The Challenges of e-Security

by Rob Lee
BIO AND CONTACT INFO

Avoiding a Nightmare on Main Street
When you think of something frightening, what comes to mind? Halloween? Freddie Krueger? What about Internet Security? Like Halloween, Internet security as it pertains to mortgage banking could become the nightmare on Main Street if we don't deal with it more forcefully. Because right now, somewhere in the spooky zones of cyberspace, somebody is breaking into somebody else's network. I hope it's not yours or mine. But unfortunately, we won't know that until after the deed is done.

The good news is, all those Freddie Kruegers running around out there are not alone. Many people-a pretty big army, in fact-are working around the clock to safeguard networks from intruders. It's a cat-and-mouse game. Fortunately, many computer hackers are in it just for kicks, for the pure thrill of sneaking in someplace they're not supposed to go.

Sometimes they leave an electronic calling card, to let the people running the network know they've scored a point. And sometimes they behave like ghosts, leaving no trace at all of their incursion-and usually, no damage. Other hackers are just plain thieves. They want your data and they're going to steal it if they can. At least thieves operate with logic and methods that are somewhat predictable. They're like the villains in the James Bond movies-evil, but in the end, defeatable. The most dangerous hackers, though, are also the hardest to understand. Their motivation is pure malice. They want to crash your network, vandalize your data, destroy your customer relationships and cause your business to stop functioning and they've concocted a real witches brew of computer viruses, crackers and worms to do it.

Internet Migration
This is not the kind of stuff anyone wants to, but you need to hear it-even if you've heard it before. Why? Because the mortgage banking industry is migrating toward the Internet just like everyone else.

It's unstoppable-a hundred-year event that's changing the way commerce is conducted. Just as an example, over the next two months, holiday shoppers will spend nearly $12 billion dollars on merchandise they see and order on the Web, according to Jupiter Communications. The Internet as a tool for real business has reached critical mass. More than half the households in 21 major metropolitan areas in the U.S. have Internet access and use it on a regular basis, according to a Nielsen/NetRating report.

That's more than triple the number only 7 months ago. Let me repeat that. Triple the number of 7 months ago. A lot of people like to use the word "explosion" when they talk about Internet commerce-and it's a good word to use. If we compare it to a hydrogen bomb being detonated, right now we're about a second and a half into it and maybe 10 feet off the ground. The mushroom cloud will be along shortly. Consumers are getting comfortable booking travel online, bidding in auctions online, gambling online and even buying cars online. So it's natural for them to want to obtain a mortgage online. And that's great news.

Cost Savings Are Compelling
As mortgage banking expands on the Internet, we'll see higher productivity, lower costs, expanding markets and much, much closer relationships with customers. The cost factor alone is absolutely compelling. A typical banking transaction costs the institution only 2 cents via the Web instead of a dollar or more at a teller window. Since the mortgage banking business operates on pretty thin margins, there's a real incentive to move toward anything that reduces costs, but only if it allows lenders to provide service to customers at the level they expect in what is most often a highly significant event in their lives.

The Internet can do a lot in one other very important aspect of customer service-it can save time. During the origination process, data can be pulled from an in-house loan servicing system to pre-populate many form fields, if the applicant previously obtained, or even applied for, a loan. In the case of a new borrower, liabilities can be automatically filled in with information pulled from his, her-or their-credit report. When it comes to time saved, lenders benefit even more than consumers from the Internet.

Once payments begin, the borrower can update personal contact information-such as phone number, e-mail or fax-by going online instead of calling a customer service rep. Putting payoff quotes online saves the lender even more money in terms of phone charges and call center payroll. Each query to loan payoff data yields marketing gold in the form of a current customer e-mail address that can be used for follow-up marketing efforts.

Direct mail costs a dollar per piece. The same information sent by e-mail costs pennies-and the response rates are higher. The Internet allows customers to serve themselves any time day or night. They can obtain mortgage information, compare rates and lenders and download forms or submit them online. Concerns about racial discrimination are vastly reduced or eliminated. So it's no surprise that Fannie Mae's National Housing Survey for 2000 has revealed some strong indicators that the Internet is going to play a much bigger role in mortgage banking: 4 out of 5 Americans of home-buying age have Internet access at home or at work. Thirty-three percent of adult Americans think the Internet can be useful for filling out and submitting loan application forms.

More than half of them believe that most home mortgages will be handled over the Internet by the year 2005. Franklin Raines, chairman and CEO of Fannie Mae, said the survey "has uncovered a perceptible and positive shift in people's view of the Internet and their willingness to use it to purchase a home. This is good news as the mortgage industry reinvents itself in the Internet age."

Fear of the Online Mortgage Process
What's surprising to me is that, today, the promise of true Internet mortgage banking is still unfulfilled. By that I mean using the Internet from the very beginning of the loan process all the way through to the end. That same Fannie Mae survey found a huge falloff as the loan process progressed: A majority-56 percent-of recent home buyers used the Internet to get mortgage information. But only 4 percent of recent purchasers applied for a mortgage online? And a mere 2 percent -1 in 50-completed the entire mortgage approval process over the Internet. Why are so many people holding back?

Well, Fannie Mae found that answer, too. They're afraid?afraid to give out so much personal information online. Now, they're not afraid of you. And they're not afraid of the online mortgage process. Their fears are focused on the Internet itself. Sixty percent of the people surveyed said the Internet is not a secure place to conduct personal finances. This represents a huge barrier to the migration of mortgage banking onto the Internet and everyone-lender and borrower alike-is losing out because of it. You and I who are comfortable working online may think a lot of people are being kind of paranoid.

After all, people hand over their credit cards to restaurant waiters and gas station attendants all the time. They give out their social security numbers all over the place. So, let's ask ourselves: are those 6 out of 10 individuals just victims of their own groundless fears? I don't think so. They've got good reason for distrusting what happens when personal information goes into a computer. A half-million U.S. citizens have their identities stolen each year because of lax verification systems. This "identity theft" is growing at 40 percent a year. The threat of lawsuits against the companies operating those lax systems is very real.

A mass media expert named Marshall McLuhan used to say that perception is reality. Well, listen to this perception expressed in a recent study by New Harris Interactive: American consumers are more concerned about loss of their personal privacy online than about health care, crime or taxes. If the mortgage banking industry is to reap the benefits of making the Internet a major part of our business, we have to change that perception.

Increasing Consumer Confidence
One part of the solution is education. We have to persuade our customers that typing an origination form online is just as acceptable as writing one on paper. This will take time-and every breach-of-security incident on the Internet is a setback. The real issue is consumer confidence. And it's critical that we frame that issue precisely in people's minds.

At a recent finance conference in Boston, IBM's chairman, Lou Gerstner, drew the very important distinction between privacy and anonymity. He pointed out that nobody really expects to stroll completely anonymously through the networked world and that no civilized society could accomplish very much if everyone could. Instead, privacy is about the ability to make a choice-choosing what you want to disclose about yourself-and to whom. That's the definition of privacy that we, as an industry, must convey to consumers. We need to do so very prominently and we need to take proactive steps to help all borrowers understand precisely what personal information we require to make good lending decisions-and why we require it. This will go an especially long way with the less sophisticated borrower.

The other half of changing people's perception about the Internet is more tangible. We have to implement more effective Internet security measures. And that's more of a challenge. Why? Because of the nature of the Internet itself. It represents convenience. There's a reason why Gateway and Dell have sold millions of personal computers into American homes-people believe it will make their lives more convenient. The truth is, consumers don't want to sacrifice one iota of convenience to get greater security. They regard that as our job. They expect us to keep all the bad guys out and let all the good guys in. They expect us to protect their personal privacy and confidential data with appropriate levels of information security, but at the same time make it even more simple and convenient for them to make online inquiries or conduct online transactions.

Balancing Security and Cost
These conflicting demands send IT staffs right up the wall. Because they know the ugly truth-the Internet was never designed to be very secure. The people who created the Internet Protocol made a conscious decision to make it very open, so large numbers of people could interact freely. As a consequence, it has primitive security support. This is a terribly imperfect situation. What can we do about it? Well, let's take a look at the requirements for secure Internet mortgage activity.

Opinions vary, but I see three of them:

1. Protection-to prevent the corruption or destruction of data.
2. Integrity- to ensure the authenticity of data.
3. Accessibility-to balance privacy against convenience.

Let me briefly address each of these.

Protection
The biggest concern here is computer viruses. You may recall the "I LOVE U" virus back in May 2000 that crashed the computer systems of corporations and governments worldwide. And let's not forget the lovely Melissa virus and the ExploreZip worm. Each of them cost billions of dollars in computer downtime. Virus terminology is both colorful and scary: Trojan horses ? logic bombs ? denial of service attacks ? mail bombs. In response to this plague, the information industry has assembled a very substantial anti-virus contingent that spans everyone from SWAT teams to researchers. It's like Arnold Schwarzenegger and Jonas Salk working in adjacent cubicles. They're good-very good. And they have extensive resources at their command. And it helps that law enforcement agencies around the world are pretty much on the same page about dealing with virus-makers-once they're tracked down, they get busted.

Integrity
The Internet has two fundamental problems here:

1. When data appears to come from computer A, there is no guarantee that it really did come from computer A.
2. Even if the data really did originally come from computer A, there is no guarantee that someone didn't see it in transit. Hackers use "sniffer" programs to detect encrypted or sensitive data. They gather and decode it-and if they get onto network hosts, they can alter or delete files, steal information, and erase all evidence of their activities. The solution that deals with this is a system of network firewalls complimented by intrusion detection systems. Developers are making great progress in building systems that extend and enhance the safety zones around sensitive data. And like their counterparts working to immunize our networks against viruses, they are making good progress.

Accessibility
This means verifying a person's identity when she or he logs onto your network-so you can grant them access to appropriate applications and data. The identity theft I mentioned earlier is frequently an issue here-as thieves try to fool your systems into thinking they're one of your customers. The password systems used by most e-commerce sites are inadequate to protect the personal information attached to mortgage documents. Much stronger medicine is the type of crypto-system that enables you to reliably authenticate people and to encrypt and decrypt messages. Encryption systems are based on mathematically-based keys that include large, random combinations of numbers and characters, as well as trapdoor and one-way functions. This is the stuff the average spy novel is made of.

So those are the issues and requirements. Now, what actions can you take right now to achieve effective Internet security? The first step is you must personally believe that this is a critical issue to the success of your organization. Then, as the organizational leader, you must provide two elements: executive attention and dedicated resources.

Executive Participation is Critical
The participation of top leadership is essential to identify a company's Internet security issues and develop a strategy that balances performance with reasonable cost. As I mentioned before, it is our job to provide security to our customers-although the cost of doing so cannot be allowed to outweigh the convenience and performance of the Internet. Otherwise, we are defeating its purpose. Dedicated resources are just as essential. By that, I mean specialized professionals-working with adequate budgets- who stay abreast of Internet security events and trends, and understand their ramifications for the company.

They provide overall direction for policies and practices and support the administrators across the company who run cooperative or subordinate Internet security programs. If you've got your top leadership involved-and good people who focus exclusively on this problem you have significantly increased your ability to create a highly secure environment for Internet transactions. Your business will benefit tremendously in the months and years ahead. We all have a big stake in this. More than most industries, our individual success depends on our collective reputation. When mortgage banking, as an industry, becomes known for its secure Internet environment-as a place consumers can completely trust -will all benefit. The market is growing. The tools are at hand. And the leaders of our industry are concerned.

First published on 8/13/01 BankersOnline.com