First American Financial Exposes 885 Million Mortgage Documents

Approximately 885 million digital documents have been exposed from mortgage deals that date back to 2003. First American Financial Corp is a provider of title insurance, as well as other services for the mortgage and real estate industries, and it allowed millions of records to be exposed according to one report.

The exposure is likely to put a variety of bank account statements and account numbers at risk, as well as Social Security numbers, tax records, wire transaction receipts, mortgage records, and driver’s license images. All of this information could be read through a web browser without getting authentication from anyone.

First American Financial Corp first learned of its design defect on May 24, when one of the production applications made it possible for people to gain unauthorized access to its customer data. This information was provided to USA TODAY by the company in a written statement. It also said that privacy, security, and confidentiality are the top priorities for the company, and it is committed to protecting the information of its customers.

The statement also added that First American Financial Corp took action immediately to address the full situation and shut down the external access option for the application. It is currently evaluating the effects of the situation and whether any issues relate to customer information security. It also mentions that it hired an outsourced and unbiased forensic firm to ensure that there has been no unauthorized and meaningful access to its customer data.

Brian Krebs wrote the report and claims that he was contacted by Ben Shoval, a Washington state real estate professional, who said that he’d had no luck getting any response from the company about what he found out, which was that portions of its website had leaked hundreds of millions of customer records.

The initial report by Krebs claimed that Shoval learned that anyone who knew the URL for any valid document on the website could also view other documents by just modifying one or two digits in the link. Krebs then chose to confirm the findings of the real estate developer. Krebs used to be a reporter for the Washington Post and was the first to report about another high-profile data breach, having determined that millions and millions of Facebook users had account passwords that were stored in plain-text format, which could be searched by over 20,000 Facebook employees.
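The flaw Shoval described, next to the object-level check that closes it, as an added example (not code from First American or from the Krebs report). The record store, session tokens and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: sequential IDs, as in the links described above.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "closing statement (alice)"},
    1002: {"owner": "bob", "body": "wire receipt (bob)"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # token -> user (constructed)
AUDIT_LOG = []  # (user, doc_id, status) for every request


def get_document_vulnerable(doc_id):
    """Flawed pattern: a valid ID in the URL is the only thing checked."""
    doc = DOCUMENTS.get(doc_id)
    return (200, doc["body"]) if doc else (404, None)


def get_document_hardened(doc_id, session_token):
    """Authenticate the caller, then authorize against the record's owner."""
    user = SESSIONS.get(session_token)
    doc = DOCUMENTS.get(doc_id)
    if user is None:
        status = 401
    elif doc is None or doc["owner"] != user:
        # Same answer for "missing" and "not yours", so a response never
        # confirms that a neighbouring ID exists.
        status = 404
    else:
        status = 200
    AUDIT_LOG.append((user, doc_id, status))
    return (status, doc["body"] if status == 200 else None)


def denials_by_user(log):
    """Count refused requests per caller; a high count suggests ID walking."""
    return Counter(user for user, _doc_id, status in log if status != 200)
```

Recording every request, allowed or refused, is what later makes it possible to say who accessed which document.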

Regardless of past reports, Krebs claims that this exposure issue is one of the worst he has seen because there are just so many individuals involved. Anyone who has ever gotten a document link by First American Financial Corp via email is likely to be a victim in this breach.

The chief data scientist from Rapid7 Labs, Bob Rudis, claims that this exposure is severe for First American, but it also highlights the need for a more comprehensive approach to securing the network and systems, especially for areas that house highly sensitive information.

He also says that anti-malware products, firewalls, and other security controls aren’t enough to reduce that unwanted exposure. Organizations need to think like a cyber-attacker to help them identify any areas of weakness before cybercriminals do it themselves.

The Director of Solution Engineering at CipherCloud, Tyler Owen, says that there has been a gross negligence by First American Financial Corp. He believes that everyone in the info security industry has become numb to these breaches and disclosures because they happen more and more frequently (about once a week). Regardless of the negative impacts and bad press for the company, organizations just aren’t putting enough emphasis on secure processes and data security.

The victims here are primarily the people who have had their data exposed because they have little to no recourse available to them.

The problem is that there is no information about who accessed the files over time, and no one has any concrete information about the misuse of the data because of the temporal exposure. It’s almost impossible to determine who leaked the information, who had access to it, who accessed it, and what they did with that ill-gotten information. If it were to, say, end up being sold on the dark web market, it might generate a lead, but nothing has surfaced so far.

If you believe you were part of the data breach, you should monitor your credit report and look for signs that someone has used your credit card without your permission. You can also freeze your credit report so that no new credit applications can be opened. Your financial organization is likely to have tools available to help you; utilize those tools to ensure that there is no activity on your accounts without your knowledge. It’s also helpful to listen for whatever information First American provides about the matter. That way, you’re well aware of something going amiss and can talk to the right people to seek restitution.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon.com author, CEO of Safr.Me, and the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

Mortgage Scams plague Homeowners and Agents

There are things you should know before you purchase your next house—even if you foresee that being years away. Take note of what’s in this article—and keep the notes where you’ll never forget where they are.

A hacker could fool you into thinking he’s your agent and trick you into sending him money—which you’ll never get back. It’s so bad the FTC even sent an alert warning consumers that real estate agents’ email accounts are getting hacked.

  • Let’s say your Realtor’s name is Bill Baker.
  • Bill Baker’s e-mail account gets hacked.
  • The hacker observes Baker’s correspondences with his clients—including you.
  • Ahhh, the hacker sees you have an upcoming closing.
  • The hacker, posing as Bill Baker, sends you an e-mail, complete with instructions on where to wire your closing funds.
  • You follow these instructions.
  • But there’s one last step: kissing your money goodbye, as it will disappear into an untraceable abyss overseas.
  • This scam can also target your escrow agent.

It’s obvious that one way to prevent this is to arrange a home purchase deal where there are zero closing costs.

The scam is prevalent, perhaps having occurred thousands of times. It was just a matter of time until scammers recognized the opportunity to target real estate agents and their clients.

The lax security defenses of the real estate industry haven’t helped. Unlike the entire financial industry, which has encrypted communications, the real estate industry is a hodgepodge of free e-mail accounts and unprotected communications.

In addition:

  • Realtors, so often on the go and in a hurry, frequently use public Wi-Fi like at coffee houses.
  • Anyone involved in a real estate transaction can be hacked, such as lawyers.

Preventing the Scam

  • Eliminate e-mail as a correspondence conduit—at least as far as information on closings and other sensitive information.
  • On the other hand, you may value having “everything in writing,” and e-mail provides a permanent record. In that case, use encrypted email or some setup that requires additional login credentials to gain access to the communication.
  • For money-wiring instructions, request a phone call. And make this request over the phone so that the hacker doesn’t try to pose as your Realtor over the phone.
  • Any e-mailed money instructions should be confirmed by phone—with the Realtor and the bank to send the money to.
  • Get verification of the transfer ASAP. If you suspect a scam, have the receiving bank freeze any withdrawal attempt of the newly deposited funds—if you’ve reached the bank in time, that is.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Mortgage Brokers put Client Data at risk

Your private information may not be safe with your own mortgage lender, even a small one, says cybersecurity firm HALOCK Security Labs. The leak may occur when data goes from applicant to lender.

Seventy percent of the 63 U.S. mortgage lenders that HALOCK investigated allowed applicants to send private and financial data (like tax documents) as e-mail attachments—over unencrypted e-mail. Seventy percent also promote faxing sensitive data—not nearly as secure as encryption.

While more than 40 percent provided a snail mail option, only 12 percent offered encryption. When asked why they didn’t offer a secure e-mail portal, several survey participants replied it was an issue of what the applicant was “most comfortable with.” (Certainly, who’d be comfortable with a leak of their most private information?)

While lenders place customer comfort ahead of security, they fail to realize that customers have been steadily losing confidence in their banks’ commitment to privacy.

Another consideration is whose comfort is really at issue? In a study, one former mortgage lender stated that it was a time hassle to explain to customers about secure portals; unprotected e-mail was quick and convenient.

But it’s well worth the time to hassle with this, says security expert Graham Cluley. Regular e-mail, by definition, is non-secure.

There’s no shortage of methods to send e-mail securely. It’s just that they’re underutilized by organizations. Decision makers want to make things easy for customers, but this doesn’t have to be at the expense of their security.

Security measures that are customer-friendly exist. Bank customers are more demanding than ever for security, even though they usually do not understand about encryption. What bank wants a weak link in the form of a gaping hole through which customer data can leak? An ounce of prevention (secure portal log-in) is worth a pound of cure (identity theft).

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Identifying Devices can stop Mortgage Fraud

What is mortgage fraud? The act of intentionally facilitating the use of, or using, any misrepresentation, misstatement or omission in a deliberate manner, being aware of the same to contain such, during a mortgage lending process, with the aim that the mortgage lender, borrower or any other participant to the mortgage lending process relies upon it.

Sometimes mortgage fraud involves identity theft. This means consumers must be leery of people who may purchase a house in their name. Today’s lending standards are much more lax than they were three decades ago, creating more opportunities for scams.

First time home buyers, low income buyers, naïve buyers and illegal immigrants are often targets of predatory lenders.

Be aware of lenders who:

  • Target poor neighborhoods
  • Offer financial incentives for providing employment records
  • Offer financial incentives to find purchasers
  • Practice double closings: The buyer signs several mortgages on the same home which quickly settle, thus preventing lenders from catching wind of the fraud.

“Demand for consumer financing in the U.S. is growing at more than 5 percent per year, challenging lenders to adapt to rapid customer acquisition and an ever-changing environment,” points out iovation Director of Business Development Steve Hanson. He adds: “Therefore it’s essential that lenders stay apprised of the latest industry developments and regulations so they can develop customized strategies that benefit their clients and business.”

A giant step in putting a plug in mortgage fraud is to identify the devices responsible for committing fraud.

With a combination of advanced device identification, real-time risk evaluation and shared device reputation, iovation provides protection from fraud to online businesses and their end users.

iovation’s device reputation database is the largest in the world, protecting over 10 million transactions, halting an average of 200,000 fraudulent activities on a daily basis.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.