Information Security News mailing list archives

Security glitch puts mortgage applications online


From: William Knowles <wk () C4I ORG>
Date: Thu, 16 Nov 2000 03:27:19 -0600

http://www.techserver.com/noframes/story/0,2294,500280192-500439731-502819847-0,00.html

By D. IAN HOPPER, Associated Press

WASHINGTON (November 15, 2000 9:18 p.m. EST http://www.nandotimes.com)
- At least 700 loan applications - including Social Security numbers -
were divulged on the Internet because of a security breach in the
software used by many mortgage brokers, officials said Wednesday.

Though quickly rectified, the breach should send a warning through an
industry that now processes one of every three mortgage applications
electronically using software made by California-based Contour
Software, security and loan experts said.

"It's of great concern to us," said Tom Lovell, president of AMEX
Mortgage in Tempe, Ariz., a mortgage broker whose customers'
applications were divulged on the World Wide Web because of the
software problem.

"We've been evaluating new services, and this gives us more cause for
that," he said.

The breach, discovered by a computer security firm, angered homeowner
Ronald Johnson, who comparison-shopped for mortgages online and
learned that his application was visible on the Internet. It included
his and his wife's Social Security numbers, lists of assets and work
history.

"I really don't buy anything online, because I'm afraid if I put my
credit card number on there it's going to be all over the world," said
Johnson from his Fountain Hills, Ariz., home.

"But when we applied for a loan for this house, I thought it would be
a good time to use the Web. I guess I was wrong about that, too," said
Johnson, who learned about the problem from The Associated Press.

A Contour Software spokesman called the problem "a rarity" and said
the application would be difficult to locate on the Internet.
Spokesman Scott Cooley blamed a disgruntled former employee, who
turned off security settings for a computer directory where the loan
applications were stored.

"Keep in mind that it would have been impossible to find this
directory without knowing it by name," Cooley said.

Cooley said the problem was fixed and appears to have involved at
least 700 customers from at least 27 mortgage brokers who use the
company's software.

As of late Wednesday afternoon, the loan applications were no longer
visible on the Internet. Cooley said he didn't know how long the
information was available before the security firm discovered it.

A representative of New York-based SecureFront Technologies said the
company discovered the problem during an authorized security audit for
a regional bank in Pennsylvania.

"We were surprised when we discovered that we were able to browse a
number of directories with only a Web browser and without any
passwords," said SecureFront CEO Albert Lee, who performed the initial
test.

"Doing a brief search on the Web, we were able to identify at least 27
other banks and lenders that are affected by the same problem," Lee
said.

The Mortgage Bankers Association of America says Contour's software
processed almost 2 million home loans in 1999 totaling $228 billion,
part of a marked explosion in online home buying because of the
Internet's ease in comparison shopping for loans. The total includes
applications taken online and off line.

MBAA spokesman Dave Warner said the growth has stalled this year,
because potential homeowners are unwilling to fill out long
applications online and also harbor their own security concerns.

AMEX Mortgage stopped taking online applications six months ago.

PSC Mortgage Group in Los Angeles has used Contour Software's products
for years and verified that information found online belonged to their
customers.

"That's a very big deal. It's very, very disturbing," said Klara
Soros, operational manager at PSC Mortgage Group.

Johnson, the customer surprised to learn his assets and other private
information were in plain view on the Internet, said he'd never had
trouble with identity theft or mysterious credit card charges before.
Now he's concerned.

"There's some information out there that could get me in a lot of
trouble. I wish I knew what I could do to get it off of there,"
Johnson said. "I don't know what to do."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com