Data security could shake up real estate industry

Part 2: Innovations in digital real estate technology

Editor’s note: Real estate, technology and the Internet: it’s a match made in heaven. The combination is changing the way we search for homes, how we talk about our homes and think about where we live. In this three-part series we explored the latest innovation in real estate technology on several fronts, including home listings presentation on the Web, new data security systems, and blogs and online communities. (See Part 1: New forms of media converge in data-rich property listings and Part 3: Curbed.com dives deep into heart and soul of neighborhoods.)

It starts with one Realtor who’s nice enough to give his MLS login password to a trusted prospective buyer so that person can search for homes on his own. Then the buyer hands it off to his wife, who gives it to her brother who’s also been thinking about buying a home. The brother gives it to his wife who leaks it to a cousin who happens to work for a moving company and soon all the people who’ve left their contact information on that MLS system are being solicited by a national mover.

That’s a mild version of what can go wrong when security of digital real estate content is breached. With all the innovation in online home listings, lead capture systems and Web-based transaction management systems, there’s a lot at stake. Controlling access to the MLS, transaction and broker systems is more critical than ever, since it is no longer just home listing information that is vulnerable. MLS systems now include a host of contact management and customer relationship applications that store personal information about clients and prospects.

Security has come to the forefront as many brokers have stepped up and asked their MLSs how they will protect their core listings asset.

John Mosey, president of the Regional Multiple Listing Service of Minnesota, said, “There’s not really much on the radar screen of the average practitioner…Large brokers are mostly concerned.” Brokers want to know if their data is at risk because of any security issues, he added.

Security issues for real estate data range from password sharing to data scraping, which occurs when someone steals listings data contained in an MLS usually by hacking the MLS technology platform. MLSs contain valuable and sensitive information about consumers, like the size of loan they’ve been approved for, when they intend to move, or when they are likely to not be at home for showing times.

Many in the real estate data technology business consider password sharing to be one of the most prevalent security problems multiple listing services and their members face today, even though the agents handing out their passwords in most cases probably have no intention of causing a security or consumer privacy breach.

“I don’t think people really think through that what they’re doing is wrong,” said Bryan Foreman, president of Interealty, which provides MLS technology systems.

While Foreman is confident the underlying MLS systems his company builds and maintains are secure, he said the biggest challenge is for MLSs to keep track of who has access to the system. The real question is, “who has the keys, how many sets of keys and how often do you change the locks?” he said.

According to a poll conducted by the Human Firewall Council, 52 percent of office workers polled said they would download company information if a friend asked for it, 64 percent had already given their password to a colleague and nearly 67 percent gave their password to the pollster. “There is no reason to believe that the real estate industry protects its passwords any better,” Clareity Consulting wrote in a recent study on real estate data security.

There are many ways to potentially solve the password problem, including implementing mandatory password changes every month or quarter, or distributing a “token” such as a keychain, card or USB device that must be plugged into the computer to gain access. The token method adds an extra layer of security, mandating that the user possesses both an object and a password–much like an ATM card. Such tokens already are being implemented at MLSs nationwide, according to Clareity CEO Gregg Larson.

Clareity has made a big push for higher security standards in the real estate industry this year. The consulting company partnered with Secure Computing, a global security products and service provider, to provide real estate professionals with a new security system for MLS and real estate-related data. The partnership now offers a user authentication product for MLSs in a variety of token forms.

“There’s more and more valuable content online today and the only tool you need to get it is a Web browser, and in some cases you don’t even need a password,” Larson said.

Clareity performs security audits on MLSs and Larson said the results often are alarming. Once called on, the company gets permission to scan the MLS network. During a recent scan of a large regional MLS, Clareity was able to download about 10,000 real estate listings in a matter of minutes.

“We downloaded their entire database in six minutes,” Larson said. “The only tool we used to hack their system was Internet Explorer 6.0.” The data included all the property details, listing expiration dates and showing instructions.

Threewide Corp. has devised a new technology to help MLSs protect their listing exports by pushing data to registered users using controlled, monitored and audited methods. The process includes end-user registration, data encryption, one-time-use data files and embedded data tagging, and image watermarking unique for each export, Threewide CEO Ira Luntz said.

“While nobody can prevent the dispersal of data in raw form, we have built tools that clearly identify who the data was sent to and when,” Luntz said.

Threewide moves more than 3 million MLS data records through its pipelines each month. The company’s ListAndSend product suite enables MLSs to move their data and images back and forth among a variety of sources, controlling who receives the data and when they will receive it. Luntz noted that Threewide does not track the MLS data, but its software includes a data-tagging element that enables the MLS to track it.

Data sent through Threewide also is encrypted for added security.

Threewide expects to launch its ListSecure product in February. Luntz said it will be positioned as a separate product but will need the ListExporter component to work.

Rapattoni Corp. is another MLS technology company actively pursuing greater security of real estate data and MLS systems. The company in November launched Secure Logon, which aims to eliminate unauthorized access and ID sharing among real estate professionals by using a Passkey system. The Rapattoni Passkey is in the form of a portable USB device that can fit on a keychain. Agents insert the device into their computer’s USB hub and enter their username and password to access the MLS system.

Rapattoni Corp. President Andy Rapattoni said the USBs cannot be replicated. “We built in a serial number that is encrypted so you cannot read it,” he said. “The first thing our software checks is that information to make sure it’s a Rapattoni key and valid serial number.”

The Passkey also can be used with lockboxes that are placed on homes for sale. Rapattoni said the company is developing the security system so it can be used with any MLS system, not just the Rapattoni MLS platform because many markets have more than one MLS and each may operate on different technologies.

No MLS is currently using the Secure Logon Passkey, but Rapattoni expects to install a lot of the systems next year after MLSs approve their annual budgets.

The National Association of Realtors in the last year has ramped up its efforts to educate members on best practices in security. NAR’s Center for Realtor Technology in July released a new data security software product reCaptcha, which can determine whether a computer has been under attack by a remote computer programmed to intrude secretly and capture private data from Web sites.

The product was designed to assist system managers to develop countermeasures to protect MLS systems from data theft, or “scraping.”

At its meeting in Orlando last month, NAR also released special guides for protecting real estate information.

Carl DeMusz, CEO of the Northern Ohio Regional MLS, said a lot of discussion took place in Orlando about security issues facing MLSs. His organization plans to undergo a security audit and is weighing its options for what technologies to implement.

“We’re looking at tokens for password protection, protection from screen scraping and an external audit of our security system,” he said.

Tomorrow: Blogs dive deep into heart and soul of neighborhoods.

***

Send tips or a Letter to the Editor to jessica@inman.com or call (510) 658-9252, ext. 133.


Comments