banking aren't consistent in what is a reference number and a customer number and a customer ID, so it is confusing which are secret and which are not.
          Add in the regular "redesign" of apps, sites etc. that make it harder for occasional users to know if the site is legit or a phish.

          Every Dev seems to assume their users are IT experts who study their apps and sites and meticulously read every email. Instead of distracted, below average IT capability who only use their services when they can't avoid it.

          • +5

            @mskeggs: I work for a software company, so I understand saying this is the devs' fault is a massive oversimplification, but too often there is nobody smart enough elsewhere in the organisation to understand these issues.

          • @mskeggs: It really isn't about developers - it's not even an oversimplification.

            The primary factor that I've seen across organisations is that this sort of security is not always valued, and the risks are not managed by management. Too many managers are happy saving money until an incident and then it's too late. With security you have to be proactive and that costs money.

            Developers in businesses by and large work on what they are told to. If they aren't working on security it's because management doesn't want them to. If AusSuper had 2FA in the works for ages, as other posts here said, then that's on them.

            Even to the extent developers have flaws around security, it should not be highly relevant. If management are doing their job, then there will be processes in place to do code review, penetration testing, vulnerability scanning, risk management and so on. Security is achieved through layers working together. And if that isn't happening it's on management and the general regulatory regime they operate under.

    • +2

      It was only a few years ago Westpac progressed on from six-digit PINs. I have a Westpac acct and found it comical.

      • I remember 10 years ago coming across EFTPOS terminals that couldn't handle more than 4. Thankfully they all seem to be gone now.

      • And how many people had their account hacked as a result? Probably none. A password is just one layer of security.
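The argument above about whether 2FA can be phished and what "phishing resistant" means, as an added example that is not part of the thread: a toy relying party showing why a relayed one-time code is accepted while an origin-bound, WebAuthn-style assertion (security key or platform passkey) is rejected. The TOTP function follows RFC 6238; HMAC stands in for the credential's public-key signature (an assumption made for brevity), and every origin, user name and class name here is constructed.

```python
"""Why a relayed one-time code is phishable and an origin-bound, WebAuthn-style
assertion is not. Added example, not from the thread. The authenticator is a
toy: HMAC stands in for the credential's public-key signature (an assumption
made for brevity); the origin and challenge checks mirror what a relying party
does with WebAuthn's clientDataJSON. All names below are constructed."""
import hashlib
import hmac
import json
import os
import secrets

RP_ORIGIN = "https://login.example-super.invalid"            # constructed
PHISH_ORIGIN = "https://login.example-super-secure.invalid"  # constructed look-alike


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the code is the same wherever it is typed."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp_relay_attack(now: int = 1_700_000_000) -> bool:
    """The user types the current code into a look-alike page and it is forwarded
    inside the same 30-second step. The real site cannot tell the difference."""
    secret = os.urandom(20)
    typed_into_phish_page = totp(secret, now)
    relayed_to_real_site = typed_into_phish_page
    return hmac.compare_digest(totp(secret, now), relayed_to_real_site)  # accepted


class ToyAuthenticator:
    """Stand-in for a security key or platform passkey. Crucially, the browser,
    not the user, fills in the origin it is really connected to."""

    def __init__(self):
        self.key = os.urandom(32)  # stands in for the credential private key

    def get_assertion(self, challenge: bytes, browser_origin: str) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
            sort_keys=True).encode()
        sig = hmac.new(self.key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return {"client_data": client_data, "sig": sig}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.credentials = {}  # username -> registered credential key
        self.pending = {}      # outstanding challenge -> username

    def register(self, user: str, authenticator: ToyAuthenticator) -> None:
        self.credentials[user] = authenticator.key

    def begin_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending[challenge] = user
        return challenge

    def finish_login(self, user: str, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        challenge = bytes.fromhex(data["challenge"])
        if self.pending.pop(challenge, None) != user:
            return False  # unknown or replayed challenge
        if data["origin"] != self.origin:
            return False  # signed for another site: this was relayed
        expected = hmac.new(self.credentials[user],
                            hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def legitimate_login() -> bool:
    rp, auth = RelyingParty(RP_ORIGIN), ToyAuthenticator()
    rp.register("alice", auth)
    challenge = rp.begin_login("alice")
    return rp.finish_login("alice", auth.get_assertion(challenge, RP_ORIGIN))


def webauthn_relay_attack() -> bool:
    """A real challenge is relayed to the victim, whose browser is on the
    look-alike origin. The assertion is bound to that origin, so the real site
    rejects it even though the signature itself verifies."""
    rp, auth = RelyingParty(RP_ORIGIN), ToyAuthenticator()
    rp.register("alice", auth)
    challenge = rp.begin_login("alice")
    return rp.finish_login("alice", auth.get_assertion(challenge, PHISH_ORIGIN))
```

The difference is not the hardware: the protection comes from the browser binding the true origin into the signed data, which is why a platform passkey on a phone gives the same resistance as a physical key, and why SMS or app codes cannot.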

  • +11

    From what I understand, they have hit the super funds hard with usernames and passwords to get in.

    Once in they check if the member was in pension phase and then they elected for lump sum payments.

    Be interesting to see what secondary security they have in regards to processing those transactions.

    • I thought super withdrawals took weeks or months? How long ago was this breach?

      I'm also interested in where funds can be withdrawn to - I'd have thought this would be very tracible?

      (Obviously I'd suck as a hacker.)

      • A common tactic of the hackers is paying gullible Australians to use their bank accounts for "businesses". They get the money deposited into an Australian bank account and then immediately transfer that overseas and then into crypto, where there are zero methods of reversing that except actually capturing the person and getting them to turn over their crypto keys. So while it is traceable, the trail basically ends with an idiot that let hackers use their account and maybe a crypto address that you can't put a name or address to, that will then be tumbled through an exchange to dissolve what is left of the trail.
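The pattern described above (large numbers of usernames and passwords tried against the login endpoint, then action taken on the accounts that opened), together with the earlier "credential stuffing" replies, as an added example that is not part of the thread: detection logic a fund's security team could run over its own authentication logs. A stuffing burst looks nothing like a forgotten password: one source, many distinct usernames, a high failure rate, and a few successes that are precisely the reused-password victims to lock, step up and contact before any transfer or lump-sum request is processed. The log format, addresses, usernames and thresholds are constructed assumptions.

```python
"""Detecting a credential-stuffing burst in authentication logs.
Added example, not from the thread; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log: one source tries eight different usernames in eight seconds
# and gets two right (the reused-password victims); a second source is one
# person mistyping their own password; a third is an ordinary login.
CONSTRUCTED_LOG = """\
2025-04-04T09:00:01Z ip=203.0.113.7 user=m.smith result=FAIL
2025-04-04T09:00:02Z ip=203.0.113.7 user=j.wong result=FAIL
2025-04-04T09:00:03Z ip=203.0.113.7 user=k.brown result=FAIL
2025-04-04T09:00:04Z ip=203.0.113.7 user=p.nguyen result=OK
2025-04-04T09:00:05Z ip=203.0.113.7 user=s.taylor result=FAIL
2025-04-04T09:00:06Z ip=203.0.113.7 user=l.chen result=FAIL
2025-04-04T09:00:07Z ip=203.0.113.7 user=r.patel result=OK
2025-04-04T09:00:08Z ip=203.0.113.7 user=d.kumar result=FAIL
2025-04-04T09:03:00Z ip=198.51.100.4 user=a.jones result=FAIL
2025-04-04T09:03:40Z ip=198.51.100.4 user=a.jones result=FAIL
2025-04-04T09:04:10Z ip=198.51.100.4 user=a.jones result=OK
2025-04-04T09:05:00Z ip=192.0.2.9 user=t.walsh result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line: str):
    """Parse one constructed-format log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.7) -> dict:
    """Flag any source that, inside one sliding window, tries many distinct
    usernames with a high failure rate. Successes inside such a burst are the
    accounts to lock, step up and contact, not logins to trust."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                alert = alerts.setdefault(ip, {"peak_attempts": 0, "distinct_users": 0,
                                               "failures": 0, "successful_users": set()})
                alert["peak_attempts"] = max(alert["peak_attempts"], len(win))
                alert["distinct_users"] = max(alert["distinct_users"], len(users))
                alert["failures"] = max(alert["failures"], failures)
                alert["successful_users"] |= {e["user"] for e in win if e["ok"]}

    for alert in alerts.values():
        alert["successful_users"] = sorted(alert["successful_users"])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_stuffing(CONSTRUCTED_LOG).items():
        print(ip, alert)
```

Real stuffing campaigns spread attempts across many addresses, so in production the same windowing is usually keyed on a device fingerprint or on the whole endpoint's distinct-username rate as well as on the source address; the thresholds here are deliberately low so the constructed sample trips them.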

  • +1

    Wife’s balance went from $500Kplus to $Zero. Was a shit feeling for a bit there. Australian Super.

  • -2

    We need something like ConnectID but not only for banks. It should be used for all sensitive information.

    Can it be hacked or used for malicious activities. Yes, but it is more secure than the current system.

    In Europe, some countries use system that is called BankID with great success.

    You want to login to your mobile phone service provider for instance, you use BankID.

    Just my opinion..

  • +5

    Maybe some of the little old ladies that have been waiting 12-18 months to get their deceased husbands' super balances from the nice super funds should be referred to the nasty hackers to get their money released instantly!

  • +2

    Still cant login, no communication from the fund. Where is the CEO?

    • +5

      Where is the CEO?

      Is that you Luigi?

      /S

      • Just tried logging in just a moment ago and the login portal still appears to be down.

        • +1

          I was able to log in at 7.30pm. Earlier attempt at 7pm wasn't successful though. Keep trying if you're concerned. Just be aware the first time I tried I got a message saying basically don't worry, your balance may show NIL but that is an IT issue and your funds are secure. All the same I was relieved to see my balance appear when I did finally get in. It was down a bit but I blame Trump not hackers for that.

    • I couldn't login last night. Working today, albeit the pages are slow to refresh.

  • When will the voluntary Digital ID become mandatory to access your Superannuation?

  • +4

    The problem here with these industry funds is, if they are fined by APRA/ASIC for failures in their systems, or if they actually need to refund money to members who lost money, it is actually all the members that pay for it, not the super fund. These super funds don't have assets behind them; they create reserves by taking from members' returns and use those to pay for these things.

    • +2

      Fines and lost money compensations should come from the big salaries and bonuses that the fund's executives and directors receive. Then you can be sure that they would care. Instead the pain will be spread around the super fund members without them even knowing. And even if some members knew, there is absolutely nothing they can do.
      Superannuation is a scam.

  • +9

    If I can't withdraw funds from my super account how can a dodgy person do it?

    • +5

      I think the people financially impacted were those in the “draw down” phase - eg, who could withdraw

    • It isn't a withdrawal, usually it's a transfer to another superannuation fund, e.g. fake SMSF and then they cash out because there is no oversight.

      Sadly, I have seen it happen to a few people…

      • +1

        Surely this is traceable?

        • -1

          Nah it's BS he's making that up.

          Literally no-one under the retirement age was impacted. Just 3.5 million (profanity) in a panic together overloading the login system.

          • @eddyah: OK, but shouldn't it be possible to trace the lost funds from the 4 retirees that were affected?

            • @Gaz1: Even if you can trace it, since transfers happen relatively in real time you usually cannot freeze the funds.

              Anything more than a day and it's gone overseas.

          • @eddyah: You are living under a rock as this is the main method for superannuation theft.

        • All financial or bank transactions are traceable quite easily, provided other factors like law, regulation and financial policy allow it, especially when it comes to cross-country transfers. It is harder if it gets to blockchain, especially the private ones.

      • +1

        I have more questions now. Names don't need to match? Wouldn't it presume identity theft to have already occurred for the account to be created. Don't other SMSF have similar withdrawal rules?

  • +3

    Why the hell did I learn this from a bargain website first

    • Do you read or watch sensationalised and highly opinionated tabloid journalism (who self-describe their outlets as 'mainstream media' and their offerings as 'the news')? If not, that's why.

      • +1

        Yes, and because the superannuation funds own the corporations that give you the news, of course they try to keep a lid on it as much as possible.

        • +1

          Editorial bias? Never! /s

  • Couldn't log in on the day the news broke and disappointingly it only just said error couldn't log in, so I genuinely got worried I was compromised and someone changed my password. Then when I couldn't run through the password reset process I figured they were doing stuff so I can't tell. Not even a banner on their main site like other organisations did post-compromise.

    Only later on did the maintenance page come up. And it's still there now, so I still can't go and verify my account/balance.

    • -1

      You shouldn't be worried at all if you're not at the stage where you can withdraw super.

      • Given it's "old news" it's not like just cos I can't log in doesn't mean they didn't do it before if that's what you mean

  • +1

    No dramas with Ing Super Acc…except dropped a few Gs thanks to Trumpy.

  • After all this was announced and the company stated they were onto it - a lady I was with this morning found $35000 taken from her account late yesterday. That actually left her account after they were supposedly taking action. So I would suggest people check at least daily as these thieves were still taking $ at will late yesterday.

  • Surely if you have 2FA setup the account is secure unless they do some elaborate phone number porting scheme connected to the account?

    • That's fine if the super fund has 2FA (and it is enforced). Australian Super doesn't have it at all, according to the comments I have read elsewhere.

    • It does not help that transferring superannuation is a relatively straightforward process, typically requiring only the completion of a form. Notably, most superannuation funds do not make direct contact with the individual to confirm authorisation.

  • +2

    Takes forever for super transactions to go through. This must have been going on for weeks or months before they found out.

    • +1

      Exactly, that's what they hid in the media release…
