Community home
Menu
  • PEXA Certified Expand

    PEXA Certified

    This program will give you an introduction to PEXA, how it works and how it can help you transform your business processes.

    Discover More
    • Getting Business Ready
    • System Set Up
    • Transacting in PEXA
  • Help Centre Expand

    Help Centre

    Here you’ll find more than 230 help articles and videos to assist you.

    Discover More
    • Help Articles
    • Help Videos/PEXA TV
    • PEXA Interactive Demos
    • FAQs
    • Ask a Question
    • PEXA Certified
  • Ask a Question
  • Share your Experience
  • Raise an Idea
  • Blogs Expand

    Read the latest in our blogs.

    Keep up to date with the latest PEXA product releases, and read up on the property blog.

    Discover more
    • Community Blog
    • The Property Blog
    • Security Updates
    • PEXA Product Releases
    • Announcements | Outages etc
    • The Bank Blog
    • Workspaces
      Community
      Register
      Log in
    Apps menu
  • Register / Login

Community Home
Register / Login

PEXA Security Initiatives

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
  • Community
  • :
  • Security
  • :
  • Security Updates
  • :
  • PEXA Security Initiatives

PEXA Security Initiatives

Reply
Topic Options
  • Subscribe to RSS Feed
  • Mark Topic as New
  • Mark Topic as Read
  • Float this Topic for Current User
  • Bookmark
  • Subscribe
  • Printer Friendly Page
  • All forum topics
  • Previous Topic
  • Next Topic
cbrown
cbrown
Occasional Contributor
  • Mark as New
  • Bookmark
  • Subscribe
  • Subscribe to RSS Feed
  • Highlight
  • Print
  • Email to a Friend
  • Report Inappropriate Content

on ‎10-10-2018 02:52 PM - last edited on ‎28-02-2019 02:17 PM by Moderator JulieKhoo Moderator

on ‎10-10-2018 02:52 PM - last edited on ‎28-02-2019 02:17 PM by Moderator JulieKhoo Moderator

PEXA Security Initiatives

Hi Community,

 

The team at PEXA continues to explore techniques and technologies to align with the ever-changing security landscape. Below is an update on current security initiatives happening on the PEXA platform including our insights into a topical security concern – phone porting.


Multi-Factor Authentication

In September, multi-factor authentication (MFA) was rolled out to PEXA members. MFA requires the user to provide two or more types of evidence to verify their identity when logging in to an account or completing a transaction. This includes a password and unique authentication code which regularly changes. Members choose to receive an authentication code by SMS, the PingID mobile app, or the PingID desktop app.

 

MFA was added as another layer of authentication on top of digitally signing. Members with the relevant authority must digitally sign-off transactions with their unique [bespoke] digital signing token and PIN, confirming that all details are correct prior to the transfer of funds.

 

More than verification

Additionally, we initiated the following measures to boost the protection of members while transacting online: 

 

  • Increased monitoring of unusual activity surrounding password resets, new user creations and changes to BSB and account numbers. If such activity is detected by PEXA, a member of PEXA’s team will contact members to confirm that the activity is legitimate.
  • Machine learning algorithms to detect behavioural anomalies on a per user basis. If the behavioural pattern of a user changes, PEXA’s risk profiling mechanism is activated to trigger an alert. The member will then be promptly contacted by PEXA’s Security team.
  • Workspace time stamps and summary screen so that members can see when the Financial Settlement Schedule was last updated and by which user.


Phone porting

A current concern from industry is the possibility of phone porting – a situation where a scammer uses your personal details to port your mobile number from one provider to another, therefore accessing further personal details.

 

With a suite of security measures in place to protect PEXA members and your clients, and lawyers and conveyancers continuing to practice their due diligence, the small percentage of members who have chosen to receive their authentication code via SMS should not be alarmed.

It is important to note that for phone porting to occur, the scammer would require several pieces of a user’s ID, as well as the ability to convince a service provider to transfer the SIM details from one telco to another. Therefore, not only would the scammer need to know the targeted user’s personal information, they would also need to know if that user has chosen SMS as the preferred method.

 

To assist in preventing this from happening, I advise members to remain vigilant of people calling, emailing and requesting personal details.

If you have any questions about this information, please don’t hesitate to reply below.

 

Regards,

 

Craig Brown
Head of PEXA Security

  • Tags:
  • additional verification
  • AI
  • Cyber-hero
  • increased monitoring
  • Machine learning alogorithims
  • MFA
  • phone cloning
  • phone porting
12 Likes
Reply
  • All forum topics
  • Previous Topic
  • Next Topic
7 REPLIES 7
DMc
DMc Community Superuser
Community Superuser
  • Mark as New
  • Bookmark
  • Subscribe
  • Subscribe to RSS Feed
  • Highlight
  • Print
  • Email to a Friend
  • Report Inappropriate Content

‎07-03-2019 12:48 PM - edited ‎25-03-2019 05:20 PM

‎07-03-2019 12:48 PM - edited ‎25-03-2019 05:20 PM

Re: PEXA Security Initiatives

Since it is known that phone calls are insecure. What if a PEXA VOIP phone was misappropriated.

 

When will PEXA Users be able to establish a secure (trusted) connection with support staff?

 

Now there is more support staff - Thankfully!

 

However we no longer easily get to know all the support staff by name, or voice recognition, anymore. Smiley Sad

Suggest maybe a simple reverse 'codeword', could be chosen or a 'phrase' (perhaps on the Secret Notes section of user profile) or ask 'what is my current PingID number', to ask the PEXA support staff person (as the call center ask user secret Q&A) to establish trust in talking with a legit PEXA support staff in both directions?

 

Increase the functionality of the Help or Feedback to have or request a support call/conversation within the workspace...

Make every day count, keep smiling! Smiley Very Happy
  • Tags:
  • enhance security and trust
  • Even the ATO offer voice recognition.
  • Two way authentication
1 Like
Reply
DMc
DMc Community Superuser
Community Superuser
  • Mark as New
  • Bookmark
  • Subscribe
  • Subscribe to RSS Feed
  • Highlight
  • Print
  • Email to a Friend
  • Report Inappropriate Content

on ‎30-12-2019 08:42 PM

on ‎30-12-2019 08:42 PM

Re: PEXA Security Initiatives

Just a heads up...

https://www.gizchina.com/2019/12/29/security-hackers-successfully-hack-two-step-authentication/

Make every day count, keep smiling! Smiley Very Happy
  • Tags:
  • 2fa hacked
0 Likes
Reply
YairM
YairM Star Employee
Star Employee
  • Mark as New
  • Bookmark
  • Subscribe
  • Subscribe to RSS Feed
  • Highlight
  • Print
  • Email to a Friend
  • Report Inappropriate Content

on ‎31-12-2019 10:19 AM

on ‎31-12-2019 10:19 AM

Re: PEXA Security Initiatives

Thank you for the heads up @DMc. It’s situations like this that reaffirm how much we, as an industry, need to make cyber security our top priority. Things like (and not limited to) making sure your operating systems are up to date, using MFA for emails, PEXA, banking and etc, using systems like PEXA Key or confirming bank account details by phone, go a long way to help us as an industry stay cyber safe. Bypassing MFA authentication is extremely difficult, and we have additional security controls in place to protect PEXA as well as our members. I would be happy to chat about this in more detail with you, just ping me here.

 

Thanks and best regards,

Yair Mendelson

  • Tags:
  • >2FA
  • More-than-2-MFA
1 Like
Reply
DMc
DMc Community Superuser
Community Superuser
  • Mark as New
  • Bookmark
  • Subscribe
  • Subscribe to RSS Feed
  • Highlight
  • Print
  • Email to a Friend
  • Report Inappropriate Content

‎12-03-2020 05:45 PM - edited ‎12-03-2020 05:47 PM

‎12-03-2020 05:45 PM - edited ‎12-03-2020 05:47 PM

Re: PEXA Security Initiatives

Is this an intended test, to see if people would click on an emailed link? LOL

Spear-phish?Spear-phish?

Make every day count, keep smiling! Smiley Very Happy
0 Likes
Reply
DMc
DMc Community Superuser
Community Superuser
  • Mark as New
  • Bookmark
  • Subscribe
  • Subscribe to RSS Feed
  • Highlight
  • Print
  • Email to a Friend
  • Report Inappropriate Content

‎26-10-2020 01:51 PM - edited ‎26-10-2020 01:52 PM

‎26-10-2020 01:51 PM - edited ‎26-10-2020 01:52 PM

Re: PEXA Security Initiatives

Am curious, Is the aging Digital-Certificate Dongle being considered (up for revision) to something bit more robust, device compatible, & future-ready?

It would not hurt to have 2FA on your password manager, especially since so many aging sites are yet to go passwordless... Smiley Wink

https://www.yubico.com/au/product/yubikey-5-nfc/

 

Make every day count, keep smiling! Smiley Very Happy
0 Likes
Reply
BrettCS
BrettCS Star Employee
Star Employee
  • Mark as New
  • Bookmark
  • Subscribe
  • Subscribe to RSS Feed
  • Highlight
  • Print
  • Email to a Friend
  • Report Inappropriate Content

on ‎26-10-2020 02:50 PM

on ‎26-10-2020 02:50 PM

Re: PEXA Security Initiatives

Hello @DMc 

 

Thanks, great insights.

 

Yes, we are always looking at new technologies and ways to improve our solutions. This is very timely, as we are reviewing ways to improve the signing experience. The digital certificate dongle has been a great solution for many years, but as you indicated, technology is constantly evolving and there may be better, device compatible, ways to both authenticate and sign documents in a PEXA Workspace.

 

I'll send you a direct message, as I'd love to hear whether you are using FIDO2 device for authentication.

 

Thanks again,

Brett

 

 

0 Likes
Reply
DMc
DMc Community Superuser
Community Superuser
  • Mark as New
  • Bookmark
  • Subscribe
  • Subscribe to RSS Feed
  • Highlight
  • Print
  • Email to a Friend
  • Report Inappropriate Content

‎26-10-2020 03:34 PM - edited ‎26-10-2020 04:03 PM

‎26-10-2020 03:34 PM - edited ‎26-10-2020 04:03 PM

Re: PEXA Security Initiatives

@BrettCS 

 

How about we go even better! Smiley Very Happy

 

AFAIK, Yubico is the company behind the Yubikey which has been around now for 13 years. Yubico founded the industry consortium for FIDO2, the Passwordless Authentication standard.  It stands for Fast ID Online version 2. 

 

WebAuth is the standard within FIDO2 relating to Web Authentication.  This is what PEXA will be most interested in because PEXA's service is web-based.  

 

FIDO2 and WebAuthn are complex and implementation projects require a specialist team and typically require any months to deploy.  That team is then needed for the lifecycle of the system.

 

A short circuit to achieving this same outcome is deploying BankVault Passwordless.  This supports the WebAuthn standard.  Simple, low-cost deployment (in hours, not months) makes this 10-100x faster to deploy than competing solutions:

 - No change to backend infrastructure

 - No client software

 - No user setup (or Change Management)

 

It harnesses user mobile phones, saving costs, and the inconvenience of having to buy, setup, and always carry a dongle. 

Make every day count, keep smiling! Smiley Very Happy
0 Likes
Reply
PEXA

|

Facebook Twitter LinkedIn
  • Support
  • Privacy Policy
  • Terms of Service