National e-conveyancing platform PEXA will fill gaps in its security controls that have been exploited by hackers to fleece millions of dollars from home sale transactions.
In a new statement, acting CEO James Ruddock said the platform - run by major banks and state governments - will immediately deploy a new set of controls.
“We have begun work developing additional alerts and processes to further enhance security in the system,” Ruddock said.
“Over the next week, PEXA will make changes to the system which will only allow new users to be created in an inactive status meaning PEXA itself will need to enable them.
“In addition, we’ll be adding a feature to the system which highlights the date, time and specific user that last updated the settlement schedule.”
The changes came after a Melbourne family lost $250,000 from the sale of their home.
Hackers gained access to a conveyancer’s email account, reset the password, and then set themselves up as an additional user on the conveyancer’s PEXA account.
From there they were able to edit the settlement details on the property sale, rerouting the payment to their own account.
The edits were not detected by the conveyancer before the payment was digitally re-signed using a physical USB key and unique PIN.
The case highlighted weaknesses both in the way PEXA’s infrastructure has been set up, and in the conveyancer running their own checks..
PEXA is now acting to shore-up the part of the transaction it handles.
Its first round of changes will mean a hacker - or any new user - can no longer set themselves up on an existing PEXA account without further verification.
This appears to be a manual check in the first instance, although Australian Institute of Conveyancers’ NSW division suggested that formal two-factor authentication (2FA) is in the works.
The changes will also make it easier for the conveyancer to assure themselves over who has accessed a client’s file.
“These are the first in a number of changes that are being rolled out across PEXA and we look forward to announcing a number of new initiatives over the next short while,” Ruddock said.
iTnews reported last week that PEXA’s security team was monitoring its network for similar patterns to the $250,000 fraud.
Ruddock said the team had been looking closely at “password resets, new user creations and changes to BSB and account numbers”, and “actively contacting practitioners to confirm any such activity is legitimate.”
'Isolated cases'
Ruddock said that “no new instances of this fraud [type] have been found” since Friday.
He said that similar fraud reports through the platform “continue to be isolated incidents.”
Fairfax reported that in addition to the Melbourne family losing $250,000, a similar incident three weeks earlier resulted in “more than $1 million fleeced” from another person during settlement.
PEXA itself notes another similar fraud occurred back in February, quoting from a NSW law society newsletter.
"In one instance the criminal has hacked into one of the party’s computers and has been monitoring the emails between the solicitor and the other party,” PEXA said, quoting the newsletter which has since been removed.
“The other party sent its final instructions as to the bank account details where the payment of $250,000 was to go to by attaching a PDF of the instructions to the email.
“However, the hacker amended the PDF with their own bank account details and stated this was the account where the funds were to go.
“Accordingly, the solicitor referred instructions to PEXA to pay the $250,000 to the wrong bank account.”
PEXA quoted from the newsletter that the money was paid into the hacker’s account, but that “luckily, the other party was eagerly awaiting the funds and contacted the solicitor immediately and the bank was notified, and the funds were saved."
Hackers targeting email
The susceptibility of conveyancing to email fraud and intercepted payments has been known for several years, and all cases seem to rely on compromising an email account.
In late December last year, hackers phished the email accounts of at least two Queensland law firms.
Once inside, they were able to reroute transactions, and appeared to particularly favour conveyancing transactions, likely due to the size of the amounts involved.
The hackers approached the firms under the pretext of requiring conveyancing services, and then phished account credentials by faking a secure document exchange.
A few months earlier, hackers compromised the email accounts of South Australian conveyancers, sending emails from them seeking large amounts of money. Two people lost a combined $900,000.
"The cyber scammers are intercepting emails and changing the bank account details that go to the client," Australian Institute of Conveyancers SA CEO Rebecca Hayes was quoted by ABC as saying.
Deloitte Australia said in May that there have been “a number of fraud cases [in recent years] where scammers have intercepted emails between conveyancers and vendors in order to redirect sale funds or sell a property without the vendor being aware.”
It noted the move of most parts of Australia “from a paper based system to an electronic settlement and lodgement process”, which is chiefly enabled by PEXA.
However, while Deloitte said that digitisation “helps to mitigate some of risks for fraud”, it is “also creating new issues for practitioners to consider.”
Legal academics from QUT and the University of Tasmania opined in mid-2016 that fraud prevention in the PEXA environment was largely down to the vigilance of participants.
“The risk of a person accessing the computer system fraudulently and altering multiple records is palpable,” they said.
One of the academics, QUT’s Rouhshi Low, is the co-author of an even earlier 2014 paper that examined the security controls present in the PEXA ecosystem.
Stronger security controls were wanted
PEXA’s ability to reduce the risk of settlement fraud was noted in a December statement by the Western Australian division of the Institute of Conveyancers.
“With a rise in the occurrence of email and computer-based fraud in Australia, we have significant concerns around the lack of account verification in PEXA,” the division said.
“In a paper settlement, we would physically walk a bank cheque to a branch, and deposit it at a teller. The teller cross-checks the name of the account with the name on the cheque.
“If our client’s emails had been intercepted, and a fraudulent account given to us, we would usually be alerted at the point of deposit that the account name does not match the cheque.
“Furthermore, if a fraud is identified in the day or two following a paper settlement, there is a window of time for the cheque to be stopped and the fraud prevented.
With electronic settlements’ almost-instant funds transfer, these two fraud-minimisation strategies are lost.”
The Western Australian division said it had “long requested that the banks and PEXA invest into the development of an account verification system that … cross-checks not just the BSB and account number, but also the account name for recipients of funds.”
PEXA said Friday that it was up to the conveyancer or solicitor to run those checks themselves before digitally signing for a transaction to proceed.
It - and others - have also previously argued these kind of checks were simply good practice given the large sums of money involved in home sales.
The conveyancer involved in last Friday’s case has made an insurance application to cover the fraud incident, according to Fairfax.
That still leaves the family involved unable to pay for another house that they had already bought.
iTnews understands the vendor of that property has extended the settlement period to give the affected family more time, given the circumstances.
However, that is having a flow-on effect on the vendor's own bridging finance arrangements, which will now need to remain in place for longer than anticipated.
It is also understood that the vendor is not organising settlement on a new property of their own, thus limiting the scope of Friday’s incident.
However, given people often sell one property to buy another - and may use bridging finance to meet their short-term cash obligations while awaiting settlement - a single instance of transaction fraud could have a long tail of impact.
Still safer than paper?
For its part, PEXA argues that e-conveyancing is a much safer way of settling home transactions, and offers less chance of fraud than paper processes did.
“To date, over 1.2 million transactions have been successfully completed on PEXA,” it said.
“Instances of fraud and attempts of fraud have been incredibly low, in fact much lower than the paper process.”
This is not entirely unsupported. For example, the NSW government said [pdf] that “since 2013, the NSW Registrar General paid around $2.1 million for errors made in paper transactions, and $7.3 million for fraud.”
“In comparison, during the same period, not one single payment has been made on any of the 360,345 electronic lodgments.
“This is a credit to ARNECC [the Australian Registrars' National Electronic Conveyancing Council] and PEXA.”
