#NSBCS.132 - The Password's Long Goodbye: Why 1 July Quietly Changed Authentication in Australia
Quick question: how many of the passwords protecting your organisation right now have already been stolen?
If that sounds dramatic, consider what's crossed our desks in just the past week. Credentials harvested from large numbers of exposed FortiGate devices are being used to seed follow-on intrusion activity, including ransomware. Device code phishing — a technique that walks users into handing attackers a valid session without ever typing a password on a fake page — has spiked this year, with multiple ready-made kits now circulating. The uncomfortable truth of 2026 is that the password, and even the SMS code that follows it, is no longer the lock on the door. It's the doormat the key is hiding under.
Which brings us to a date that passed with surprisingly little fanfare: 1 July 2026. From that day, FSC Standard No. 29 became mandatory for Australian superannuation funds, lifting expectations around multi-factor authentication across consumer-facing portals and critical systems. Combine that with the Essential Eight: since the November 2023 update, Maturity Level 2 has increased the emphasis on phishing-resistant MFA (not just ML3). The regulatory direction in Australia is unambiguous. "We have MFA" is no longer the finish line. The question boards and executives should now be asking is sharper: is our MFA phishing-resistant? (Think FIDO2/passkeys or hardware-bound keys — not SMS codes or approve/deny prompts.)
Because here is the part that still surprises people: a lot of MFA deployments still aren't phishing-resistant. SMS codes, email codes, and push approvals can all be captured or fatigued out of users in real time by adversary-in-the-middle kits — the same "scam-in-a-box" tooling that at one point saw thousands of myGov accounts suspended every month. If a human can read the code, a human can often be tricked into surrendering it.
Passkeys change the maths. Built on FIDO2 standards, a passkey is a cryptographic credential bound to the legitimate domain. It's unlocked by your device's biometric or PIN, not by something you can type into a fake page. There is no shared secret to phish, reuse, spray or leak — a fake login page simply has nothing reusable to steal. And this is no longer bleeding-edge technology. myGov's rollout went from 20,000 users in its first weeks to 170,000 shortly after. ubank has pushed passkeys to its customers, NAB's security chief has called passwords "terrible" and on the way out, and industry research this year found awareness among security professionals that passkeys are phishing-resistant jumped from 40% to 64% in twelve months. Yet roughly three quarters of organisations still run on legacy passwords day-to-day. That gap — between what we know and what we've deployed — is exactly where attackers live.
So what does taking no steps backward look like here? A few practical moves:
1. Map your identity estate. Identify which of your systems already support FIDO2/passkeys (Microsoft Entra ID, Google Workspace and most major SaaS platforms do). You likely have more coverage available than you think — it's just not switched on.
2. Start where the blast radius is biggest. Roll phishing-resistant MFA out to administrators, executives, finance and email first. These are the accounts adversary-in-the-middle kits are built to hunt.
3. Mind the fallback. A passkey protected by an SMS-recovery back door is only as strong as the SMS. Review recovery and helpdesk reset processes at the same time — attackers will simply target the weakest enrolled method.
4. Pair it with Conditional Access. As we covered back in #NSBCS.102, policies need to enforce what you think they enforce. Require phishing-resistant authentication strength for privileged roles rather than "any MFA".
5. Brief your people. User hesitancy remains the most-cited adoption barrier. A 15-minute explainer on what a passkey is (and what it means for their own accounts) turns resistance into advocacy.
Passwords had a fifty-year run. But when the regulator, the government's own front door, and the criminals have all moved on, staying put isn't standing firm — it's falling behind. No Steps Backward!
Article ReferencesFinancial Services Council, FSC Standard No. 29 (MFA mandatory for superannuation funds from 1 July 2026): https://www.cyberdaily.au/security/10874-passkeys-are-ready-to-meet-australias-evolving-mfa-standards-navigating-essential-eight-and-fsc-standard-no-29ACSC Essential Eight (phishing-resistant MFA at Maturity Level 2): https://www.govtechreview.com.au/content/gov-security/article/mygov-takes-a-stand-on-passwords-1348224786myGov passkey rollout and uptake figures: https://www.technologydecisions.com.au/content/security/article/australia-is-turning-a-corner-in-its-adoption-of-passkeys-124438343Australian passkey adoption, ubank and NAB commentary: https://www.biometricupdate.com/202412/passkey-adoption-by-australian-govt-banks-drives-wider-passwordless-authentication2026 State of Passwordless Identity Assurance statistics: https://jamcyber.com/blog/cyber-insights/april-2026-cyber-brief/Proofpoint DMARC analysis of Australian banks (1 July 2026): https://www.proofpoint.com/au/newsroom/press-releases/majority-australias-banks-leave-customers-vulnerable-email-fraudFortiGate credentials / INC and Lynx ransomware; device code phishing statistics: https://www.securityweek.com/ and https://thehackernews.com/DHS HSIN breach reporting: https://techcrunch.com/2026/07/02/us-government-says-it-got-hacked-again/
What we read this week
Exclusive: Client GPS Data Potentially Exposed in Alleged Teletrac Navman Breach (Cyber Daily, 7 July) - A hacker known as 'laserscript' claims to have exfiltrated live fleet telemetry data from Teletrac Navman, a GPS tracking provider with offices in Sydney and Melbourne, covering 2,988 customer organisations across Australia and New Zealand. The dataset reportedly includes over 670,000 position records captured during a 48-hour window on 27–28 June, plus driver emails, phone numbers, and more than 1,200 driver's licences. Claimed victims include KiwiRail, Gold Coast City Council, and BHP Newman Operations. Fleet and logistics operators using third-party telematics should review vendor breach notification clauses and monitor for driver-targeted phishing.
Patch Now! Active Exploitation of a Perfect 10 Adobe ColdFusion Vulnerability Is Underway (Cyber Daily, 7 July) - CVE-2026-48282, a maximum-severity path traversal flaw in Adobe ColdFusion disclosed on 30 June, was being actively exploited within two hours of technical details going public. Researchers observed unauthenticated attempts to read and write arbitrary files on exposed servers, with activity traced to an Indian IP address. CISA has since added it to its Known Exploited Vulnerabilities catalogue. Organisations running ColdFusion 2025.9, 2023.20, or earlier should patch immediately.
Australian Cyber Experts Warn of Third-Party Risk Surge (SecurityBrief Australia, 6 July) - BlueVoyant and Arctic Wolf are warning that Australian organisations face growing exposure from third-party vendors and hidden "cyber debt," pointing to recent breaches at the Queensland Department of Education and over 1,700 Victorian government schools, both linked to third-party providers. Research cited found only 30 per cent of Australian organisations have mature third-party risk management programs, while 99 per cent had experienced negative impacts from a supply chain breach in the past year. Experts recommend using the EOFY planning cycle to remove dormant access and revalidate vendor security controls.
Australians Face Scam Risk During Major Life Events (SecurityBrief Australia, 6 July) - New TrendLife research found 20 per cent of Australians had been scammed, or knew someone who had, during a major purchase or investment, with job interviews, tax and government benefit processes, and moving house also flagged as high-risk moments. Australians aged 18–34 proved most vulnerable despite greater digital fluency, with only 8 per cent verifying an organisation's legitimacy before sharing information, against 22 per cent overall. Nearly half of respondents share personal information with AI tools during these events, while only 22 per cent feel confident spotting an AI-generated scam.
Microsoft 365 Device-Code Phishing Campaign Hijacks Accounts via Collaboration Lures (The Hacker News, 8 July) - ZeroBEC has detailed a campaign dubbed DEBULL, active from late June into early July, using payment and shared-folder-themed lures that direct victims to a compromised rental website acting as a device-code orchestrator. Victims are pushed into Microsoft's own legitimate device login page, letting attackers hijack the resulting session token without ever needing a password. The tradecraft shares strong overlaps with Storm-2372, a technique Microsoft first documented in February 2025, and bypasses MFA entirely since the phishing page is Microsoft's genuine domain. Organisations should restrict or closely monitor device-code authentication flows and treat unsolicited device-code prompts as suspicious.

