E-conveyancing platform Pexa has been forced to strengthen its security controls following a highly-publicised hack on a Melbourne family.
As reported in Information Age, the family had $250,000 taken from them after an attacker managed to log in to the conveyancer's Pexa account using the ‘forgot password’ prompts and redirected the money to another bank account.
The hacker was then able to digitally re-sign for the payment using a physical USB key and a unique PIN.
The family have since set up a GoFundMe page lambasting Pexa’s role in the incident.
“Pexa claim that they are not liable for a hacker compromising the workspace of a user’s account and that they have a two-step verification process,” said Dani Venn, who appeared on Channel 10’s MasterChef program in 2011.
“However, from our perspective it is alarming that our conveyancer did not receive any notification from the software that a new user had been created and passwords had been changed. There should be an alert not just via email but also via SMS like most financial software.”
For Pexa, the scrutiny comes just days before it becomes a mandatory part of property transactions in NSW.
From 1 July all standalone caveats, transfers, mortgages, discharge of mortgages and refinances in NSW must be lodged online using Pexa, before all transfers, mortgages and discharge of mortgages move online by July 2019.
Victoria and Western Australia are also set to introduce similar initiatives in October this year.
Pexa, which was established in 2010, lists the Victorian, NSW, Queensland and WA state governments as shareholders on its website, as well as Macquarie Group and the big four banks.
The website also shows controversial American credit reporting agency Equifax as a sponsor.
“When PEXA was alerted to a case of fraud late last week, we immediately increased our monitoring of potential unusual activity surrounding password resets, new user creations and changes to BSB and account numbers,” said acting CEO James Ruddock.
“We have also been actively contacting practitioners to confirm any such activity is legitimate. No new instances of this fraud have been found and these continue to be isolated incidents.”
Ruddock also highlighted upcoming changes to the software, which will help avoid a similar incident.
“PEXA will make changes to the system which will only allow new users to be created in an inactive status meaning PEXA itself will need to enable them. In addition, we’ll be adding a feature to the system which highlights the date, time and specific user that last updated the settlement schedule.”
Not an isolated incident
In a recent report on the impacts of e-conveyancing, Deloitte Access Economics found that moving towards an electronic system creates significant implications for fraud.
“In recent years, there have been a number of fraud cases where scammers have intercepted emails between conveyancers and vendors in order to redirect sale funds or sell a property without the vendor being aware,” the report states.
It gave the example of two South Australian home buyers who fell victim to a similar attack and lost nearly $1 million after scammers posed as conveyancers and changed the settlement bank details.
There was also an identity theft incident in the ACT in 2016 which resulted in a house being sold by a fraudster who had hacked the potential seller’s email account.