Australian conveyancing attack highlights global risk of fraud

A case from Australia has highlighted the ongoing fraud threat which the conveyancing process is so vulnerable to.

Dani Venn – a former contestant from the Australian MasterChef – discovered that $250,000 had been stolen from the proceeds of sale from her family home when her conveyancers’ account was hacked by fraudsters.

This was while it was being settled on PEXA (Property Exchange Australia) – a new online transfer system, owned by state governments and banks within Australia.

Venn’s Conveyancer, Sargeants Knox Conveyancing, was completely unaware that the sale proceeds had been transferred to a fraudster’s bank account. This was a result of the hackers accessing the electronic property transfer account of the conveyancer and simply adding themselves as another user, changing Venn’s bank details with those connected to their own account.

The PEXA system has been criticized by conveyancers, who state that proof of identity or verification is not required by additional subscribers using their account on the platform. The aim is that it will replace the current paper system of title paper exchange, which has been used in Australia for over 150 years. Electronic certificates are expected to become mandatory in Victoria later this year.

In Venn’s case, the hackers managed to break into the email accounts of the firm, enabling them to see emails from PEXA and create new accounts.

In order to prevent the conveyancers from being alerted to the addition of these user accounts, the fraudsters intercepted correspondence from PEXA, putting the firm at risk of ‘ghost accounts’ being added without their knowledge.

PEXA has since stated that it was the email accounts of the conveyancers which had been hacked, rather than its own platform.

PEXA’s acting chief executive, James Ruddock said: “PEXA has robust fraud protections and strict authentication procedures built into its platform.”

The online transfer system said that the system’s electronic key and password protection meant that it was the responsibility of the conveyancer to check and sign off on every aspect of the transaction.

Since the theft took place, it’s emerged that Venn has been able to recover half of the stolen amount. Her bank froze $138,000 of the sale proceeds before it was transferred.

The remainder, however, is “missing and it’s not recoverable,” says Venn.

She went on to criticize the platform, stating: “If they think the system is safe, then why can’t they guarantee the process like banks do and give our money back unconditionally?”

In the wake of this case and similar ones involving PEXA, the platform has faced a backlash, with reports that almost 600 conveyancers have signed a petition to delay its rollout across Australia.

Sharing her thoughts on the platform was Jill Ludwell. The Australian Institute of Conveyancers Victoria Chief Executive questioned whether the system should be made mandatory in light of these cases, stating: “The industry has been assured repeatedly by PEXA that the platform is safe and secure. These fraud incidents have only been possible because of significant security vulnerabilities.”

As well as the question mark the case puts over the security of online platforms, it also highlights the global threat which fraud poses to conveyancers, with email being the main target.

Cases like this suggest that as long as emails are accessible to fraudsters, they can effectively be used as a gateway to break into a transaction, regardless of how secure external platforms or software is.

2 Responses

  1. I am a conveyancing lawyer in the jurisdiction where this theft occurred. And that’s all it is, a simple theft. I was made possible because the conveyancer’s email account was exposed and easily hacked into. Simple two-step verification would have prevented the email hacking and deprived the thief of the username and password so easily obtained via the conveyancer’s email.

    Once the thief had used the username and password to enter the PEXA system it was a simple matter of changing a destination account number, and then waiting for the conveyancer to return and to digitally “sign off” on the transaction. The conveyancer singed off without checking as to whether any of the destination account numbers had been altered, and so the thief was in luck.

    The true point of vulnerability in the PEXA system is the use of bank account numbers, which reduce the name of an account holder to a multi-digit code which cannot be read in the same way as we can read “John Alexander Smith”. Change a letter in a name, and it’s fairly obvious. Change a digit in a long bank account number and no-one can tell if it’s correct or not without checking each and every digit.

  2. I have no doubt that technologically driven security is necessary to reduce the human element exploited by “Friday Crime” and illustrated by Dreamvar.

    It appears that here crime was enabled by a central transfer platform being dependent on information provided by users’ systems.

    There would seem to be a need for such platforms to increasingly use artificial intelligence etc to identify the need for and require checks on information supplied by others

    Improper redirection of money is technological crime. Technology will always be a part of the conveyancing process. There is a need to increase, not stand still on the use of technology to enhance security.

Want to have your say? Leave a comment

Your email address will not be published. Required fields are marked *

Read more stories

Join nearly 5,000 other practitioners – sign up to our free newsletter

You’ll receive the latest updates, analysis, and best practice straight to your inbox.