First American Financial Corp. leaked hundreds of millions of title insurance documents – Krebs on Security




The website of Fortune 500 title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents dating back to 2003, until it was notified this week by KrebsOnSecurity. The digitized records – including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver's license images – were available without any authentication to anyone with a web browser.

First American Financial Corp. Image: LinkedIn.

First American, based in Santa Ana, California, is a leading provider of title and settlement insurance services to the real estate and mortgage industries. It employs some 18,000 people and raised more than $5.7 billion in 2018.

Earlier this week, KrebsOnSecurity was contacted by a real estate developer from the state of Washington, who said he had had little luck getting a response from the company about what he had discovered: that a portion of its website (firstam.com) was leaking tens if not hundreds of millions of records. He said that anyone who knew the URL of a valid document on the website could view other documents simply by changing a single digit in the link.

And this could potentially include anyone who has already received a document link via email from First American.

KrebsOnSecurity confirmed the developer's findings, which indicate that the First American website exposed about 885 million files, the oldest dating back more than 16 years. No authentication was required to read the documents.

Most of the exposed files are records of electronic transactions with bank account numbers and other information from buyers and sellers of homes or real estate. Ben Shoval, the developer who informed KrebsOnSecurity of the data exposure, said that is because First American is one of the most widely used companies for title insurance and for closing real estate deals – where the two parties to the sale meet and sign legal documents.

"Closing agencies are supposed to be the only neutral party that does not represent the interests of anyone else, and you have to buy title insurance if you have any mortgage," Shoval said.

"The title insurance agency collects all kinds of documents from the buyer and the seller, including social security numbers, driver's licenses, account statements and even internal company documents, if you are a small company. You give them all kinds of private information and you expect them to remain private."

Shoval shared a document link that First American had given him during a recent transaction. It referenced a nine-digit record number and was dated April 2019. Changing the document number in the link by a few digits in either direction produced other people's records from before or after the same date and time, indicating that the document numbers may have been issued sequentially.

The earliest document number available on the site – 000000075 – referred to a 2003 real estate transaction. From there, the dates on the documents get closer to the present with each forward increment in the record number.
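The flaw described above, a sequential document number used as the only key to a record, is shown here beside one mitigation: links that are signed, expiring and bound to a recipient. This is an added example, not code from the original article or from First American; the record store, the key and all function names are hypothetical.

```python
import hashlib
import hmac
import json
import time

# Constructed sample records keyed by nine-digit sequential numbers.
DOCUMENTS = {
    "000000075": {"owner": "alice@example.com", "body": "2003 closing file"},
    "000000076": {"owner": "bob@example.com", "body": "wire receipt"},
}
LINK_KEY = b"demo-key-not-for-production"  # assumption: server-side secret


def fetch_unprotected(doc_id):
    """The flawed pattern: the document number alone selects the record."""
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None


def sign_link(doc_id, recipient, expires):
    """Bind a link to one document, one recipient and one expiry time."""
    msg = json.dumps([doc_id, recipient, expires]).encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def fetch_protected(doc_id, recipient, expires, sig, now=None):
    """Serve a document only for an untampered, unexpired link to its owner."""
    now = time.time() if now is None else now
    expected = sign_link(doc_id, recipient, expires)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None  # document number, recipient or expiry was altered
    if now > expires:
        return None  # link is past its lifetime
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != recipient:
        return None  # the signed recipient must still own the record
    return doc["body"]
```

A signed link is still a bearer credential, so requiring an authenticated session in addition to the signature is the stronger control.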

A redacted screenshot of one of the millions of sensitive records exposed by the First American website.

As of the morning of May 24, firstam.com was returning documents up to the present day (more than 885 million), including many PDFs and post-dated forms for upcoming property closings. By 2 p.m. ET Friday, the company had disabled the site that served the records. It is unclear how long the site remained in this exposed state, but archive.org shows documents available from the site since at least March 2017.

First American would not comment on the total number of records potentially exposed via its site, nor on the length of time these records were publicly available. But a spokesman for the company shared the following statement:

"First American discovered a design flaw in an application that allowed unauthorized access to customer data. At First American, security, privacy and confidentiality are top priorities and we are committed to protecting the information of our customers. The company immediately took action to remedy the situation and shut down external access to the application. We are currently evaluating its potential impact on the security of customer information. We will not have any other comments until our internal review is complete."

I want to point out that these documents were simply available on the First American website; I do not know if the fraudsters were aware of this fact before, nor do I think that the documents were collected en masse (although a slow or distributed indexing of this data would not have been difficult for even a novice attacker).

Nevertheless, the information exposed by First American would be a real gold mine for phishers and crooks involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title insurance companies and trusted third parties in order to trick property buyers into transferring funds to fraudsters. According to the FBI, BEC scams are the most expensive form of cybercrime.

Armed with a single link to a First American document, BEC fraudsters would have an endless supply of very convincing phishing templates. Such a database would also give fraudsters a constant stream of new information on upcoming real estate financial transactions – including email addresses, names and phone numbers of closing agents and buyers.

As noted in previous stories, these types of data exposures are among the most common and yet most avoidable. In December 2018, the parent company of Kay Jewelers and Jared Jewelers fixed a weakness in their site that exposed the order information of all their online customers.

In August 2018, financial industry giant Fiserv Inc. fixed a bug reported by KrebsOnSecurity that exposed the personal and financial details of countless customers across hundreds of bank websites.

In July 2018, identity theft protection service LifeLock corrected an information disclosure flaw that revealed the email addresses of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness that exposed millions of customer names, email and physical addresses, birthdays and partial credit card numbers.



Tags: Ben Shoval, First American Financial Corp.

This entry was posted on Friday, May 24th, 2019 at 4:47 pm and is filed under Data breaches.