National e-conveyancing platform PEXA has responded to the hacking scandal which made headlines earlier this week, saying that their platform was not compromised and that the econveyancing method continues to be safer than paper transactions.
As reported by Fairfax Media, Masterchef finalist Dani Venn and her family lost $250,000 from the proceeds of their home sale late last week when the funds were misdirected into a hackerโs account.
According to Fairfax, the breach occurred when the hackers were able to access the email account of the Victorian conveyancer used by Ms Venn, and use that account to reset the PEXA security information, adding themselves to the PEXA account.
PEXAโs acting CEO James Ruddock confirmed in a statement that an โunknown party gained unauthorised access to a practitioner’s email account.โ
โIn this instance, the party intercepted a change-in-password email sent from the PEXA platform to the subscriber, which in turn allowed this person to access the subscriber’s PEXA account,โ he said.
Following on from this, in a statement given to the media today, PEXA confirmed that Ms Vennโs funds were only misdirected because her conveyancer confirmed false bank account details on the PEXA system, using his digital key and password.
PEXA have said that they have taken further security steps to protect against this type of fraud happening in the future. PEXA confirmed to Elite Agent these include:
- Increased monitoring of PEXA Workspaces: PEXA has been monitoring all Workspaces for several activities including identifying unusual activity surrounding password resets, and new user creations and changes to BSB and account numbers. PEXA has been actively contacting practitioners to confirm any such activity is legitimate. No new instances of this fraud have been found and these continue to be isolated incidents.
- Creation of new users within existing accounts: As of this week, PEXA will only allow new users to be created to existing Subscriber accounts in an โinactiveโ status, and PEXA will be required to activate them.
- Workspace time stamps: As of this week, PEXA will add a feature to the system which highlights the date, time and specific user that last updated the settlement schedule. This will provide an additional method to validate the details prior to signing and will be displayed on the signing screen.
- Multi-factor verification: Over the next few weeks, PEXA will introduce additional two-factor authentication. All Subscribers will be required to confirm their identity through this additional verification layer when logging into PEXA.
โTo date, more than 1.2 million transactions have been successfully completed on PEXA. Instances of fraud and attempts of fraud have been incredibly low, in fact much lower than the paper process,โ said Mr Ruddock.
Mr Ruddock went on to confirm that the platform is aligned with international standards and continues to comply with the Model Operating Requirements as set by the e-conveyancing regulator, ARNECC.
The concern is that stories like Ms Vennโs will shake public belief in the econveyancing method. This is especially important now, as both Victoria and New South Wales move towards mandatory online transactions, and Australia converts from the Torrens title paper system to electronic certificates.
PEXA also recently moved to a $1 billion listing on the ASX, with support from leading banks.
Security is set to be the biggest concern for PEXA going forward. Mr Ruddock confirmed in a statement that the initial security upgrades are only the โfirst in a numberโ that will hit over the next few weeks.
The company has admitted that in recent times theyโve been alerted to two incidents in separate PEXA workspaces where unknown parties gained access to the practitioners email account. This shows, says PEXA, that the recommended checks at the practitioner level are not always occuring.
PEXA also confirmed they have offered Ms Venn a loan to cover the full amount remaining on her new property on an interest-free basis. However, they are very clear that they are not at fault for the loss of funds, and therefore not liable.