Hackers target all businesses, including lenders. What about the security of information contained in a mortgage application?
On average, says security expert Elliott Frantz, mortgage websites tend to be more secure than those of many other industries. But, he cautions, “that’s no reason to let your guard down.”
Frantz is CEO of Virtue Security, an ethical hacking company in New York that works with health care and financial industries. He has good news and bad news:
- “The good news is that the financial industry is heavily regulated and many of those regulations extend all the way down to mortgage brokers and online security practices,” Frantz says.
- “The bad news is that this is still a highly targeted industry where fraud, identity theft and other cybercrimes are something we need to look out for.”
What customers want: Convenience
The need for consumer vigilance was recently underscored by a study from Halock, a cybersecurity firm that looked at the security practices of 63 U.S. mortgage lenders. More than 45 of those lenders permitted applicants to send personal and financial information, such as W-2 forms and tax returns, over unencrypted email. About one-eighth of the lenders offered a secure email portal.
3 things about data security
- Lenders are reluctant to inconvenience customers with security measures.
- The lender must share your information with other companies.
- It helps to be vigilant about the lender’s data security.
Why the casual approach to data security? Several lenders explained that “it was a matter of what the customer was most comfortable with,” the study found.
Protect yourself with these guidelines
Frantz says customers should insist that lenders offer:
- A secure connection, where the URL begins with “https” and displays a lock icon next to it. “Pop-up warnings regarding this connection should never be ignored,” Frantz adds.
- A site requiring a strong password.
- A way, other than email, to send sensitive information.
It’s also a good idea to ask about security, says Christopher Budd, global threat communications manager at Trend Micro, a computer-security firm in Seattle.
“You should be able to get a good sense of how seriously they take security just by asking,” he says. “But remember, applying for a mortgage or a refi often means dealing with several third-party vendors, so it’s important to understand that there might be organizations handling your application who you haven’t dealt with directly.”
Pull credit reports several times a year to check for identity theft, especially if you have a new mortgage, says Benjamin Caudill, co-founder and principal consultant at Rhino Security Labs in Seattle.
Some info is public record
It’s important to understand two types of information that arise from a mortgage, says Tom Flanagan, ?vice president of information technology for Alain Pinel Realtors in Saratoga, California:
- Sensitive financial data, which represents a small portion of a mortgage or refinance application.
- Information that often ends up becoming public record.
Some data is kept for record keeping
“Most of the information found in mortgage documents is public information and will be recorded,” Flanagan says. “For example, address, purchase price, buyer, loan amount, lender, etc., will all be found on title.”
Flanagan adds: “All other information — like W-2s, Social Security numbers and tax returns — should stay in control of the mortgage bank and be retained only for record-keeping purposes.”
He notes that the title company receives bank account information to ensure that money is received from the correct accounts and sent to the correct accounts.