Cybersecurity firm raises concerns about lenders’ practices

A sold sign is posted in front of a home in San Francisco.
(Justin Sullivan / Getty Images)

If the ease with which hackers pilfered the financial information of millions of Target and Neiman Marcus customers has you worried about how easily your private data can be lifted from your mortgage company, wait until you hear what a major cybersecurity firm found out about lenders.

Here’s a hint: It isn’t good.

According to Halock Security Labs, mortgage companies big and small allow information-sharing practices that put your personal and financial data at grave risk.

Data security: The Housing Scene column in the March 2 Business section about how to ensure that personal mortgage information is safe from hackers said that Brian Koss is president of Mortgage Network. Koss is executive vice president. —

In its investigation of 63 lenders, the Schaumburg, Ill., firm discovered that 7 out of 10 allowed applicants to send their info over unencrypted email as attachments. Moreover, nearly the same percentage encouraged faxing sensitive data, which is somewhat less dangerous but still not as secure as encryption.


Only 40% of the lenders studied offered a postal mail option, and just 12% provided a secure email portal.

Asked why a secure email portal was not offered, several lenders said it was a matter of convenience, or what the customer was “most comfortable with.”

This comment from a survey respondent explains this insecure practice: “Oftentimes it was easier to have my clients send documents like W-2s through email because everyone has access to an email account. Most [lenders] don’t want to take the time to explain what a secure portal is and how to use it. Everyone understands email.”

Do you need to worry? Let Carlos Sa, head of information technology at the Mortgage Network, a lender with 40 offices on the East Coast, answer that question. He says he sees attacks on Mortgage Network’s systems on a regular basis.

“It’s not consistent,” Sa says. “It comes in waves, but they’re mostly very basic attacks.”

A lot of those attempts, according to Mortgage Network President Brian Koss, are not aimed at his company in particular. Rather, he says, hackers “are randomly looking for anyone who has any kind of [financial] data.”


Sa says security keeps taking an increasing part of the budget at the company, just as it has at many others. “A bigger portion every year,” he says.

Much of what’s spent on security is used to set up firewalls, which can be used to prevent malicious information from making its way into the system and prevent specific information from leaking — or being leeched — out. But firewalls can’t protect you or the system from malicious information attached to emails.

The Massachusetts company encrypts all of its laptops before they are shipped to its loan officers. Encryption is an algorithm that turns the message into unreadable cipher text. It won’t prevent hacking, but it reduces the likelihood that the hacker will be able to read the stolen data, rendering it useless.

Sa also tests the company’s computer systems on a regular basis.

“There’s always something in our logs that is interesting and odd,” he says. “People are trying any number of ways to hack our programs.”

So how can you be sure your most personal financial information won’t be snatched from your lender? Here are a few tips:

Brand awareness. If you are sending anything online, be sure you are dealing with brand names. Hackers follow the path of least resistance, and the big-name lenders tend to have the strongest security measures. Also, the lender’s security systems are only as good as those of its weakest contractor. And the big lenders tend to work with only the strongest vendors.


Look for e-signatures. If a company offers an electronic signature process, it shows a heightened level of security awareness and sophistication.

Avoid unencrypted email. Sending anything over the Internet invites trouble. But since regular emails can be hacked by anyone, use only password-encrypted email to send your information to your lender. “Common sense goes a long way,” Sa says. “People are too comfortable with regular email.”

Says security blogger Graham Cluley: “If [email] was invented today, no one would use it. It’s worth the extra effort to go through the paces of using a secure portal.”

Stay away from drop-boxes. Drop-box technologies are fine for most data exchanges, but you have no clue who has access. Keep your private stuff private using encrypted email.

HTTPS. When applying online or sending anything over the Internet, make sure the website itself is secure. Look to see if the URL begins with “https.” And as you go from page to page, make sure the frame and URL have not changed. In other words, make sure the “s” is still there. Otherwise, you could become a victim of a phisher looking to steal your data.

Finally, there’s this warning from Terry Kurzynski, a senior partner at Halock Security: “Any type of weak link in a system involving sensitive information exposes people to unnecessary risk. It takes months to recover from identify theft and minutes to log into a secure portal. Do the math.”


Distributed by Universal Uclick for United Feature Syndicate.