on 10-10-2018 02:52 PM - last edited on 28-02-2019 02:17 PM by JulieKhoo
Hi Community,
The team at PEXA continues to explore techniques and technologies to align with the ever-changing security landscape. Below is an update on current security initiatives happening on the PEXA platform including our insights into a topical security concern – phone porting.
Multi-Factor Authentication
In September, multi-factor authentication (MFA) was rolled out to PEXA members. MFA requires the user to provide two or more types of evidence to verify their identity when logging in to an account or completing a transaction. This includes a password and unique authentication code which regularly changes. Members choose to receive an authentication code by SMS, the PingID mobile app, or the PingID desktop app.
MFA was added as another layer of authentication on top of digital signing. Members with the relevant authority must digitally sign off transactions with their unique [bespoke] digital signing token and PIN, confirming that all details are correct prior to the transfer of funds.
More than verification
Additionally, we initiated the following measures to boost the protection of members while transacting online:
Phone porting
A current concern from industry is the possibility of phone porting – a situation where a scammer uses your personal details to port your mobile number from one provider to another, therefore accessing further personal details.
With a suite of security measures in place to protect PEXA members and your clients, and lawyers and conveyancers continuing to practise their due diligence, the small percentage of members who have chosen to receive their authentication code via SMS should not be alarmed.
It is important to note that for phone porting to occur, the scammer would require several pieces of a user’s ID, as well as the ability to convince a service provider to transfer the SIM details from one telco to another. Therefore, not only would the scammer need to know the targeted user’s personal information, they would also need to know if that user has chosen SMS as the preferred method.
To assist in preventing this from happening, I advise members to remain vigilant of people calling, emailing and requesting personal details.
If you have any questions about this information, please don’t hesitate to reply below.
Regards,
Craig Brown
Head of PEXA Security
07-03-2019 12:48 PM - edited 25-03-2019 05:20 PM
Since it is known that phone calls are insecure, what if a PEXA VoIP phone was misappropriated?
When will PEXA Users be able to establish a secure (trusted) connection with support staff?
Now there is more support staff - Thankfully!
However we no longer easily get to know all the support staff by name, or voice recognition, anymore.
Suggest maybe a simple reverse 'codeword' or 'phrase' could be chosen (perhaps on the Secret Notes section of the user profile), or the user could ask 'what is my current PingID number?', to ask of the PEXA support staff person (as the call centre asks the user secret Q&A), to establish trust that one is talking with legitimate PEXA support staff in both directions?
Increase the functionality of the Help or Feedback to have or request a support call/conversation within the workspace...
on 30-12-2019 08:42 PM
Just a heads up...
https://www.gizchina.com/2019/12/29/security-hackers-successfully-hack-two-step-authentication/
on 31-12-2019 10:19 AM
Thank you for the heads up @DMc. It's situations like this that reaffirm how much we, as an industry, need to make cyber security our top priority. Things like (and not limited to) making sure your operating systems are up to date, using MFA for email, PEXA, banking, etc., and using systems like PEXA Key or confirming bank account details by phone go a long way to help us as an industry stay cyber safe. Bypassing MFA authentication is extremely difficult, and we have additional security controls in place to protect PEXA as well as our members. I would be happy to chat about this in more detail with you, just ping me here.
Thanks and best regards,
Yair Mendelson
12-03-2020 05:45 PM - edited 12-03-2020 05:47 PM
Is this an intended test, to see if people would click on an emailed link? LOL
Spear-phish?
26-10-2020 01:51 PM - edited 26-10-2020 01:52 PM
I am curious: is the aging digital-certificate dongle being considered (up for revision) for something a bit more robust, device-compatible and future-ready?
It would not hurt to have 2FA on your password manager, especially since so many aging sites are yet to go passwordless...
https://www.yubico.com/au/product/yubikey-5-nfc/
on 26-10-2020 02:50 PM
Hello @DMc
Thanks, great insights.
Yes, we are always looking at new technologies and ways to improve our solutions. This is very timely, as we are reviewing ways to improve the signing experience. The digital certificate dongle has been a great solution for many years, but as you indicated, technology is constantly evolving and there may be better, device compatible, ways to both authenticate and sign documents in a PEXA Workspace.
I'll send you a direct message, as I'd love to hear whether you are using a FIDO2 device for authentication.
Thanks again,
Brett
26-10-2020 03:34 PM - edited 26-10-2020 04:03 PM
How about we go even better!
AFAIK, Yubico is the company behind the Yubikey which has been around now for 13 years. Yubico founded the industry consortium for FIDO2, the Passwordless Authentication standard. It stands for Fast ID Online version 2.
WebAuthn is the standard within FIDO2 relating to Web Authentication. This is what PEXA will be most interested in because PEXA's service is web-based.
FIDO2 and WebAuthn are complex, and implementation projects require a specialist team and typically take many months to deploy. That team is then needed for the lifecycle of the system.
A short circuit to achieving this same outcome is deploying BankVault Passwordless. This supports the WebAuthn standard. Simple, low-cost deployment (in hours, not months) makes this 10-100x faster to deploy than competing solutions:
- No change to backend infrastructure
- No client software
- No user setup (or Change Management)
It harnesses user mobile phones, saving costs, and the inconvenience of having to buy, setup, and always carry a dongle.