Clean Up on Aisle One
My original plan for this week was to ask one of our customers to do a guest spot on the Clareity Security Blog. You know, some fluff piece on how great we are combined with a few of the fun stories we get from customers every week about how they caught unauthorized users in the MLS. I promise you the post will come, just not this week.
Last week, Clareity Security had the opportunity to fully execute our data center disaster recovery plan. I don’t recommend doing this as a stress reliever, but the experience was amazing in it’s demonstration of what worked (a lot did) and what didn’t (we changed several processes and policies). It also shined a spotlight on our awesome support and engineering teams – who held it together under very difficult circumstances. Difficult decisions that were in the best interest of our customers were made even though they impacted our bottom line. We all agreed when it was over, we had done the right thing – not the easy thing – but the right thing. It’s a core value at Clareity Security and one I’m proud to say we haven’t compromised.
The point of this post (I do have one), is that the lesson that reverberated for me last week was communication. Our customers have much more patience and understanding for technical issues when we COMMUNICATE what is happening, early and often. If you think you have communicated enough, there is a good chance you haven’t. If you think you have over communicated…there is no such thing.
We provided routine updates to vendors, MLS staff and leadership and even our own management team. I personally spoke to almost every customer last week that was impacted (some of you called me back just to say thanks!) I found it to be a rewarding experience in spite of the stressful nature of the week. Our customers are completely responsible for our success – they provide us with the critical feedback we need to ensure we provide outstanding service and COMMUNICATION.
Intel’s Acquisition of McAfee = More Emphasis on Security
Last week we saw one of the largest acquisitions in the history of computer security as Intel agreed to buy McAfee for $7.7 billion dollars. Clareity Security sells and supports McAfee SECURE™ (formerly HACKERSAFE™), a daily security monitoring service for web sites. Intel must have wanted McAfee badly because they paid a 60% premium over the stock price, which left a few analysts scratching their heads and calling it an expensive acquisition.
Why did Intel do it? Hans Mosesmann, an analyst at Raymond James Associates said: “Security is becoming a really big deal. The security threats that are out there are not going away — you could argue that they are going to get worse — and having a tightly coupled hardware and software is a strategic advantage.” In other words, Intel plans to build more security, malware and anti-virus features right on the PC chip. Intel’s chips also appear in other devices that connect to the internet such as DVD players, set top boxes, TVs, and even cars, and these devices need to be protected too.
Intel is also looking to diversify itself from the PC chip market as the world moves to the mobile web using smart phones and iPads. McAfee’s software provides mostly recurring subscription revenue, which will help smooth Intel’s revenue and give them an opportunity to enter the growing market for securing mobile devices. McAfee now offers smart phone security software, through the recent acquisitions of Trust Digital and TenCube. These companies make security software for the iPhone, Android, Blackberry and others. Since people are 15 times more likely to lose their smart phone than their laptop, mobile device security is becoming a big business and this is another strategic reason why Intel paid so much for McAfee.
Budgets – Friend or Foe?
Furthering Amy’s theme of knowing your customer better through the use of analytics, let’s explore fiscal planning for 2011. Many of our MLS industry partners are meeting right now with their finance committees, reviewing the current number of subscribers, the current year’s revenue numbers, and working on 2011 budgets. Tough decisions on programs, events, staff, new investments, etc. are made in conjunction with the revenue forecast.
Looking back at 2010, many organizations have not only met, but far exceeded their revenue targets. High-fives all the way around! This defines ultimate success for an organization, doesn’t it? Does this mean next year’s forecast should follow the same model? Should the forecast be increased or decreased? Consult the crystal ball or even flip a coin? Neither method has historically created an accurate prediction.
With all of these questions, analytics are more important than ever to help separate the signal from the noise, the wheat from the chaff. Our Scout for SAFEMLS solution uses rich analytics to identify revenue and cost reduction opportunities by recognizing shared subscription accounts. Revenue assurance is the formal name for ensuring everyone is paying for services received and is a very important part of revenue forecasting. Easily understood is the straight line drawn between a shared subscription and a lost revenue opportunity. Which begs the question – “Why budget for a 10% revenue loss when more than 25% of your subscribers are sharing access to services?”
As your organization heads into this 2011 budget season, please ask the tough question – ‘are we maximizing the revenue for all users of our services vs. just the current paying subscribers?’ If the answer falls along “we don’t know” or “it’s unclear” or “what??” please drop us a line to discuss our proven track record of maximizing our customers’ revenue and how we can create success for you.
Raise your hand if you think understanding your customer is more important than ever…
… Ok, actually hand-raising may not be the best way to measure this exercise since we are having this conversation virtually. I think we can all agree on a few premises though:
1) Understanding your customers can help retain and grow revenue.
2) All organizations benefit from gathering data on their customer and using it to provide better (or even different) services.
3) The word “analytics” is a big scary word that is hard to get our brains wrapped around.
In real estate it seems everyone with a website has some type of tool they use for analytics. Google Analytics is popular because of the price (free), others like Webtrends are often included in hosting packages. More sophisticated and expensive products from companies like Omniture are also available. The bottom line is ALL of these products help you to better understand which content is popular, but tell you very little about your customer and their uniqueness.
I have been watching with interest, the trends with digital publishers such as newspapers and other paid subscription (SaaS) providers. I think of MLS organizations and other real estate service websites as being digital content providers with similar models. Some times the content is offered for a fee (MLS subscriptions), sometimes the content is free (real estate search sites) and sometimes the content is offered with a “pay-wall” where you have access to some information for free but additional information requires a “registration” process and often a fee (third party applications, VOW’s, and some real estate search sites).
Like other digital publishers, organizations in real estate can benefit from understanding not just what “content” is popular, but more about the actual “people” interacting with that content. Understanding the demand at the “user” level instead of the “content” level helps organizations to understand which users are getting value from your service and which are not. This information can be used to predict user behavior and open opportunities for revenue optimization.
I’m probably losing a few folks about now with all of these buzzwords so let me put this into simpler terms with an example. If I am an MLS organization, understanding my users’ behavior (based on their login activity combined with which content they find most valuable) I can make better decisions about future products and services. I can predict with leading indicators, as opposed to trailing indicators, changes in demand for my services along with changes in my market. Imagine being able to predict your own increase (or decrease) for demand to drive operational cost decisions ahead of time. Imagine being able to target sub-groups of your membership for additional product opportunities. Imagine understanding your user population well enough to consider the impact of a change to your pricing model.
These are just a few of the benefits of deploying “user based” analytics, such as those utilized in Clareity Security’s Scout for SAFEMLS product, to detect and report account sharing. We would love the opportunity to hear more about how MLS organizations, real estate website service providers, brokers and agents are using or would like to use analytics to better understand the health of their business, and we look forward to sharing success stories from other customers.
About “Adaptive” Authentication
Clareity Security set the standard for real estate industry login security over five years ago, introducing strong authentication to the industry. Strong authentication, also termed “multi-factor” authentication, involves two of the three following items: something you know (e.g. a password or PIN), something you have that is not shared (e.g. a token, PDA or cell phone), or something you are (e.g. biometric information such as typing patterns). Recently, some vendors have offered an “adaptive security” mechanism that would replace strong authentication, implying that adaptive security is comparable in strength to strong authentication but when it comes to MLS use cases, this is simply misleading.
Adaptive security, for those unfamiliar with it, tries to detect abnormal use and then takes action when that abnormal use is detected. For example, if a user usually logs on from MyCity, Michigan and there is a logon attempt from YourCity, California, the system would attempt to make an assessment of whether the logon was valid. That works great in the banking context, but it just doesn’t apply in any significant way to MLS authentication security, where the most common problem is users intentionally sharing accounts within the same geographic area and even within the same office or home office, where they would likely be using the same computer type and perhaps even the same IP address – likely even the very same computer! An MLS user may also utilize a variety of computers to access the MLS – at customers’ homes, at coffee shops, or sharing computers in broker offices – that makes it even more difficult for adaptive technology to reliably distinguish between legitimate and illegitimate logon attempts based only on identifying the computer or IP address of the user. The potential for false positives is far greater and presents potential customer service issues for the organization.
Clareity Consulting has performed security audits for MLSs that have tried adaptive authentication. Their staff ask, “So, this user-id logged in from 2 computers – I don’t know if one is the home and the other is the office, or if this is a shared password. Another logged in from 15 computers and local IP addresses – I don’t know if they’re out in the field checking the MLS from wherever they can or if this is a shared account. Another user logged in a lot from one IP address – I don’t know if that’s a bunch of appraisers sharing a computer, a husband and wife team, or just someone that logs in a lot. So, I’ve got this information about Devices and IP Addresses used from the adaptive system – what do I do with it?” Unfortunately, there isn’t a good answer for them!
The only time one can depend solely on device identification to supplement the username and password credentials is when the device is something that is never shared – like a cell phone. Clareity Security experimented extensively in fielding a solution leveraging the agent’s cell phone, but both software and certificate deployment to the cell phone and text-messaging were simply too unreliable and required too much support from the MLS help desk.
Some vendors might point out that financial institutions use adaptive authentication – they are correct, but what they leave out is that banks are swiftly moving away from adaptive authentication alone and are moving to or adding strong authentication mechanisms. The real estate industry has unique issues around intentional account sharing, computer sharing, and mobile professionals, making adaptive authentication using device and IP address based identification insufficient to provide revenue assurance or ensure that MLSs remain members-only systems.
Intelligence-Based Scout for SAFEMLS Tackles MLS Challenges
In early 2009, Clareity Security partnered with AdmitOne Security to deliver Scout for SAFEMLS as an expansion of its industry leading SAFEMLS solution. Scout for SAFEMLS is an intelligence-driven authentication suite designed to improve revenue assurance and organizational security. Intelligence-driven strong authentication transparently monitors user access, continuously analyzes for unauthorized use, and automatically applies security policies for remediation.
Scout for SAFEMLS offers a convenient end user experience without compromising security or requiring the organization to incur the expense and time to provision hardware, software, or certificates to end user. Powerful biometric keystroke dynamics tracking offers unsurpassed account-sharing identification far beyond the traditional limited success of IP address and login frequency tracking offered by other security solutions in the marketplace.
Chart 1: Tracking of IP addresses fails to identify 60% of Shared Accounts
In a study of 400,000+ login attempts, using IP address and login frequency as the two measures of identifying a shared account, other systems’ methods resulted in one out of every 10 (10%) non-shared accounts being falsely identified as shared and a six out of ten (60%) miss rate of not identifying actual shared accounts.
Installation of Scout for SAFEMLS began in June of 2009 and the results have been overwhelmingly positive. Based on past experience with traditional SAFEMLS implementations, Clareity Security estimated identified account sharing percentages between 15 and 25% of all active user accounts. The results have actually been much higher. Scout for SAFEMLS is currently installed in eleven MLS accounts representing over 125,000 users with average account sharing detection of 32%.
Chart 2: Shared Accounts as identified by Scout for SAFEMLS
Many MLS organizations have recognized account sharing is directly correlated with revenue leakage. In addition to the benefit of protecting valuable MLS information from unauthorized access, MLS organizations also experience a strong return on investment through the increased revenues from new subscribers no longer able to illegitimately access the service.
Beyond identification of account sharing as the first step in fixing the problem, Clareity Security developed an automated remediation management module within Scout for SAFEMLS, which allows the organization to build customized remediation policies for the shared accounts. Varying from stringent, immediate shared account enforcement policies to developing policies intended to initially educate the end user and escalate enforcement for those users remaining non-compliant, Clareity Security works directly with the MLS organization to develop the ‘right’ set of policies. The true power of Scout for SAFEMLS resides in positively identifying shared accounts and then enacting remediation steps against shared accounts while assuring legitimate users are not inconvenienced.
With the on-going revenue assurance opportunity as a stated goal for many MLS organizations, the identified sharing statistics prove a substantial opportunity for revenue recovery and prevention of revenue leakage. The following example of a 5,000 subscriber MLS organization using Scout for SAFEMLS to identify and remediate shared accounts demonstrates this significant revenue opportunity:
Chart 3: Revenue Opportunity for MLS organization with 5,000 subscribers
Based on a typical cost of a MLS subscription of $35 per month, a 5,000-subscriber MLS organization, using Scout for SAFEMLS, will realize an almost immediate growth in revenue through the identification and recapture of shared subscriptions.
As MLS organizations forecast and plan based on subscription base changes, having the appropriate tools to monitor, analyze, and identify revenue leakage is absolutely critical to the on-going success of the organization. Scout for SAFEMLS from Clareity Security is uniquely positioned as the only intelligence-based analytics tool capable of meeting those challenges for the MLS organization.
For additional information visit www.clareitysecurity.com or contact:
Troy Rech, VP of Sales
540-857-0543
Troy.Rech@ClareitySecurity.com
Solving Unlicensed Use of Valuable MLS Systems Using Strong Authentication
Solving Unlicensed Use of Valuable MLS systems using Strong Authentication
Clareity Security – July 2009
Over the last five years, over half a million users have had their MLS and other real estate software protected by strong authentication, primarily Clareity Security’s SAFEMLS® solution. Strong authentication stops unauthorized access by combining multiple factors – something you know (like a username and password or PIN) with something you – and only you – have (like a cell phone or hardware token) or something you are (biometrics – like fingerprints). Strong authentication has been proven effective in combating unlicensed use and associated revenue leakage while reducing the load on valuable system resources. In most implementations of SAFEMLS, organizations realized an increase of 5 to 40% of membership and associated revenue. In addition, several implementations saw decreases in system usage by up to 50% as illegitimate users were turned away.
Clareity Security has proven itself as the market leader in the authentication space with the flagship SAFEMLS solution. SAFEMLS was originally introduced in 2004 with both hardware and software token offerings. In a continuous effort to offer users a choice of form factors that were both convenient and affordable, Clareity Security released strong authentication options that did not require the user to carry a hardware token (or ‘fob’). Choices included receiving one-time-use passwords on a cell phone or PDA, via the lockbox key and a wide variety of other methods.
Recently Clareity Security began offering an intelligence-based, zero-footprint (no end-user software or hardware) authentication solution. Scout and Sentry for SAFEMLS® uses multiple authentication factors to ensure that the user logging in is the legitimate user. It combines something the user knows (the username and password) with something the user has (intelligent analysis of what computers the user is coming from) with something the user is (a proven and security-regulation certified biometric technology: keystroke dynamics). This technology captures the user’s session information of location, device, and biometric and builds a profile to determine what the legitimate user’s access looks like. These three factors together are used by Scout for SAFEMLS to aggregate, analyze, and act on session data to stop unlicensed use.
The following chart is an example of a shared account where Sentry for SAFEMLS has identified two distinctly different typing patterns or profiles by Keystroke Dynamics. In this case, the two user profiles are also using different devices to access the MLS.
Unlike traditional authentication solutions requiring administrative overhead, Scout and Sentry for SAFEMLS leverage access intelligence and provide the first and only security solution to automate remediation of account sharing. Remediation actions can include sending notifications to the user, forcing password changes and ultimately sending a one-time-use code to the user’s email address – or even better sending it to their cell phone. The user must then use that special code to finalize their login. Most importantly, legitimate users are never impacted by this solution.
Recently, some vendors have confused the market by introducing weaker forms of authentication and incorrectly calling them “strong authentication” without providing a defense against collusion, the primary source of unlicensed use. For example:
- - “Secret Questions” – This mechanism adds an additional ‘something you know’ – answers to secret questions – to your existing username and password. By definition it is not strong authentication and is easy to defeat, as users can share the answers as easily as they have shared passwords. If one asks a lot of secret questions, the answers can be shared via email or paper copy, or the user may just use the same answer for all questions. Worse, if the user answers really secret questions truthfully – like birth date, mother’s maiden name, or social security number – your MLS now has very sensitive data to protect and increased liability. Secret Questions are also as vulnerable to keystroke logging, packet sniffing and other hacking as traditional password authentication. If used appropriately, secret questions can add value to a more comprehensive authentication solution, but on their own, they have limited value and can create user frustration and an increase in help desk calls.
- - “Certificates” – This is similar to a web browser cookie stored on your computer – it’s “something you have” in addition to the username and password. Unfortunately, since one of the industry’s primary problems relates to shared computers, this is fairly useless as a method. Certificates are just files that can be e-mailed to other computers and users. Colluding users can easily defeat the authentication technique. Authenticating the computer is not a replacement for authenticating the end-user. Also, how is the user authenticated to get new certificates then they go to a new machine? If there’s no strong authentication needed to get the certificate, this security method is as strong as its weakest link!
- - “Adaptive Authentication” tries to detect abnormal use and then takes action when that abnormal use is detected. For example, if a user usually logs on from Detroit, Michigan and there is a logon attempt from Honolulu, Hawaii, the system would attempt to make an assessment of whether the logon was valid. However, in the real estate industry the most common problem is users intentionally sharing accounts within the same geographic area and even within the same office, where they would likely be using the same computer type and perhaps even the same IP address. MLS users also utilize a variety of computers to access the MLS – at customers’ homes, at coffee shops, or sharing computers in broker offices – that makes it even more difficult for adaptive technology to reliably distinguish between legitimate and illegitimate logon attempts.
Clareity Security is the only vendor that provides a convenient token-less method of strong authentication that is both effective and does not impact legitimate users. Don’t be fooled by ‘weak’ authentication masquerading as strong login security. The security standard set for MLS logins and data sharing agreements all over the country is strong authentication. Genuine strong authentication that addresses collusion is the only proven method of protecting the login against illegitimate use and providing the MLS operator the benefit of increased revenue.