You may already know of the unfortunate recent events, where a former MasterChef contestant’s electronic settlement was hacked. Dani Venn and her family were left $250,000 out-of-pocket and homeless as a result. Many clients have contacted me to ask: is Pexa safe to use for their settlement? These are my thoughts.
How did this happen?
The fraud occurred during an electronic settlement via Pexa, Australia’s online property exchange network. It is a privately owned system but it will be mandatory to use it for Victorian settlements by August 2019. Most transactions will be compulsory from 1 October 2018, and the majority of my own settlements already occur via Pexa. In a previous blog post, I explained how e-settlements work.
Pexa has significant security safeguards in place to ensure that only authorised individuals and firms can use the system. They must have their identity verified in person by a Pexa agent, and are issued with a personalised digital key.
From what I understand, the security breach began with the conveyancer’s email account. The hacker intercepted emails from Pexa and set up a new user account. This did not require the person to be verified in person, and the conveyancer was left completely unaware.
Once they had access to Pexa, the fraudulent user changed the vendor’s bank account details. Money owed to the vendor was instead diverted into the hacker’s account.
Who is responsible?
The hacker gained access to Pexa via the conveyancer’s email and not via the system itself. Obviously, there are deficiencies that Pexa must rectify, which enabled an unverified user to be added without the conveyancer’s knowledge.
Despite the email heist, there are other steps conveyancers should take to ensure funds go to the correct place. Before signing off with their digital key, the conveyancer must double check that all bank account details are correct. Without knowledge of the hack, they may have falsely assumed that the details had not changed since they were inputted.
Fortunately, in this case, the vendor’s bank was able to halt the transfer of some of the funds. I would hope that the Venns are fully reimbursed for the remainder by either the conveyancer’s or Pexa’s insurance*.
What security measures will be taken in the future?
At a basic level, anyone with an email account should make sure that their email is fully secure. This means changing passwords often and initiating multi-factor authorisation (so that you are notified if someone else tries to access your account). Bank account details should always be confirmed verbally and not just sent via email. Conveyancers are now more aware of ensuring that all Pexa users are valid, and being extra vigilant of double-checking all the details before signing.
Pexa has assured conveyancers that they will be making changes to the system in the near future to ensure additional security features. You can read an explanation of the existing security measures here and the new measures here.**
Unfortunately, no settlement system is infallible. Even in paper settlements things can go wrong. Given that Pexa is a new system, there were bound to be teething issues. However, it still came as an awful shock. You can be sure that both Pexa and conveyancers alike do not want to see a repeat of this occurring. We will be doing everything we can to safeguard client funds.
*In the end, Pexa agreed to refund the missing funds.
**Pexa has now also introduced a residential seller guarantee.
Aliza Taubman is the Principal Solicitor at Prime Property Lawyers
Thinking of buying or selling a property in VIC? Contact us for more information. Buyers get your first standard contact and section 32 reviewed for FREE!