Message from Acting CEO | James Ruddock

JamesR · ‎22-06-2018

Hi Community,

PEXA has been alerted to an incident whereby an unknown party gained unauthorised access to a practitioner's email account where a change in password email, that was sent from the PEXA platform to the Subscriber, allowed this person to access the Subscriber's PEXA account. As a result, the destination account details in the settlement schedule were fraudulently changed. We want to assure you that the PEXA platform was not compromised. A practitioner's email account was compromised.

This in isolation isn't enough for a fraudulent payment to occur. Any payment instruction requires you to digitally sign (or re-sign) the financial settlement schedule confirming the account details that you have entered, allowing settlement to proceed. Please be conscious of checking the settlement schedule immediately prior to signing to ensure that the information you are signing off on is correct.

We are working closely with all parties, including the relevant authorities to assist in every possible way.

While attempts of this nature are not specific to e-Conveyancing, PEXA urges all practitioners to take steps to reduce the risk of fraud. This includes, among others, verbally confirming bank account details with clients, not using free public Wi-Fi and keeping security patches up to date.

The PEXA security team is currently undertaking detailed monitoring of all Workspace activity, checking for any similar scenarios where passwords have been re-set in close succession among a number of other things, which may be considered ‘unusual’ behaviour.

If we find any Workspaces or accounts that fall into this category, we will immediately call you to double check if you undertook the activity in question. PEXA is also in the process of adding additional security measures. We will continue to keep you updated.

The Law Institute of Victoria offers a practical guide covering cyber security which we would encourage you to read. In addition, The Queensland Law Society has also published a warning in relation to email scams.

PEXA will continue to provide its members with the latest in cyber security awareness tools and tips via our seminars, newsletters and bespoke security page on the PEXA website.

If you would like guidance on how to stay safe online, please visit the Online Security Group on the Community or the security page on our website. We also have an FAQ page.

Kind regards,

James Ruddock

Acting CEO, PEXA

Hadjifotis · ‎23-06-2018

Only a subscriber/owner should create a new user and then immediately be notified by text or email and then authorise/verify the new user. As it stands when a new user is created on your account the owner/subscriber is not notified instead an email is forwarded to the new user welcoming them to PEXA and the owner/subscriber is none the wiser and you have a fraudulent user who knows the PEXA system. How many of you check your user details every transaction. Had PEXA notified the owner of the new user being created these incidents would not have occurred. Have been trying to get PEXA to fix this major flaw since 31.5.2018. Until they do check your user details.

Hadjifotis · ‎23-06-2018

I was quite confused with James Ruddock's message. Have PEXA ever warned us to check our user details each day. Have PEXA made it clear that SAVED does not really mean saved and that some fraudulent user can jump in and change your destinations that you saved before you sign. We are led to believe we are working on a safe and secure platform.

JulieKhoo · ‎23-06-2018

Hi @Hadjifotis,

PEXA is urging its members to re-confirm financial line items to ensure that the payment directions are accurate. If you have digitally signed the Workspace and it was unsigned without your knowledge, we recommend that you check the financial line items again immediately prior to re-signing.

Julie

BHHK · ‎24-06-2018

I wrote this 10 years ago in the ECV environment:

It is worth noting I believe the approach taken by ECV to the financial settlement is flawed. One aspect of ECV which really concerned me and that was their approach to disbursement of settlement funds. I can understand their decision but I disagree with the approach and that was – settlement funds can be disbursed by EFT / direct credit to any bank account or bank accounts. That is, it is an open system of payments. As a principal in a law firm, I would be entrusting my staff to enter the BSB and account details for client accounts and third parties which could be any number of accounts for any transaction. Fraud aside, I don’t believe my staff would be comfortable of entering account details as it would involve a lot of time checking and re-checking. As a principal, I am not comfortable with such an approach.

So in such an environment, how should payments be tackled? The system of payments ought to be a closed system. Disbursements of funds should only be to subscriber trust accounts registered in the system. This means payments will be disbursed to the Vendor’s mortgagee and the Vendor’s representative’s trust account. Other incidental disbursements could be made to council, water & body corporates, registries & revenue office accounts registered in the system. A closed system I personally would be comfortable with as my staff would be. It is then the responsibility of the vendor’s representative to disburse the funds due to the Vendor in the manner the Vendor directs from their trust account either by cheque(s) or direct credit(s).

I understand the money markets and share industry use a closed system of payments where payments are only disbursed to registered subscribers of the respective systems. And that seems to work well and works seamlessly.

JamesR · ‎25-06-2018

Dear PEXA Community,

We know that buying a home is a significant emotional and financial investment. We also understand that when things don’t go to plan it can be one of the most stressful times in yours and your client’s lives. To have that transaction be the subject of fraud is abhorrent and the last thing anyone wants. Therefore, we fully understand the impact being felt by those that have been part of these isolated incidents.

When PEXA was alerted to a case of fraud late last week, we immediately increased our monitoring of potential unusual activity surrounding password resets, new user creations and changes to BSB and account numbers. We have also been actively contacting practitioners to confirm any such activity is legitimate. No new instances of this fraud have been found and these continue to be isolated incidents.

While the PEXA system itself wasn’t compromised, we have also begun work developing additional alerts and processes to further enhance security in the system. Over the next week, PEXA will make changes to the system which will only allow new users to be created in an inactive status meaning PEXA itself will need to enable them. In addition, we’ll be adding a feature to the system which highlights the date, time and specific user that last updated the settlement schedule. These are the first in a number of changes that are being rolled out across PEXA and we look forward to announcing a number of new initiatives over the next few weeks.

It’s important to note that funds cannot be misdirected unless you physically sign off on the fraudulent account details using your bespoke digital certificate and accompanying password so we encourage all members to check the details you’re signing off on prior to applying your digital certificate and password.

We will continue to monitor all workspaces and proactively contact you to ensure any changes on your workspaces are legitimate.

Thank you for your understanding at this time. If you do have any concerns, and need to speak to us, please contact the PEXA Support Centre on 1300 084 515, available 8.30am – 8.00pm AEST Monday to Friday.

Sincerely,

James Ruddock
Acting CEO, PEXA

BHHK · ‎25-06-2018

Further to my comment above about closed system of payments; there should be and should have been an assurance fee payable on every transaction to cover such events/losses from mistakes and fraud.

So far, I have not heard who is going to cover the Masterchef client's loss of $250,000++

Brett Hayton

Hayton Kosky

Procon · ‎25-06-2018

Hi @JamesR,

It's interesting you say that "When PEXA was alerted to a case of fraud late last week, we immediately increased our monitoring of potential unusual activity surrounding password resets, new user creations and changes to BSB and account numbers."

My problem with that statement is that last week was NOT the first occurrence. So what did you do prior to that when the first known incident happened end of May? Our office is in contact with the Practitioner this first occurred to.....

Anna Hardie (AnnaHardie) · ‎25-06-2018

Hi @BHHK re: a Closed Loop system of payments.
It is up to each Subscriber to decide how to manage this. Members can set up their PEXA profile to only allow payments to your trust account. But if you prefer to be able to transfer to any Australian BSB/Account, you can also have that option. Not all Subscribers operate a trust account and not all want to have the intermediary step of transferring funds to trust then paying them out again. If any members would like information about this, please private message me.