on 10-10-2018 02:52 PM - last edited on 28-02-2019 02:17 PM by JulieKhoo
The team at PEXA continues to explore techniques and technologies to align with the ever-changing security landscape. Below is an update on current security initiatives happening on the PEXA platform including our insights into a topical security concern – phone porting.
In September, multi-factor authentication (MFA) was rolled out to PEXA members. MFA requires the user to provide two or more types of evidence to verify their identity when logging in to an account or completing a transaction. This includes a password and unique authentication code which regularly changes. Members choose to receive an authentication code by SMS, the PingID mobile app, or the PingID desktop app.
MFA was added as another layer of authentication on top of digital signing. Members with the relevant authority must digitally sign off transactions with their unique [bespoke] digital signing token and PIN, confirming that all details are correct prior to the transfer of funds.
More than verification
Additionally, we initiated the following measures to boost the protection of members while transacting online:
A current concern from industry is the possibility of phone porting – a situation where a scammer uses your personal details to port your mobile number from one provider to another, therefore accessing further personal details.
With a suite of security measures in place to protect PEXA members and your clients, and lawyers and conveyancers continuing to practice their due diligence, the small percentage of members who have chosen to receive their authentication code via SMS should not be alarmed.
It is important to note that for phone porting to occur, the scammer would require several pieces of a user’s ID, as well as the ability to convince a service provider to transfer the SIM details from one telco to another. Therefore, not only would the scammer need to know the targeted user’s personal information, they would also need to know if that user has chosen SMS as the preferred method.
To assist in preventing this from happening, I advise members to remain vigilant of people calling, emailing and requesting personal details.
If you have any questions about this information, please don’t hesitate to reply below.
Head of PEXA Security
07-03-2019 12:48 PM - edited 25-03-2019 05:20 PM
Since it is known that phone calls are insecure, what if a PEXA VOIP phone was misappropriated?
When will PEXA Users be able to establish a secure (trusted) connection with support staff?
Now there are more support staff - thankfully!
However, we no longer easily get to know all the support staff by name, or voice recognition, anymore.
Suggest maybe a simple reverse 'codeword' or 'phrase' could be chosen (perhaps in the Secret Notes section of the user profile), or asking 'what is my current PingID number', to put to the PEXA support staff person (as the call center asks the user secret Q&A), to establish trust in both directions when talking with a legit PEXA support staff member?
Increase the functionality of the Help or Feedback to have or request a support call/conversation within the workspace...
3 weeks ago
Just a heads up...
3 weeks ago
Thank you for the heads up @DMc. It’s situations like this that reaffirm how much we, as an industry, need to make cyber security our top priority. Things like (and not limited to) making sure your operating systems are up to date, using MFA for emails, PEXA, banking, etc., using systems like PEXA Key or confirming bank account details by phone, go a long way to help us as an industry stay cyber safe. Bypassing MFA authentication is extremely difficult, and we have additional security controls in place to protect PEXA as well as our members. I would be happy to chat about this in more detail with you, just ping me here.
Thanks and best regards,