Super in the spotlight
Easy online access is making super accounts more vulnerable to attacks from hackers.
For many superannuation fund members, the idea that their account might be at risk of the sort of data breach and identity theft that plagues banks and retailers first occurred to them when they read reports in Fairfax Media that a security consultant had exposed a flaw in a large super fund's online log-in system.

The consultant demonstrated that when he logged into his account with First State Super, which has 770,000 members, the URL included his member ID number. By changing that number, he could access other people's account information.

First State Super has fixed the problem, but the situation raises the question of how many other funds have left their members' account details vulnerable.

Don't ask the industry for an answer to that question: its peak body, the Association of Superannuation Funds of Australia, says it has no research on data breaches and identity theft involving super funds. Nor does the industry regulator, the Australian Prudential Regulation Authority.

DATA BREACHES MORE LIKELY

A leading industry research group, Rice Warner Actuaries, says it has never been commissioned to look into the issue.

The industry has tended to take the view that online security is not much of a problem for super funds. When the government introduced new anti-money-laundering and counter-terrorism financing laws several years ago, the super and funds management industries argued for concessions from coverage on the grounds that criminals targeted transaction-based financial providers, such as banks, but had little interest in super funds and investment products.

The principal of Rice Warner Actuaries, Michael Rice, says this is a naive view.
"If you have access to a super account and enough of the member's personal details to pass yourself off as the member, you could change the address and phone details and start transacting as if you were the member."

"My view is that the security record of most super funds is pretty good but the way the industry deals with members is changing in ways that make data breaches and identity theft more likely."

"Funds want to get closer to their members, to get greater engagement, and the way they are doing that is by providing easy online access."

"You can go online and get your account details, change your address, change your investment strategy and change your insurance policy terms."

In July, the attorney-general issued research that showed that almost one in six Australians had been a victim of identity theft, or known someone who had been a victim, in the previous six months. The majority of identity theft (58 per cent) occurred over the internet.

WEAK ACCESS CONTROLS

In the six months to July, the Australian government's computer emergency response team alerted businesses to more than 250,000 pieces of stolen personal information - passwords, account details and other information. It advised them to take steps to protect their systems and their customers.

Individuals can do several things to protect their personal details (see box). However, research suggests breaches are more likely to occur at the organisational level.

The US telecommunications company Verizon publishes an annual global study, the Data Breach Investigations Report.
Its 2011 report says: "Most breaches were a result of opportunistic attack, where the attackers took advantage of weak or absent access controls at an organisational level."

The lesson from the Verizon report is that people need to check their account balances regularly, including their super, to see that no unauthorised activity has occurred.

How to protect your online security

- Use strong passwords, not your mum's maiden name, your pet's name or your birth date. Don't select the "remember my password" option.
- Limit the amount of personal information you post on public sites. This information can be used by a criminal to develop a composite identity.
- Never click a link or open an attachment from someone you don't know. Do not respond to suspicious emails or mail.
- Carry only essential personal information with you.
- Check your credit report to see if there has been any unauthorised activity.
- Limit the credit you have on credit cards.
- Avoid using public computers to access personal information.
- Ensure no personal information remains on your computer hard drive before you sell or dispose of it. The same goes for mobile phones.

Source: Australian Crime Commission