Wednesday, October 29, 2014

A lack of Infosec in the home buying process.

I often get a little edgy when people who deal with personal information throw around the word “secure.” When they say something is “100% safe,” that grates on me as well. Nothing is secure. We’ve been trying to buy a house, and during the few months of applying for a mortgage and verifying income with lenders at multiple banks, I’ve noticed a few leaks, or weak links in the chain of information, that unnerve me in terms of my personal information security.

When we first started the process, the mortgage company asked for the usual: bank statements, tax returns, year-to-date profit-and-loss statements, IDs, and check stubs, everything to verify that we can afford the house we’re trying to buy. When I asked how they wanted us to provide this information, their initial response was “e-mail.”

E-mail is NOT SAFE
Had the person I’m dealing with read their own e-mail disclaimer, which goes out on every e-mail they send, they would have noticed that it states:
“Do not use email to send us confidential information such as credit card numbers, PIN numbers, passwords, Social Security Numbers, Account numbers, or other important and confidential information.”

If you don’t want anyone to find out something, you definitely don’t send it through e-mail. Typically, at a minimum, 4 copies of an e-mail are created for every message sent... sometimes 6.
  1. When you send the e-mail, a copy is likely stored in your Sent Items folder and cached locally. Anyone can open this if they get hold of your e-mail account, whether by compromising your own terminal, by guessing your password and breaching your e-mail service provider’s system, or by getting into your e-mail through your mobile device (if you have your e-mail set up on the device). This also includes any other device that has a copy of the e-mail or access to something like an IMAP server.
  2. The Internet is not a series of pipes. Connections to servers can take several different routes depending on network load. In fact, when you connect to your mail server, if it is offsite, there are multiple nodes on the network between your computer and the mail server itself, and they are rarely the same from one connection to the next. These nodes are not always "secure." Then the e-mail travels from your mail server, hopefully after authentication, to your recipient’s mail server (between their networks), where it can be stored and downloaded by your recipient to multiple devices wherever they happen to be: at work, in coffee shops, on non-secure home networks, and at schools, onto computers, tablets, webmail accounts, and cell phones.
  3. Not all e-mail connections use SSL or TLS. Some transmit e-mail from point to point in clear text, often referred to as plain text. This means anyone listening can read every word.
  4. PDF files are not inherently secure even though they require a special program to open them. While you can encrypt a PDF file by requiring a password, this is not the default. Go onto Google and search for any term followed by “filetype:pdf” and you will see thousands of results from clear-text or plain-text PDF files. Google knows what is in these files because its servers automatically read the PDFs, and in some cases optically recognize the contents of the PDF to make a text version.
  5. If you provide a password to someone for the PDF, don’t send it in the same message as the PDF. In fact, if you can send it a different way, via text message or over the phone, you’re even better off. Then hope they don’t forward the message with the password to someone else, or worse, decrypt the document and then forward it (as was done in our case by a county worker).
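Points 4 and 5 above are the kind of thing an outbound-mail check can catch before a message leaves. The following is an added example written for this post, not code from the author or any mail product: it inspects the attachments of a draft e-mail, flags a PDF that carries no /Encrypt dictionary (the marker a password-protected PDF's trailer contains), scans an unencrypted PDF for SSN-shaped values, and flags an encrypted PDF whose message body appears to state the password. The two PDFs are constructed inline for the demonstration; the /Encrypt test and the SSN pattern are heuristics, since real PDFs usually compress their content streams and a production gate would parse the file properly.

```python
import re

# Constructed sample attachments for this example (not documents from the post).
# The content stream is left uncompressed so the plain-text scan can see it.
UNENCRYPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 36 >>\nstream\n"
    b"BT /F1 12 Tf (SSN 123-45-6789) Tj ET\n"
    b"endstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# The same document saved with a password: the trailer references a standard
# security handler via /Encrypt, and the content streams would be ciphertext
# (omitted here; the check only needs the trailer).
ENCRYPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"5 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -1 >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 5 0 R /ID [<01><02>] >>\n%%EOF\n"
)

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # nnn-nn-nnnn, illustrative pattern
# "the password is ..." / "password: ..." in the body of a message that carries
# the encrypted file it protects (point 5 above).
PASSWORD_IN_BODY_RE = re.compile(r"\b(password|passcode|pin)\b\s*(is|:)", re.IGNORECASE)


def is_pdf(data: bytes) -> bool:
    return data.startswith(b"%PDF-")


def pdf_is_encrypted(data: bytes) -> bool:
    """Heuristic: an encrypted PDF references an /Encrypt dictionary from its
    trailer (or from the cross-reference stream dictionary in newer files)."""
    return re.search(rb"/Encrypt\b", data) is not None


def find_ssn_like(data: bytes) -> list:
    """Return SSN-shaped strings found in the raw bytes of an unencrypted file."""
    return [m.decode("ascii") for m in SSN_RE.findall(data)]


def check_outgoing(body: str, attachments: dict) -> list:
    """Return (severity, message) findings for one outbound e-mail.
    'block' findings should stop the send; 'warn' findings need a human look."""
    findings = []
    for name, data in attachments.items():
        if not is_pdf(data):
            continue
        if pdf_is_encrypted(data):
            if PASSWORD_IN_BODY_RE.search(body):
                findings.append(("block", f"{name}: encrypted, but the message body appears to state its password"))
            continue
        hits = find_ssn_like(data)
        if hits:
            findings.append(("block", f"{name}: unencrypted PDF contains {len(hits)} SSN-like value(s)"))
        else:
            findings.append(("warn", f"{name}: unencrypted PDF; confirm it holds nothing confidential"))
    return findings


if __name__ == "__main__":
    for body, atts in [
        ("Statements attached.", {"stmt.pdf": UNENCRYPTED_PDF}),
        ("The password is hunter2", {"stmt.pdf": ENCRYPTED_PDF}),
        ("Statements attached; I will text you the password.", {"stmt.pdf": ENCRYPTED_PDF}),
    ]:
        print(body, "->", check_outgoing(body, atts))
```

Only the third draft passes cleanly: the file is encrypted and the password travels by another channel, which is exactly the arrangement point 5 asks for.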

People still use fax machines?
In the ’90s, fax machines were physical machines. While they might have had a buffer from which a user could reprint faxes, they were essentially a modem hooked to a copy machine. You hit send, it scanned the image, and it sent a really low-quality version over the phone line directly to another fax machine, where it was almost immediately printed.

If the physical security of the fax machine was okay, you didn’t have to worry about someone tampering with the information. If the fax was sent to the wrong number, then all bets were off.

Today, fax machines are entirely different; sometimes they’re actually copy machines with a built-in computer and a hard drive. Messages can stay on these machines for a very long time. If a machine doesn’t have a custom password, meaning it still uses the default password, many of the faxes can be retrieved from it remotely by anyone savvy enough to go online and look up the manual for the machine.

If the fax machine is one of the new cheap all-in-one faxes that receives and transmits over Wi-Fi, then the information comes into the machine and is then beamed as an image or an unencrypted file from the wireless fax printer to a computer. I say beamed because Wi-Fi is not a direct connection either; it transmits in all directions. If the network isn’t “secure,” anyone listening can again pull down this info with a simple network packet sniffer. While it’s unlikely someone will copy the fax from the airwaves when it comes in, it is a remote possibility if this entity is a potential target for information theft.

Then there is a likely possibility: an Internet fax. This is a web server somewhere that receives the fax like the old fax machine did, and then forwards an image of the fax to someone via unencrypted e-mail (usually). While some of these services can encrypt the image, they’ll likely use the same key for every encryption on an account. If the user has to log into the service to download the image, security is better, but if the image is simply e-mailed sight unseen, not only is this information stored in the end recipient’s e-mail, it may be stored on the Internet fax server as well: logs, cache files, buffers, and account folders. If the Internet fax service does any sort of OCR (optical character recognition) before creating the unencrypted file, the contents of the fax are again transmitted as clear text.

The "Secure" E-mail Alternative
My mortgage broker sent me a message through what she was calling a "secure e-mail service," which turned out to be a "secure" document exchange from a financial services company. Unfortunately, she used "password" as the password. The service gave me no way of changing the password once I logged in.
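A document exchange that accepts "password" as the password has skipped the one control that costs nothing. As an added illustration, not code from the exchange or from this post's author, here is the acceptance check such a service should run when a share is created, plus a generator for a random share password to hand to the recipient by phone or text rather than in the same message. The deny-list is a constructed stand-in for a real breached-password list, and the 12-character and 60-bit thresholds are assumptions chosen for the example.

```python
import math
import secrets
import string

# Constructed deny-list; a real deployment would check a full breached-password list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "changeme",
}
MIN_LENGTH = 12      # assumed policy minimum
MIN_BITS = 60.0      # assumed minimum estimated entropy


def estimated_bits(pw: str) -> float:
    """Rough entropy estimate from the character classes present.
    Good enough to reject obviously weak choices, not a strength guarantee."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_share_password(pw: str) -> list:
    """Return the reasons a proposed share password is unacceptable.
    An empty list means the password may be used."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if estimated_bits(pw) < MIN_BITS:
        reasons.append(f"estimated entropy below {MIN_BITS:.0f} bits")
    return reasons


def generate_share_password(length: int = 20) -> str:
    """Random share password from a 68-symbol alphabet using the OS CSPRNG.
    At 20 characters this always clears the thresholds above, even in the
    worst case where every drawn character happens to be a digit."""
    alphabet = string.ascii_letters + string.digits + "-_!@#%"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("password ->", check_share_password("password"))
    fresh = generate_share_password()
    print(fresh, "->", check_share_password(fresh) or "accepted")
```

The exchange in the story failed on two counts this code separates: it accepted a deny-listed password at creation, and it offered no way to replace it afterwards. The generator covers the second case as well, since a recipient who wants a new password can simply be issued one.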

Another possibility
Something else to consider, with the rise of cloud services for information storage, is that your personal information may not be under the control of the institutions that are part of the process. If they use cloud-based applications for information storage, all that can be hoped for is strong encryption and very strong passwords. Even these practices can be thwarted by bad habits.

Who gets a copy of the information? It seems like everyone known to man.
I was surprised at the number of individuals being copied on all of the back-and-forth communications with the Realtor: mortgage brokers, assistants, financial advisors, bosses, inspectors, banks, credit agencies, property owners; the list goes on. Any one of these people without a “secure” system in place for these messages can become the weakest link in the chain. From a jailbroken phone to an unpatched copy of Windows 98 running on some back-office computer, the list of potential vulnerabilities is enormous. What's worse, in my experience most government agencies at the local or state level lack the funds to appropriately secure communications, much less look for breaches. For most of my clients, I'm only called after a breach has occurred.

Why would someone target these places?
All of the entities I’ve mentioned deal in a lot of personal information. Anyone who wanted information on anyone in the process only has to do a little research to determine the infrastructure and its shortcomings. Whether it’s intercepting a packet of information delivered by the Postal Service or not shredding every non-pertinent piece of data, the 250 pages of detailed personal information that we’ve provided to date have been redistributed at least 6 times by my count, not including the copies my e-mail program makes itself. This doesn’t include versioning because of changed closing dates and updates to the applications.

It’s enough to make any information security professional’s head spin.

What can you do?

Get involved in infosec as a career and change the system. Until then, save enough money to pay cash. Once it's all said and done, call to lock your credit records and change all of your accounts. Also be sure to purge sensitive information from all locations where possible.