Make Aus banks & financial orgs add optional time-based one-time passwords for all logins

The issue

Recent infostealer malware attacks have shown that most Australian banks (including all of the "big four") and many superannuation funds are still vulnerable to credential-stuffing attacks, because they still lack an option to enable multi-factor authentication for every type of login. Over 31,000 Australian bank customers are so far known to have had their banking passwords traded online, yet the banks are still not protecting their login systems against further account and personal details being stolen using those passwords. Similarly, many superannuation funds were recently attacked and hackers were able to steal over $500,000, which multi-factor authentication would have prevented.

Until an option to enable multi-factor authentication for every type of login is mandated by legislation for all Australian financial institutions that support logins (banks, superannuation funds, MyTax in MyGov, credit-reporting agencies, brokers, share registries and so on), similar breaches and the identity theft and fraud that follow them will continue to occur. Many banks and superannuation funds use multi-factor authentication only to initiate transactions and withdrawals, and do not offer an option to require it for all logins as well.

Once a hacker has stolen enough personal information about someone, they can also exploit the lack of multi-factor authentication protections at Australian credit-reporting agencies. Equifax, Experian and Illion do not use multi-factor authentication on a person's existing account to prevent hackers from creating additional accounts that impersonate that person. That lets a hacker download the person's credit report and harvest further personal information from it, even when the person has placed a ban on their report: a ban does not stop the report holder from downloading their own report for free once every 3 months, so a hacker who successfully impersonates them and creates an additional account under a different email address can download it at the same cadence. Although some credit-reporting agencies do support enabling multi-factor authentication, the way it is currently implemented does nothing to stop hackers from signing up additional impersonating accounts with different email addresses.

This petition is primarily aimed at financial institutions, but the same problem exists for Australian insurance logins, including health insurance logins, which hold a treasure trove of personal and medical information that hackers can exploit further.

Existing "Solutions" are Insecure

Verification codes sent by SMS, push notification or email are not end-to-end encrypted and can be intercepted and read by hackers, and in some cases hackers are able to port a victim's phone number away from them and receive the codes themselves.

The Proposed Solution

An excellent form of multi-factor authentication that does not require sending any code is the Time-Based One-Time Password (TOTP). I propose mandating, via legislation, that Australian financial institutions offer the ability to enable multi-factor authentication for all types of login, using (at least) TOTP with any third-party authenticator app according to the existing standards. Also, while TOTP is enabled, the use of SMS, push notification or email codes for authentication should (by default at least) not be allowed. Almost every popular website in the world already supports enabling TOTP for all logins via third-party authenticator apps, so why don't Australian institutions such as banks?

Another benefit of TOTP over SMS, push notifications and email is versatility: the one-time code is never sent anywhere but is generated on the person's own device, so TOTP works even when the person has no working mobile phone number or email access. In an emergency while travelling abroad in a remote area with only a landline to call a bank helpdesk, for example, they can still use the authenticator app on their mobile phone without internet access. An even more secure mechanism is YubiKeys, but baby steps...

Links:

https://www.abc.net.au/news/2025-04-29/australian-bank-customers-passwords-stolen-by-malware-hackers/105196976

https://www.abc.net.au/news/2025-04-04/superannuation-cyber-attack-rest-afsa/105137820

https://krebsonsecurity.com/2023/01/identity-thieves-bypassed-experian-security-to-view-credit-reports/
