Mortgage companies are a particularly desirable target for hackers and their schemes because they have money and data that hackers want. The average mortgage broker or lender collects and stores — even temporarily — the most intimate information about borrowers.
The industry, however, hasn’t traditionally done a good enough job protecting critical digital assets. There are numerous examples of this, but one recent case targeting mortgage brokerages stands out. Conspirators devised a criminal “fuzzing” scheme to steal money and to obtain identity information. The case, which was revealed in federal documents, should serve as a warning to all commercial mortgage brokers and lenders of the real danger of cybercrime.
he scam began simply enough in a room in Tijuana, Mexico, in 2011. Before it was all over, the conspirators stole several hundred thousand dollars and the sensitive personal information of thousands of people from California to Florida. The victimized companies did not know it was happening until the FBI contacted them.
Fuzzing is a form of security penetration testing in which an attacker sends multiple batches of random data to computers to see if they can cause the targeted system to crash or behave unexpectedly. After learning which data was actually processed by the web server or, more importantly, which data was able to cross a so-called “trust boundary,” the conspirators were able to not only get access to their target’s computers, but also to the sensitive data that was on those computers.
Once they got hold of the personal accounts, the conspirators could go to work. The group’s ringleader identified multiple victims’ brokerage accounts and took control of them by calling the companies and providing the victims’ personal information to change passwords and contact information. Then it was simply a matter of wiring funds — sometimes up to $30,000 at a time — from the victims’ accounts to accounts they controlled.
During the next three years, the conspirators were able to steal between $400,000 and $1 million from some 20,000 individual victims. They used the personal information they stole to commit identity fraud, set up credit cards in the victims’ names, and charge thousands of dollars of goods and services, some of which they then converted to cash to buy drugs.
Hackers have devised numerous ways to penetrate a company’s computer network and steal information. The National Association of Realtors and Federal Trade Commission, for example, have issued warnings on phishing scams, in which hackers break into the e-mail accounts of real estate agents or mortgage companies to learn about an impending closing date. Armed with the information, the hacker then contacts the buyer and tricks them into wiring funds under the ruse that the money will be used for the closing.
In 2017, a Chicago Tribune column cited the case of a Denver couple who planned to use more than $270,000 in proceeds from a home sale for a downpayment on a new house. Hackers, however, gained access to information about the sale and sent the couple an official notice with instructions on how to wire the downpayment. Their money disappeared and was never recovered.
The average mortgage company collects and stores the most intimate information about borrowers — information that is protected under the Fair Credit Reporting Act, but which can be used by hackers to impersonate victims for various reasons. These include the names, dates of birth, Social Security numbers, financial records and other information that spells out an individual’s borrowing and payment history. All of this data can be used by a criminal to commit fraud, or it can be sold to online underground marketplaces.
Websites and loan-origination systems — even presumably secure ones that are used for processing mortgage applications and collecting data — can be hacked, spoofed or redirected. They are targets of “man in the middle” attacks, in which an attacker eavesdrops on a communication between two parties and then impersonates one of the parties in the discussion to extract information or manipulate one of the parties. Databases of personal information can be hacked, accessed, altered or hijacked.
Fund transfers can be redirected, stolen or monitored — and that’s just by ordinary hackers. Hackers working for governments — so-called “nation state actors” — can use the personal information in these databases for espionage, manipulation or impersonation.
Data breaches almost always result in tremendous financial loss to commercial lending institutions and their clients. Given the size of the threat, however, the mortgage industry has not been doing a good enough job of protecting critical digital assets.
Under federal financial-services regulations, such as the Gramm-Leach-Bliley Act of 1999, and the state of New York’s recent cybersecurity rules, mortgage brokers and lenders are required to provide technical, administrative and physical security from unauthorized disclosure for a wide variety of information. Mortgage companies should take several steps to secure their data. Step one is to identify what data you have and where it is located. This includes information that is stored online and in physical files. Companies also need to know how the information is protected and who has responsibility for protecting it.
You also need to know what to do if there is a breach, and to have a plan in the event one occurs. That plan must be tested with simulations of real- world security incidents.
In the case of the Tijuana hack, each of the mortgage brokerages were vulnerable to fuzzing, but an automated penetration test by experienced security consultants would have revealed that vulnerability. The companies could have fixed the problem prior to its exploitation. So-called security “penetration tests” and “vulnerability assessments” that can detect network and application vulnerabilities are just a few tools that can help lenders and brokers measure their susceptibility to compromise from these types of attacks.
Commercial mortgage companies also should perform a comprehensive risk assessment that looks not only at the company’s security technologies and controls, but also at the resilience of their people and processes to such attacks. These studies should consider potential impacts to the business; how the staff is educated on security-awareness matters; and what exposures may exist as a result of dealing with third-party partners and other trusted vendors. By following this process, mortgage companies can best create a culture of security around the protection of sensitive data.
Security and security management is a continuous process. With the adoption of new applications, products, services and technologies, new vulnerabilities always arise. Newer technologies, such as the internet of things (IoT) and 5G network speed, which have connected the internet to a wide range of mobile devices, will make the challenge more difficult. In fact, in many cases, hackers have been able to access sensitive computer networks through connected, cloud-based network video cameras. So, it is critical that mortgage companies address every potential network access point.
• • •
Commercial mortgage companies need to plan, protect and prepare for a cyberattack. They not only need to implement appropriate technologies to secure their network, applications, systems and data, but they also need to employ expert personnel to help minimize the threat. The bottom line is, you need a comprehensive incident-response plan for when — not if — the hackers get in.