How to Prevent Authentication Attacks

In recent years, we’ve heard an increasing number of news stories related to cybercrime. Most of the time, we’re hearing about major corporations or government institutions being targeted and having their customers’ personal data compromised. But that doesn’t mean those big organizations are the only ones in the line of fire.

Often, fraudsters aren’t even after these large organizations; instead, they’re looking to get their hands on the personal data of the organization’s customers,’ such as their banking information.

Another growing trend is real estate wire transfer embezzlement, also known as wire fraud.

With wire fraud, a fraudster gains access to a home buyer, seller, or another involved person’s user authentication credentials. This allows them to gain access to a target email address or account. In turn, they watch the account, determining who is involved and learning details about the transaction. They then try to trick the victim into sending the money to them instead of its rightful owner.

In the following article, we’re going to take a deeper look at authentication attacks. Are you at risk? We'll also leave you with a few tips to help you prevent real estate wire fraud.

What is "broken authentication" In real estate?

The purpose of authentication and secure authentication apps is to ensure that the person logging into an account or network is who they say they are.

Broken authentication refers to weaknesses in the authentication process. This might allow a fraudster to capture a user’s login credentials, or bypass the secure authentication process entirely.

The goal of an authentication attack is to gain access and take over an account to get the same privileges as the legitimate user.

In the case of real estate wire fraud, the attacker might attempt to steal the login credentials of a law firm clerk or an escrow officer. With these, they could gain control over any funds that are in the escrow account.

Types of real estate authentication attacks

There are many different types of authentications and multiple methods that fraudsters can use to gain unauthorized access to your accounts and/or other sensitive information.

Below, we’ll go over some of the most common forms of broken authentication, which could lead to real estate wire fraud

1. URL rewriting

In some cases, a website or mobile application may support URL rewriting, which places the user’s session ID in the browser’s URL.

For example, this could lead to an attack if an internet user wanted to let a friend know about a house for sale in their area or just a good deal somewhere on the market. They might copy and paste the URL from their browser to send to their friend, via a potentially compromised email address, and not notice that their session ID is present in the URL.

The URL might look something like this:

When their friend uses the same URL to access the webpage, they’d connect to it using the original friend’s session ID; and that person’s credit card or banking information could still be present.

If a fraudster were able to access the email with the URL, and the user’s session ID, they could acquire this sensitive information.

2. Improper application timeout

Imagine a law firm clerk is using a public computer to access their firm’s network while away from the office. They finish their work but instead of clicking on “Logout,” they simply close the tab and walk away from the computer.

An hour later, a fraudster walks up and starts using the same browser on the same public computer. Because the application still hasn’t timed out, the browser could be authenticated with the clerk’s login information.

This could give the fraudster access to whatever documents or information the clerk was looking at. In some cases, it could be yours or your client’s transaction details.

3. Weak or predictable log-in credentials

An authentication attack can also be carried out by the fraudster using easy-to-guess or predictable usernames and passwords to access real estate accounts.

For example, many people often use weak passwords such as “abcd1234” or their first and last names because they are easy to remember.

While these passwords do make it easier to remember your login information, it’s simple for fraudsters to guess them. The attacker then gains unauthorized access to the account and any real estate funds associated with it.  

4. Improperly hashed and salted passwords

In other cases, an external attacker--or even somebody inside a real estate organization--could gain access to the password database of their company’s network.

If these passwords are not properly protected via secure encryption protocols, the fraudster could easily access every one of the network’s users’ passwords.

Is your organization at risk?

If you’re involved in any sort of real estate transaction, be it as a buyer, seller, escrow officer, or law firm clerk, the simple answer is, yes, you are at risk of an authentication attack.

This is because fraudsters are always on the lookout for easy ways to get their hands on large sums of money. Real estate wire transfers provide them with the perfect conditions to get away with their crime.

Additionally, you might be at risk if:

• You’re using easy to guess or predictable login credentials
• Your authentication credentials aren’t protected when stored on your computer or device
• You’ve sent passwords or other types of login credentials over unencrypted connections
• You frequently use public computers or Wi-Fi networks

How to protect your transactions

There are many types of fraud, and authentication attacks are a very real threat when it comes to real estate transactions. However, there are some online practices to avoid in order to prevent fraud.

1. Always use strong passwords that would be hard to guess. Don’t use personal information, such as your first or last name, date of birth, address, or place of residence.

2. Secure any devices that have your passwords stored on them with a strong password or other kinds of authentication measures.

3. Stay away from public computers and Wi-Fi networks, especially when dealing with real estate transactions or banking information.

4. Fraudsters often lurk around these unsecured networks hoping to capture your login credentials. Be sure to take the necessary steps to protect yourself, your clients, and their real estate funds.

Preventing fraud with CertifID

CertifID prevents these types of attacks, making all transactions between escrow and compliance officers, law firm clerks, title owners, or home buyers and sellers more secure. This is done by having the users verify their identities and banking information before any transaction takes place.

When it comes time for the transfer of monies, all parties involved are assured of the other’s identity. The transaction can then take place with a vastly reduced risk of wire fraud. Contact CertifID today to learn more about how you can protect your sensitive information and prevent fraud.

‍