PEXA breach harms digital trust
PEXA hack: Conveyancing loss damages people's faith in govt digitisation
A high-profile breach of a digital property exchange service has sparked backlash against state governments’ moves to digitise essential services and could damage trust in these emerging technologies, privacy and digital experts have said.
It was revealed late last week that an unknown hacker had gained access to a Victorian conveyancer’s PEXA account, changing the details to their own Commonwealth Bank account and obtaining $250,000 from the settlement of a family’s property.
PEXA is Australia’s first e-conveyancing platform, allowing lawyers, conveyancers and financial institutions to lodge documents with land registries and complete financial settlements online.
The Commonwealth Bank has since been able to freeze $138,000 of the funds, but it is unlikely the remaining $112,000 will be recovered.
The incident illustrates the new dangers and risks involved with putting services such as this online and could damage the general population’s trust in such projects.
Australia is currently in the process of moving the 150-year-old Torrens title paper method of exchanging property to the online service. Using an electronic service to exchange property will be compulsory in Victoria from October and in New South Wales from July next year.
PEXA is presently the only player in the field and has been commonly regarded as world-leading and an exemplar for delivering important services digitally.
But the breach has put the risks associated with this on full display, IT security expert Troy Hunt said.
“This is partly something we expect as we digitise more and more processes. We have to acknowledge that we have different risks now. There’s an upside to that, but as easy as it is to do these things online now, it’s also becoming easier for criminals to gain access to your things,” Mr Hunt told InnovationAus.com.
Nearly 600 conveyancers have now signed a petition calling on state governments to delay the compulsory rollout of PEXA, with the Law Institute of Victoria claiming it is “not sufficiently robust”.
The breach could lead to significant reputational damage to PEXA and to the digitisation of government services in general, Electronic Frontiers Australia board member Justin Warren said.
“The big threat for PEXA is that security flaws could undermine trust in the system, and people won’t want to use it.
“If it’s a government mandated system that you have no choice but to use then that creates big political issues,” Mr Warren told InnovationAus.com.
“It’s a big story and if enough people start to feel that risk is too large, they’ll avoid using the system. If the crisis of confidence got large enough, you’d get the equivalent of a bank run in the conveyancing system which would be large-scale bad.”
According to PEXA, the hacker was able to gain access to the conveyancer’s email account and then intercepted a password reset email from PEXA. Through that email, the unknown party was able to fraudulently change the destination account to their own, which wasn’t identified by either party when the settlement was electronically signed.
Both PEXA and the conveyancer in question have been reluctant to accept blame for the incident. PEXA has been widely criticised for its lax security protocols and for not utilising two-factor authentication with its emails and password reset triggers.
“Multi-factor authentication is widely available now, so there is little reason not to have it turned on, particularly for a well-financed government-mandated system transferring large amounts of money around,” Mr Warren told InnovationAus.com.
Both the conveyancer and PEXA should have implemented two-factor authentication, Electronic Frontiers Australia board member Peter Tonoli added.
“If the conveyancer had it enabled on their email it would have been much, much harder for the criminals to use the password reset trick. PEXA could also have built 2FA into their system so you needed the 2FA code to successfully reset a password,” Mr Tonoli said.
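The two controls discussed above, a password reset that cannot be completed from the mailbox alone and a settlement that cannot be signed after the payout account has been silently changed, as an added example that is not part of the original article or of PEXA's system. It is a toy Python model: the names (`Account`, `Settlement`, `can_sign`) and the out-of-band confirmation step are assumptions, and the password hash is a placeholder.

```python
import hashlib, hmac, secrets, struct
from dataclasses import dataclass, field

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the current 30-second time step."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

@dataclass
class Account:                                         # assumed model, not PEXA's
    totp_secret: bytes                                 # enrolled authenticator secret
    password_hash: str = ""
    reset_tokens: dict = field(default_factory=dict)   # token -> expiry (epoch seconds)

def issue_reset_token(acct: Account, now: int, ttl: int = 900) -> str:
    token = secrets.token_urlsafe(32)      # this is what the reset e-mail carries
    acct.reset_tokens[token] = now + ttl
    return token

def reset_password(acct: Account, token: str, code: str, new_pw: str, now: int) -> bool:
    # Needs a live e-mail token AND the current TOTP code: reading the mailbox alone fails.
    expiry = acct.reset_tokens.get(token)
    if expiry is None or now > expiry:
        return False
    if not hmac.compare_digest(code, totp(acct.totp_secret, now)):
        return False
    del acct.reset_tokens[token]           # single use
    acct.password_hash = hashlib.sha256(new_pw.encode()).hexdigest()  # toy; use a KDF for real
    return True

@dataclass
class Settlement:                                      # assumed model, not PEXA's
    destination: str                                   # BSB/account that receives the funds
    verified_by: set = field(default_factory=set)      # parties who confirmed `destination`

def change_destination(s: Settlement, new_destination: str) -> None:
    s.destination = new_destination
    s.verified_by.clear()                  # any edit voids every earlier confirmation

def confirm_destination(s: Settlement, party: str, seen: str) -> None:
    if seen == s.destination:              # `seen` is what the party checked out of band
        s.verified_by.add(party)

def can_sign(s: Settlement, required: set) -> bool:
    return required <= s.verified_by       # every required party confirmed the current account
```

A party that re-confirms the old account number after a change does not count, so a changed payout destination surfaces before signing rather than after the funds have gone.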
The company has said that it is “in the process of adding additional security measures”.
It’s not the first time that PEXA’s security has been breached, with $1 million stolen from a Melbourne homeowner during the settlement period earlier this month.
Mr Hunt said the latest breach should be used to drive regulatory change to bring Australia in line with the EU’s new GDPR.
“I’d like to see much stronger regulatory powers around the protection of data. It’s going to be a bit of a hybrid in terms of how we solve this, and it’s not just about one thing. It’s going to take a lot more effort, and all we can do is kick the can down the road a bit. Adversaries will come from different directions - it’s a continual one-upmanship of defences versus attackers,” he said.
With state governments set to make electronic settlement compulsory in the coming months, the onus will fall on them to step in when money is lost, Mr Warren said.
“PEXA is in a worse position in a lot of ways because of the amounts of money at stake. Losing this kind of money when they’re trying to buy a house would ruin most people, and when it happens to someone who clearly didn’t intend to do the wrong thing, it feels very, very unfair in a way that people think governments should prevent from happening,” he said.
“The incentive alignments in any government-mandated system should be geared towards the onus being on the system operator to take on the risk of security breaches, rather than shifting the burden to individuals and users.”
The PEXA hack also reveals another issue with the digitisation of these services, with questions over who is ultimately responsible when individuals lose significant amounts of money.
“It’s hard because as a consumer you want to use services and expect them to do what you want and if anything goes wrong you’re not going to be out of pocket. There’s an ambiguity about what the root cause of it was,” Mr Hunt said.