Vamos said criminals will siphon superannuation into self-managed funds or apply for hardship payments.
“Criminals steal identities and falsify hardship documents to get early payments.”
Identity rules around self-managed funds and hardship payments are relatively weak. Bank accounts receiving the stolen funds are not checked against existing records and can be in multiple names.
In October 2011, security researcher Patrick Webster highlighted just how immature security standards in the super industry were when he disclosed that the electronic superannuation notices of any First State Superannuation customer could be accessed by changing numerical values in the URLs used to issue statements to clients.
First State initially threatened legal action against Webster, but withdrew its claim after public pressure generated by news coverage of the incident.
Thankfully, changes are in the works.
The Federal Government has mandated that superannuation funds toughen identity requirements by year’s end, and the Australian Tax Office has already refused to pay into accounts owned by more than one holder, Vamos said.
Security boffins employed by superannuation funds have formed an informal and secretive community to exchange confidential information about the latest “tricks” used by criminals.
For its part, ASFA had issued warnings to superannuation funds about the security implications of issuing statements.
Dyson pointed out that the scam is uncommon but emerging, and that the public should be aware of the threat.
“Check your super details and look for changes,” he advised.