As a consultant often called on by MLSs for help with VOW and IDX compliance audits, I also serve as a subject matter expert for Clareity Security’s SAFE Syndication product. And, as someone who is always pushing for improved information security in the real estate industry, I love that information security is featured prominently in the VOW rules, section 19.5: “A Participant’s VOW must employ reasonable efforts to monitor for, and prevent, misappropriation, ‘scraping’, and other unauthorized use of MLS listing information. A participant’s VOW shall utilize appropriate security protection, such as firewalls, as long as this requirement does not impose security obligations greater than those employed concurrently by the MLS.” The last part of that rule is also reflected in optional IDX rule section 18.3.14. Auditing these rules has allowed me to help many brokers improve their VOW and IDX security and reduce the risk of an information security incident.
I’ve already written about guidelines for anti-scraping and monitoring and, although anti-scraping is a constantly evolving challenge, that article provides at least a baseline for evaluating VOW rule compliance.
But, what else should MLSs be looking for when evaluating VOW and IDX security?
First, as specifically mentioned in the rule, appropriate firewall protection must be established. When I audit a VOW, I look to make sure that there are only a few specific network ports open on the server – 80 and 443 as needed for the web server to function, and ports needed to provide a secure method of server administration, such as port 22 – or 989 and 990. If ports like 21 and 3389 are open and actually used to administer the website, it should be a big compliance red flag because they are common security incident causes – and issues I see the majority of the time when auditing a VOW or IDX site.
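The port check described above can be scripted against scan output. The following is an added example, not code from the original post: it parses one host line of nmap's grepable (`-oG`) output and sorts the open TCP ports using the ports named in the paragraph. The sample line, the address 203.0.113.10 and the function names are constructed for illustration.

```python
import re

# Port policy taken from the paragraph above.
WEB_PORTS = {80, 443}                 # needed for the web server to function
SECURE_ADMIN_PORTS = {22, 989, 990}   # SSH, or FTPS data/control
RED_FLAG_PORTS = {21: "FTP", 3389: "RDP"}

# In -oG output the "Ports:" field runs until the next tab or end of line.
PORT_FIELD = re.compile(r"Ports:\s*(.*?)(?:\t|$)")


def open_tcp_ports(grepable_line):
    """Return the set of open TCP ports from one `nmap -oG` host line."""
    match = PORT_FIELD.search(grepable_line)
    if not match:
        return set()
    ports = set()
    for entry in match.group(1).split(","):
        # Entry layout: port/state/protocol/owner/service/rpc/version/
        fields = entry.strip().split("/")
        if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
            ports.add(int(fields[0]))
    return ports


def audit_ports(open_ports):
    """Sort open ports into allowed, red-flag and unexpected groups."""
    findings = {"allowed": [], "red_flag": [], "unexpected": []}
    for port in sorted(open_ports):
        if port in WEB_PORTS or port in SECURE_ADMIN_PORTS:
            findings["allowed"].append(port)
        elif port in RED_FLAG_PORTS:
            # Open is not the same as "used for administration":
            # the auditor still confirms that with the site operator.
            findings["red_flag"].append(port)
        else:
            findings["unexpected"].append(port)
    return findings


# CONSTRUCTED sample: one host line as `nmap -oG` would write it.
SAMPLE_LINE = (
    "Host: 203.0.113.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (994)"
)

if __name__ == "__main__":
    for group, ports in audit_ports(open_tcp_ports(SAMPLE_LINE)).items():
        labels = [f"{p} ({RED_FLAG_PORTS[p]})" if p in RED_FLAG_PORTS else str(p)
                  for p in ports]
        print(f"{group:>10}: {', '.join(labels) or '-'}")
```

Ports in the "unexpected" group are not named in the post either way; they are listed separately so the auditor can ask why they are reachable.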
Second, you want to verify that all the web server software is up to date and properly configured. That means checking the web server (IIS, Apache, etc.) version, the operating system version (when possible) and the platform (.NET, JSP, ColdFusion, WordPress, etc.) version, making sure that those are the most current versions or that newer versions don’t have fixes for significant security vulnerabilities. You might think that keeping systems patched would be second nature for a technology provider, but in my experience it seems not to be the case.
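The version check described above usually starts from what the site itself discloses. The following is an added example, not code from the original post: it reads the `Server` and `X-Powered-By` headers and the HTML generator tag from an HTTP response and compares each disclosed version with a minimum the auditor maintains. The response text and the baseline numbers are constructed placeholders, not real release data, and the function names are hypothetical.

```python
import re

# product/version tokens such as "Apache/2.2.3" or "Microsoft-IIS/7.5"
TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")
# <meta name="generator" content="WordPress 3.0.1">
GENERATOR = re.compile(
    r'<meta\s+name="generator"\s+content="([A-Za-z]+)\s+(\d+(?:\.\d+)*)"', re.I)


def parse_version(text):
    """'2.4.0' -> (2, 4); trailing zeros dropped so 2.4 == 2.4.0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def disclosed_versions(raw_response):
    """Collect {product: version} from banner headers and generator tag."""
    head, _, body = raw_response.partition("\r\n\r\n")
    found = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("server", "x-powered-by"):
            for product, version in TOKEN.findall(value):
                found[product.lower()] = parse_version(version)
    match = GENERATOR.search(body)
    if match:
        found[match.group(1).lower()] = parse_version(match.group(2))
    return found


def audit_versions(found, baseline):
    """Label each disclosed product as ok, outdated or no baseline."""
    report = {}
    for product, version in found.items():
        minimum = baseline.get(product)
        if minimum is None:
            report[product] = "no baseline"      # auditor must look it up
        elif version < minimum:
            report[product] = "outdated"
        else:
            report[product] = "ok"
    return report


# CONSTRUCTED baseline: placeholder minimums, not real release data.
BASELINE = {"apache": parse_version("2.4"), "wordpress": parse_version("3.1")}

# CONSTRUCTED sample response for the example.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache/2.2.3 (CentOS)",
    "X-Powered-By: PHP/5.2.17",
    "Content-Type: text/html",
    "",
    '<html><head><meta name="generator" content="WordPress 3.0.1" />',
    "</head><body>Listings</body></html>",
])

if __name__ == "__main__":
    found = disclosed_versions(SAMPLE_RESPONSE)
    for product, status in audit_versions(found, BASELINE).items():
        version = ".".join(map(str, found[product]))
        print(f"{product} {version}: {status}")
```

A site that discloses no versions yields an empty report, which means the check could not be made from outside, not that the software is current.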
Third, you want to evaluate any externally obvious security misconfigurations of the server and platform. Every server and platform has its own security configuration guidelines and it’s reasonable to expect that obviously poor configurations should not be visible to an external evaluator.
Fourth, and probably the most complicated part of evaluating VOW security, you want to evaluate application security – at least the OWASP Top 10 Vulnerabilities: Injection, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery, Security Misconfiguration, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection, and Unvalidated Redirects and Forwards. I usually evaluate Information Leakage and Improper Error Handling as well. Some of these items can’t be easily validated externally (e.g., Insecure Cryptographic Storage) though I’m always glad to hear that a web developer has encrypted the passwords and so cannot technically be compliant for VOW rule 19.3b (“The Participant must at all times maintain a record of the name, email address, user name, and current password of each registrant.”). I’ve seen every one of these OWASP vulnerabilities while auditing VOWs and many times there are half a dozen issues on a single VOW.
If you’re a staff person at an MLS and a lot of the preceding read like gobbledy-gook to you or you don’t know how to audit security, you may want someone like me auditing VOWs and IDX sites for you, or at least auditing the security and anti-scraping related portions. It’s easy to split the audit responsibilities if your MLS is a Safe Syndication customer. It has been a blessing for the industry that the VOW and IDX rules give MLSs the opportunity to ensure that at least some reasonable security best practices are in place for VOW sites. I’ve had brokers tell me they were actually grateful someone was keeping an eye on their technology provider in this area, since they lacked the capacity to do so themselves and just figured that all appropriate measures had been taken.
Please keep in mind that website security is the smallest portion of overall brokerage security. Taking appropriate steps in terms of policies and contracts, physical security, account management and password controls, internal networking and computing, mobile device security, and internal web applications are all important. The NAR sponsored security workshops and security articles and blogs that I write, and which many MLSs and Associations reprint, are helping me reach some brokers and agents – but it’s a very difficult task to try to improve information security in this industry and I hope that I can count on my readers to act as security allies and spread the word.
An average REALTOR® manages unique logins for 20 or more websites, both personal and professional (think MLS, Association site, broker’s intranet, third party related sites, etc.). It is likely each of those websites has a different password policy with varying requirements for password length, letter/number/character requirements, and expiration periods. As in the old Abbott and Costello skit Who’s on First, keeping abreast of what password goes where is an unlikely reality unless two common solutions are utilized. The prevailing method employed is to use as few password combinations as possible to ensure easy access. In other words, use the same password for every site possible. The second most common solution is writing the passwords all down on a piece of paper and storing the paper in a desk drawer. Both are ticking time bombs waiting for the right moment to blow.
The January 2012 hack of ZAPPOS® loudly reiterates the problem of using the same password across multiple sites when a breach occurs. In communications to their customers ZAPPOS® simply stated, “We also recommend that you change your password on any other web site where you use the same or a similar password.” A breach in one site can have a cascading effect to other sites due to the commonality of passwords used. This serious problem is not unique to REALTORS®. The plethora of user IDs won’t go away any time soon. In fact, we anticipate the problem will only worsen over time as more and more sites collect user information behind the veil of login.
What is the bottom line for the MLS or Association? Jump into deploying technologies with both feet. Stop catering to the dinosaurs (of all ages) that resist change at every turn. Remove the silly obstacles subscribers encounter when gaining access to frequently used systems (such as asking them to remember multiple IDs and passwords for various systems). “Was it my NRDS number or my email address or my license number? I don’t remember.” should become the concerns of the past.
Ultimately, by deploying single sign-on (SSO), support costs will decrease and user efficiency will increase for both end users and staff. Best of all, you will satisfy your subscribers with an easy means to navigate between their applications without repeatedly presenting authentication credentials in order to do so.
Stay tuned as Clareity Security continues to innovate new ways to present value and efficiency through technology tools.
Sunshine, Spring Training and Syndication…all of that and MORE is going down in the desert next week.
Can you believe it’s that time of year already? Almost 200 industry folks are preparing for the annual pilgrimage to the Clareity Consulting MLS Executive Workshop in sunny Scottsdale, AZ. Sure it helps that many of us are feeling a bit deprived of Vitamin D and the average temperature in the Valley of the Sun is a perfect 73 degrees. It can’t hurt that the town is brimming with professional baseball players and you have your choice of over 100 places to chase a golf ball through the desert. The real excitement for Clareity is the opportunity to deliver incredible content, spend time with clients and customers and hopefully leave mutually enriched.
The agenda is packed with great speakers, panelists and information. I am privileged to lead the discussion on Strategic Syndication. Those of you with a good memory might remember last year’s topic labeled “Syndication….the last word” where we basically agreed it had been beaten to death. But like all topics in need of better answers, we as an industry aren’t done. With so many contributors, much progress has been made. I’ve been pleased to work with several of our early adopters of the Clareity Security SAFE Syndication™ product. I’ve also been an active participant on the Council of MLS Board of Directors who produced a Syndication Toolkit for their members and are working hard to keep it current. Earlier today, Matt Cohen wrote a great post “Strategic Syndication – Year One” which summarizes the current syndication landscape.
So while we admit we were FAR from the last word on syndication last year, we are pleased to see real action being taken to improve the process for MLS organizations, brokers and the consumer. Looking forward to seeing many of you next week! Don’t forget your sunscreen.
PS – while I’ve gone on about the gorgeous weather in Scottsdale, it is technically still “winter” so a light jacket or sweater for the evening is always appropriate since we like to throw our parties poolside!
In Part One of this series, Clareity Security described how Safe Syndication helps MLSs provide a member benefit helping brokers with the advice they need to engage in “Strategic Syndication” and also efficiently handle questions about listings found everywhere online – but Safe Syndication does so much more. Safe Syndication also helps MLSs manage rule compliance for IDX websites and Virtual Office Websites.
In the past, MLSs have depended on “complaint-based” and partial rule auditing. “Complaint based” auditing alone is a recipe for disaster – we’re sure you can hear it in your ears right now: “The MLS picks on me because I’m a new model online broker!” With an MLS IDX/VOW audit policy and consistent auditing, all brokerages are treated equally and there is no discrimination or cause for complaint. Also, non-compliance with many IDX and VOW rules, such as security and anti-scraping requirements, are not going to be evident to the casual site visitor and thus will never come up for a complaint-based audit. Finally, reviewing a site for only some rules is problematic because once one has let a site slide on un-noticed rule violations for long enough, the site owners are far more resistant to change than if issues are brought up during the site launch.
So, MLSs need a system that formalizes their rules of when to audit (or re-audit) and what to audit, provides audit reminders and workflow management to MLS staff, and manages documentation and reporting. Safe Syndication is just that system. And MLSs can either use the system themselves or even engage Clareity Security to provide full auditing services, including the tricky technical parts of the audit such as testing security practices and writing “scraping” programs to test anti-scraping – and allowing the MLS and its staff to remain “arms-length” from the audits and the possible politics surrounding them.
Clareity led the way on syndication in 2011, debunking the myth that “Listings Everywhere” have as much value as some people think and showing the various ways that listing advertising websites are intentionally siphoning off leads from the listing agents and misleading consumers. Clareity illustrated exactly how leading websites were not aligned with broker and agent business objectives. Unfortunately, individual brokers don’t have the time or inclination to keep an eye on these websites in order to gauge whether it makes sense to send their listings to each site. So, Clareity Security created Safe Syndication, which facilitates the MLS providing an increasingly important member benefit to brokers and agents: helping them understand how well each listing advertising website aligns with their business objectives before choosing to syndicate their listings to those websites. With the MLS involved, it will be much easier for brokers to engage in what Clareity calls “Strategic Syndication”.
In its 2011 white paper, Clareity created the “Syndication Bill of Rights”, a set of easily measurable criteria that brokers (or MLSs) can use to help evaluate the advertising websites. Clareity suggested that MLSs rate the websites and provide educational materials to their brokers, so that brokers didn’t duplicate effort evaluating these websites. Some MLSs already use syndication services that provide guidance of the websites, but such services can have a difficult time rating the performance of these portals, especially when those syndication services are being paid by the portals, and MLSs have found the report cards don’t really cover most of the criteria that brokers care about and which Clareity included in its white paper. MLSs need to take compliance evaluation further.
So, Clareity Security has created Safe Syndication. Safe Syndication provides a way for MLSs to establish a measurement scorecard based on their own criteria, perhaps using the Syndication Bill of Rights as a starting point, and delivers a mechanism for measuring compliance and delivering additional value to brokers and agents by providing them with the information they need to make informed syndication decisions. ListHub customers will benefit from deep integrations, including single-source entry of portal participation and complaints, as well as access to the ListHub “Report Card”. Clareity Security is open to integrations with other third parties using a similar API. In the future, Clareity Security plans to provide social integration between customers – collaboration on compliance report cards and the sharing of statistics regarding portal complaints. This feature will make it even easier for MLSs to share the effort of keeping track of all of the syndication websites.
Unless you were hiding under a rock today or happened to be vacationing in an exotic location with no access to US media (P.S. I’m green with envy if you were in that second category) you have by now at least heard of SOPA (Stop Online Piracy Act) and her equally frightening sister PIPA (Protect IP Act of 2011). If you haven’t heard of it, here is a good summation from Mashable on why there is SIGNIFICANT cause for concern. Concern enough that many popular websites such as Google, Wikipedia, WordPress and others went dark (or partially dark) today to demonstrate what the internet experience could be like without much of the valuable information we are able to openly share today. I found this post from AgentKnowHow.com to have some good insight into what could happen specific to real estate if either of these measures were to pass.
It’s true that piracy is bad. So bad in fact that it is already a crime to do so with many options for individuals and corporations to protect copyrighted material and other intellectual property. This issue got me thinking about the hundreds of times I’ve heard the saying “an ounce of prevention is worth a pound of cure”, this is especially true if the cure is far worse than the illness. With that in mind, here are a few quick thoughts on what real estate related organizations (or really any organizations) should do to protect their intellectual property:
2) Make sure you copyright your content or other bodies of work and that you understand the requirements for doing so. My friend Brian Larson and the other good people at Larson/Sobotka, PLLC have provided some great articles on understanding copyright as it relates to MLS organizations and brokers.
3) Use best practices to protect your content. These best practices can be making sure that any policies you have are monitored and enforced. For example if your content is password protected but you never monitor user usage and behavior or require them to change their password, you are NOT using best practices.
Let’s hope the Internet can remain the vital and useful tool that supports so much of our business today. I’m confident by enforcing existing laws and using some best practices we can all get back to enjoying, and when appropriate, sharing the many contributions that are created on the web.
In a recent blog post, Amy Geddes presented a case study demonstrating some of the ways we can measure the success of Scout for SAFEMLS based on the first forty days of remediation and averaged across multiple customers. While we believe these results demonstrate our product is successful, apparently it led others to ask, “How do those measurements for success look at the individual MLS level?” Well, we are glad you asked.
Enter RealTracs.com, as an example. RealTracs.com is a Nashville based regional MLS that feels Scout for SAFEMLS has delivered success. As many are aware RealTracs.com develops, supports and maintains their own MLS system. In 2011 they modified their billing model from broker-based to agent-based and implemented Scout for SAFEMLS to complement this effort.
Scout for SAFEMLS creates a secure login environment. Additionally, Scout for SAFEMLS adds revenue assurance through the analyzing of shared accounts and the SAFEMLS Remediation Manager. This service empowered RealTracs.com to monitor and take action against account sharing and abuse through the remediation process.
At a time when the economy is challenged and the real estate market is down, many have chosen to cut office overhead and/or avoid MLS fees by account sharing. RealTracs.com was able to significantly grow their member base by almost 10%. In addition to the demonstrable increase in active MLS users, RealTracs.com experienced a sharp decline of 54% in account sharing and non-paying (unauthorized) users accessing the MLS, and a decrease in account abuse of over 65% (the number of users abusing an account). For MLS organizations like RealTracs.com (who develop, support and host their system), this carries a clear cost savings and direct return on their Scout for SAFEMLS investment. By reducing the volume of users and the unique IP addresses accessing the MLS (and securing access to only those members paying their dues), RealTracs.com saves on hardware expenses and other costs associated with hosting their MLS system.
When speaking with another MLS customer, Clareity Security was informed of interesting results based on that customer’s internal data. They discovered that when a broker’s office has had agents enter into remediation they are 34% more likely to add the agent as a new subscriber/member to the MLS within 30 days, than those that do not have agents in remediation.
Is this success measured at the individual MLS level? We at Clareity Security believe so, and more importantly, so do our customers. Subscriber growth and retention are key components in the MLS business model but it is just one piece of our measured success story. What about the story behind the numbers? Sure we can measure decreases in unauthorized account use and account sharing. While these factor largely into converting unauthorized users into new subscribers (when utilizing remediation best practices), a decrease in these two components also means an increase in security of your subscribers’ data and listings. When unauthorized users enter into your system they may not be doing so with malicious intent, but they are still accessing information that is controlled by your license agreement and these users have not agreed to your terms. Therefore, they can break your rules without fear of recourse. By not subscribing appropriately, they are in essence stealing from you, your paying subscribers and the consumers who provide the information (but that’s another story).
At Clareity we get asked A LOT – Does Scout for SAFEMLS really work? Not, how does it work…that’s easy to explain – but DOES it really work? That question from both our customers and potential customers prompted us to start focusing VERY heavily on measuring our outcomes. We are excited that the outcomes are both positive and measurable! We also can’t say enough about how much our customers contribute to the success of Scout for SAFEMLS. With almost every new installation came a new use case or circumstance that resulted in an improvement to SAFEMLS best practices. Existing and future SAFEMLS customers benefit from those best practices when applied to their organizations!
But we digress…we all know you really just want the numbers right? Hold on, first we have to tell you how we measured because we know you are going to ask us later. The information from this study consists of an aggregation of Scout for SAFEMLS data for 10 customers representing over 158,000 subscribers during their first 40 days of what we call “remediation”. Remediation means that a policy (based on best practices) is in place and actively working to reduce identified unauthorized access to the MLS resources behind the Scout for SAFEMLS login page.
The data sampled over 158,000 member accounts with a total sharing percentage of over 9%. After forty days of remediation management member accounts had grown approximately 4% with a sharing decrease of over 14%. The percentage of accounts shared included with the growth had decreased by over 17%. The percentage of unauthorized patterns had decreased by nearly 23%.
What do these numbers mean to an MLS?
We all know account sharing can result in lost revenue, security risks in the case of unauthorized access, and unnecessary customer support calls which increase costs for providing service. Combining a tool like Scout for SAFEMLS with the experience and best practices developed by Clareity Security staff and customers is proven to recapture (or in some cases retain) revenue for MLS organizations. In addition, reducing unauthorized access means the MLS can experience cost savings while securing access to valuable MLS data. We love the opportunity to show our customers and potential customers value. May we help you?
Clareity Security has been leading the charge to improve and simplify the management of listing syndication for MLS organizations and brokers. With the firm belief that knowledge is power, it has been our mission to continuously educate the real estate community about this ongoing challenge. REAL Trends recently published the following article that mentions Clareity Security’s new SafeSyndication™ product which we are sharing here with their permission.
Attention Brokers: Regain Control of Your Listing Data
Over the past few years, REAL Trends and Clareity Consulting have been working together to identify flaws in the listing syndication arena and have surveyed numerous brokers in joint studies to identify problems with the current model. While most brokers would agree that their control has diminished these days, a new technology solution is on the horizon to help brokers regain control of their listing data. We are advocates for this new system. To start the introduction of this solution, we must first identify the problem:
The good versus the bad: With so many online publishers and all of them operating differently, how can a broker possibly know all of the defining characteristics and business practices of each publisher? For example which publishers send you traffic, which post listing agent data, which post listing agent data above “preferred agents,” and which offer you search engine optimization value and which take all of it for themselves? This list can go on and for a broker this can be overload.
At REAL Trends, we attempt to listen to and empower our broker audience and in a joint study published with Clareity Consulting in 2010, through a national study on this topic, identified these four areas for improvement many of which overlap with the growing problem I have identified above.
1) Provide brokers more insight and control;
2) Enhance MLS security and control over where the listings were syndicated;
3) Enforce syndication integrity and accuracy;
4) Ensure the information wasn’t used to sell leads back to brokers.
Enter SAFE Syndication Proposed Solution from Clareity Security
SAFE Syndication is a technology solution that addresses most of the major concerns and the growing problems that have been identified above. Clareity Security’s SAFE Syndication solution includes an integration partnership with ListHub making it simpler for brokers to benefit from additional reporting on the sites they syndicate listings to. SAFE Syndication delivers value to brokers by offering:
- Improved data accuracy which improves REALTOR brand and image
- Consolidated reporting and compliance management as it relates to data display rules and syndication agreements.
- A publisher report card which can be integrated with ListHub data that measures the listing portals/publishers on criteria defined by the Broker (such as the Clareity Bill of Rights).
How SAFE Syndication Works
The Future of Your Data
In the next two months, SAFE Syndication will be launching and beta testing with several brokers. Clareity Security has your best interest in mind, it is a great idea to stay on top of this and if you are interested in becoming a beta tester or would like to get more information regarding SAFE Syndication by Clareity Security feel free to contact Travis Saxton at 303-741-1000 or firstname.lastname@example.org. As always REAL Trends will continue to monitor and stay on top of the cutting edge trends that impact the residential brokerage industry. We will update this story as more information and the launch of SAFE syndication is complete.
A note from Clareity: Thank you to the REAL Trends team for your support!