As I was driving into the office yesterday, I pulled into the local gas station to fill up and grab a coffee. Sure, it’s “gas station coffee,” but when you’re in a hurry, you take whatever you can get. As society transitions from cash to credit cards, it makes you wonder just how little cash a gas station has on hand. As I opened the door, fumbling to hold the hot coffee in one hand while putting away the credit card with the other, I could hear the sound of a low rumbling diesel. Upon looking up from my caffeinated goodness, I couldn’t help but notice a beastly dual-axle armored truck which had just stormed into the parking lot. With it, there were two armed men wearing bulletproof vests; one sitting behind the wheel keeping a watchful eye while the other went inside, gun in holster, to retrieve the gas station’s money. I wondered to myself as I drove away, just how much money justifies sending in a team of armed men? It turns out, some gas stations have less than $10,000.00 in cash per pickup. $10,000.00 in cash for all that security. Wow.
Somewhere, at that very same time, Stacey and her family just moved into town and are in the process of purchasing a new home. She can’t wait to close because she’s staying at her in-laws’ house with her husband and 2 children; to say it’s cramped is an understatement! By all accounts they’re an American success story. Stacey is a nurse, and her husband David is a dentist. Their two children are in the 3rd and 5th grades and look forward to playing soccer in the spacious back yard of a new suburban home. Having received the proceeds from the sale of their prior home, and with pre-approval letter in hand, they just made an offer on the home of their dreams. Everything is going perfectly for them. Little do they know, something is about to go horribly wrong.
Luckily, their lender has taken all of the necessary steps to protect their non-public personal information. After all, they have to. With so much on the line, so much to lose, and the CFPB breathing down their neck, their lender is a model for data security and best practices and their staff are well trained. The lender has all the correct policies and procedures, the latest encryption software, encrypted email, and the best money can buy in the areas of IT, firewalls, and security.
Their title company is also top notch. They’ve taken the Best Practices very seriously. Sure, they don’t have the big lender budget, but they’ve trained their staff to be very security conscious. They encrypt their email, lock their computers when not in use, employ a clean desk policy, and have passed several underwriter and third-party audits and received a fancy attestation certificate. All in all, the title company and the lender work very hard to protect the consumer’s privacy, identity, and non-public personal information. They also know to be VERY careful about phishing scams, wire fraud, and social engineering.
Stacey and David have been receiving multiple encrypted emails regarding the transaction. These emails contain status updates, an occasional request for information, and wiring information. But not to worry: the lender, the title company, and, surprisingly, the real estate agent are all following proper cyber security procedures. It is important to note that the chain of security up until this point is very strong. Unfortunately, the title company sent an email off into the unknown: the buyer’s computer. The title company had NO knowledge of the state or condition of the buyer’s computer. In this case, the buyer’s computer was running Windows 2000. It was 12 years old. It had no anti-virus software, and it had roughly 82 active viruses and pieces of malware on it. It was also actively being monitored by what we will call “bad guys” or, more accurately, cyber-criminals.
The lender, real estate agent, and the title company had no way of knowing, controlling, or otherwise affecting or improving the level of security on the buyer’s computer, yet they all chose to email (even through secure email) the buyer. Once this happened, the chain of security was broken. What happened after was very sad for Stacey and David. The “bad guys”, having all of the necessary information concerning the transaction, were very easily able to trick Stacey and David into wiring the money to another account by calling them from a telephone number made to appear as if it originated from the Title Company.
Stacey and David lost all of their money and their dream of purchasing the new home. The money was never recovered, and to this day the family is forced to remain living with their in-laws.
What can we learn from this?
a) The chain of security is only as strong as its weakest link. The buyer’s computer was the weakest link.
b) Banks, Lenders, and Title Companies are regulated and must have security in place. John and Jane Doe’s home computers are subject to no such regulation.
c) Why would a Title Company ever even think of sending something that exists within their controlled, audited, and protected environment, out to a buyer’s computer when they have absolutely no knowledge that the buyer has any form of security? *
* And guess who the buyer will blame when the money is stolen?
What is the answer?
Computers are tools, and there are times when they shouldn’t be used. If it can ruin someone’s life, if it can bankrupt someone, it shouldn’t be used. Be a leader: don’t just educate your buyers; people may not remember. WRITE DOWN wiring instructions on a card and physically hand it to them, then follow up. There’s a saying: “some things are better left unspoken”. There’s another saying: “some things are better left off a computer”. It’s your company, it’s your reputation, it’s your liability, and it’s your decision.
Finally, I’d like to close with this one question. If a gas station feels it necessary to send an armored truck, with bulletproof glass and two gun-toting men, for what usually amounts to a small amount of cash, why would anyone send wiring instructions to a random buyer’s computer with the push of a button?
Isn’t it time that we rethink how we ask our customers to transfer what is almost always their life savings?