Looking back on 2016, mortgage bankers endured hundreds of CryptoLocker and similar ransomware attacks; millions of dollars of losses from phishing-based schemes that redirected corporate funds to criminals; and hundreds of "inside jobs" in which proprietary information, including pipeline and prospect data, was stolen. One of the most spectacular incidents to come to light so far resulted in a $25 million verdict against Guaranteed Rate Mortgage for the alleged theft of five gigabytes of data by nine former employees of a competitor hired by Guaranteed Rate.
There is one common thread running through almost every cyber incident: the breach was caused, intentionally or unintentionally, by the lender's own employees. Consider the first of many "tales from the trenches" of mortgage banking.
An employee inserted an infected USB thumb drive into a laptop, compromising it completely. The attacker installed a keystroke logger and other malware, gained full network access, including the loan origination system (LOS) application and customer data files, and then used the laptop as a gateway into the other systems of a federally insured bank.
Why standard cybersecurity fails
As a lender, you may be thinking, "Can't happen to us. We use anti-virus software." Signature-based anti-virus recognizes known threats. Attackers simply write or repackage code that has not been widely distributed, put it on the USB thumb drive and walk past signature detection; heuristic and behavioral scanning helps, but it is not reliable against malware built for one target. A device-control policy that blocks unapproved removable media closes this door far more reliably than any scanner.
A mortgage branch manager was granted administrative "superuser" access as a substitute for a properly configured LOS persona. Loan officers of record were changed, giving unregistered loan officers, some of whom were not even current employees, access to the system. This blossomed into under-the-table cash commission payments, Nationwide Mortgage Licensing System exceptions and a complete breach of the lender's LOS. The branch left in a group walkover to another lender and took mortgage leads, pipeline data and personally identifiable information (PII) with it.
Lenders rely on technical tools such as firewalls and security appliances to protect against breaches, but an employee invites the attacker in by falling prey to a phishing email. Clicking on the lure often bypasses the firewall and security hardware entirely, because the resulting connection originates from inside the network. This is a failure of basic internal protocol controls: the procedures employees are supposed to follow but often do not. The Democratic National Committee hack, which began with a phishing email, and the U.S. Office of Personnel Management breach, which began with compromised contractor credentials and exposed the background-investigation records of roughly 22 million people, illustrate how large the consequences can be. These incidents and countless others started with a person clicking a malicious link or giving up a credential.
The Honorable Tom Ridge, former Secretary of the U.S. Department of Homeland Security, has said, “Sometimes, a phishing exercise is very attractive, and before you know it, somebody has access to your system. Or, there’s a candy drop; you might get a thumb drive with a note on it, with something attractive to you, and you plug it into your system. The greatest vulnerability is insiders, employees and former employees, [and] vendors and former vendors.”
Regulatory requirements and risk
The Safeguards Rule of the Gramm-Leach-Bliley Act requires financial institutions, banks and non-bank mortgage lenders alike, to maintain a written information security program with administrative, technical and physical safeguards appropriate to their size and to the sensitivity of the customer data they hold. Information security is often left to the IT department, while CEOs and senior production executives focus on great customer service and making profitable loans. But information security should be one of the key priorities of the CEO and chief production executive. It is not just about firewalls and technical systems. It is a business strategy that must be embedded throughout the mortgage banking operation.
Vulnerabilities and dangers
Almost every lender that has been hacked had previously had a penetration test performed, after which the chief information officer or other IT personnel reassured executives that all was well. Unfortunately, this creates a false sense of security: a penetration test is a snapshot of the systems in scope on one date, and it says little about what a trusted user with excessive privileges can do. Mortgage lenders typically utilize branches and loan officers in remote locations. The LOS is a treasure trove of PII: credit reports, Social Security numbers, employment histories and lists of assets. Everything a criminal, or an ethically impaired loan officer or branch manager, might want.
Most LOS are provided as "software as a service," meaning the LOS provider hosts the system and secures the platform. Security of the accounts inside that platform, however, remains the lender's job. The lender's system administrator controls access but oftentimes grants excessive system privileges because LOS roles and responsibilities are poorly defined. Excessive user privileges are often at the heart of PII loss.
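The access review that catches the two stories above (a production manager holding superuser rights, and active logins for people who are no longer employees) is a reconciliation of the LOS user export against the HR roster. The script below is an added example, not code from the article or from any LOS vendor: the column names, the role names ("Administrator", "Loan Officer"), the department that is allowed to hold administrator rights, and every sample row are constructed for illustration, so adapt them to the real export and roster.

```python
"""Added example (not from the original article or any LOS vendor): reconcile an
LOS user export against the HR roster to find the excess-privilege patterns the
text describes. Column names, role names and every row below are constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List

# Constructed LOS user export. A real export will have different columns.
LOS_USERS_CSV = """username,role,status,nmls_id,last_login
jsmith,Loan Officer,active,123456,2016-12-20
bmanager,Administrator,active,234567,2016-12-21
tleft,Loan Officer,active,,2016-11-02
sysadmin1,Administrator,active,,2016-12-21
pclerk,Processor,active,,2016-12-19
oldlo,Loan Officer,active,345678,2016-06-15
"""

# Constructed HR roster of current employees: the source of truth for "who works here".
HR_ROSTER_CSV = """username,department,title
jsmith,Sales,Loan Officer
bmanager,Sales,Branch Manager
sysadmin1,IT,Systems Administrator
pclerk,Operations,Processor
oldlo,Sales,Loan Officer
"""

AS_OF = date(2016, 12, 31)            # review date used by the stale-login check
ADMIN_ROLES = {"Administrator"}       # hypothetical LOS role names
ORIGINATING_ROLES = {"Loan Officer"}
ADMIN_DEPARTMENTS = {"IT"}            # hypothetical: only IT may hold an admin persona
STALE_DAYS = 90


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str


def review_access(los_csv: str, hr_csv: str, today: date) -> List[Finding]:
    """Return one Finding per control violation in the LOS user export."""
    los_users = list(csv.DictReader(io.StringIO(los_csv)))
    roster = {r["username"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for u in los_users:
        name = u["username"]
        if u["status"] != "active":
            continue                      # disabled accounts are out of scope
        emp = roster.get(name)
        if emp is None:
            # Active login with nobody on the payroll behind it: the "not current
            # employees" case from the branch-manager story. Nothing else to check.
            findings.append(Finding(name, "active LOS account with no current employee"))
            continue
        if u["role"] in ADMIN_ROLES and emp["department"] not in ADMIN_DEPARTMENTS:
            # Superuser access handed to a production manager instead of a proper persona.
            findings.append(Finding(name, "administrator role outside IT"))
        if u["role"] in ORIGINATING_ROLES and not u["nmls_id"].strip():
            findings.append(Finding(name, "originating role without NMLS ID"))
        last_login = date.fromisoformat(u["last_login"])
        if (today - last_login).days > STALE_DAYS:
            findings.append(Finding(name, f"no login in {STALE_DAYS} days"))
    return findings


if __name__ == "__main__":
    for f in review_access(LOS_USERS_CSV, HR_ROSTER_CSV, AS_OF):
        print(f"{f.username:12} {f.issue}")
```

Run against the constructed data, the review flags the branch manager's administrator role, an active account with no employee behind it, and a loan officer who has not logged in for months. Run it on every payroll cycle, not once a year: the walkover in the story happened between reviews.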
In a recent case, inadequate controls over a lender's pipeline of leads and loans in process let a branch manager and loan officers duplicate this information and take it to a competitor when they resigned.
In another case, a lender belatedly found out that a just-hired top loan officer had transferred the entire contents (several gigabytes) of her former employer's laptop to the new lender. Of course, this included PII and other proprietary information belonging to the former lender. This was a lawsuit waiting to happen.
Information security is not focused solely on a lender's technical systems. It is also the procedures used to monitor what is happening to the lender's LOS and data: what data is imported or exported, in what volume, and who executes each of those operations.
A loan officer sitting in a nationally known coffee shop connected to a "spoofed" Wi-Fi network carrying a familiar name. The attacker then took control of the loan officer's email account and quietly harvested PII over an extended period. That knowledge was used to redirect wire proceeds to an attacker-controlled bank account by convincing the lender's closing department that the closing agent's bank account had changed. The closing department employee was fooled by detailed knowledge of an upcoming closing, obtained from the hacked email account. A call-back to the closing agent at a previously verified phone number, required for any change in wire instructions, would have stopped the loss regardless of how convincing the email was.
Each of these incidents resulted in material risk to the lender and compromise of the lender’s systems.
Some lenders misconfigure the LOS and unknowingly put themselves and their clients' data at risk. Others have a properly configured LOS, but poor security awareness among users undermines the controls. Sometimes "good people do bad things" and circumvent the established security policies and protections; "bad apple" employees circumvent them on purpose.
Mortgage lenders are increasingly integrating their LOS with third-party systems. Each integration is a possible weakness and a potential door through which an attacker can enter. For instance, an interface between an LOS and a customer relationship management (CRM) system was recently hacked, and customer data exchanged between the two systems was exfiltrated. Integration credentials deserve the same treatment as user accounts: scoped to the fields the partner actually needs, rotated, and logged.
In another case, a lender kept an unsecured copy of LOS customer data in a reporting database used to generate reports. This speeds reporting and reduces the load on the LOS. It also creates risk. Employees planning to leave the company exfiltrated data from this reporting database. The CEO was surprised to find this internally created weak link because he believed the LOS vendor's security was impressive and effective. It was, but an unencrypted, unmonitored reporting database on the company network undid the LOS's protection of customer data.
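Both the pipeline duplication described earlier and the reporting-database case above share one detectable signature: a user pulling far more records, or pulling them at far stranger hours, than the job requires. The detector below is an added example, not code from the article; it runs over a constructed audit log whose format, user names, business-hours window and row threshold are assumptions, and it shows the monitoring of "what data is exported and by whom" that the text calls for. It will only ever see what the database logs, so the first step for a reporting copy like the one in the story is to turn query auditing on and encrypt the database at rest.

```python
"""Added example (not from the original article): flag bulk and after-hours exports
in the audit log of an LOS or reporting database. The log format, user names and
thresholds are constructed for illustration; adapt the regex to the real log."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed audit log: one line per query or export against the reporting database.
AUDIT_LOG = """\
2016-12-19 09:14:02 user=jsmith action=export table=pipeline rows=35 src=10.20.1.15
2016-12-19 09:40:11 user=jsmith action=export table=pipeline rows=22 src=10.20.1.15
2016-12-19 13:05:47 user=pclerk action=query table=loans rows=3 src=10.20.1.31
2016-12-19 21:52:30 user=tleft action=export table=pipeline rows=2200 src=10.20.1.48
2016-12-19 22:03:14 user=tleft action=export table=borrowers rows=3100 src=10.20.1.48
2016-12-19 22:11:58 user=tleft action=export table=leads rows=900 src=10.20.1.48
2016-12-20 08:30:00 user=jsmith action=export table=pipeline rows=40 src=10.20.1.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)
WINDOW = timedelta(hours=1)      # sliding window for the volume check
ROW_THRESHOLD = 1000             # hypothetical: nobody needs >1,000 rows in an hour
BUSINESS_HOURS = range(7, 20)    # 07:00 to 19:59 local time; assumption


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str        # "after_hours" or "bulk_export"
    ts: datetime
    rows: int        # rows in this event (after_hours) or in the window (bulk_export)


def parse(log: str) -> list:
    """Parse the audit log into dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"], "action": m["action"],
            "table": m["table"], "rows": int(m["rows"]), "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(log: str) -> List[Alert]:
    """Return an Alert for every export outside business hours and for every
    export that pushes a user's one-hour total above ROW_THRESHOLD."""
    alerts = []
    recent = defaultdict(list)   # user -> exports inside the last WINDOW
    for e in parse(log):
        if e["action"] != "export":
            continue
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(Alert(e["user"], "after_hours", e["ts"], e["rows"]))
        hist = recent[e["user"]]
        hist.append(e)
        while hist and e["ts"] - hist[0]["ts"] > WINDOW:
            hist.pop(0)          # slide the window forward
        total = sum(x["rows"] for x in hist)
        if total > ROW_THRESHOLD:
            alerts.append(Alert(e["user"], "bulk_export", e["ts"], total))
    return alerts


if __name__ == "__main__":
    for a in detect(AUDIT_LOG):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user:8} {a.kind:12} rows={a.rows}")
```

On the constructed log the routine daytime pulls by the loan officer and processor produce nothing, while the departing employee's three late-evening exports each raise an after-hours alert and push the rolling one-hour total to 6,200 rows. In practice the threshold should come from each role's normal volume, and the alert should go to the same SOC that receives endpoint events so that the two can be correlated.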
Stopping 90% of security incidents
The conundrum for lenders is balancing ease of use and effective security. A lender can achieve outstanding security but have a system so locked down that employees find it difficult to do their jobs. Or a lender can have a very easy-to-use system but ineffective security. Is there a “sweet spot” that provides enough ease of use with effective security?
Chief information officers and chief information security officers often speak in terms of a "security stack": the various layers of perimeter and network security designed to prevent data breaches and hacker exploits such as ransomware. This is an admirable approach as far as it goes, but it ignores the fact that, by most industry estimates, around 90% of breaches start with phishing or social engineering. Humans remain the weakest link in a lender's information security.
Mortgage lenders have field loan officers and off-site employees constantly handling customer data. Multiple offices, combined with these mobile employees, compound the security problem. The security stack is a good start. A lender's information security effectiveness can be greatly increased with two additions to the typical security stack: hardening employees against social engineering and active monitoring of every endpoint in the lender's environment. Combined with the traditional security stack, these two additions can meaningfully increase information security.
Social engineering defenses
Hardening employees to social engineering is a combination of training, testing and adjustments. In a typical social engineering test, 50% of a lender’s employees click on a phishing email. Ten percent to 20% click on an attachment or grant permission to enable macros or other highly dangerous behavior. Five percent of the employees are “serial” clickers, meaning they click on just about everything.
After individual Web-based training spread over 30 days, the click rates are reduced by 75% or more, and the highly dangerous behaviors are reduced by 80% to 90%. There are usually a few “serial clickers” identified, and their security permissions (or probability of continued employment) can be reduced to offset their susceptibility to phishing and clicking.
Continued testing is essential, as phishing email "bait" is constantly evolving. Effective testing involves sending five to seven customized phishing emails per month to all employees. The task can be outsourced easily and cost-effectively to third-party providers. Training can be added or modified if employees prove susceptible to certain types of phish.
Testing, training and monitoring are good governance. A client recently leveraged its anti-phishing program to great effect with a state regulator that has a reputation for being very aggressive on information security matters. The testing system can be automated for greater efficiency.
The addition of social engineering training for employees typically reduces susceptibility to social engineering exploits, such as phishing email, infected USB storage devices and suspicious websites that contain infected links.
Active monitoring of all endpoints (laptops, desktops, servers and certain infrastructure hardware, such as routers) can rapidly identify a security incident and allow for immediate response and remediation. An incident could be an employee clicking on a phishing email that drops malicious code onto his or her laptop or desktop. The endpoint monitoring agent quickly identifies a new process that is either "known bad" or unknown and reports it to the security operations center (SOC). The incident is classified and, if the code is malicious, the SOC can instruct the agent to isolate the machine from the rest of the lender's network, remove the code from the computer's memory and storage, or both. Speed matters here: the interval between the first click and the attacker's move to other systems is the window in which isolation is cheap.
Endpoint monitoring agents are particularly important to shield the lender from threats introduced by third-party vendors. The lender’s use of third parties to interact with its LOS increases the chance that vendors can be a path to introduce malware into a lender’s systems. Endpoint monitoring can effectively monitor, identify, respond to and remediate security incidents, including those incidents introduced by a vendor.
Going beyond information security
The addition of social engineering training, testing and endpoint monitoring agents to a lender's security stack can substantially increase a lender's information security effectiveness. Perhaps surprisingly, the social engineering training and testing is best run outside the lender's information security department; it can report to the chief operating officer or the risk management function. The endpoint agents are necessarily operationalized by the information technology function, but SOC reporting should go to both IT and risk management to ensure a broad-based response to any agent-detected threat.
Finally, realize that as a lender, you have been breached or will be breached. Make a New Year's resolution to improve your security. A typical third-party-administered social engineering training and testing program plus third-party endpoint agent monitoring runs about $10 to $15 per month per employee. This is a reasonable investment for a large multiplication of the power and protection of a lender's security stack, and it substantially contributes to meeting the state and federal information security requirements imposed on lenders.
James M. Deitch, CPA, CMB, is CEO and co-founder of Teraverde, a national consulting firm serving the banking and financial industries. A mortgage banking industry thought leader, author and speaker, with extensive sales, operating and capital markets experience, Deitch has served as CEO of mortgage lenders and banks, including two de novo banks, over a period of 25 years. In addition, he has authored about a dozen articles on information security and has released a book, “Hacked. Screwed. Gone.” He can be reached at firstname.lastname@example.org.