Electronic property lodgement operator PEXA (Property Exchange Australia), owned by major banks and state governments, is the single system available for online property settlement that is set to become mandatory across all Australian states for all property sales.

Payment Redirection Fraud on the PEXA Platform

In response to the recent hacks carried out on the email accounts of conveyancers, including the attack which left MasterChef contestant Dani Venn and her family homeless when their funds to the bank account of hackers, PEXA, has introduced multi-factor authentication.

After gaining access to the settlement agent’s account, attackers made use of the ‘forgot password’ feature to access their account on the PEXA system. The attackers added a new user with administrative privileges to maintain access to PEXA, and changed the payment details on the PEXA platform to their own bank account. When PEXA generated the payment instructions, it was featuring the modified details.

Despite the changes, there was nothing to alert users at either end of the settlement transaction to the changes. It is this lack of notice to account holders of changes to the PEXA system that has raised eyebrows in the security business and led to management putting new measures in place.

PEXA Introduces New Security Measures

Multi-factor authentication (also known as two-factor authentication) has been introduced for PEXA users in an effort to prevent attackers from targeting the system without challenge. According to PEXA, multi-factor authentication is already standard practice for sensitive transactions:

There are two authentication methods at play when you withdraw cash from an ATM - you are required to provide both your card (something you have) and your PIN number (something you know).

From 15 September PEXA users must now choose to supply either an app code or a code received via SMS before attempts to change account details are authenticated by the system. PEXA chose a multi-factor authentication provider PingID, which provides a code generator app and delivers SMS based codes to user smartphones.

Criminals Will Adapt to the New Changes

Iron Bastion cybersecurity experts Gabor Szathmari and Nick Kavadias see a problem with offering the SMS option given how easy it is for hackers to hijack SMS messages.

Cybercriminals are well organised and multiskilled. Iron Bastion expects them to target conveyancers using SMS based codes instead of the code generator. Once everyone moves to the secure platform, criminals will change their method of operation. They have the skills to do SIM swapping.

To carry out SIM swapping, a bad actor only needs phone user’s last name and date of birth to effectively take over a phone number, porting it from the user’s mobile provider to their own. Once access to phone messages is established, an attacker can then use the six-digit code required for validation to the system to carry out the desired changes.

What Practitioners Should Do

To avoid this, Iron Bastion advises PEXA users to choose the app code generator option to avoid SMS based attacks. More broadly, Iron Bastion believes the use of code generators will supplant text message as an option for multi-factor authentication and should be used wherever multi-factor authentication is in use, eg. Office 365, G Suite, Dropbox, Gmail.

For a list of services supporting multi-factor authentication, visit https://twofactorauth.org and check whether your favourite online services support it. If they do, turn the multi-factor authentication functionality on now.

About Iron Bastion

Iron Bastion are Australia’s phishing and cybersecurity experts. We provide cybersecurity consulting with specialised solutions to combat phishing. Our team are qualified cybersecurity professionals, and all our staff and operations are based in Australia.

Contact us for a free cybersecurity consultation or sign up to our managed services today.