Approx time to read: 3 minutes
Key takeaways:
- Online fraud can be as simple as intercepting a password-reset email. (In this case the email account belonged to the conveyancer managing the settlement of a house sale.)
- Two factor authentication (2FA) is an easy way to add an extra level of protection to user accounts.
- Setting up 2FA on a business email account like Google Apps or Office 365 is not difficult.
News broke on Friday that one Melbourne family is homeless after hackers hijacked a transaction on Australia’s new online property transfer system (PEXA) and made off with $250,000 from the sale of their home.
And it was much easier to do than any layperson would assume: all it took was a hacked email account.
Here’s what happened
The hackers broke into the family’s conveyancer’s email system, intercepted a password-reset email sent by the PEXA platform, used it to take over the conveyancer’s PEXA account, and added themselves as another user on that account.
From there the hackers were able to edit the settlement details on the property sale and reroute the payment to a bank account they controlled.
This highlights a systemic failure in the login process for both PEXA and the conveyancer’s email – a failure with a very simple fix.
Two factor authentication is easy to set up on business email systems
Two factor authentication (2FA) is an easy way to add an extra level of protection to user accounts; and neither PEXA nor the conveyancer was using it as a requirement for access.
2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user enters their username and password (something they know). Then, instead of immediately gaining access, they must provide a second piece of evidence tied to something they physically have.
For a business email account, such as Google Apps or Office 365, this would generally be a six-digit one-time code generated by an authenticator app on the user’s mobile phone (preferable to a code sent by SMS, which can itself be intercepted).
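To show what that app-generated code actually is, here is an added example (not code from the original post, and not how Google or Microsoft implement it internally) of the standard TOTP scheme (RFC 6238) that authenticator apps use: the phone and the server share a secret enrolled via a QR code, each derives a short code from that secret and the current 30-second time window, and the server checks the submitted code after the password has already passed. The secret below is the RFC 4226/6238 reference key and the user record is constructed for the demo; both are assumptions, not values from the article.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 reference key
# ("12345678901234567890" in ASCII), base32-encoded the way an
# otpauth:// QR code carries it to the authenticator app.
# Assumption for this example only; a real enrolment generates a fresh random key.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the clock. This is what the phone app displays."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32, submitted, unix_time=None, step=30, digits=6,
                window=1, last_used_counter=None):
    """Server-side check. Returns the matched time-step counter, or None.

    window: also accept +/- this many steps, to absorb clock drift between phone and server.
    last_used_counter: highest counter already accepted for this user, so a code that was
    phished or shoulder-surfed cannot be replayed inside the drift window.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    if unix_time is None:
        unix_time = int(time.time())
    base = int(unix_time) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue  # already burned: reject replay
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            return counter
    return None


def make_user(password, secret_b32):
    """Constructed enrolment record: salted PBKDF2 password hash plus the TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": secret_b32,
        "last_counter": None,
    }


def authenticate(user, password, code, unix_time=None):
    """Step 1: the password. Step 2: the one-time code. A stolen password alone is not enough."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False
    matched = verify_totp(user["totp_secret"], code, unix_time,
                          last_used_counter=user["last_counter"])
    if matched is None:
        return False
    user["last_counter"] = matched  # burn this code so it cannot be used again
    return True
```

Two points worth noticing: the server never sends the code anywhere (no SMS or email to intercept), it only needs the shared secret and a clock; and a code is accepted once, so even if an attacker watches a victim type one it is useless a moment later. The drift window of one step on either side is the usual compromise between usability and exposure.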
In the case of the conveyancing company, 2FA on their mailbox would have meant that a stolen password alone was not enough to log in, so the hackers could not have read the password-reset email and hijacked the PEXA account. The whole sorry business would never have happened.
At the time of writing, the PEXA system also has no 2FA requirement for login, although they are working to improve security in the wake of this theft.
PEXA does, however, require 2FA to execute a transaction, so the conveyancer was remiss not only in letting their email be hacked but also in failing to confirm the account details on the transaction in question before they pushed the “go” button.
Don’t let email fraud kill your business
Both the bank and PEXA have washed their hands of any culpability in this case. Responsibility seems to sit squarely with the conveyancer, who was responsible both for the hack of their email and for failing to perform a final check on the transaction.
It remains to be seen whether their insurer will pay out; in the meantime the family at the centre of the theft is still down about $110,000, their bank having managed to freeze some of the funds before transfer.
If I had to guess, I’d say that the insurer will reject the conveyancer’s claim, meaning that the firm may ultimately be liable for the lost money and potential damages. But I’m no legal expert.
I’m the IT guy, so let me reiterate: setting up 2FA on a business email account like Google Apps or Office 365 is not difficult.