Mortgage Software Solutions Blog

Business Data Security and Multi-Factor Authentication

Get an extra level of security with multi-factor authentication or MFA.

Each year, cybersecurity gets more complicated.

According to anti-virus developer Panda Security, the amount of malware created by cybercriminals is predicted to grow exponentially with each passing year.

Companies have to face the reality that a security breach has a serious impact on business.

To avoid the distress of company-wide damage control and a PR nightmare, it’s best to make sure security is in good shape.

Real Business Impact

For some businesses, consumer data handling is the main issue.

Financial institutions such as banks and mortgage companies are often targeted by hackers because they house the most personal information.

With major security failures like the Equifax breach of 2017 making international news, the finance industry’s cybersecurity worries are real.

More is at stake than information. A data breach can mean sales losses and a tarnished reputation that lasts for years.

From fines to fraud, there are monetary repercussions as well.

So what is the fastest way to tighten security on cloud-based and traditional networks?

Multi-Factor Authentication

Data breaches in single-factor authentication systems often exploit the system login credentials or passwords of users.

Multi-factor authentication or MFA is a group of security measures that go beyond the traditional password in order to correctly identify a person for system access.

MFA is becoming more prevalent in the financial industry. This kind of authentication was adopted by the Payment Card Industry Data Security Standard (PCI DSS) in February of 2017 and was listed as a standard for the mortgage industry in the State of New York in the same year.

Multiple factors mean heightened levels of information that only the user can provide.

These factors can be a number of different security measures. A “soft token” is when security software generates a one-time-use passcode sent to the user’s mobile device. This type of authentication can also be executed with a text message, phone call, or an email with a hyperlink.

Other factors run the gamut from predefined security questions to biometric identifiers like fingerprints or facial recognition software.

Only the correct user knows the information or is in the circumstance to receive the passcode, so using MFA means only the approved user is given access.

The Modern Office

Another issue with security is the modern office environment.

There are a growing number of remote workers. Employees want access to work-related applications from outside the office.

In this mobile workforce, employees are moving off of network-approved computers and onto personal or public machines. It’s up to the IT department to facilitate their work and make sure they go through a heightened level of security checks.

MFA is an authentication strategy that allows IT to deliver this level of remote access. It solves the problem of identifying recognized employees while maintaining a solid defense against intruders.

User Experience

The final consideration when implementing cybersecurity measures is user experience.

With higher scrutiny comes more annoyance for employees who have to prove their authorization.

IT staffers need to balance security measures with user convenience.

One development that improves this balance is “adaptive” MFA. This security technology evaluates the risk factor of the user and then adapts the number of factors required for entry to the system.

An employee using a company-issued laptop at a café with an IP address across the street from headquarters is considered a low-risk access attempt. This situation does not require extra security measures.

On the other hand, if someone is trying to gain access on an unrecognized device in a location where the company doesn’t have an office (e.g. employee is attempting to do work on her tablet while vacationing in Bali) then the number of factors required will be at the maximum level. The employee jumps through some hoops, but with an understanding of why.


Data breaches are happening at the enterprise level at an alarming rate. A watchdog organization called Breach Level Index estimates that every second, an average of 57 records are stolen.

Employees are moving towards a more mobile work environment with wide geographic distribution.

For companies who handle consumer data, implementing MFA is simply one of the most effective ways to crack down on security violations and keep up with the modern workplace.

Businesses that use the MortgageWorkspace management software by ABT are protected by multi-factor authentication and a host of other cybersecurity measures. Contact us to learn more.


Lawmakers Crack Down on Consumer Data Breaches


New bill to increase cybersecurity oversight in the United States.

Guns are blazing in the US Congress.

In the wake of the major Equifax data breach that lasted from mid-May through July of 2017, US Senator Elizabeth Warren leads the charge in attempts to hold credit reporting agencies responsible for their own cybersecurity.

With a bill proposing to rope the Federal Trade Commission (FTC) into oversight and calling for investigation of the Equifax breach, Warren introduced the Data Breach Prevention and Compensation Act of 2018 to Congress on January 10, 2018.

What Prompted the Bill?

According to Equifax, hackers gained access to sensitive consumer data and maintained access over the course of two months in 2018.

The data that was compromised included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. Victims of the data theft are US citizens as well as people in the UK and Canada. The hackers also stole credit card numbers for 209,000 people.

Though the breach is a significant blunder for the credit reporting agency, Equifax responded by suggesting that the public find out if their information was exposed and allowing victims open enrollment in one year of free credit monitoring services.

Victims and consumer protection agencies alike saw the Equifax response as lackluster and tone deaf.

With identity theft and credit scores hanging in the balance, the public was outraged.

Calling Out the Big Guns

Senator Warren responded on behalf of consumers with a flurry of letters to potential oversight agencies, the United States Government Accountability Office (GAO), and to the three major credit reporting agencies themselves.

In the letter to the GAO, Senator Warren notes that consumers have no control over how their information is collected and used by companies like Equifax. Though credit reporting agencies hold unique power over the management of consumer data, nobody is sure who oversees their mishandling of this sensitive information. Even more shocking is that Equifax seemed to experience no official repercussions due to the hack.

In the letters and the resulting bill, Warren requests clarification of supervisory bodies and demands accountability for the credit agencies in order to protect consumers from future breaches.

In her letters, Senator Warren calls on the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) to consider whether they have authority over credit agencies and could enforce stricter cybersecurity guidelines.

The bill also calls for a significant increase in oversight by the formation of a new oversight body in the FTC. An Office of Cybersecurity is proposed to establish standards for data security, supervise consumer information handling, enforce guidelines, and impose punishment against agencies that don’t comply.

At the heart of the legislation is the protection of data in an industry headed towards more computer- and web-based storage than ever before.

Real Penalties for Serious Breaches

Senator Warren is not alone. Senator Mark Warner from Virginia co-signed the resulting bill. The goal is that with official government oversight, future breaches would be avoided as a result of financial penalties.

Under the terms of the proposed bill, agencies would suffer a $100 fine for each consumer whose private information is compromised plus $50 for each secondary piece of information belonging to that person.

Equifax would have faced $1.5 billion in fines in this case.

In an industry where money talks, this kind of legislation should convince agencies who manage consumer data to get their act together preemptively before letting consumer data fall into the wrong hands.

Inadequate security and a response the equivalent of a company-wide shrug will no longer be tolerated.

Response by Financial Institutions

The push for legislation and further oversight by lawmakers means that banks, credit agencies, and other financial institutions will need to up their cybersecurity game.

To avoid getting hit with major fines and extensive media blowback, the finance industry will be forced to plan ahead and protect sensitive consumer data from hackers like the group that hit Equifax.

Has your banking institution taken steps towards increased security? Is your board of directors aware or concerned about this legislation? Is your company addressing cybersecurity weaknesses in your systems?

Reaching out to software security experts is the obvious way to avoid getting hit with major fines or extensive media blowback. With help from tech folks, the finance industry can plan ahead and protect sensitive data from hackers like the group that hit Equifax.

ABT’s cloud-based portal MortgageWorkSpace adds banking-level security to email, servers, PCs and mobile devices in the mortgage industry. Contact us to learn more.


7 Common Questions About Multi-Factor Authentication (MFA)

As data security professionals, it's clear to us why mortgage companies should be using multi-factor authentication (MFA) in their businesses. Yet many mortgage firms are still resistant to adopting this technology for fear that it will only complicate processes and slow productivity. However, the benefits of this added security far outweigh the additional effort it requires.

Here are answers to seven of the most commonly asked questions about MFA that you should consider before ruling out multi-factor authentication for your mortgage business.

1. What is MFA?

Multi-factor authentication (MFA) combines two or more independent authentication factors. For example, suppose your website required your clients to enter something only they would know upon login (password), something they have (like a one-time smartphone authentication token provided by special software), and a biometric identifier (like a thumbprint). It is pretty hard for a mortgage cyber-attacker to have all three of those items, especially the biometric identifier.

2. That seems like overkill. What is the point of all that security?

The goal of MFA security systems is to create layers of authentication that defend against hackers trying to breach your system's defenses. If a hacker breaches one authentication layer, there are one or two more still holding the line. MFA makes breaches more complicated and time-consuming for hackers.

When you consider that a breach of your security system exposes your mortgage clients to identity theft and fraud, protecting them with a layered system of security only makes sense. Old-fashioned security measures are no match for today's cyber criminals.

3. Are there typical multi-factor authentication systems I should consider?

Yes. Some systems require swiping a card at login and entering a PIN. Others require the username/password and then an additional one-time password that the system generates and sends to the client's phone. This system is popular with banking websites, and using such a system would benefit mortgage companies as well. Other authentication systems require the user ID, the user's fingerprint, and the answer to a security question. Still others require users to first download a virtual private network (VPN) that has a valid certificate and then log in to the VPN in order to access the network.

It’s best to discuss your unique situation and security needs with an IT professional to determine exactly what type of multi-factor authentication will work best for you.

4. So, mortgage companies are vulnerable to such full-scale hacker attacks?

Absolutely. As computer processing speeds have increased, the scale of attacks on financial institutions and other businesses has increased. In addition, there are new hacker tools that can crack password codes more easily than ever before.

The GPGPU, for example, is a general purpose graphics processing unit. GPGPUs can conduct calculations that would normally be done on a CPU at a higher rate: 500,000,000 passwords per second!

Another tool, known as rainbow tables, can crack 14-character passwords (even those with alphanumeric characters) in less than three minutes. It is not hard to see that one-layer password protection and even two-layer protection are no longer good enough.

5. I still don't get it. How does MFA work?

Multi-factor authentication throws a few roadblocks in the hacker's pathway. Location factors are one way for a security system to verify a person's identity. For example, work schedules and location can determine whether a user is who he says he is. Time is another example of a security layer. If a person uses his phone at a job in the US, it is physically impossible for him to use it again from Europe 15 minutes later. These are especially helpful in online bank fraud and, by extension, mortgage company fraud.
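The location and time checks described here, combined with the "adaptive" MFA decision from the first post on this page, can be sketched as follows. This is an added example, not any vendor's implementation; the office coordinates, device IDs, the 50 km and 900 km/h thresholds and all function names are assumptions, and the sample logins are constructed.

```python
import math
from datetime import datetime, timedelta, timezone

# Constructed sample data: office location, device ID and thresholds are assumptions.
OFFICES = {"HQ": (40.7128, -74.0060)}
MANAGED_DEVICES = {"laptop-0042"}
NEAR_OFFICE_KM = 50        # within this distance of an office counts as a known location
MAX_PLAUSIBLE_KMH = 900    # about airliner cruising speed
MAX_FACTORS = 3

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(prev, cur):
    """True if getting from the previous login to this one needs an implausible speed."""
    km = haversine_km(prev["geo"], cur["geo"])
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600
    if hours <= 0:                       # simultaneous or out-of-order events
        return km > NEAR_OFFICE_KM
    return km / hours > MAX_PLAUSIBLE_KMH

def required_factors(cur, prev=None):
    """Return (number of factors to demand, list of reasons) for a login attempt."""
    factors, reasons = 1, []             # the password is always required
    if cur["device"] not in MANAGED_DEVICES:
        factors += 1
        reasons.append("unrecognized device")
    if min(haversine_km(cur["geo"], o) for o in OFFICES.values()) > NEAR_OFFICE_KM:
        factors += 1
        reasons.append("no office near this location")
    if prev is not None and impossible_travel(prev, cur):
        factors = MAX_FACTORS
        reasons.append("impossible travel since last login")
    return min(factors, MAX_FACTORS), reasons

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp

def login(device, geo, minutes=0):
    return {"device": device, "geo": geo, "time": T0 + timedelta(minutes=minutes)}

CAFE, BALI, LONDON = (40.7130, -74.0055), (-8.4095, 115.1889), (51.5074, -0.1278)
if __name__ == "__main__":
    print(required_factors(login("laptop-0042", CAFE)))
    print(required_factors(login("tablet-personal", BALI)))
    print(required_factors(login("laptop-0042", LONDON, 15), login("laptop-0042", CAFE)))
```

Geolocation derived from an IP address is approximate and VPN exits shift it, so a signal like this is better used to step up authentication, as here, than to block outright.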

6. Sounds like something the mortgage industry should consider. Are there any legal or legislative considerations?

Yes. The Federal Financial Institutions Examination Council (FFIEC) issued a directive for multi-factor authentication in the banking sector. We believe that the mortgage industry and the regulators are moving toward a place where mortgage companies will be subject to the same information security standard as the banking industry, meaning mortgage companies will need to implement this technology to maintain security compliance.

7. How do I know what MFA layers would be good for my mortgage business?

You can read more about MFA. For instance, read this buyer's guide for MFA products.

If you want to talk more about MFA, or any other vulnerability management solutions, please contact us. MortgageWorkSpace®’s cloud interface is a convenient entry point to your company that will help you manage your secure information. This secure portal provides you access to your team (by group, branch office, and/or department), their security, their devices, and data. You can control and manage your entire workforce from one web-accessible point with rich features like single sign-on, multi-factor authentication, and user application logs. This way, you can be sure you are keeping track of every aspect of your security.

We look forward to helping you protect your clients' and your network's information security.
