TheMReport — News and strategies for the evolving mortgage marketplace.
Issue link: http://digital.themreport.com/i/328038
Th e M Rep o RT | 15 cover story By Tory Barringer I f you've somehow made it through the last few months without hearing about Heartbleed, now might be a good time to acquaint yourself. The security flaw—exposed in early April by Google Security and a team of engineers at cybersecu- rity firm Codenomicon—affected certain versions of OpenSSL, alto- gether impacting about two-thirds of active Internet servers today. Put simply, it left open a hole for attackers to pull user credentials and encryption keys themselves, leaving vast amounts of data po- tentially up for grabs. Heartbleed isn't the only secu- rity glitch to show up in the news lately. Mortgage tech followers might remember another incident in early April, when Ellie Mae made headlines following a system outage "consistent with an external malicious attack characteristic of a distributed denial of service (DDoS)"; in other words, the com- pany's network was flooded with enough information at one time to trigger an overload. (Days later, Ellie Mae revealed the downtime was caused not by attackers but rather by an un- expected jump in demand at the end of March. Despite the fact that no attack was made and no data breached, in the company's latest quarterly earnings report, CEO Sig Anderman revealed Ellie Mae has committed funds to bolstering its infrastructure, security included.) If there is a silver lining to sto- ries such as these, it would be the conversation that's ensued about security in the face of rapidly changing technology. As more mortgage firms become growingly dependent on automated solutions and electronic file management, national reports about issues like Heartbleed shine a spotlight on the importance of making sure those packages of borrower infor- mation—virtual treasure chests for hackers—stay private. Waiting for a Wake-Up Call W ho suffers most in the event of a data breach? Undoubtedly, there's a lot at stake for the average American whose financial details have been left un- protected, but there's just as much risk for the company that failed to do any protecting. Unfortunately, just as it is with consumers, too many organiza- tions are happy to push security concerns to the back burner until a highly publicized breach forces them to wake up. Allen Harper, EVP and chief hacker for cyberse- curity firm Tangible Security and author of Gray Hat Hacking: The Ethical Hacker's Handbook, calls these types of high-profile incidents "CNN-level events." "They just haven't experienced a CNN moment," Harper said. "Somebody's going to have to be made an example of, and they're all kind of hoping it's not them." Rather, he says, the mortgage industry—like many others—has adopted a largely "if it isn't broke, don't fix it" stance regarding secu- rity, whether it's because of costs or complications. A perfect demonstration of that mentality can be found in a re- cent investigation from HALOCK Security Labs, in which the security company found that 70 percent of lenders nationwide—in- cluding a majority of the coun- try's top lenders—allow mortgage applications to send their personal and financial information through unencrypted email channels or faxes. Asked why they don't offer a secure email portal to applications, many respondents reportedly said it was simply a Taking the Bait