First American Financial Exposes 885 Million Mortgage Documents

Approximately 885 million digital documents have been exposed from mortgage deals that date back to 2003. First American Financial Corp is a provider of title insurance, as well as other services for the mortgage and real estate industries, and it allowed millions of records to be exposed according to one report.

The exposure is likely to put a variety of bank account statements and account numbers at risk, as well as Social Security numbers, tax records, wire transaction receipts, mortgage records, and driver’s license images. All of this information could be read through a web browser without getting authentication from anyone.

First American Financial Corp first learned of its designed defect on May 24 when one of the production applications made it possible for people to gain unauthorized access of its customer data. This information was provided to USA TODAY by the company in a written statement. It also said that privacy, security, and confidentiality are the top priorities for the company, and it is committed to protecting the information of its customers.

The statement also added that First American Financial Corp took action immediately to address the full situation and shut down the external access option for the application. It is currently evaluating the effects of the situation and if any issues were relating to customer information security. It also mentions that it hired an outsourced and unbiased forensic firm to ensure that there has been no unauthorized and meaningful access to its customer data.

Brian Krebs wrote the report and claims that he was contacted by Ben Shoval, a Washington state real estate professional, who said that he’d had no luck getting any response from the company about what he found out, which was that portions of its website had leaked hundreds of millions of customer records.

The initial report by Krebs claimed that Shoval learned that anyone that knew the URL for any valid document on the website could also view other documents by just modifying one or two digits in the link. Krebs then chose to confirm the findings of the real estate developer. He used to be a reporter for the Washington Post and was the first to report about another high-profile data breach because he determined that millions and millions of Facebook users had account passwords that were stored in plain-text format, which could be searched by over 20,000 Facebook employees.

Regardless of past reports, Kreb claims that this exposure issue is one of the worst he has seen because there are just so many individuals involved. Anyone who has ever gotten a document link by First American Financial Corp via email is likely to be a victim in this breach.

The chief data scientist from Rapid7 Labs, Bob Rudis, claims that this exposure is severe for First American, but it also highlights the need for a more comprehensive approach to securing the network and systems, especially for areas that house highly sensitive information.

He also says that anti-malware products, firewalls, and other security controls aren’t enough to reduce that unwanted exposure. Organizations need to think like a cyber-attacker to help them identify any areas of weakness before cybercriminals do it themselves.

The Director of Solution Engineering at CipherCloud, Tyler Owen, says that there has been a gross negligence by First American Financial Corp. He believes that everyone in the info security industry has become numb to these breaches and disclosures because they happen more and more frequently (about once a week). Regardless of the negative impacts and bad press for the company, organizations just aren’t putting enough emphasis on secure processes and data security.

The victims here are primarily the people who have had their data exposed because they have little to no recourse available to them.

The problem is that there is no information about who accessed the files over time, and no one has any concrete information about the misuse of the data because of the temporal exposure. It’s almost impossible to determine who leaked the information, who had access to it, who accessed it, and what they did with that ill-gotten information. If it were to, say, end up being sold on the dark web market, it might generate a lead, but nothing has surfaced so far.

If you believe you were part of the data breach, you should monitor your credit report and look for signs that someone has used your credit card without your permission. You can also freeze your credit report so that no new credit applications can be opened. Your financial organization is likely to have tools available to help you; utilize those tools to ensure that there is no activity on your accounts without your knowledge. It’s also helpful to listen for whatever information First American provides about the matter. That way, you’re well aware of something going amiss and can talk to the right people to seek restitution.

ROBERT SICILIANO CSP, is a #1 Best Selling author, CEO of Safr.Me, and the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

Mortgage Scams plague Homeowners and Agents

There are things you should know before you purchase your next house—even if you foresee that being years away. Take note of what’s in this article—and keep the notes where you’ll never forget where they are.

3BA hacker could fool you into thinking he’s your agent and trick you into sending him money—which you’ll never get back. It’s so bad the FTC even sent an alert warning consumers that Real Estate Agents email accounts are getting hacked.

  • Let’s say your Realtor’s name is Bill Baker.
  • Bill Baker’s e-mail account gets hacked.
  • The hacker observes Baker’s correspondences with his clients—including you.
  • Ahhh, the hacker sees you have an upcoming closing.
  • The hacker, posing as Bill Baker, sends you an e-mail, complete with instructions on where to wire your closing funds.
  • You follow these instructions.
  • But there’s one last step: kissing your money goodbye, as it will disappear into an untraceable abyss overseas.
  • This scam can also target your escrow agent.

It’s obvious that one way to prevent this is to arrange a home purchase deal where there are zero closing costs.

The scam is prevalent, perhaps having occurred thousands of times. It was just a matter of time until scammers recognized the opportunity to target real estate agents and their clients.

The lax security defenses of the real estate industry haven’t helped. Unlike the entire financial industry who have encrypted communications, the real estate industry is a hodgepodge of free e-mail accounts and unprotected communications.

In addition:

  • Realtors, so often on the go and in a hurry, frequently use public Wi-Fi like at coffee houses.
  • Anyone involved in a real estate transaction can be hacked, such as lawyers.

Preventing the Scam

  • Eliminate e-mail as a correspondence conduit—at least as far as information on closings and other sensitive information.
  • On the other hand, you may value having “everything in writing,” and e-mail provides a permanent record. In that case, use encrypted email or some setup that requires additional login credentials to gain access to the communication.
  • For money-wiring instructions, request a phone call. And make this request over the phone so that the hacker doesn’t try to pose as your Realtor over the phone.
  • Any e-mailed money instructions should be confirmed by phone—with the Realtor and the bank to send the money to.
  • Get verification of the transfer ASAP. If you suspect a scam, have the receiving bank freeze any withdrawal attempt of the newly deposited funds—if you’ve reached the bank in time, that is.

Robert Siciliano personal and home security specialist to discussing burglar proofing your home on Fox Boston. Disclosures.

Mortgage Brokers put Client Data at risk

Your private information may not be safe with your own mortgage lender, even a small one, says cybersecurity firm HALOCK Security Labs. The leak may occur when data goes from applicant to lender.

4DSeventy percent of the 63 U.S. mortgage lenders that HALOCK investigated allowed applicants to send private and financial data (like tax documents) as e-mail attachments—over unencrypted e-mail. Seventy percent also promote faxing sensitive data—not nearly as secure as encryption.

While more than 40 percent provided a snail mail option, only 12 percent offered encryption. Several survey participants, when the subjects were asked why they didn’t offer a secure e-mail portal, replied it was an issue of what the applicant was “most comfortable with.” (Certainly, who’d be comfortable with a leak of their most private information?)

While lenders place customer comfort ahead of security, they fail to realize that customers have been steadily losing confidence in their banks’ commitment to privacy.

Another consideration is whose comfort is really at issue? In a study, one former mortgage lender stated that it was a time hassle to explain to customers about secure portals; unprotected e-mail was quick and convenient.

But it’s well-worth the time to hassle with this, says security expert Graham Cluley. Regular e-mail, by definition, is non-secure.

There’s no shortage of methods to send e-mail securely. It’s just that they’re underutilized by organizations. Decision makers want to make things easy for customers, but this doesn’t have to be at the expense of their security.

Security measures that are customer-friendly exist. Bank customers are more demanding than ever for security, even though they usually do not understand about encryption. What bank wants a weak link in the form of a gaping hole through which customer data can leak? An ounce of prevention (secure portal log-in) is worth a pound of cure (identity theft).

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

How to Spot a Mortgage Scam

Mortgage fraud is when someone knowingly uses or facilitates the use of any deliberate misstatement, misrepresentation, or omission, knowing the same to contain a misstatement, misrepresentation, or omission, during the mortgage lending process with the intention that it be relied on by a mortgage lender, borrower, or any other party to the mortgage lending process.

In a press release by the Appraisal Institute the Financial Crimes Enforcement Network’s March 2012 Mortgage Loan Fraud Update, found that depository institutions submitted 19,934 Suspicious Activity Reports in the third quarter of 2011 pertaining specifically to mortgage loan fraud, a 20 percent increase over the previous year.

Law enforcement activities surrounding mortgage fraud across the U.S. have resulted in the arrest of thousands, according to reports. Some of the most devastating instances of mortgage fraud involve identity theft. Consumers not only have to be leery of questionable mortgage lenders, but also of others who might buy a home in their name.

30 yrs ago mortgages originated at a savings-and-loan from bankers who obeyed conservative lending rules. Sweeping changes in the finance world have created a system to helped raise homeownership to record levels, but  it also has led to far looser lending standards allowing fraud to proliferate.

Predatory lenders often go after Illegal immigrants, first time home buyers, unsophisticated buyers, low income buyers, poor people who are often used as straw buyers and the elderly who might have full equity and fall victim to deed fraud.

There are dozens of scams to be aware of:

Lenders offering financial incentives to find buyers

Lenders offering financial incentives to provide employment records

Lenders targeting poor neighborhoods

Double closings; borrowers signing multiple mortgages on the same property which settle quickly and prevent the lenders from discovering the fraud

In the event of possible foreclosure:

Contact lender to work out payments

Carefully review documents before signing

Signing any kind of deeds means you’re selling your home

Be aware of people contacting you offering bargain loans or easy credit

They key to increase your “mortgage intelligence”. The more you understand about the lending process the better informed you will be to prevent being scammed. And always do business with know reputable brands.

Robert Siciliano personal and home security specialist to Home Security Source discussing Real estate Agent safety on Inside Edition. Disclosures.