Safe as houses

Bob Baucom, director of operations and technology at Consolidated Multiple Listing Service in Columbia, S.C., heard lots of horror stories from others in the real estate industry.

There was the disgruntled employee in a nearby state who logged into the web-based multiple listing service (MLS) application, which lists properties for sale, and put her former boss's house on the market. Another irate ex-employee elsewhere made random changes to listings. Up north, a teenager accessed the system to find vacant houses and host parties in them.

Baucom and other Consolidated MLS board members, intent on preventing such breaches of their service, opted to take a proactive approach and beef up security. "It's all about trying to protect the data," says Baucom, who is also the owner and broker-in-charge of RE/MAX Midlands Realty.

Consolidated MLS, which serves more than 2,400 real estate agent houses, is one of approximately 800 multiple listing services in the U.S. providing listings of available properties.

A few years ago, most MLSs switched to web-based systems, which relied on a simple user name and password for authentication, says Amy Geddes, operations director at Clareity, an IT consulting firm serving the real estate industry. Consolidated MLS followed that trend.

Before switching to a web-based system, Consolidated MLS used a program that included client software on individual machines. That program also relied on usernames and passwords for authentication, but offered a bit more security, because a user needed to be at a system with that software, says Baucom.

"If I gave you my login name and password, it wouldn't do you any good unless you were sitting at a machine that had that program loaded on it," he says.

"Once we went to a web-based system, we were more vulnerable."

Agents could easily share passwords with non-members, clients, or others, putting the listings – which contain some sensitive data – at risk.

Listings for agents might have information such as burglar alarm codes, private showing instructions, or whether a house was vacant. All this means that listings held "any number of things that you wouldn't want the public to know if you have your house listed," says Baucom.

With a background in law enforcement, including 13 years with the FBI, Baucom says he is, perhaps unsurprisingly, "more paranoid than most people" when it comes to security.

So he and other board members at Consolidated MLS decided to get ahead of any problems and began checking out strong authentication solutions from various security companies.

They selected Secure Computing's SafeWord PremierAccess with SAFEMLS-branded hardware tokens from Clareity. Agents now access the web-based listings by providing a username and PIN code plus a one-time password, which is generated by pressing a button on the token.

"It's something you have, combined with something you know," says Geddes.

SafeWord PremierAccess is event-based, which means that users get a new password each time they press the button on the token, she explains.

Other two-factor authentication solutions are time-based – they flash a new password every 60 seconds, which can result in synchronization problems and "password not accepted" errors, she says.

Another plus of the SafeWord technology is that the tokens do not expire, unlike other solutions, says Jay Goldlist, vice-president and general manger of Secure Computing's enterprise security division. And replacing expiring tokens can be a real chore, especially if users are as dispersed as they are for Consolidated MLS, he adds.

Baucom says the strong authentication system stops abuse by preventing password sharing or theft.

The system is not infallible – no system is, he notes. But while someone could potentially share their one-time password with someone else, the system does not allow duplicate logins and the person with unauthorized access could be tracked down, says Baucom.

Consolidated MLS, with help from Clareity, was the first in the real estate industry to roll out strong authentication, he adds. The process went "surprisingly well" and, in three days, 70 percent of the service's users were on board.

An education session led by Clareity on some of the security breaches experienced by other MLSs helped to convince agents of the need for the extra security.

"They were asking: 'Why are we doing this? This is just something else to carry around'," recalls Baucom.

"An hour later, they had bought totally into the system... The horror stories were extremely important in getting our people to buy into the program."

Another factor that helped deployment is the integration of the top MLS systems with the authentication solution provided by Secure Computing and Clareity, notes Goldlist. Agents use the same systems they had before, so no new training is necessary. Secure Computing and Clareity teamed up last year to provide security solutions specifically designed to protect MLS data.

Secure Computing also offers a self-enrollment capability, which allows users to register tokens via the web instead of needing to come into the office.

To further enhance protection of its data, Consolidated MLS has also deployed ListSecure from Threewide, which works alongside Threewide's ListExporter to provide secure distribution of real estate data to numerous destinations. ListSecure combines encryption, data tags, image watermarks and other methods to secure delivery and tracking of sensitive data.

But this is a young process. Geddes says strong authentication is a fairly new concept for the real estate industry.

"They're just realizing they need to secure their industry with more than just a name and password," she says.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.