FRESH

Hacker News

Home

Hackers strike Australia's largest pension funds in coordinated attacks

94 points by petethomas

by trollbridge

2 subcomments

Nearly every one of my clients have been invoice scammed. The amounts are typically five figures.
When we onboard a new customer, I send a packet with payment information including how to direct deposit. It has this information:
- Our routing/account number. We sweep the funds out of this account nearly instantly once the deposits are made. The bank account’s purpose is to accept direct deposits and nothing else. The account number we transmit over the phone so at least it’s less likely to end up sitting in a (compromised) e-mail box.
- Our mailing address, which is a PO Box.
- Some information on invoice scams, including an offer to review any suspicious requests free of charge. A customer takes us up on this every few months… so far we have yet to see one legitimate one.
- A warning to never, ever accept changes for our payment information or mailing address unless told to do so in person by an officer of the company, with a list of the current officers.
- If in doubt, mail a check to the PO Box instead of direct deposit.
- A warning not to trust information sent via email, fax, phone calls (voice changers are a real thing), or from an employee/officer other than the one they usually interact with, and such a change must be confirmed with a phone call to a different officer.
- A recommendation to also contact our local credit union (where we deposit payments from our customers) if they feel something is suspicious.
- We have an internal rule that any change to bank accounts requires a meeting of 3 officers, in person or over the Google Meet we normally use for video calls (no phone calls) with meeting minutes conducted for the change. The change must be unanimous and the change can’t be put in for 30 days unless an emergency. Emergencies must be coordinated with a responsible person at the bank, in person. (Sorry, but this means no fintech etc. type of banks.) We recommend our customers to do the same.
The biggest liability is that it would be hard for us to change bank accounts.
We get an attempt on an invoice scam or otherwise every few weeks. So far we haven’t lost a penny of company funds due to fraud.

by seb1204

4 subcomments

It irritates me to read that people have lost their pension. Surely this should read, the pension fund has lost their pension due to "it safely breach"? If a bank gets robbed they don't steal my money but the banks right?

by taberiand

2 subcomments

I suppose it depends if it's worse than reported currently, but it seems to me that with only 600 accounts losing an average of ~$800 each (and I'm going to go out on a limb and assume the users had poor password security), the fast detection and the immediate action to lock it down, there was a good and effective response by the companies attacked

by dbetteridge

0 subcomment

Tries to turn on mfa for my super-fund
Options (sms or email)
I wonder how this could have happened...

by IronCoder1

0 subcomment

This breach reinforces the importance of robust security measures, particularly for sensitive financial data. Pension funds must prioritize investing in state-of-the-art cybersecurity defenses and incident response plans. Transparent communication with affected individuals is crucial to maintain trust and mitigate potential harm. Swift action is needed to prevent future attacks.

by oldandboring

0 subcomment

https://archive.ph/6uANR

by damhsa

0 subcomment

the amount lost is insignificant compared to that lost to wage theft, inflation, rent, interest -- forms of capital expansion
https://en.wikisource.org/wiki/Manifesto_of_the_Communist_Pa...