Proving human identity is essential to defending Australia’s financial services sector
The Australian financial services sector has been a prime target for cybercriminals for many years. As cyber threats become increasingly sophisticated, the need for robust identity verification measures becomes more urgent. The rapid evolution of cyberattacks, including phishing, social engineering and AI-driven scams, demands that banks place renewed emphasis on verifying human identity and ensuring that only genuine account holders are authenticated.
Recent statistics from the Office of the Australian Information Commissioner (OAIC) for July to December 2024 show that phishing incidents accounted for 34 per cent of reported cyber events. Meanwhile, human error accounted for nearly 30 per cent of data breaches, highlighting the severity of the insider risk.
The intersection of human error and increasingly advanced cyber tactics emphasises the fundamental importance of strong identity verification in effective cyber resilience, and especially within the financial services sector. Despite their cyber maturity, financial services organisations in Australia remain highly attractive to both criminal groups and nation-state attackers, given the amount of sensitive and valuable data they possess.
According to the OAIC report, the financial services sector was the third-highest sector by number of reported breaches in 2024. Its significant economic role and vast stores of sensitive data make financial services companies particularly vulnerable.
Additionally, the industry is undergoing significant disruption from global, technological, supply chain and organisational changes, all of which contribute to elevated cyber risk. AI-enhanced phishing and deepfake attacks are among the most significant threats facing the sector. Cybercriminals now leverage AI tools to create convincing phishing messages, voice-based scams and even realistic video impersonations. As these attacks grow more sophisticated, identity verification technology must evolve to keep pace.
Regulatory compliance and scrutiny across banking and financial services
The Australian superannuation industry is the custodian of more than $4 trillion in member funds. The industry is systemically significant, and many millions of Australians rely on it to safeguard their retirement savings. The obligation of superannuation entities to ensure the safety and security of members' retirement savings and member data is non-negotiable, according to the Australian Prudential Regulation Authority (APRA).
APRA has highlighted the importance of secure authentication in its cybersecurity guidelines. It recommends deploying strong multi-factor authentication (MFA) solutions that not only verify credentials but also confirm human identity with a high level of assurance. These guidelines set a clear expectation for financial services organisations to use methods that are resilient against modern cyber threats.
Failing to adopt stronger identity verification exposes institutions to regulatory scrutiny, financial losses and reputational damage. In the banking sector, where customer trust is paramount, the impacts of a breach are especially severe.
Moving on from legacy authentication to hardware-backed MFA
Legacy authentication methods such as passwords and SMS-based two-factor authentication are no longer sufficient in today's threat environment. Financial institutions are custodians of large volumes of personal and financial data, necessitating stronger protective measures. Phishing-resistant multi-factor authentication (MFA), including hardware security keys, is now a crucial requirement for the financial services sector.
Security keys represent a significant advancement in authentication, offering phishing-resistant protection. Unlike passwords or SMS codes, which can be intercepted, phished or stolen, hardware-based keys use cryptography to ensure only verified individuals can gain access. This approach addresses the traditional weak point of human susceptibility to deception.
Hardware-based MFA, such as security keys, offers several security advantages. These keys rely on public-key cryptography, an internationally recognised, highly secure method. Each device securely stores a unique cryptographic key pair, making it nearly impossible for attackers to replicate the authentication process, even if a user's credentials or devices are stolen.
Security keys also require a human to be present to perform the verification: a physical touch or a biometric check, such as a fingerprint, ensures a real person completes the authentication. This significantly reduces the risk of remote or automated attacks, which are becoming more prevalent in financially motivated cybercrime.
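The three properties described above (a key pair held on the device, a signature bound to the site the browser actually talked to, and a user-presence check) can be shown in a small model. This is an added example written for this article, not code from any vendor or standard; it is a simplified, hypothetical WebAuthn-style exchange, and the origins, challenge bytes and struct layout are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Assertion is a simplified, hypothetical model of a WebAuthn-style signed login response.
type Assertion struct {
	Origin    string // origin the browser actually sent the challenge from
	Challenge []byte // challenge issued by the bank's server
	Flags     byte   // bit 0 = user present (key touched or biometric passed)
	Sig       []byte // ECDSA P-256 signature over signedData(...)
}
// SecurityKey models a hardware key: the pair is generated on the device; the private half never leaves it.
type SecurityKey struct{ priv *ecdsa.PrivateKey }
func NewSecurityKey() (*SecurityKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecurityKey{priv: priv}, nil
}
func (k *SecurityKey) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }
// signedData binds origin, challenge and flags into one digest, so a signature made for a look-alike origin is worthless at the bank's real origin.
func signedData(origin string, challenge []byte, flags byte) []byte {
	h := sha256.Sum256(append(append([]byte(origin+"\x00"), challenge...), flags))
	return h[:]
}
// Sign is the authenticator side: it refuses without a physical touch and signs the origin it was given.
func (k *SecurityKey) Sign(origin string, challenge []byte, touched bool) (*Assertion, error) {
	if !touched {
		return nil, errors.New("user presence required: no touch or biometric")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, signedData(origin, challenge, 1))
	if err != nil {
		return nil, err
	}
	return &Assertion{Origin: origin, Challenge: challenge, Flags: 1, Sig: sig}, nil
}
// Verify is the bank's server-side check against the public key registered at enrolment.
func Verify(pub *ecdsa.PublicKey, wantOrigin string, issued []byte, a *Assertion) bool {
	if a == nil || a.Origin != wantOrigin || string(a.Challenge) != string(issued) || a.Flags&1 == 0 {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(a.Origin, a.Challenge, a.Flags), a.Sig)
}
```

A relayed challenge signed on a look-alike origin fails verification at the real origin, and rewriting the origin field afterwards fails too because the origin is inside the signed digest; this is what makes the scheme phishing-resistant rather than merely a second factor.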
User experience and brand trust: Recommendations for a secure future
As competition intensifies, customer experience will be a key differentiator for financial institutions. Security controls must be user-friendly to encourage widespread adoption across all age groups. Strong phishing-resistant MFA solutions strike a balance between robust security and ease of use, enabling seamless integration into our daily lives.
Adopting advanced identity verification methods is not only about compliance and risk reduction; it also reinforces an institution's reputation for trustworthiness. In a climate where cybersecurity strongly influences consumer choices, this brand trust directly translates to better client retention. Australian financial institutions should review their authentication strategies and prioritise the adoption of phishing-resistant technologies. Alongside education on cybersecurity risks, investing in hardware authentication solutions is critical for eliminating human vulnerabilities in authentication.
By taking proactive measures, financial services organisations can significantly enhance their cyber resilience. Proving human identity through advanced MFA methods represents a vital investment in maintaining customer trust, regulatory compliance and organisational stability in an increasingly complex digital environment.