Are You Vulnerable to This Hacking Attack?

By Dominic Fahey

Can you spot the imposter? Don’t feel bad if you cannot; many Democratic National Committee (DNC) employees couldn’t either.

Fake signage

Whether you believe the Democratic National Committee (DNC) was hacked by Russians or a four-hundred pound guy from New Jersey, there is little dispute in the Information Security community on the methodology used. The cybercriminals did not discover a previously unknown flaw in the Microsoft Windows operating system; they exploited the weakest link in the cybersecurity chain – the person behind the keyboard. In a modern twist on a classic confidence scam, hackers were able to fool DNC employees into handing over the keys to the digital kingdom – their passwords.

The cybercriminals sent phishing emails to thousands of DNC employees purporting to be from their email service provider, Google, claiming that the employee’s email had been compromised and that they should reset his/her password. When an unsuspecting DNC employee is conned into believing his email has been compromised, he clicks on the link in the email and is sent to a website that appears to be Google but is actually controlled by the criminals. The counterfeit email and websites were very good forgeries. As with many things digital, it is not difficult to produce an exact copy of Google’s logo, font and password reset webpage. 

Google’s standard sign-in page is located at https://accounts.google.com. In this case, the hacker registered a similarly spelled domain – https://accounts-google.com. (Figure 2) Notice the subtle difference in the ‘.’ and ‘-’ after ‘https://accounts’. This minor change makes all the difference in cyberspace. Also, note the hacker’s use of the encrypted hypertext transfer protocol (HTTPS). HTTPS is a standard on the Internet to encrypt communication between parties like banks, retailers and their customers. The problem is that, while the communication between a server and the web browser may be encrypted, HTTPS does not ensure that the server belongs to the organization it appears to represent. That is to say, just because the server appears to be related to Google, HTTPS does not ensure that it is.
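The ‘.’ versus ‘-’ difference described above can be checked mechanically before anyone types a password. The Python sketch below is an added example, not part of the original article; the allow-list, the sample URLs and the `login.example` and `accounts.g00gle.com` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the exact hosts where staff are expected to type a password.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


def squash(host):
    """Drop the separators a lookalike domain typically swaps ('.' and '-')."""
    return host.replace(".", "").replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_login_url(url):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown", "no host in URL"
    if host in TRUSTED_LOGIN_HOSTS:
        # HTTPS is required, but HTTPS alone never makes a host trusted.
        if parts.scheme != "https":
            return "unknown", "allow-listed host but not HTTPS"
        return "trusted", "exact match for " + host
    # Anything before '@' is userinfo, not the host the browser connects to.
    userinfo = parts.netloc.rpartition("@")[0].lower()
    for good in TRUSTED_LOGIN_HOSTS:
        if good in userinfo:
            return "lookalike", good + " appears before '@'; real host is " + host
        if host.startswith(good + "."):
            return "lookalike", good + " is only a subdomain prefix of " + host
        if edit_distance(squash(host), squash(good)) <= 2:
            return "lookalike", host + " is nearly identical to " + good
    return "unknown", host + " is not on the allow-list"


# Constructed sample links, as they might appear in an incoming email.
SAMPLE_URLS = [
    "https://accounts.google.com/signin",
    "https://accounts-google.com/reset?email=user@example.org",
    "https://accounts.google.com.login.example/reset",
    "https://accounts.google.com@login.example/reset",
    "http://accounts.google.com/signin",
    "https://www.njlta.org/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        verdict, reason = classify_login_url(sample)
        print(f"{verdict:9} {sample}  ({reason})")
```

Only an exact host match over HTTPS is treated as trusted; a valid padlock on any other host changes nothing.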


Furthering the con, the mark’s email address is prepopulated in the email address field on the spoofed password reset page. Upon entering his password and clicking reset, the mark is redirected to the actual Google password reset page, none the wiser that his password was stored by the hacker in the background.

With a DNC employee’s username and password, the hackers were able to download every email ever sent or received by the individual. Unfortunately, it appears a number of DNC employees fell prey to this scam. 

Other People’s Money

Real estate industry participants including settlement service providers, attorneys, real estate agents, homebuyers and sellers are vulnerable to similar attacks. Hackers have discovered that once they get access to real estate industry members’ email credentials, they may be successful in convincing real estate transaction parties to divert funds sent via the US Federal Reserve Banks’ Fedwire (AKA wire transfer) system with forged wire instructions. 


Sadly, Information Security experts warned of this exact phishing attack against Google users as early as 2014. Had the DNC read Symantec’s warning, they might have taken steps to protect their employees.

Practically any unsuspecting email user could become a victim of a similar phishing technique. Google is not particularly vulnerable; this could happen to the likes of Microsoft, Apple, AOL or Comcast users. Below are some steps you can take to prevent it:

  • Train your associates to have healthy skepticism regarding any incoming emails, especially those with shortened URLs/links or a call to action to type in a username and/or password.
  • Enable two-factor authentication (2FA) on every account that offers it.
  • Never re-use passwords between sites, especially sites with confidential information like your email or financial service providers.

Shortened URL/Links

URL/Link shortening services came into existence in the early 2000s to make it easier for people to deal with long links on the WWW such as http://www.njlta.org/wp-content/uploads/2017/03/78584-Advocate_Spring_Digital2017.pdf. One such popular service is Bitly. When clicking on a registered link, such as http://bit.ly/2ppAFV7, users are redirected to the last copy of the New Jersey Land Title Association's Advocate. While shortened links have advantages, they can also be used by fraudsters to hide attacks. For example, a user cannot easily determine if the shortened link will redirect them to the official Google website or the imposter; such was the case in the DNC email hack.

Two-Factor Authentication

Single-factor authentication grants access based on a password alone. If your password is stolen, a fraudster could be granted access. Verizon’s 2016 Data Breach Investigations Report found that “sixty-three percent (63%) of confirmed data breaches involve using weak, default or stolen passwords.” Two-factor authentication (2FA) gives an extra layer of security by requiring a second mechanism to prove identity in addition to a password. This second factor could be a number sent to your cell phone or generated on a hardware token or by an app on your mobile device.

You may be utilizing 2FA in your everyday life and not realize it. That PIN number you use with your debit or ATM card, or that RSA SecurID hardware token you utilize to sign into your banking website – both are examples of two factors for authentication.

Security experts recommend enabling 2FA on all services that offer it. Many online providers including Google, Apple, Microsoft and Yahoo offer 2FA. Had the DNC enabled 2FA on their Google email service, it is possible that WikiLeaks would not have had anything to publish. For more information on enabling 2FA on your accounts, check out the site https://www.turnon2fa.com/

Password Reuse

Did you ever register for a Myspace account? Did you happen to use your “regular password” and have long since forgotten about the site? Well, your password reuse may come back to haunt you. In 2016, over 300 million usernames and passwords for Myspace were discovered on a hacker forum. It would not be difficult for hackers to test those username and password combinations with the popular providers like Google, Apple and Microsoft to see if any are successful.

If remembering complex and unique passwords for every site is the last thing you want to do, take a look at a password manager such as Dashlane or LastPass. But if you do, be sure to enable 2FA on that password manager; otherwise your emails could end up as fodder for WikiLeaks or, even worse, involved in wire fraud.

Dominic Fahey, senior vice president of strategy & corporate development for North American Title Group, is a Bruce Springsteen fan who does title insurance, in that order. He can be reached at dfahey@nat.com.


Survey: Developing Cyber-savvy Workforce Vital to Reducing Risk

One in five U.S. organizations that participated in the Willis Towers Watson 2017 Cyber Risk Surveys reported a cyber breach in the last year, with 6 percent of those incidents having been significant, consistent with publicized recent large cyber breaches.

Willis Towers Watson carried out web-based surveys with 163 U.S. employers and with over 2,000 employees. A quarter of these employees work in a corporate IT function.

“Creating a culture of cybersecurity and building a cyber-savvy workforce is of key importance to effectively manage the people, capital and technology risks across every organization,” the company reported in its survey results. “Cybersecurity is a challenge and part of a journey toward mitigating risk involving human error and improving operating procedures.”

To date, technological responses have led the way. However, growing recognition of the human element in cyber risk means that most companies that responded to the survey expect to focus more heavily on operating procedures and creating a more cyber-savvy workforce in the months and years to come.

And with good reason it would seem. Willis Towers Watson’s recent Cyber Claims Database shows that by far the largest proportion of cyber claims reported to insurers stems from employees’ actions, or collective inaction.

Claims by breach

The concurrent employee view of the survey appears to offer some explanation for the claim statistics, by showing a disconnect between cyber awareness and accountability of the workforce and organization’s views of their preparedness.

Toward a Culture of Cybersecurity

While most companies feel they are on the right track in terms of data privacy and information security, many say they are looking to create a culture of cybersecurity in their organization. Most admit, however, to being currently on the lower rungs of the ladder to reach this goal, although they have aspirations to climb it quickly. Over half have no formally articulated cyber strategy now, but over 80% want to be in a position of having embedded cyber risk management within the company culture within three years.

So, how will they get there? The unequivocal answer is by making more progress on improving business and operating processes and on addressing factors tied to human error or actions.

Figure two progress

Business-related activities expected to figure prominently in companies’ plans include more stringent reviews of contractors and third-party suppliers and testing of emergency response plans. To offset risk, a large majority of companies are also reviewing or adding to their cyber insurance coverage as the available market has expanded, with the higher levels of activity seen in the U.S. so far reflecting the fact that American companies have historically bought more of this type of cover, compared to European companies that have tended to focus more on business interruption and continuity. Fifty-four percent of U.S. companies have added to or enhanced cyber coverage in the last two years.

Two thirds of companies have also already taken steps to centralize data privacy and information security. This may account for most companies believing they have or need appropriate levels of corporate support and clear lines of responsibility for data privacy and information security—leaving more to do on supporting processes and employee engagement.

Among the specific people-related actions that companies expect to take in the next couple of years, training programs for both employees and contract workers frequently top the agenda.

Does Employee Behavior Match Company Policy?

As companies adapt their cybersecurity approaches to more actively address people risks, they will of course need employees to step up to the plate and play their part.

Combining the results of our employee and employer surveys shows they have some work to do here, including doing more in some cases to create and maintain an environment in which employees are comfortable reporting data privacy and security incidents.

One dangerous but apparently common belief among employees is that the company’s IT and security systems are the ultimate protector. Even though a significant majority of companies feel they are doing what they need to in setting up and communicating robust protection systems, policies and processes, the message does not always resonate, judging by some current employee behaviors. Around 40% use a work computer or cellular device to access confidential company information and discuss work-related topics in public places. About 30% admit to logging in to a work device on an unsecured public network or using a work computer in public settings. Roughly 25% take confidential paper files home and use unapproved devices to do work at home. Some employee attitudes toward opening email attachments, changing passwords regularly and sharing personal information, such as employer name and job title, on social media sites may also leave companies more vulnerable, particularly to social engineering, where cyber criminals use impersonation techniques to trick employees into divulging confidential information or data.

Given these findings, there certainly seems to be a need to more closely assess the reasons why employees continue to engage in risk-producing behaviors.

A root cause may be that nearly half of U.S. employees surveyed said they spent less than 30 minutes on data protection and information security training last year. Around 60% said they had only completed any training because it was a company requirement, although many claimed to have derived some knowledge and benefit from whatever they had done.

Segmenting Employees

Such results inevitably lead to employees with different levels of understanding, accountability or engagement with cyber risk management. It may benefit companies, therefore, to segment their awareness training and other learning tools in order to refine an approach for different groups of employees/workers. For example, executive-level employees may need more training on confidential corporate information and use of company devices while traveling in foreign countries, while HR training may focus primarily on protection of employee data.

From the responses to a range of questions on the employee survey, we have defined four types of employees according to how they use technology at work or at home.

  • Alert – those who protect personal information in daily life and are aware of information security at work.
  • Comply – those who follow data/information protection policies at work but are careless on a personal level.
  • Ignore – those who pay attention to protecting personal information, but who don’t act with the same care at work.
  • Unconcerned – those whose technology usage patterns at home and work may lead to potential cyber risks.

Figure 4 characteristics

Conclusion: Beyond Technology

The findings from our surveys signal a shift in cybersecurity strategies. Although companies still think there is more work to do on technological responses, most feel they are broadly on track and making progress in addressing potential weaknesses in their IT infrastructure.

Attention is now increasingly turning to the operational- and people-related risks that cyber claims experience shows leave companies exposed to cyber risk even with state-of-the-art technology strategies.

There is growing impetus behind the view that building effective cyber resilience has to have its roots within the organization culture and its people. Solutions are likely to be complex and multidimensional, as is always the case for any kind of cultural change. Certainly, companies may have to adapt their operations to the constantly changing nature of cyber threats. Nor should they ignore the expanding risk mitigation options available through the insurance market. But employers will increasingly look to foster a more cyber-savvy workforce, including the use of innovative employee engagement, talent management and reward strategies, to fortify their cyber security posture.


Be Brave and Innovate at ALTA ONE

When you think of innovation, it’s important to remember that every new process or concept doesn’t have to be high-tech. To be innovative, you need to observe and listen to your team members and your customers in order to deliver the exceptional experience that they want and deserve. Over the next few weeks, we will highlight people who have created products or processes that have made our lives easier or safer. We hope reading about these pioneering people inspires you to join us in Miami for ALTA ONE—where you can be ready for what’s next and lead the way into 2018 by learning about innovative solutions that can help you provide your customers with what they want today, tomorrow and in the future. Feel free to leave comments and share your favorite innovator!



ALTA will be Closed Tuesday in Observance of Independence Day


ALTA leadership and staff would like to wish everyone a happy and safe Fourth of July. During this holiday, take time to remember how fortunate we are to live in a country that provides us the rights of life, liberty and the pursuit of happiness. And let us not forget the valuable role land title professionals play in protecting property rights. Share how you celebrated Independence Day by posting photos to our Facebook page at www.facebook.com/altaonline.


The Numbers Don't Lie: 9 Reasons Why You Must Attend ALTA ONE




Promote Your Company on Google With These Easy Steps

Google AdWords Tutorial - HOP Leader Training

Google ads may seem confusing or too costly for your business. ALTA has developed this five-step process to help you get started for just $50 per ad.


Visit ADWORDS.GOOGLE.COM and enter your email address and include your website address. Then you’ll be directed to create a Google account (important if you are using a corporate email address). Next, you must accept the privacy terms.


Enter your daily spending budget. ALTA recommends $10 per day for testing purposes. Next, choose your location. Feel free to be as specific as you’d like. Next, select your keywords. You should choose between 15-20 keywords. Use variations of your company name, home buying in your state, etc. Be sure to keep your “bid” set at “AdWords automatically sets your bids.”


Now, you’re finally ready to create your ad text! First, you’ll enter a website to lead customers to your company or product. Next, you should write two headlines. ALTA recommends using the first header to gain attention and the second header should include your company or product name. Then, you should include a brief description of your business or why a customer should choose you (i.e. We help you protect your property rights at ABC Title Company). Lastly, include a phone number so that individuals can call your company directly when clicking on your ad. This is especially important for mobile users.


Using the “Billing” drop down menu, you’ll select “Billing Preferences.” At this time you’ll create your billing profile including business name, contact information and phone number. Next, you will enter your payment information. You can choose to add a credit card or to link to your bank account. Then you’ll agree to more terms and conditions and your account will be ready!


You only pay when your ad is clicked on—not when it is seen. You can pause your ad campaigns at any time. And finally, if an ad isn’t working, try something new (including adjustments to your daily budget anytime).


ALTA members have exclusive access to an array of digital marketing content in the Homebuyer Outreach Program. For more digital marketing strategies, don't miss ALTA's Innovation Boot Camp, Aug. 23-24 in Baltimore.



Create a Facebook Advertising Campaign in Three Easy Steps

Here are three steps to help you create an advertising campaign on Facebook:

  1. From your Facebook page, select “Create Ads,” which can be found by clicking on the arrow in the upper right-hand corner of the screen.
  2. Next, choose an advertising objective. You can select from Awareness, Consideration or Conversion. As an example, if you want to get more consumers to know about your title company, select “Brand awareness” under the Awareness column. Then click Continue.
  3. Next, you can choose to advertise your page, website or event and then choose the audience, budget, images and text for the ad before placing the order.

ALTA members can utilize content and images in the Homebuyer Outreach Program to help with campaigns.


ALTA to Launch ‘Whatever You Call Home’ Campaign

Coinciding with National Homeownership Month in June, ALTA will launch an ad campaign titled “Whatever You Call Home” to help educate consumers about the closing process and the benefits of title insurance.

As the centerpiece of the promotion, ALTA will once again target 25- to 34-year-olds in specific markets on Pandora. The streaming and automated music service now has an additional filter that allows us to target people who plan to purchase a home within the next year. Starting June 3 and running through June 11, we will target this demographic in these areas:

  • Baltimore
  • Chicago
  • Columbus, OH
  • Dallas/Fort Worth
  • Kansas City
  • Miami/Fort Lauderdale
  • Nashville
  • Orlando


Last year, the ad campaigns resulted in more than an 80 percent increase in traffic to HomeClosing101.org. 

In addition to reaching first-time homebuyers on Pandora, ALTA will also target homebuyers through other channels, including Google Ads, Facebook and YouTube.

ALTA has created a video that also will direct homebuyers to its consumer education website. The video reminds consumers that before they paint, decorate and make their home theirs, they need to protect their property rights with an owner’s title insurance policy.

Finally, ALTA will distribute a series of press releases highlighting top reasons why homebuyers need title insurance, the key steps in the closing process and a reminder about wire fraud schemes. We’ll share results of the campaign later this year.



Most Voters Say CFPB Should be Run By Bipartisan Commission

A poll commissioned by ALTA, the Consumer Bankers Association and Independent Community Bankers of America, found that 58 percent of registered voters in key battleground states say the Consumer Financial Protection Bureau (CFPB) should be run by a bipartisan commission.

Morning Consult, which polled voters in Indiana, Maine, Michigan, Missouri, Montana, North Dakota, Ohio and West Virginia, found that three in five voters said a commission would lead to consumer protections that are fairer, more accountable, more representative and more transparent. The poll, which found that just 14 percent said the CFPB should keep its current structure, shows that consumers support structural changes at the bureau.

“It's hard to find any policy position in Washington that a majority of Americans agree on,” said ALTA CEO Michelle Korsmo. “So when 58 percent of consumers said the CFPB’s authority to supervise financial institutions, write rules and enforce penalties is too important to be controlled by a single director, Congress should listen to them.”

Converting the CFPB into a bipartisan commission would make the agency similar to the Federal Deposit Insurance Corporation, the Federal Reserve Board and the National Credit Union Administration. Three of the five federal banking regulators also are led by commissions. The other two, the CFPB and the Office of the Comptroller of the Currency, are led by single directors.

Changing CFPB leadership from a single director to a commission is an issue with bipartisan potential. In meetings last year with the heads of partner trade associations, ALTA found support for a narrow bill focused on a commission. This initiative garnered support from moderates on both sides of the aisle. This year has been different as legislators on both sides of the aisle have staked out extreme positions on the issue. On the left, Senator Elizabeth Warren (D-MA) is devoted to protecting the current structure of the CFPB at all costs. On the right, Chairman Jeb Hensarling (R-TX) is seeking to severely limit the power of the CFPB as part of his Financial Choice Act.

“CBA and its members have long championed what the poll results revealed: a bipartisan commission at the CFPB would increase accountability, fairness, and transparency,” CBA President and CEO Richard Hunt said. “With the 2018 elections coming up, members of Congress in key battleground states may find these results useful, as voters, regardless of party affiliation, believe the best way forward for consumers and small businesses is through a commission made up of a diverse and bipartisan group of experts similar to that of the FDIC. Now’s the time for lawmakers to act.”

Aggregate Key Findings

  • 58 percent of surveyed voters support establishing a bipartisan commission at the CFPB.
  • By a 3-1 margin, these voters prefer a bipartisan commission over a single director.
  • Only 14 percent of respondents said they believe the CFPB should be left the way it is now.
  • By a 4-1 margin, voters agree the CFPB should be structured as a commission like the Federal Deposit Insurance Corp. (FDIC).
  • More than half of voters believe a commission would help consumers and small businesses.
  • Three in five voters said a commission would make the CFPB fairer (63 percent), more representative (62 percent), more accountable (62 percent) and more transparent (60 percent).
  • 57 percent said the CFPB’s authority to supervise financial institutions, write rules and enforce penalties is too important to be controlled by a single director.
  • 59 percent also said a commission would better position the CFPB to help consumers over the long run.

Key Findings State-by-State

  • In Indiana, by a 4-1 margin, voters agree the CFPB should be structured as a commission like the Federal Deposit Insurance Corporation.
  • In Ohio, by a 3-1 margin, voters prefer a bipartisan commission over a single director.
  • In Maine, 63 percent of voters support establishing a bipartisan commission at the CFPB.
  • In Michigan, voters said a commission would make the CFPB fairer (62 percent), more representative (63 percent), more accountable (62 percent), and more transparent (60 percent).
  • In Missouri, voters said a commission would make the CFPB fairer (61 percent), more representative (61 percent), more accountable (62 percent), and more transparent (58 percent).
  • In Montana, 60 percent of voters support establishing a bipartisan commission at the CFPB.
  • In North Dakota, by a 4-1 margin, voters prefer a bipartisan commission over a sole director.
  • In West Virginia, three out of five voters believe a commission would help consumers and small businesses.



Closing Times Sink to Pre-TRID Days

The average time to close a loan is now shorter than it's been since 2015, according to the latest Origination Insight Report from Ellie Mae.

The survey found that the average time now sits at the lowest level in two years, coming in at 43 days in March, down from 46 days in February.

For refinances, the time to close dipped to 43 days from 47 days in February. The time to close a purchase dropped to 43 days, down from 45 days in February.

“The purchase market continued to heat up in March, representing 63 percent of total closed loans,” said Jonathan Corr, president and CEO of Ellie Mae. “We also saw the time to close shrink to the shortest duration since February of 2015 at 43 days across all closed loans, purchases and refinances, as Ellie Mae lenders automate more mortgage processes to improve efficiency, quality and compliance.”

In addition, home loans for purchases increased to 63 percent in March, up from 57 percent the month prior.

The Origination Insight Report uses data from a sampling of approximately 80 percent of all mortgage applications that were initiated on Ellie Mae’s loan origination system, Encompass.