CISSP SVP & Chief Information Security Officer, West a WFG Company
Our industry is currently experiencing an increase in fraudulent schemes surrounding a sustained effort to alter wire instructions and divert funds. Criminal organizations are discovering the tremendous amount of funds being transacted in real estate. Awareness of these fraudsters’ efforts is one tool you can use to prevent loss to your customers.
Another tool is informing you about the security methods available to protect data and funds in the first place.
We’ve received some questions about security and how some of this security stuff actually works.
One big question is about HOW the bad guys get in.
You’ll need to know these other common ways the bad guys get a foothold:
How: Through an unpatched browser or other software
Along with phishing, criminals most often use websites they compromise to target known vulnerabilities in your web browser. Whenever you go to a website, you’re taking the gamble that it’s not controlled by a malicious actor.
You may have the impression that just avoiding “shady” websites will protect you, and while that’s certainly safer behavior, it will not completely protect you. In recent years major websites such as CNN, eBay, Facebook, and major advertisers have all been hit, leading to their visitors being directly targeted when they were just checking the news or shopping. These attacks haven’t missed county recorder office websites and other online resources we use in the course of business.
These vulnerabilities are one good reason you must be diligent about patching and updating your computer. While we can fix the vulnerabilities we know about, there is constant research into more flaws, so we all have to keep patching.
There are also vulnerabilities that will never be fixed. For instance, software that’s reached its end of life, such as Windows XP, won’t ever have patches to fix known flaws. If you’re using software that’s not getting patches, you’re inadvertently leaving your doors unlocked.
How: Passwords have to be stronger than Superman.
Another way these criminals can get in is simple: they guess. They try the most common passwords against our user accounts. This doesn’t mean they just try the top 10 passwords; they have whole databases of passwords. They buy and sell lists of millions of people’s passwords, thousands of which seem to be common passwords. These are the ones people may think are strong, but just happen to be so popular many people pick them. “5up3rm4n” won’t keep your account safe any longer. Make sure you don’t choose a password that others also might think is cool or memorable.
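To see why a password like “5up3rm4n” falls to guessing, here is a small check of the kind a password-change form can run; it is an added example, not code from WFG. The word list, substitution tables and function names are constructed for illustration, and a real deployment would load a large list of breached passwords.

```python
"""Screen a candidate password the way a guessing attack would: against a
list of common passwords, after undoing popular character substitutions."""

# Constructed sample list (assumption); real lists hold millions of entries.
COMMON_PASSWORDS = {"superman", "password", "letmein", "welcome", "qwerty", "dragon"}

# Substitutions that guessing rules routinely undo. "1" and "!" are ambiguous,
# so one table reads them as "l" and the other as "i".
_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
LEET_MAPS = [
    str.maketrans({**_BASE, "1": "l", "!": "l"}),
    str.maketrans({**_BASE, "1": "i", "!": "i"}),
]

# Digits and symbols people commonly append to satisfy complexity rules.
SUFFIX_CHARS = "0123456789!@#$%^&*?."


def candidate_forms(password):
    """Return the plain-word forms this password reduces to."""
    lowered = password.lower()
    stripped = lowered.rstrip(SUFFIX_CHARS)
    forms = set()
    for text in (lowered, stripped):
        for table in LEET_MAPS:
            forms.add(text.translate(table))
    return forms


def find_common_match(password):
    """Return the common password this candidate reduces to, or None."""
    matches = sorted(candidate_forms(password) & COMMON_PASSWORDS)
    return matches[0] if matches else None


if __name__ == "__main__":
    samples = ("5up3rm4n", "P@ssw0rd1", "L3tm31n!", "Welcome2024!", "mauve-Tractor-91-okra")
    for pw in samples:
        print(f"{pw!r:26} -> {find_common_match(pw)}")
```

Any password for which `find_common_match` returns a word should be rejected, because character swaps and an appended year or symbol do not move it off the lists described above.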
Another question is “When ARE we secure?”
Understanding how we keep the information we send to one another secure is rather important; we don’t want to rely on a handrail’s support when it isn’t there.
If a criminal gains access to your computer, they can also monitor the email you send and receive, the files on your computer, even your typing. They can also access other internal systems and see internal communications. Raise any concerns with your IT Expert if you suspect any possibility of compromise.
“What IS secure?”
Many of the criminals we need to be concerned with aren’t acting alone. They might not live in the United States, but they may be working for a company doing a job that in their country simply isn’t illegal, or worse, isn’t prosecuted by those countries’ legal authorities. These criminals work together like any other company (sans the ethical standards we follow here!). That means the ones targeting Title and Closing businesses know how our business works, and they have the same tools we do. Just because some sensitive information happens to be picture text on a page in a PDF instead of a Word document or email doesn’t mean they can’t read or utilize that information towards their criminal ends. Any data you handle is just as much at risk regardless of its format. If you can read it, so can they; but with one powerful exception:
Just as the implementation of scientific and engineering principles allowed the USA to land on the moon, clear implementation of math has yielded something that is near-absolute. If something is encrypted in the right way it simply can’t be unscrambled unless you have the key.
Aside from keeping information under lock and key, encryption has a few more uses. It can also show that a document hasn’t been tampered with (or prove it has), or it can help prove that something is actually from the person or company that it says it is.
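The tamper check described above can be shown on a set of wire instructions. This is an added example, not code from WFG: it uses a keyed hash (HMAC-SHA256) from Python’s standard library rather than encryption proper, it assumes sender and recipient already share a secret key exchanged out of band, and the field names and values are constructed.

```python
"""Tamper detection for wire instructions with a keyed hash (HMAC-SHA256)."""
import hashlib
import hmac
import json
import secrets


def canonical_bytes(instructions):
    """Serialize fields in a fixed order so both parties hash identical bytes."""
    return json.dumps(instructions, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(key, instructions):
    """Return the tag the sender attaches to the instructions."""
    return hmac.new(key, canonical_bytes(instructions), hashlib.sha256).hexdigest()


def verify(key, instructions, tag):
    """True only if the instructions are unchanged and were sealed with this key."""
    return hmac.compare_digest(seal(key, instructions), tag)


def demo():
    # Constructed sample data; the shared key is an assumption of this example.
    key = secrets.token_bytes(32)
    original = {"beneficiary": "Example Escrow Trust", "routing": "000000000",
                "account": "1234567890", "amount": "250000.00"}
    tag = seal(key, original)

    # One field changed after the sender sealed the instructions.
    altered = dict(original, account="9876543210")
    # A tag produced by someone who does not hold the real key.
    forged_tag = seal(secrets.token_bytes(32), altered)

    return {
        "original": verify(key, original, tag),
        "altered": verify(key, altered, tag),
        "forged": verify(key, altered, forged_tag),
    }


if __name__ == "__main__":
    print(demo())
```

Changing a single digit of the account number makes verification fail, and a tag made without the real key fails too, which is the “who has the key” point in practice.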
But it has its limits.
Encryption tools are used to protect emails you send to recipients, but only when you send them to the right people; it doesn’t protect against an email sent to the wrong address.
Encryption is available to protect our mobile devices and computers when they check your email, when you log into your Title or Closing application, and for other network traffic. But it can’t protect you if you are tricked into accessing a server that isn’t yours, whether that’s a website or a fileserver. Any link you get in email, IM, or even a text message on your phone might not lead somewhere safe.
Encryption also relies on who has the key(s).
These keys aren’t physical; each is just a small amount of data, like a password but a bit longer and with some math behind it. Almost all applications spare the user from dealing with the keys, but knowing who has the keys tells you who can read messages or prove who they are.
Web servers generally have keys, called certificates, which let you know that the server is owned by who it says it is. These can let you know you aren’t dealing with an imposter. If you ever go to an application that has a “certificate error” or is “untrusted,” you should be more than suspicious (even if it looks and acts exactly like it did yesterday!). Let your local IT Expert know, and do not use that server until you’re satisfied that the error is fully explained.
Concerned about your agency’s information security? WFG can help! The WFG Blocks program is designed to help our agents take the time and cost out of the real estate transaction with a variety of service offerings intended to create a strong foundation for your company while helping you grow your business, increase sales, and protect your sensitive data. Our Information Security Block offers a variety of services, including a cybersecurity program review that will comprehensively assess the current state of your cybersecurity, identifying your strengths and weaknesses. For more information, please visit the WFG Blocks website at www.wfgblcocks.com or speak with your local Agency Sales Representative.