Hack to steal house funds underlines need for password health


The fallout over a reported hack of the national e-conveyancing platform PEXA, which led to a hacker stealing the money from a Melbourne family’s home sale, is a powerful reminder of the need to ensure the security of passwords and login credentials.

PEXA itself was not hacked; the conveyancer was. The hacker used PEXA’s password reset facility, hacked the conveyancer’s email to intercept the password reset email and then, to try to cover their activity, added another PEXA user account. They then accessed the PEXA platform to divert the funds to another account.
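The sequence described above (a password reset, then a new user account, then a change to the destination account) can be watched for in a platform's audit trail. The following Python is an added example, not code from PEXA or from the original article; the event names, field names and sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit events for a hypothetical platform. The field and event
# names are assumptions for illustration, not PEXA's log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-01-08T09:00:00", "subscriber": "conv-001", "event": "password_reset"},
    {"ts": "2024-01-08T09:12:00", "subscriber": "conv-001", "event": "user_created"},
    {"ts": "2024-01-08T10:05:00", "subscriber": "conv-001", "event": "payee_account_changed"},
    # Routine reset followed by a payee change, but no new user was added.
    {"ts": "2024-01-08T11:00:00", "subscriber": "conv-002", "event": "password_reset"},
    {"ts": "2024-01-08T11:30:00", "subscriber": "conv-002", "event": "payee_account_changed"},
    # Full sequence, but the last step falls outside the 24-hour window.
    {"ts": "2024-01-08T08:00:00", "subscriber": "conv-003", "event": "password_reset"},
    {"ts": "2024-01-08T09:00:00", "subscriber": "conv-003", "event": "user_created"},
    {"ts": "2024-01-09T14:00:00", "subscriber": "conv-003", "event": "payee_account_changed"},
]

# Ordered steps taken from the incident description above.
CHAIN = ("password_reset", "user_created", "payee_account_changed")


def find_takeover_chains(events, window=timedelta(hours=24)):
    """Return (subscriber, [step timestamps]) for each chain completed in window."""
    alerts = []
    progress = {}  # subscriber -> timestamps of chain steps matched so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        steps = progress.setdefault(ev["subscriber"], [])
        # Forget a partial chain once its password reset is older than the window.
        if steps and ts - steps[0] > window:
            steps.clear()
        if ev["event"] == "password_reset":
            steps[:] = [ts]  # a new reset restarts the chain
        elif steps and ev["event"] == CHAIN[len(steps)]:
            steps.append(ts)
            if len(steps) == len(CHAIN):
                alerts.append((ev["subscriber"], list(steps)))
                steps.clear()
    return alerts


if __name__ == "__main__":
    for subscriber, steps in find_takeover_chains(SAMPLE_EVENTS):
        print(f"ALERT {subscriber}: reset, new user and payee change within "
              f"{steps[-1] - steps[0]}")
```

An alert from a rule like this is a prompt to hold the transaction and confirm the account details with the conveyancer through a separate channel before settlement.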

Using compromised credentials is nothing new – in fact the PEXA incident is an extension of the issue that hit several law firms last year.
In late December last year, hackers accessed the email systems of at least two Queensland law firms to alter banking details within the emails themselves to divert the funds to another account.

All this highlights the need for platforms to be secure by design. Service providers, such as PEXA, should build robust security into their platforms from the ground up and continue to be vigilant to new security threats and techniques. Those using service providers should maintain the security of their login details and passwords, put checks and balances in place so they do not solely rely on details stored by service providers, and conduct routine risk assessments on service providers.

The lesson from all this is to check all details of a transaction before committing to it, remain vigilant, use a unique password for each account and reset passwords often.

Service providers often use email addresses as part of login credentials and those email addresses are often used by individuals for other accounts. If the same email address and password combination is used for multiple accounts and one of those accounts is compromised then it is easy for hackers to reuse those credentials on other accounts. Often individuals will not know that their accounts have been compromised and so are not on notice to reset their passwords.

However, notifications of data breaches under the new data breach notification laws should assist individuals to identify if their accounts and login credentials have been compromised. Conveyancers using the e-conveyancing system should also check their electronic records against their physical records to ensure the online account details match the physical records before completing the transactions.

Meanwhile, PEXA has stated it will address gaps in its security controls that have been exploited by hackers to steal money from home sale transactions. Among the changes, PEXA will amend the system to only allow new users to be created in an inactive status, meaning PEXA itself will need to enable them. It will mean a hacker – or any new user – can no longer set themselves up on an existing PEXA account without further verification. However, what form that verification will take is unknown.

Conveyancers using the e-conveyancing system should not just sit back and expect PEXA to fix any shortfalls within the conveyancer’s own systems. While security of the PEXA platform is being improved, conveyancers should also ensure their own systems are safe and secure, and this means more rigorous attention to passwords and the protocols surrounding them.

Cyber security and the need to ensure password security have become a crucial issue in people’s daily lives, especially with the rise of online and telephone banking and the nature of transactions that occur without humans interacting on a face-to-face basis.

Nicole Murdoch, Director and Intellectual Property Practice Group Manager, Bennett & Philp Lawyers