Teri Radichel

Cybersecurity for the Mortgage Industry — Part 3

Broken portals lead to business and cybersecurity risk

Modern mortgage applications typically require potential customers to log into a portal, create a username and password, and submit information online. Typically the first part of the application is brief, followed up with supporting documentation. As explained in part 2 of this series on mortgage industry security, the amount of paperwork if you run a small business can be monumental. But in any case, applications typically require personal financial and tax information.

Having a secure portal is much better than sending documents by email, as I will explain. However, throughout the process of attempting to get a mortgage and buy and sell a house, almost every online portal I logged into had some type of bug or security problem. Some portals involved submitting applications and documents. Some of the portals were intended to send secure messages. Some were cumbersome. Some were completely unusable. In any case, staff resorted to insecure means of data transfer to get their jobs done, as I explained in my post on insecure processes in the mortgage industry.

These portals were not run by small companies. I was applying at some of the largest mortgage lenders in the United States. In other cases, smaller organizations were using secure messaging or document products from Fortune 100 companies. It was clear that some of these portals had never been thoroughly tested, either for functionality or for security. I wasn’t even trying to test the security of these portals and I generated numerous errors without intending to do so. I was only trying to get a loan or buy and sell a house. The problems with these mortgage application and messaging portals blocked me from doing so securely.

By the way, this problem is not specific to the mortgage industry. I’ve had issues with all types of portals including those used to get international visas, and even in one case when registering for a cybersecurity conference!

What went wrong, and in a few cases right, with the mortgage and real estate industry portals I used?

  • I had issues logging into one system and submitting an application. I am guessing the system had issues because I had previously received a mortgage from this company and was trying to set up a new account with a new email address. Perhaps it was linking my new and old accounts based on my personal information and getting confused. I have found similar issues while penetration testing financial applications in the past.
  • That same system deleted my application at one point. I logged in at a later date after submitting it and it was just gone. I had to start over and resubmit the application.
  • The person I was communicating with for the application in that portal was sending me emails outside this system. Another person called me about the application and stated that since there had been no further communication about my application, did I still want to proceed? Clearly, there is some sort of problem with that portal or process because I had just received an email about my application the day before.
  • Another bank where I put in an application had some kind of bug in the system that caused it to create about 15 partial applications. I had issues submitting an application, but I did not submit that many applications!
  • Any time the people helping me tried to create a way for me to upload a document in that system, it did not appear in my active, approved application. At first, I couldn’t find where they wanted me to submit the document or thought it did not exist.
  • Later out of curiosity, I searched through every application in that portal to see if any of them offered a way to upload a document. I found the document request associated with a partial application that was started but not submitted. It had no data associated with it. In order to upload the document, I would need to start the whole process over and reenter all my information for a supposedly already approved loan.
  • At some point in the process, I had two submitted applications where the bank was actively adding documents and information to both, even though I could add documents to neither. It was all very confusing and ultimately a train wreck as I explained in part two in this series on mortgage security.
  • When the portal did not work, the staff complained about it and asked me to email documents. I took them to the branch instead where a person scanned the document into some computer at the branch and then sent it in what they claimed was “secure internal email”. I mentioned some email security problems associated with that process in my last post. Not only that, is my document now on that computer at the branch as well?
  • Two systems were more related to real estate transaction security and providing a secure mechanism to get and send wire transfer instructions. Neither of these worked well enough or at all to be useful.
  • One system designed for secure communication was so cumbersome I couldn’t use it. It was not clear how to get the encrypted messages and I just gave up. I couldn’t easily figure out how to get the messages or send my own and I was in a rush to get my house sold and move. I ended up using email for messages that were not security-related and used the phone instead whenever possible.
  • More on that wire transfer process in my next post…
  • The other system I was supposed to use to get wire transfer instructions to purchase a new home simply didn’t work. It would send me a link and fail after a certain period of time, which is good because you want those links to expire. The problem was I didn’t know this and because the bank was delaying the transaction I was focused on resolving those issues and didn’t log in on time. The person I was working with sent me a new link but I still couldn’t get in once I got the new link. There was some kind of encryption issue with the system per the error message. Yes, I cleared my cookies, used a different browser, and even a different computer and network to try to get in.
  • That particular system is one that many organizations use for document management and communication, and it is provided by a very large tech company I have provided cloud security services to in the past. I submitted a note to them with the error messages to explain their system wasn’t working properly. They contacted me back but I didn’t have time to follow up. As I explained in a prior post, helping companies resolve security issues is time-consuming and that’s typically something I get paid to do when I perform penetration testing or security assessments.
  • When I was selling my home I had to contact my existing mortgage processor to get the balance on my loan. The woman in customer service sent me a copy of the remaining balance on my mortgage. Only I got someone else’s information for a property in Kansas!? Luckily I requested a copy for myself as well and caught the mistake, otherwise, the company paying off the loan might have paid off someone else’s house if they weren’t paying attention.
  • When I received the incorrect document, I submitted a note as to what occurred to the security team via the instructions on their website. They contacted me, but again, I didn’t have time to follow up. Helping companies resolve security issues and test systems for security problems is my profession, not something I have time to do for free.
  • Besides those two cases, anywhere I had issues with a portal I reported it to the company involved, but I am not sure how useful it is to tell front-line staff about bugs and whether they realize when there are potential security implications as I wrote about in a separate post. I could spend my whole life helping companies fix bugs for free because I find them all the time. I just found a security bug by accident in an online chat portal of a company that makes financial software. I looked for information on their website as to where I could submit it and couldn’t find it in a reasonable amount of time, so I had to move on. Just today I was at a home store and one of the refrigerators had a certificate flaw as I posted on Twitter. The list goes on and on.
  • I did use a document management system during this process which I have experience using and had reviewed in the past. I wouldn’t say it was a complete assessment, as that was not my job at the time, but I interviewed their CISO when I worked for a large bank when we were considering using it. I was impressed with the system architecture. I also know security people who work or formerly worked at that company and understand something about their security testing processes. I have reported security issues, through my contacts, regarding support processes which I suspect have been resolved.
  • Another real estate company was using a contract platform I had never heard of before and have not personally reviewed, so I am not sure how secure it is. But I did not have issues using that system. Hopefully, whoever selected that portal performed a proper security assessment of the system prior to purchase. At least it worked so we did not have to use email!

So what is the risk when your portal just plain doesn’t work?

Speaking from experience, staff stop using it and they ask customers to send documents in an email instead or use some other less secure workaround. What’s wrong with that?

First of all, people get used to opening any document that comes to them in email. Phishing is the number one source of compromise that leads to some of the most devastating attacks such as ransomware. I can give you a lot of scary statistics about ransomware and how many companies have been impacted but for some examples check out my cybersecurity news blog where I post data breaches and attacks that occur each week.

In my cybersecurity news blog for June 12–18, I posted a story about how Microsoft took down a major business email compromise (BEC) operation. The attackers were able to get into emails with information about financial transactions. Then they sent spoofed emails to trick people into wiring money to the wrong place. If you work in the industry you are likely familiar with this issue. My real estate agent said one of her clients lost $700,000 when tricked into wiring money to the wrong place. I’ll write more about how to prevent that in the next post but sending sensitive information and documents in email is not a good idea!

How are the attackers getting into emails?

The way they did it in the SolarWinds breach was pretty tricky, but in some cases, they just find user names and passwords from past breaches and someone has reused those credentials in another system. In other cases, they use something called password spraying which I explain in my book on cybersecurity. Sometimes they get a person to …click on a document to get malware on their system or an invalid link. Even with MFA sometimes attackers can get access to email accounts. It depends on many factors I cover in my book. Email is just not the best source of document storage.

Once an attacker gets into an email account, they can access any documents stored in that account. If a person is working with a number of mortgage company applications, the attacker has access to any document in that person’s email account. Additionally, the attacker may be able to send emails impersonating that user to trick customers into sending data or money to the wrong place.

Challenges with distributed systems

Especially as more and more people are working remotely, it is hard to protect data distributed across many different locations with varying levels of security. Keeping documents in a secure portal when people are working remotely allows a security team to more easily secure and monitor those documents filled with sensitive data. They can monitor the network and logs as I explain in my book on Cybersecurity for Executives in the Age of Cloud.

I also explain in that book why endpoint security — or security systems installed on end-user laptops — is less effective in some cases. If attackers can get onto a system and get administrative credentials they can turn off any security controls on that system. They will be able to access any documents on that system as well. They can delete any logs a security team may be using to detect their presence or what they have done.

How to fix the problems and reduce cybersecurity risk?

Let’s start with the last item where someone emailed me someone else’s document because that is the most obvious fix. When someone sends a document related to a financial account, they should not be manually pulling the document out and emailing it to anyone. The person should be logged into a system and looking at the account of the customer they are helping (excluding any data they don’t need to perform the operation). That person should have been able to click a button that only allows them to send my document to my email address associated with my account. There should be no way to send a document to the wrong email address!
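One way to build the button described above, as an added example that is not from the original post: the send function takes no recipient argument, reads the address from the account record, and refuses a document that belongs to a different account. All names (Portal, send_document, the account and document ids, the example.com addresses) are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass, field


class DeliveryError(Exception):
    """The send request does not match the customer account on file."""


@dataclass(frozen=True)
class Account:
    account_id: str
    email_on_file: str   # verified when the customer registered


@dataclass(frozen=True)
class Document:
    doc_id: str
    account_id: str      # the only account this document belongs to


@dataclass
class Portal:
    accounts: dict
    documents: dict
    outbox: list = field(default_factory=list)     # stands in for the mail service
    audit_log: list = field(default_factory=list)  # reviewed by the security team

    def send_document(self, staff_id, open_account_id, doc_id):
        """Send doc_id to the customer whose account the employee has open.

        There is no recipient parameter: the address comes from the account
        record, so staff cannot type or paste a different one.
        """
        account = self.accounts.get(open_account_id)
        document = self.documents.get(doc_id)
        if account is None or document is None:
            return self._deny(staff_id, open_account_id, doc_id,
                              "unknown account or document")
        if document.account_id != account.account_id:
            return self._deny(staff_id, open_account_id, doc_id,
                              "document belongs to a different account")
        self.outbox.append((account.email_on_file, doc_id))
        self.audit_log.append((staff_id, open_account_id, doc_id, "sent"))
        return account.email_on_file

    def _deny(self, staff_id, account_id, doc_id, reason):
        # Record the refused attempt before raising so it can be monitored.
        self.audit_log.append((staff_id, account_id, doc_id, "denied: " + reason))
        raise DeliveryError(reason)


def build_demo_portal():
    """Constructed sample data: two customers with one payoff statement each."""
    accounts = {
        "acct-1001": Account("acct-1001", "customer-a@example.com"),
        "acct-2002": Account("acct-2002", "customer-b@example.com"),
    }
    documents = {
        "payoff-1001": Document("payoff-1001", "acct-1001"),
        "payoff-2002": Document("payoff-2002", "acct-2002"),
    }
    return Portal(accounts, documents)


if __name__ == "__main__":
    portal = build_demo_portal()
    print(portal.send_document("staff-17", "acct-1001", "payoff-1001"))
    try:
        portal.send_document("staff-17", "acct-1001", "payoff-2002")
    except DeliveryError as err:
        print("refused:", err)
```

The refused attempt is written to the audit log before the error is raised, which gives the security team a record of every mismatch between an open account and a requested document.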

______________________________

MAKE SURE THAT YOUR DOCUMENT AND MESSAGING PORTAL WORKS PROPERLY.

______________________________

Can I emphasize this more strongly? If your document portal does not work, your employees will take insecure actions to work around it to get their jobs done. They likely have angry customers complaining because things aren’t working and are taking too long. They may have internal supervisors pushing them to get their job done. They could have coworkers who are angry because they are waiting for documents or information to complete their own work. So the employee will tell the customer to email their document or send it in some other insecure fashion.

You have just defeated the purpose of the thousands or millions of dollars you spent to create that secure document management or communication system.

Test your system for functionality and security bugs. Test edge cases, cross-account access, multiple customers, privilege escalation, duplicate accounts, document upload processes, networking problems during checkout, happy paths, application programming interfaces, potential security vulnerabilities, and all the different logical problems that are created when customers and employees take strange paths through the system.

I used to build back-office banking systems, retail, tax, and e-commerce systems. I’ve done my own testing and worked with some very good quality assurance people. You need highly skilled, well-trained people to test systems to flesh out potential bugs. Often companies hire less skilled people for this purpose and the results speak for themselves.

Benefits of a secure document management and communication portal

If people are trained to only use the secure document portal related to a process you can get them out of the habit of clicking documents in email. A secure portal can verify the identity of individuals sending documents and check documents for malware. If people only use the secure portal for documents then they won’t be apt to click emails they think are coming from customers or other employees related to a transaction.

Secure document management and process portals for a specific process can ensure documents do not contain malware using a number of mechanisms to validate and transform documents. I mentioned that I reviewed a document management system. I talk about that in more detail in my cybersecurity class. I was very impressed with how they handled documents uploaded to their system to ensure they did not contain malware.

If your team doesn’t know how to build a secure document management system then leveraging a third-party secure portal from a company well-versed in handling documents securely is a great way to offset your risk. I wanted to use a third-party solution back then because I knew my team, tasked with building a document upload process for a financial institution, was not aware of the risks associated with that process. Neither were the architects pushing me to store documents, unencrypted, in an internal document store. None of them were trained in application security — or any type of security for that matter.

Ensure that whatever company and developers you use to build and deploy document upload processes understand the potential software vulnerabilities, how document upload systems can be attacked, and how to build a secure system that prevents those attacks.

Ask if third-party vendors can provide you a penetration test report. See if they have any certifications such as CSA Star or SOC 2 compliance. I’m not the biggest fan of SOC 2 compliance but at least it shows the company has made an effort to prove they have secure systems and processes. A security assessment such as those 2nd Sight Lab performs may involve asking them more details about their software development practices.

I often find issues with the document upload portion of websites when I perform penetration tests. It is one of the key areas where attackers can insert malicious code into systems. However, properly designed document upload processes can be more stringent than email systems. They know what types of documents should be uploaded and can perform more specific validations than an email system that generically allows any type of document.
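A sketch of the more specific validation a portal can apply, as an added example that is not from the original post: each document request accepts only the formats it expects, and the file content must match the claimed extension. The request types, size limit and function name are assumptions, and the sample bytes in the demo are constructed.

```python
import os

MAX_BYTES = 10 * 1024 * 1024  # assumed upload size limit for this sketch

# Leading bytes that identify each accepted file format.
SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Hypothetical document requests: each lists the only formats it accepts.
REQUEST_TYPES = {
    "tax_return": {".pdf"},
    "photo_id": {".png", ".jpg", ".jpeg"},
}


def validate_upload(request_type, filename, data):
    """Return (accepted, reason) for one uploaded file.

    Unlike an email gateway, the portal knows which document was requested,
    so it rejects everything that is not one of that request's formats.
    """
    allowed = REQUEST_TYPES.get(request_type)
    if allowed is None:
        return False, "unknown document request"
    # The client-supplied name must be a bare file name, never a path.
    if any(ch in filename for ch in "/\\\x00"):
        return False, "file name contains a path"
    # Only the final extension counts, so "return.pdf.exe" is an .exe file.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in allowed:
        return False, "file type not accepted for this request"
    if not data or len(data) > MAX_BYTES:
        return False, "file is empty or too large"
    # The content must start with the signature of the claimed format.
    if not data.startswith(SIGNATURES[ext]):
        return False, "content does not match file extension"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample uploads.
    samples = [
        ("tax_return", "2020-return.pdf", b"%PDF-1.7\n% constructed sample"),
        ("tax_return", "2020-return.pdf", b"MZ\x90\x00 constructed sample"),
        ("tax_return", "return.pdf.exe", b"%PDF-1.7\n"),
        ("photo_id", "../license.png", b"\x89PNG\r\n\x1a\n"),
    ]
    for request_type, name, data in samples:
        print(request_type, name, validate_upload(request_type, name, data))
```

A signature check is only a first gate: it shows the file claims to be an expected format, not that its content is free of malware.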

A centralized document management system is easier for your security team to manage than employee laptops distributed potentially all over the city, country, or world. Of course, your security team will try to keep employee laptops secure. However, if you can maintain critical documents in a secure system with appropriate backups and monitoring, it will be easier for the security team to focus on monitoring logs related to that system and employee access to it.

I think I read this in the book about Steve Jobs: People told him that customers would never pay for an individual song (iTunes). He responded by saying that if you made it easier than stealing music or purchasing it some other way, people would pay for it.

If you make your document management system easier to use than the alternative, people will use it.

I would tell my DevOps team when we were building the secure deployment pipeline I architected — if people are complaining about it and trying to get around it, we did it wrong. It needs to be fixed. I mentioned in my last post that you need a way for employees to provide feedback for this reason.

The other thing I explain in my security class is that if people understand the reason something exists, they will be more apt to accept it. For example, we all understand why our bags need to be scanned at the airport and it’s a hassle and takes longer but generally, we accept it. There’s a good reason for that process.

If you explain to your employees why the secure document portal exists, they may be more apt to use it.

A good way to help people understand why they need to follow certain security processes is to teach them cybersecurity fundamentals. They need to understand what can go wrong when workarounds and alternate means of sharing data exist. You can also reinforce security by having more people on your team who understand it keeping each other in check. Build a security mindset at your company by teaching people how to think about security.

Teri Radichel | © 2nd Sight Lab 2021
