PEXA has completed the rollout of mandatory multifactor authentication for the 20,000 property industry practitioners who are registered to use its platform.
The electronic property exchange provider completed the MFA rollout in mid-September.
“We started to roll out to practitioners in blocs, giving them time to get used to the new technique and new capability, and then finally said ‘Okay, it’s now mandatory for them to run through the MFA,’” PEXA group executive, technology, Trevor Nelson told Computerworld.
The MFA process does not apply to every PEXA user: Nelson said that accounts associated with bank employees are already subject to the stricter security models imposed by their employers.
PEXA in June revealed that it intended to accelerate the planned rollout of MFA to add another layer of security to the property exchange platform. That announcement followed a high-profile fraud case involving the theft of $250,000 from the settlement of a property.
In that case, PEXA said its platform was not hacked but a conveyancer’s account was compromised after somebody with access to the accountholder’s registered email address used it to conduct a password reset. The fraudster then changed the target bank account details associated with a transaction.
Although Australian banks have their own highly developed security capabilities, Nelson said that the practitioners who use PEXA are a heterogeneous group.
“We’re very focused on the practitioners because it’s a diverse group out there, ranging from large legal firms, large conveyancing firms, down to small individual practitioners, and you are only as strong as your weakest link in that chain,” he said.
“We’ve had quite a strong relationship with the banks for a number of years over their security posture and the way they treat security, but it’s really quite a different model for the practitioners and it varies a lot. So we thought it was imperative that we actually focused on them, to bridge that gap that we thought was there around their security posture, to try to strengthen security across our network.”
Nelson said that the deployment of MFA builds on an existing second layer of authentication already used by PEXA: digital signing, which he said involves a “unique digital signature for every practitioner and every bank employee that actually signs either a lodgement document or a financial settlement.”
“That is mandatory and cannot be worked around; it is a requirement that is unique to every person who has that accountability,” Nelson said.
PEXA’s implementation of MFA is based on Ping Identity. Nelson said that Ping’s identity offering had been part of PEXA’s technology stack for around three years, and the MFA rollout was based on enabling another capability offered by the product.
The second factor for login is typically based on codes delivered either via SMS or via a mobile app. “The third option, which is less used but still available in particular situations, is a desktop application. That’s for the unique situation where the practitioner’s firm doesn’t allow mobile phones in their premises,” Nelson said.
The unauthorised transfer of mobile phone numbers has been implicated in sophisticated cases of fraud overseas as well as in Australia, and the security of using SMS in 2FA has been questioned. “We’re going to enhance this capability over the next three to six months to remove that potential opportunity for people,” Nelson said.
“We’re going to add another layer of security into this and we’re partnering with a number of other companies in this particular space – we’re working through a number of solutions to basically remove that concern around mobile phone porting.”
The MFA rollout is one piece of a broader security program at PEXA, he added. Another key measure has been implementing anomaly detection across the platform. PEXA has an in-house solution dubbed ‘Eagle’ that scrutinises the behaviour of users.
“There’s a whole bunch of rules that we’re building up across our platform to determine unusual or suspicious behaviour,” Nelson said. If an anomaly is detected then PEXA contacts a practitioner.
“We basically give that practitioner a call and say, ‘Hey are you actually doing what we’re seeing you doing here’,” the PEXA executive said.
Nelson said he wasn’t able to comment on whether or not PEXA had detected fraudulent activity using Eagle, but said that practitioners had been appreciative of the calls, which in some cases were triggered by a user logging in from a different location or behaving in a slightly different manner than usual.
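The article describes two signals in the paragraphs above: the fraud pattern in which a password reset is followed by a change of the bank account details on a transaction, and Eagle's rule that a login from a different location than usual triggers a call to the practitioner. The following is an added example, not PEXA's Eagle, showing how a small rule engine over an activity log could raise those two alerts. The event format, the 24-hour reset-to-change window and the log lines themselves are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str            # "login", "password_reset" or "bank_details_changed"
    country: str = ""    # only meaningful for "login"


# Constructed sample activity log (not real PEXA data).
SAMPLE_EVENTS = [
    Event(datetime(2020, 9, 1, 9, 0), "alice", "login", "AU"),
    Event(datetime(2020, 9, 1, 10, 0), "bob", "login", "AU"),
    Event(datetime(2020, 9, 2, 9, 10), "alice", "login", "AU"),
    Event(datetime(2020, 9, 3, 2, 0), "bob", "password_reset"),
    Event(datetime(2020, 9, 3, 2, 5), "bob", "login", "NZ"),
    Event(datetime(2020, 9, 3, 2, 20), "bob", "bank_details_changed"),
    Event(datetime(2020, 9, 3, 9, 0), "alice", "login", "AU"),
]

# Assumption: a bank-detail change this soon after a reset is treated as suspicious.
RESET_TO_CHANGE_WINDOW = timedelta(hours=24)


def detect(events):
    """Replay events in time order and return a list of
    (user, rule, timestamp) alerts for follow-up with the practitioner."""
    known_countries = defaultdict(set)   # baseline learned from confirmed logins
    last_reset = {}                      # user -> time of most recent password reset
    alerts = []

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login":
            baseline = known_countries[e.user]
            if baseline and e.country not in baseline:
                alerts.append((e.user, "login_from_new_country", e.ts))
                # Do not add the new country to the baseline until the
                # practitioner has confirmed the login was theirs.
                continue
            baseline.add(e.country)      # first login or a known country
        elif e.kind == "password_reset":
            last_reset[e.user] = e.ts
        elif e.kind == "bank_details_changed":
            reset_at = last_reset.get(e.user)
            if reset_at is not None and e.ts - reset_at <= RESET_TO_CHANGE_WINDOW:
                alerts.append((e.user, "bank_change_after_reset", e.ts))
    return alerts


def practitioners_to_call(alerts):
    """Distinct users with at least one alert, in sorted order."""
    return sorted({user for user, _, _ in alerts})


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("call:", practitioners_to_call(detect(SAMPLE_EVENTS)))
```

The reset-then-change rule is deliberately independent of where the login came from: it catches the case the article describes even when the attacker logs in from the practitioner's own city. The new-country rule only learns a location after the user has confirmed it, so an attacker's first login cannot quietly become part of the baseline.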
PEXA is also developing an app that will allow its members to ask for and receive bank details from their clients, which it believes will reduce the risk of inaccuracies as well as make it less likely that sensitive information is sent via email.
Another focus for the organisation is promoting a security conscious culture among the platform’s users.
“Security is everybody’s responsibility, so we are working very closely with the financial institutions, we are working very closely with the land registries, we’re working very closely with the various industry groups, e.g. the law society and the conveyancing society, to promote and ensure that people are thinking about security,” Nelson said.
PEXA has been running forums and roadshows focused on security, he added.
On the non-security side of things PEXA is looking at developing a new portal that will offer users access to the services of title search providers.