For residents buying a house, “buyers and sellers beware” is the lesson from MasterChef finalist who is still suffering losses after a hackers gained access to the new electronic property transfer system Property Exchange Australia (PEXA). But the bigger message is to law firms and conveyancing firms who believe that cyber insurance or pointing fingers elsewhere is an appropriate response to cyber breaches.
Earlier this year the NSW Government announced that online property settlements will be compulsory in NSW by 1 July 2019. By the end of this year all property settlements must be managed online in Western Australia.
Former MasterChef contestant, Dani Venn, and her husband Chris Burgess were left homeless last week when $250,000 from the settlement of her recently sold Melbourne property was stolen by hackers who set up third party accounts to breach the fledgling electronic property transfer system Property Exchange Australia (PEXA). Whilst half the money has been recovered, she and her family could still be left without a home to live in.
Cryptoloc and Your Digital File founder, Jamie Wilson said, “the recent breaches are not isolated incidents they are clear warnings to our legal fraternity, our government, banks and PEXA that something is not right, there are vulnerabilities that need to be addressed to protect individuals from losing their homes.This time it’s one or two next time it will be hundreds.”
“Security safeguards are not hard to introduce, user verification, password security, restricted user access, encryption and third party education on security risks are critical and the bare minimum for systems that can access bank accounts”, said Mr Wilson
The theft has left the system’s operators scrambling to close down security flaws and deny accountability. Both PEXA and the CBA told Ms Venn they were not responsible or liable for the loss.
Unbeknown to Ms Venn and her conveyancer, Sargeants Knox Conveyancing, the proceeds of the sale were transferred to a fraudster’s bank account after hackers accessed the conveyancer’s electronic property transfer account and added themselves as another user.
The sophisticated criminals breached the new electronic property transfer system run by Property Exchange Australia (PEXA). The fraud appears to have temporarily delayed settlements on the PEXA system and may impact on the company’s mooted $1 billion plus listing on the stock exchange.
Cyber crimes in legal settlements and conveyancing is a growing trend. Namely due to a lot of small businesses that have vulnerabilities and provide great opportunity to cyber criminals. Wire fraud in real estate is one of the fastest growing cyber crimes in the US. The FBI reportedly received 301,580 complaints in 2017 and losses exceeded $1.4 billion, and in the real estate/rental sector alone, more than 9,600 victims lost over $56 million in the same year.
The type of fraud with the highest reported loss last year was Business Email Compromise (BEC)/Email Account Compromise (EAC), with losses totaling more than $675 million. According to the American Land Title Association, “In real estate transactions, fraudsters assume the identity of the title or real estate agent handling the sale. The criminals forge the person’s email and other details that appear specific and authentic. Next, posing as the real estate or title agent, the scammers send an email to the buyer, providing wire instructions to the criminal’s bank account, not the title agency’s legitimate account.”
On June 11, 2018, US federal authorities announced a major coordinated law enforcement effort to disrupt international BEC schemes designed to intercept and hijack wire transfers. Called Operation WireWire, the six-month sweep culminated in 74 arrests (42 in the United States). The operation resulted in the disruption and recovery of approximately $14 million in fraudulent wire transfers. But this doesn’t mean the individual threat is over.
Lack of confidence in Australia’s cyber security
With the increased requirements for individuals and firms to use the online property settlements, the confidence in Australia’s ability to keep information secure and free from attack is decreasing. The forced use of systems that have cyber vulnerabilities and the lack of accountability between banks, legal firms and the online platform is one that will keep us all guessing.
In Australia, earlier this year the NSW Government announced that online property settlements will be compulsory in NSW by 1 July 2019. By the end of this year all property settlements must be managed online in Western Australia. By no later than June 2019 they must all be managed online in NSW and Victoria, and Queensland is likely shortly to follow NSW and Victoria.
Online settlements are managed by PEXA (Property Exchange Australia), which has been operating this settlement process since 2015. PEXA was formed to deliver a single, national property contract settlement solution to the Australian Property Industry. Key shareholders include state governments and Australia’s five largest banks.
Australia is midway through converting from the 150-year-old Torrens title paper system of exchanging property, to electronic certificates.
Thousands of land titles are now transacted and exchanged on an electronic conveyancing platform operated by PEXA, a private company owned by state governments, the ANZ, CBA, NAB, Westpac, Macquarie Bank, private equity and property developer Paul Little.
The thefts are likely to put a cloud over the electronic exchange of property, which is set to become mandatory in Victoria in October, with NSW to follow suit next July.
Conveyancers, who handle the exchange of a property, say the PEXA system does not require additional subscribers using a conveyancer’s account to verify themselves or provide proof of identity. The hackers broke into the conveyancing firms’ email accounts, accessed their mail from PEXA and set up new user accounts. They then intercepted emails from PEXA that notify another account had been added, leaving the conveyancers vulnerable to ghost users who can change bank details during the settlement process, enabling them to fleece home owners.
“PEXA has robust fraud protections and strict authentication procedures built into its platform,” its acting chief executive James Ruddock said. Mr Ruddock said the PEXA platform was not hacked but practitioners’ email accounts were. A sophisticated fraud was then perpetrated against the practitioners who operate on the PEXA platform, he said. “These are isolated incidents and do not represent a wider or systemic risk to the PEXA platform.”
PEXA has been widely criticised for its lax security protocols and for not utilising two-factor authentication with its emails and password reset triggers.
Cryptoloc Technology is a global encryption company, providing cyber security and encryption solutions to highly regulated industries, technology suppliers and government. Cryptoloc Technology provides the methodology for the secure storage and sharing of data with internal and external parties to ensure data security. Increase your security and be secured by Cryptoloc Technology. Want to see the technology in action? Download a free Your Digital File account (secured by Cryptoloc) to securely store and share your sensitive information.