Many of you will be aware of the recent property fraud which involved a conveyancer and the purchase of property using PEXA (Property Exchange Australia). It was all over the media for about a week. For those who don’t know, PEXA is Australia’s online property exchange network. It is a part of what is commonly known as eConveyancing. It is soon to be mandatory for property transfers in Australia.
About a week before this particular incident took place I read an article on Australasian Lawyer titled ‘Many lawyers and buyers unaware of property scams’. The article refers to a survey made by GlobalX. That survey found that 46% of law and conveyancing professionals surveyed were unaware of the latest phishing scams aimed at property buyers and investors. That is a scarily high percentage for a group that regularly deals with millions of dollars of their clients’ funds. This recent incident is an example of one such scam.
This incident has taken my interest, not just as a legal practitioner. What you may not know about me is that I have a background in software engineering. I worked for a number of years for one of Australia’s big four banks developing some of their systems. I have an understanding of how attacks such as this are conducted. The scary thing is that many such attacks are successful because of the human element, and not because of technological failings. We can be our own worst enemies. A simple example of this is the humble password. These are the 10 most common passwords of 2017:
Do you see anything wrong with those passwords? Consider your own passwords. How often have you chosen a password that can be found in a dictionary? This recent fraud was successful because an attacker compromised a conveyancer’s email account.
PEXA and electronic conveyancing
Each property transaction in PEXA takes place within a ‘workspace’ where all the parties to the transaction can cooperate to complete the transaction. As I understand the facts of this particular matter, approximately $250,000 in funds were fraudulently paid to an account added to the PEXA workspace by a person who was not a party to the transaction. In this case, the perpetrator gained access to the conveyancer’s email account without the conveyancer’s knowledge. The perpetrator then went to the PEXA website and selected the ‘forgot password’ link on the login page. Because the perpetrator already had access to the conveyancer’s email account, the perpetrator was able to reset the conveyancer’s PEXA password, then gain access to the conveyancer’s PEXA account and add a disbursement of funds to the perpetrator’s own bank account. The conveyancer had no idea that any of this had taken place.
At first thought, it seems as though there is little that the conveyancer could have done to prevent this. That is not the case. That is not to say that PEXA has done everything possible to ensure it has a secure platform. I do not know what happened after the conveyancer’s PEXA account had been compromised; however, there may have been some warning signs. Did the conveyancer try to log in to their PEXA account, only to find that their password did not work? Did the conveyancer then merely reset their password rather than ask why the password had apparently changed? I don’t know the answer to these questions, but they are warning signs which may have been missed.
It is part of the process in setting up a PEXA workspace that participants in that workspace enter account details for funds to be drawn from and for funds to be paid to. What was not made clear from the media coverage that I heard was that an authorised practitioner must sign off on those payment directions. An authorised practitioner does this with a digital signature that is stored on a USB stick that is connected to the practitioner’s computer. The digital signature is paired with a password. The payment directions cannot be signed off without the practitioner’s USB stick and password. In this particular case, it is likely that the conveyancer signed off on the payment directions without confirming the account numbers to which payments were to be made. The human element rears its ugly head again.
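The sequence described above (a password reset, then a new destination account, then sign-off without checking the account numbers) can be caught by two simple checks. The following Python is an added example, not part of the original post and not PEXA's code; the event and payment-direction field names, the 72-hour window and all account numbers are constructed assumptions.

```python
from datetime import datetime, timedelta

def norm(bsb, account):
    """Normalise BSB/account so '000-001' and '000 001' compare equal."""
    digits = lambda s: "".join(ch for ch in s if ch.isdigit())
    return digits(bsb), digits(account)

def payees_after_reset(events, window=timedelta(hours=72)):
    """Return destination accounts added by a user within `window` after
    that user's password was reset (the sequence seen in the incident)."""
    last_reset, flagged = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "password_reset":
            last_reset[ev["user"]] = ev["ts"]
        elif ev["type"] == "payee_added":
            reset = last_reset.get(ev["user"])
            if reset is not None and ev["ts"] - reset <= window:
                flagged.append(norm(ev["bsb"], ev["account"]))
    return flagged

def unconfirmed_payees(directions, confirmed_by_phone):
    """Payment directions whose destination was never confirmed out of band.
    Sign-off should be refused while this list is non-empty."""
    ok = {norm(b, a) for b, a in confirmed_by_phone}
    return [d for d in directions if norm(d["bsb"], d["account"]) not in ok]

# Constructed sample data: hypothetical audit events and payment directions.
T = datetime(2018, 1, 1, 9, 0)
EVENTS = [
    {"ts": T, "user": "conveyancer", "type": "payee_added",
     "bsb": "000-001", "account": "1111 2222"},
    {"ts": T + timedelta(days=3), "user": "conveyancer", "type": "password_reset"},
    {"ts": T + timedelta(days=3, minutes=20), "user": "conveyancer",
     "type": "payee_added", "bsb": "000-002", "account": "99998888"},
]
DIRECTIONS = [
    {"payee": "Vendor", "bsb": "000001", "account": "11112222", "amount": 500_000},
    {"payee": "Vendor (2)", "bsb": "000002", "account": "99998888", "amount": 250_000},
]
CONFIRMED = [("000-001", "1111 2222")]  # details read back to the client by phone

if __name__ == "__main__":
    print("added after reset:", payees_after_reset(EVENTS))
    print("do not sign until confirmed:",
          [d["payee"] for d in unconfirmed_payees(DIRECTIONS, CONFIRMED)])
```

The second check is the one a practitioner controls directly: every destination account is compared against details confirmed by phone before the digital signature is applied.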
Systems such as PEXA are becoming mandatory. Unfortunately, as we progress down this technological road, there will be people who get left behind. Those people may struggle with technology. These systems are foreign to them; they prefer the way things used to be done, and they have resisted employing new technologies and educating themselves on their use and risks. Unfortunately, among this group are the greatest risks for compromising these systems unless stricter security requirements are forced on them.
What can be done to increase security?
There are a number of things that can be done to increase security and reduce the risk to you as a buyer or seller of property. Some of those things can be done by you, some by your lawyer or conveyancer, and some by PEXA or any similar platform.
What can you do?
The most important thing that you can do when buying or selling property is to question your conveyancer about their security processes and procedures. Do they accept your bank details by email? If they do, will they call you to confirm those bank details? If they will accept your bank details without, at the very least, calling to confirm that you provided those details, it is time to find someone else to do your conveyancing.
Other things to consider or ask include the following:
- Does your conveyancer use a public email service such as Gmail, Hotmail, Yahoo, or live.com? While the services themselves are not necessarily insecure, their use for business may indicate an unsophisticated user. Be careful.
- How does your conveyancer secure their email? There are a number of elements that may indicate you need to be wary. If they don’t enforce strong passwords for email accounts, or share passwords to email accounts, there is cause for concern. However, if they are using a system known as two-factor authentication or multi-factor authentication to secure their email accounts, you can breathe a little easier.
- Do they use a password manager? Use of a password manager to facilitate the use of strong passwords and to keep them secure indicates a more sophisticated user and most likely a better understanding of security risks.
Of course, your lawyer or conveyancer is not solely responsible for security. You should ensure that you take some steps to secure your own email accounts. There have been incidents of fraud facilitated through an attack on the clients’ email accounts. Using secure passwords and a password manager is a way every person can increase the security of their email accounts.
What can your lawyer or conveyancer do?
We have, in essence, already dealt with a number of steps that your lawyer or conveyancer can take to increase security. A shortlist of security steps for lawyers and conveyancers is as follows:
- Don’t take client bank details by email, or at least confirm them with the client if received by email.
- Enforce strong passwords for email and other accounts.
- Use multi-factor authentication where available and necessary.
- Use password managers to facilitate the use of strong passwords and keep them secure.
What about insurance?
During the course of last week, the question that I heard asked in the media was ‘Was your conveyancer insured for this?’ I don’t recall there being an adequate answer to that question. All lawyers practicing in NSW are required to be covered by a professional indemnity insurance policy provided by LawCover. All licensed conveyancers are similarly required to have professional indemnity insurance which covers them when performing work as a conveyancer.
LawCover has been very quick to contact lawyers practicing in NSW about this incident. LawCover has assured us that the professional indemnity insurance provided by LawCover will provide cover in circumstances such as the incident referred to in this post. That should provide an element of comfort to buyers and sellers using a solicitor for their conveyancing. I don’t know whether licensed conveyancers have the same coverage, and their coverage may vary. If you are considering using a licensed conveyancer, it is wise to ask them whether their professional indemnity insurance policy will cover such incidents as these.
David Killen is an intellectual property and commercial lawyer with a particular interest in helping start-ups and existing businesses protect and manage their intellectual property assets.