Editor's Note: This article originally appeared in the November issue of MReport, click here to read the full issue.
Phishing. Malware. DoS. While these were once terms only IT professionals needed to know, in today’s increasingly digital world—where a company’s or a consumer’s most vital information can be comprised by simply clicking the wrong email link—we can no longer afford to be in the dark in regards to data threats.
In a July report, Identity Theft Resource Center (ITRC) found that the number of U.S. data breaches during the first half of 2017 reached 791. If data breaches keep happening at this same pace, we will experience 1,500 breaches by the close of the year—a 37 percent increase over 2016, ITRC reports.
While in 98 percent of cases it takes but a matter of seconds to minutes for data to be compromised (according to Verizon’s 2017 Data Breach Investigations Report), once it is released there is often no expiration date to it being used maliciously. When a credit card is
stolen, a consumer can shred the card, request a new number, or close the account entirely. However, when hackers gain access to personal identification info such as full legal names paired with Social Security numbers and dates of birth, a consumer can be impacted by the
repercussions for life.
“When it comes to data breaches such as Equifax, the threat doesn’t go away with time,” said Dan Jones, VP of Technology & Sales Support at Churchill Mortgage. “Literally in 10 years, someone could buy that list again and try to take out a mortgage or even attempt a HELOC in someone else’s name.”
“It’s quite possible that we are entering a new period of criminal fraud activity in this industry,” said Todd Hougaard, a Software Product Manager at Mortgage Cadence, an Accenture Company. “If we are forced to assume that bad actors now have sensitive financial information for most consumers and that these criminals are experts at manufacturing fake online identities based on this new information, what additional protections are going to be required?”
With little redress available once data has been breached, the adage “the best offense is a good defense” should become the motto of mortgage professionals today. Those who formulate today’s data-compromising strategies are savvy and those strategies are coming
from all directions. The only way to combat these strategies is to understand where the true threats lie.
Threat 1: Brute Force Access
Who do you picture when you think of a hacker? If it’s a mysterious figure half a world away furiously typing on a keyboard to find weak points in your network you: a) watch too much network TV and b) are thinking of a hacking style that most closely aligns with brute force
techniques to gain crucial financial information.
While hackers who employ brute force methods utilize a trial-and-error approach to decode encrypted data (such as logins), they do so using software that can try a variety of combinations light years faster than any human. These approaches are so fast that when PC Magazine tested one brute force code cracker—L0phtcrack, it found the program was able to access 85 percent of an office’s passwords within 20 minutes.
“With a login credential, thieves can gain access to all the data that is displayed on the website. They may also be able to access additional websites, as many consumers use the same login name (the most common is an email address) and password for multiple sites,”
said Craig Bechtle, EVP/COO at MortgageFlex.
Educating your employees on how to create strong passwords is one way to protect against brute force attacks. A strong password is one that is site specific, lacks identifying info that can be easily guessed, and contains a combination of uppercase and lowercase characters andmnumerals.
Another step to ensuring secure passwords is to require passwords to be changed frequently—though this protocol creates a delicate balance. “A common security mistake that companies make is that they implement rigorous password requirements, but do not guard against the ‘yellow sticky’ with a password on a user’s monitor,” said Eric Patrick, CTO at Quandis, Inc. If you require passwords to be changed too often, human nature—and the ‘yellow sticky’ tendency—soon takes over. In order to help ensure the passwords themselves aren’t in plain sight, consider obtaining a company subscription to programs such as LastPass, which not only stores passwords, but also helps auto generate new passwords.
To protect passwords on a larger scale, companies that take data security seriously should also ensure password hashing. Password hashing is a method by which passwords are transformed into another fixed length password or string. Hashing a password ensures that even if unauthorized parties access a company’s password database, they do
not receive plain-text versions of the passwords.
Threat 2: Malware
“Modern malware is very adept at stealing data,” said Jeremy Boyd, IT Director at DocMagic, Inc.
Malware is a type of software that damages or disables computers and computer systems and was connected to the recent Equifax hack after a flaw in the Apache Struts software the company used allowed hackers to install malware on the site that downloaded information when consumers visited Equifax’s website.
Though malware is insidious these days, the particular flaw in Equifax’s system could have been addressed by installing a patch that Apache Struts released in March. “The Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” said the Apache Software Foundation in a statement.
“Security vulnerabilities in commonly used insecure or unpatched operating systems is another way attackers can gain access to sensitive data,” said Boyd.
Patrick agreed, adding that updating browsers is also an important aspect of system security. “Corporate IT departments that don’t keep up with browser updates are essentially ignoring the security fixes constantly being put into browser software by Microsoft, Google,
Apple, and Mozilla,” he noted.
A specific type of malware is ransomware—as the name implies, hackers’ leverage the data they stole for a ransom against the companies it belongs to. According to Verizon, 27 percent of breaches were discovered by third parties in their study, and in part this is because the hacker themselves reached out to the company to brag about the theft or attempt to secure a ransom.
Threat 3: Phishing
“The phishing environment is extraordinary,” said Chuck Bloodgood, CIO at FirstClose. “Data thieves can copy something as innocuous as a Facebook friend notice where the minute you click on that button they take you to a page that has been completely replicated to look exactly like what you would expect. However, as soon as you enter any data, they follow every single click you make.”
In addition to the type of phishing that Bloodgood describes—mocking reputable websites—phishing may also include creating emails that look like they are from a known sender so the receiver reveals personal information such as passwords, credit card numbers, and Social
“As more and more of the origination process is digitized, borrowers and originators are becoming bigger targets of email phishing scams as a means for gaining access to sensitive data,” added Boyd.
“The additional problem with sending sensitive data via email is that you won’t lose that message right away—it gets copied to many different devices and places that will live on forever,” said Jon Debonis, Head of Information Security at Blend.
“I think education to borrowers is a big key—it doesn’t just take the lender to be compromised for data breaches to occur. It’s important borrowers understand not to send documents via email, not to send money via wiring instructions if you haven’t called and talked to someone and verified that it’s real,” said Jones.
Threat 4: Privilege Misuse
While strangers typically execute the hacking techniques described above, companies also need to prepare themselves for data breaches that originate within their own companies. As Bloodgood neatly phrases it, never underestimate “simple malice.”
According to the Verizon’s data breach report, 25 percent of breaches involved internal actors, while 2 percent involved partners.
“Poor internal controls make it easy for dishonest employees, vendors, and even cleaning people to steal data,” said Bechtle.
While companies need to be aware that disgruntled or recently terminated employees may release data if proper exit protocols aren’t strictly followed, Bechtle also warns against employees being careless with data due to ignorance of the possible consequences.
“Some examples include leaving document files out in the open unsecured in your office, not masking sensitive data on computer screens, granting improper access to sensitive data to nonessential employees, and sharing data with third parties that do not have proper security controls in place,” said Bechtle.
Threat 5: Physical Theft and Loss
As Bechtle noted, at times stealing data is a crime of opportunity when hard-copy files with important financial information are left lying around. In this internet-heavy day and age, physical data threats are often overlooked (according to Verizon it only represents 8 percent of the tactics used to comprise data), but it only takes moments for thieves to snatch data that is provided in a physical source.
In addition to taking data that is in plain sight, would-be thieves who are granted access to your workstation also have opportunities to install key loggers or data skimmers, disable controls, and seek other ways to infiltrate your systems in person.
Like the other forms of data breaches described, education is once again crucial to cutting down on the most common types of physical data breaches that companies suffer.
“People are still the most difficult factor to control and the weakest link in the security chain. We must be diligent about training and testing our people, not just once or even periodically but on an ongoing basis,” said Hougaard.
Perhaps the only silver lining of being a victim of a physical data attack is that according to Verizon, these types of data breaches are often discovered much quicker—in minutes, hours, or days, rather than in months.
In addition to malicious examples, physical theft can also occur due to carelessness or loss on the part of the data owner.
“The majority of confirmed [physical] breaches involve lost documents (several with record-loss totals in the thousands). … This requires adjusting corporate culture to not print out sensitive data if not necessary for business operations, or tokenizing data when printing is
required. This will also help with disposal errors covered in another pattern,” the Verizon study advised.
Protecting Against the Unknown Threat
When it comes to “known unknowns,” we are aware that there will be data threats out there that you won’t see coming. Hackers are devising new ways every day to circumvent security blocks. Instead of preparing you to ward off a specific attack, the following tips will help ensure that you have a comprehensive, overall data protection plan for your company that can withstand the unexpected.
First and foremost, protecting your data against the initial threat of a hack isn’t enough. You also need to protect your data if a hack occurs to ensure that the hackers don’t obtain usable data.
“Companies tend to underinvest on encryption technologies. With solutions like crypto anchors and multifactor authentication, data can be more difficult to steal,” advised Debonis.
According to Boyd, a layered approach to security is always best. “The layers are applied from the inside out. At the application level, DocMagic utilizes OWASP secure coding best practices, code reviews, and security-focused QA testing. At the host layer, we apply OS hardening and patching, host-based IPS, Least Privileged ACL and Mandatory Access Controls, and File Integrity tracking. All logs are sent securely to a remote system for real-time monitoring and auditing. At the network layer, we utilize multiple VLANs and firewalls to segment traffic into dedicated security zones. All network devices are hardened to ensure secure communications. Traffic is controlled and monitored through the use of internal IDS systems. The edge of the network is protected by multiple firewalls and the use
of an IDS. Ultimately, we take every precaution to safeguard data and perform regular audits to ensure security.”
Companies should also run internal tests and audits regularly to catch unusual activity on their servers.
Another important piece of the puzzle is being able to verify the source of information and ensuring your data or others’ data has not been compromised. Promising new technologies such as blockchain are bringing new tools to the market to add another layer of protection
for companies, according to Jason Nadeau, EVP at Factom.
“Blockchain technology can help ensure that digital documents are original, unaltered, and within the control of the designated custodian,” explained Nadeau. Like Debonis, Nadeau also recommends utilizing cryptography. “The most practical way to do this is by using a cryptographic proof that is published to a blockchain with preserved metadata of the digital asset. A digital asset can be defined within the mortgage industry as a mortgage loan, real estate property, MSR, and foreclosed property, along with many other examples,” he
Patrick also advocates blockchain. “The really interesting long-term technical impact of the Equifax hack may be getting the financial industry to move away from the existing credit-reporting model toward a blockchain solution for credit data sharing. Platforms like JPMorgan’s Quorum are potential replacements for the existing credit-reporting infrastructure,” said Patrick.
“I look at my list of people who are accessing my network on a weekly basis,” said Bloodgood. “The only way hacks like Equifax would have been caught is by monitoring your network and looking for what are called data leaks. How is my data being transmitted? Is there something on my network that’s sending data that I don’t know about? That’s the thing that keeps every IT person up at night.”
Preparing for the Worst
Though responsible financial services companies should do all they can to prevent or stop a hack from occurring, you should have a plan in place on how a hack will be addressed from both logistical and public relations perspectives. According to the Federal Trade Commission, the immediate steps after a data breach should be:
- Securing physical areas: This can include locking the area and
- Stopping additional data loss: Impacted equipment should be taken
offline, but all evidence should be preserved. Your system should be
monitored for further activity.
- Removing improperly posted information from the web: After you have
cleaned up your internal processes, you should search for what
information was released publically and ask for its removal.
Further steps include informing key service providers, and then seeing what the break notification laws are in the states you conduct business in. Informing law enforcement (including your local police, the FBI, or the U.S. Secret Service, depending on the type of data breach) is crucial.
No Longer Walking on Eggshells
While it may seem somewhat inevitable that the next big data breech is just waiting to capture headlines, as we’ve seen from the experts collected here, the widespread nature of hacking attempts don’t have to equal immobility among mortgage professionals.
In regards to the Equifax breach, interim CEO Paulino do Rego Barros Jr., has said recently in public writings: “The entire Equifax team has been humbled by this incident. We are also highly motivated and extremely determined. We will get through this by doing the right things for consumers including considering consumers’ desire to control their personal financial data. No one thinks it makes sense for individuals to have to rely on a business–any business–to control access to their information. As part of our commitment to support
consumers, we have announced that by January 31st we will offer consumers a new service that will allow them to control access to their personal credit data. The service will be easy to use and available for free, for life. We hope our competitors will join us to give consumers the power to protect their credit data.”
As we have learned from high-profile data breaches, to ensure your people, processes, and protocols are prepared for both internal and external threats, prepare now.
“The trust of the consumer is paramount to running your business and it is up to all providers to use the proper technology to protect that asset,” advised Bechtle.