Why MFA on PEXA (Property Exchange Australia) Still Leaves Security Concerns

We published an article yesterday explaining why we see problems with the newly-introduced multi-factor authentication security measure on the PEXA electronic conveyancing platform.

In response to the growing number of conveyancing scams, such as the highly-publicised case involving the former MasterChef contestant, PEXA decided to introduce 2FA to protect user accounts from fraud. In that payment redirection fraud case, $250,000 of a property settlement was transferred to the criminal’s bank account, and the funds ended up in Thailand.

As far as we know, the criminals first gained access to the conveyancer’s email account, then used the password recovery feature on the PEXA platform to take over the conveyancer’s PEXA account. They then silently changed the payment details stored at PEXA, so the wrong bank account details were sent out at the next property transaction.

SIM Swapping Attacks Can Circumvent the New Security Measures

Multi-factor authentication (or two-factor authentication) was the right response to prevent the platform from being abused, and the general public was also pushing for this feature on social media after the scam. As a result, MFA is mandatory on every PEXA account from 15 September. PEXA chose PingID as its multi-factor authentication provider. As of today, PEXA users can choose to receive a one-time passcode either as a text message to their mobile phone or from the PingID code generator app.

Although 2FA is a powerful security measure, the SMS option leaves a sour taste in the mouth because text messaging is an insecure channel for delivering codes. Text messages can be hijacked with an attack called ‘SIM swapping’.

SIM swapping attacks are not new and have been around for a while. For example, the user accounts of high-profile YouTube creators were hijacked using the SIM swapping trick around 2016. As for Australia, unsuspecting Australians lost $5.8m to SIM swapping attacks in 2017.

SIM swapping attacks have also been common in the UK for some time. Criminals have been relying on this technique to bypass two-factor authentication or to intercept SMS-based confirmation codes for bank transfers. In 2016, researchers demonstrated how easy it is to transfer someone’s mobile phone number to a new SIM card using social engineering techniques.

How SIM Swapping Attacks Work

What criminals do is buy a SIM card from an obscure mobile phone service provider and have the victim’s phone number transferred to it. They simply pretend to be the victim and submit a number porting request through the mobile phone service provider’s website. In Australia, all you need to port a phone number to a new SIM card is the account holder’s last name and date of birth. Needless to say, both details are easy to find.

Once the phone number transfer is complete, the criminals start receiving the SMS-based one-time codes and can bypass the multi-factor authentication on PEXA. What makes this scary is that the victim receives no notification from the mobile phone provider whatsoever, before or after the porting request. The only sign is that the victim’s phone goes offline once the number has been transferred.

Criminals committing payment redirection fraud are multi-skilled, organised criminals with plenty of resources to (a) perpetrate more complex scams and (b) adapt to new situations. Once everyone on the PEXA platform is enrolled in MFA, the cybercriminals will adjust to the new authentication challenge, and SIM swapping attacks are the obvious way for them to hack into their victims’ PEXA accounts again.

So How Can You Protect Your Business from SIM Swapping Attacks?

First and foremost, I encourage everyone to choose the PingID code generator option on the PEXA platform, as SMS-based codes are susceptible to SIM swapping attacks.

On a broader scale, I suggest choosing code-generator apps over text messages on every service where that is possible, e.g. Dropbox and Gmail. For a list of online services supporting 2FA, visit https://twofactorauth.org/ to check whether your favourite online service supports strong authentication.

Lastly, if you have not turned on two-factor authentication on your Office 365 or G Suite accounts, please do it now.

Read our more detailed coverage at https://blog.ironbastion.com.au/pexa-introduces-mfa-but-more-guidance-needed/

Gabor

Gabor Szathmari is a cybersecurity expert and digital privacy enthusiast. In his professional life, Gabor helps businesses, including many small and mid-size legal practices, with their cybersecurity challenges at Iron Bastion.