Have you ever wondered why we spell CLAREITY with an “REI”? Well, it’s a form of an acronym and there are a few different interpretations that can be associated with the “REI”. For example, Real Estate Information, Real Estate Integrators and my personal favorite, Real Estate Innovators. The “E” in Clareity can also stand for E-commerce. All are accurate interpretations of what Clareity does.
At Clareity we truly are Real Estate Integrators. In 2005, Clareity identified an industry challenge as MLS vendors and 3rd party service providers integrated their services on various authentication platforms. Our CTO, Matt Cohen, brought our industry’s leading service providers together in Las Vegas. At the conclusion of the second meeting, all parties agreed to utilize the SAML platform moving forward. The National Association of REALTORS liked what we were doing and provided Clareity a grant to create a SAML tool kit for real estate software developers. Today, Clareity platforms integrate with over 80 product and service providers.
Clareity Security was formed with great intentions. We wanted to create solutions that added value and solved problems specific to our industry. As an Industry partner we are proud to provide services to over 100 MLSs (and a significantly larger number of Associations), representing 550,000 real estate professionals.
Clareity built a solid business based on providing a higher level of data security and revenue assurance for sensitive and proprietary MLS information. Simultaneously we began offering a Single Sign on Service to facilitate more secure and convenient access to third party applications.
Two years ago at the request of a few MLS customers we started delivering the Clareity SSO Portal – which leveraged the SAML platform and made Single Sign On (SSO) and the applications offered by the MLS more visible. The Clareity Portal empowered these organizations to demonstrate their value proposition while simultaneously creating a better subscriber experience.
The Clareity SSO Portal translated into immediate success for both the organization and the end user. The benefits were immediate to our MLS and Association customers:
- They created a modern, locally branded experience that showed members the full range and value of the services offered
- They became the secure and trusted point of entry for all services.
- End users raved that a single User ID and Password provided access to ALL services
- Adoption of 3rd party site licensed applications increased by as much as 12% within weeks
- They gained a new channel for pushing custom content to their members
- They added a mobile optimized entry point for applications and services.
Noting these benefits, our customers came to a natural conclusion for what should come next. They asked us to evolve the Clareity Portal into the Clareity Store to create a trusted place for secure E-commerce transactions.
Feedback we received from customers in 2011 and 2012 indicated a shift in traditional thinking regarding site licenses. In addition to offering CORE services, our customers wanted to offer a broader choice of products and services to their subscribers; however, existing site licensing models were often expensive and were becoming more difficult to manage as the list of vendors grew. The “country club” model with one price for an all-inclusive experience was failing to offer the flexibility needed to keep up with all the innovation in real estate technology. It also failed to create a personalized experience for subscribers based upon their unique needs. Our customers also expressed frustration from licensing a product for every member, when adoption was low for many of the products. And of course, there were also brokers that yelled STOP using my money to level the playing field – let agents pay for the optional things they want!
The solution to this dilemma is really quite simple:
CORE + STORE = SATISFIED MEMBERS (AND BROKERS)
Offering competitive and meaningful core services plus introducing a Store offers MLS organizations a bridge to the future of the MLS delivery of service. This goes way beyond offering a stand-alone App Store. This is about creating a hyper personalized and convenient way for products to be “one-click” ordered and provisioned to MLS subscribers while creating a seamless experience for members to access all of their products and services.
There has been movement by several vendors to develop proprietary APIs to improve access to and transport of MLS data. Clareity Security, our customers and most of our industry partners believe that the industry is best served by having a single way to move real estate data between the MLS and other products. The RESO organization has worked hard on those standards over the past few years. The MLS and vendor executive leadership is now in place to get both data standards and standards for transport in place in the very near future. Clareity has donated hundreds of hours to RESO as have many other companies who are to be commended for their efforts.
Clareity knows that for a Store to be successful, it needs to be part of the end-user’s daily experience and nested in their natural workflow. Hence, the Clareity Store was designed to provide the customer’s CORE services through the SSO Portal and offer deep work flow integration within the leading MLS service providers software. Our approach has been validated by the ten large MLS markets representing an initial 270k actual users fully committed to this experience.
Additionally, we are pleased to announce a new partnership with CoreLogic to offer its MLS customers a customized Store within all CoreLogic platforms. Clareity’s 550,000 user base combined with CoreLogic’s 650,000 MLS subscribers provides the national footprint that software developers and service providers have only dreamed about – until now.
When you look at the BIG picture…what Clareity offers is an experience that is much more than just an App Store. Think BIGGER. Combining CORE services with the choice of HUNDREDS of useful products and services that can be seamlessly ordered and provisioned to create a convenient, personalized experience for MLS subscribers was our design goal for our Store and we DID it! Clareity offers real estate organizations the opportunity to brand and evolve their business to the ever changing technology market. And Clareity helps our customers accomplish this while doing it their way, at their own pace, and by respecting existing data licensing models and business rules while supporting evolving technology.
We hope you will reach out to us and learn more about the Clareity Store – and see for yourself why the App Store component is only a fraction of the Clareity Store offering!
Let’s start with some simple internal questions to get in the right frame of mind: Who is your organization? What service do you provide? Who do you provide these services to? What value do you deliver to your customer?
I am aware most of you have already completed this exercise in some secluded strategic planning session for your business. But, as you ponder or answer these questions, dig deeper. Does your customer know these answers? Is your customer aware of the full breadth of the services you offer? Is your customer aware of the value you are delivering? If they were aware of these benefits would it help you retain existing customers and secure new ones?
Over the years, our collective industry services have evolved. Whether you are an agent, a broker selling property/retaining agents, or an MLS, all these questions apply. Do you communicate your value to your customer? Does your customer know what products and services they are receiving in exchange for their investment in you?
Does your business continue to rely on emails, letters and flyers? Do you simply chalk up a 2% email “viewed” rate to the conditioned “RDR” response (short for REALTORS don’t read)? Or do you want to reinvent the way your value can be communicated or presented to your customer?
Personally, my parents have always told me to be humble. However, humble does not always apply when it comes to my business. In business, I want to tell the world what we do, why we do it and who we do it for. I want to communicate what value I can deliver and why. I want to win over my customers. I want them to believe as I do.
I think many of you feel the same way about your business, so why not reinvent the way you communicate your value to your customers and prospects?
We believe your customer deserves to be presented with your value on a daily basis in a non-invasive manner. Your customers access your MLS data an average of 2-5 times per day. Why not furnish them with all you offer through a custom landing page? You may be surprised with the results. Clareity customers currently using the SSO Portal have experienced:
- Increased Adoption / Usage of all Services – as the user is presented with all the service options upon login we generally see a 10% to 12% increase in adoption
- Improved End User Experience – one login to all solutions improves efficiency and ease of use
- Content driven down through broker/Associations/MLS Site – messaging is clear, concise and consistent as it is delivered to a customer across all services and through all access points
- Demonstrated value proposition to end users – the customer understands what services your business is offering
If you are looking to increase not only value perception, but redefine and deliver real value contact Clareity today to see how we can help.
Many of you have read the “Syndication Bill of Rights” that Clareity Consulting drafted as part of its April 2011 white paper titled “Syndication to Real Estate Portals: Problems and Solutions”. Clareity’s Bill of Rights laid down 10 rules that would make real estate publishers “industry friendly” and more respectful of the broker’s intellectual property – the listing. Over the past year, I was invited to present the Bill of Rights notion at many NAR, state, and local broker meetings. Since that time, we’ve seen several small and large brokers cease syndication to some or all publishers, but we haven’t seen a broker stampede or mass exodus yet. We’ve also seen a few national publishers (e.g. Homes.com and Trulia) respond and begin to improve their behavior by prominently displaying proper attribution and contact information for the listing agent and brokerage “above the fold,” instead of hiding it 4-5 screens deep. Still, on some sites, advertising for other agents – typically buyer’s agents – is displayed all around and even inside the listing detail so it doesn’t look like advertising, thereby deceiving the consumer. For the listing agent or broker, it’s as if someone plastered ads covering the yard sign the agent paid to have placed outside one of their listings. How can this conflict between the listing broker’s interests and the need for increasing quarterly profits of publicly traded companies be resolved?
Two weeks ago, a gentleman named Ben Caballero contacted me and introduced himself as the chairman of the newly created National Association of Real Estate Professionals (NAREP). Ben said he was a big fan of the Clareity Syndication Bill of Rights, so of course he had my immediate attention. Ben told me that the NAREP had formally opened for membership in October and is organizing as a 501(c)(6) non-profit trade association. NAREP plans to launch a national real estate listings network of Internet Data Exchange (IDX) websites overseen and managed by individuals who truly understand real estate — licensed real estate professionals. Ben’s goal is to create a competitive listings website that better meets the interests of listing agents and serves consumers better by delivering pure, current, and accurate information.
Following is an overview of NAREP and its objectives Ben sent me:
NAREP’s revenue model involves collecting a nominal $10-$20 total fee at closing from its member listing agents, a sharp contrast to those business models of Zillow, Trulia, Realtor.com, and others (i.e., the “ZTRs”), which typically charge monthly fees regardless of whether any home sale results. NAREP’s listings site would conspicuously display NAREP member agent’s contact information. NAREP member agents agree to cease syndication of their listings to all websites not adhering to Clareity’s Syndication Bill of Rights (www.narep.net/br).
As the controversy surrounding the ZTRs demonstrates, monetization of listing data incentivizes their much-discussed and questionable business practices. The Internet lends itself well to the Pay-Per-Click (PPC) concept when selling a commodity, and the ZTRs have adopted a form of the PPC model (in that they charge their fees on the front end, regardless of the outcome). The ZTRs treat a home as just another commodity, but a home is not a commodity from the perspective of the individual buyer or seller. Rather, it is a personal part of their lives. All homes — and their buyers and sellers — are unique in some way. In short, the buying and selling of a home is a personal experience that is much different than that of buying or selling a commodity.
Until now, consumers and industry professionals have tolerated the ZTRs’ business practices for lack of anything better.
By introducing a non-profit business model to the Internet real estate space that relies on the Pay-Per-Sale (PPS) concept, NAREP will give real estate consumers and practitioners an alternative to the ZTRs. NAREP will do so: (1) by enabling its practitioners to ensure the integrity of their listings, as the IDX data feed will ensure accuracy since it comes directly from the MLSs; (2) by providing consumers with a simpler, more streamlined online experience; and (3) by satisfying consumers’ hunger for listing data. Because it incentivizes data integrity and promotes customer service from cradle-to-grave of the home buying/selling process, NAREP believes that, for homes, the PPS model of monetization is more compatible with the real estate industry’s long-standing and proven business practices.
NAREP’s mission is to end syndication abuse, not syndicators or syndication sites. If they wish to remain relevant, they must adopt more responsible business practices than what they currently have in place. Clareity’s Syndication Bill of Rights is a good place for them to start.
So, Ben is a man on a mission. NAREP is a fledgling trade association, but perhaps it can fill a void that groups like NAR, CMLS and the Realty Alliance have been unable to do for legal fears – anti-trust or group boycott – and other reasons, including broker fragmentation on this issue. Some colleagues have told me, “Gregg, NAREP is just a few brokers led by one guy that’s fed up with the system.” My response to that has been, “Isn’t that how most groups start?”
I find NAREP very interesting as one of the first efforts in a long time focused on the interests of brokers and online publishing. At Clareity Consulting’s first conference back in 1998 – “Law and Order in Information Commerce” – the content owner’s IP rights were a major topic on the agenda. Since the beginning of online publishing, the collective voice and IP protection for broker’s content have been fragmented. No offense to NAR, The Realty Alliance or Leading Real Estate Companies of America, but there has been a leadership void in this specific area, and other than the handful of brokers that have pulled their listings from syndication, 99% of brokers and agents have been forced to put up with the increasingly egregious terms and unfortunate business practices set by the national publishers, or “ZTRs” as Ben calls them.
Ben is not your average REALTOR®. According to NAREP’s Press Release dated October 10, 2012:
“Caballero was the top individual real estate professional in the United States for 2010 and 2011, as measured by unit sales and dollar volume, with more than 4,500 home sales exceeding $1.2 billion in total value. He is the co-founder of the National Association of Real Estate Professionals. He serves as a member of the board of directors of the Greater Metro Multiple Listing System of the MetroTex Association of REALTORS®.”
So Ben is not some wing nut with an idea who just fell off the turnip truck. Ben knows real estate and he’s sick and tired of syndication and the publishers looking for ever-increasing profits, made off of his listings. Can this one man rally the industry?
I love the subject of online real estate advertising and I’ve been involved with it since launching CyberHomes at NAR in Atlanta in 1995. (Wow, that was 17 years ago this week.) I was curious what a large brokerage I respect would think about NAREP, so I made an introduction, and Ben met with them last week. I was impressed when this firm responded very positively and agreed to join and support NAREP and the company’s CEO was invited to join the NAREP board. This brokerage is part of a powerful national franchise/organization and is also a member of the Realty Alliance. A few large brokers can put a dent in any publisher’s inventory.
Will NAREP grow to fill the aforementioned void and be able to turn the table on the publishers? Will NAREP be successful enough that the publishers are forced to further moderate their practices in order to receive the broker’s listings? Will the national publishers, with over two billion dollars in market capitalization, and more than $300 million in cash, overwhelm anything NAREP, and a freshly united real estate professional group, do to reach consumers?
NAREP reminds me of a song I learned at bible camp in Minnesota when I was about 10 years old: “It only takes a spark, to get a fire going …”
NAREP will be in booth #422 in Orlando, or you can reach the man on a mission at:
Ben Caballero, Co-Founder and Chairman
National Association of Real Estate Professionals, Inc.
Today most MLS leadership is aware of the challenges associated with, and consequences resulting from, an MLS compliance department that doesn’t provide uniform rule enforcement: the longer rule violations go unaddressed, the harder it is to get them fixed, allowing the chance of hearing the “You’re picking on me.” complaint to rise exponentially. When it comes to listing maintenance within the MLS system, many agents view listings and have the opportunity to see and report rule violations on a daily basis. Regardless, MLS’ have implemented resources such as MLS Data Checker, iCheck, and other compliance tools to ensure uniform enforcement. When it comes to IDX and VOWs, uniform enforcement is more problematic. Agents don’t spend a lot of time on competitors’ websites, and when they do, they aren’t looking for compliance with all rules in the way an MLS should. The burden falls more than ever on the MLS Compliance Department and SAFE Syndication™ is the only tool to help MLS compliance staff manage the enormity of this task.
SAFE Syndication™ places all of the IDX and VOW license information in an easy to use application. It is no longer a challenge to hunt down the latest version of an Excel spreadsheet or chase down paper in a filing cabinet which is sometimes lost or destroyed. The MLS can easily assign various duties to individuals as the information flows through the system. One employee can enter all of the site information into the system and, because the MLS can set a site to require an audit on load, the Compliance Department can audit the site based on a list of upcoming audits in the dashboard. In an environment where one user is responsible for all of the processes, there is no longer the need to keep track of licenses in one system, sites in another, and audits in yet another. All sites are audited based on the same set of rules so the process creates objectivity and neutrality while eliminating prior subjective decisions with undefined or undocumented sets of rules. Additionally, because SAFE Syndication™ becomes the system of record, it provides an up-to-date representation of all MLS’ IDX and VOW vendor and publisher licenses. With the ListHub integration, the initial import of the original data and the ability to define an audit schedule, SAFE Syndication customers are up and running very quickly.
Cathy Libby, Operations Manager for MREIS, an early adopter of SAFE Syndication™, had this to say: “MREIS decided to become an early user of SAFE Syndication based on the fact that Clareity Security’s program provided a solution to many of the steps MREIS was already doing in-house by cobbling together various tasks. Rather than recreate the wheel, we felt it would be in our best interest to switch to this program, despite it being in its infancy. We were able to work collaboratively with Clareity Security, provide our input and help develop SAFE Syndication into a first class product.
MREIS uses SAFE Syndication to track all of the vendors providing IDX and VOW services to our Participants. We also use it to conduct mandatory compliance reviews and routine audits of IDX and VOW web sites. SAFE Syndication provides one central location for all of our information and having the dashboard really helps when more than one person is involved in the compliance process.”
As MREIS has experienced, SAFE Syndication™ offers many benefits. The first and foremost benefit is ensuring that the rules are applied to all participants equally. When an MLS sets up their service the initial task is to set the audit schedule for IDX websites and VOWs, for both customizable and non-customizable sites. The MLS determines whether new and/or existing sites will require an initial audit and the percent of sites audited in a given timeframe. This feature, accessible from the SAFE Syndication™ dashboard, drives the list of sites needing to be audited. Using a consistent rules-based method for determining which sites to audit is a major step in addressing complaints about inconsistent rule enforcement.
SAFE Syndication™ also ensures compliance with all of the rules and consistently validates when a site is due to be audited. This presents a consistent message to the industry that the cursory method in which sites were being audited in the past was insufficient. A glance is not good enough to meet the comprehensive audit requirements facing MLS’ today. If a compliance staff says IDX sites take only minutes to audit and VOWs just take an hour or two, a warning flag should be raised – the MLS needs to take steps to improve the comprehensiveness of its audits.
SAFE Syndication™ manages the entire audit process. It can be dizzying to stay on top of those sites due for audit, those in progress, in remediation, and those requiring a re-audit, not to mention sites going back and forth through these steps on their way to “completion and compliance”. The program dashboard makes it easy to keep track of audits in progress and to ensure the audits are being completed in a timely manner.
SAFE Syndication™ also saves staff time in a variety of other ways and makes it significantly easier to multi-task audits with other workflow. MLS’ have a clear “to do list”, can easily find and manage audits in progress and can swiftly find older audits by searching only the website address in question. SAFE Syndication™ also makes it easy to see the audit history of a website and manage multiple audit report versions over time. SAFE Syndication™ provides a scalable solution which is far superior to the current processes that are dependent on the mindfulness of a single compliance person and are managed with over-stuffed filing cabinets, unwieldy spreadsheets and complaint filled emails and sticky-notes.
Once you get started with SAFE Syndication™ you’ll finally feel like your IDX and VOW compliance is being done right and is totally under control.
For additional information on SAFE Syndication™ please contact us at firstname.lastname@example.org.
Merriam-Webster’s dictionary defines “value” as: 1: a fair return or equivalent in goods, services, or money for something exchanged 2: the monetary worth of something: market price 3: relative worth, utility, or importance (a good value at the price).
I am a paid subscriber to a number of websites (e.g., ESPN.com, Scouts.com and Ducks Unlimited). All of these subscription services have employees who provide specialized content, tools, data, expertise and analysis that I find valuable. Where this differs from MLS subscribers paying to access the MLS is compensation. Not one of these services holds me to a professional standard or generates income for me. This makes the MLS service, and the data within, significantly more valuable and worthy of even greater protection. The MLS likewise provides specialized content, applications, support and business tools, but it also facilitates shared compensation between professionals whose livelihoods depend on the integrity of the information. If these services did not provide significant value, subscribers would not experience: 2. the monetary worth of something: market price.
In my eyes, Scout for SAFEMLS mitigates the revenue risk associated with people attempting to bypass license agreements, therefore subsidizing the service for those paying for the access. On countless occasions, Clareity Security has provided case studies demonstrating the success of Scout by capturing a portion of this “lost” revenue while also deterring and removing these “thieves.” Here is an excerpt from Clareity’s most recent case study:
Many of our customers have applied Clareity Security’s suggested best practices for the Scout service (and others that we reviewed are now implementing said practices). A recent review of twelve Clareity Security customers showed sharing decreased by almost 18%, unauthorized users decreased over 22%, and active accounts increased by almost 2%. This increase may seem modest but during the same timeframe membership in the National Association of REALTORS® has dropped 1.75%. It is obvious that these numbers would greatly impact any MLS organization both from a revenue opportunity and a cost of operation perspective. A shared account will not only cause revenue deprivation but also adds to the cost of providing service to your paying members. Not to mention your data being compromised by unauthorized users who are not bound by the standards of your Terms of Service agreement!
Yet some remain unconvinced of the value of Scout. As Stephen Colbert states, “I am not a fan of facts. You see, facts can change, but my opinion will never change, no matter what the facts.” Perhaps the numbers won’t convince everyone there is a problem. Some know there is a problem, but choose to look the other way? Then there are elements of risk and problems that may not be so easy to see.
For example, last week Ray Ewing, CEO of SANDICOR MLS, which provides MLS Services to 20,000 real estate professionals throughout the San Diego, California market area, shared the following two stories with me:
There is an agent lead generation and marketing company that we will refer to as “Company X.” Company X regularly prompts agents for their ID and password for their MLS service. Most users do not even think twice about this and quickly provide that information. Then Company X, utilizing the agent’s credentials, downloads the expired MLS listings along with more complementing data and feeds it back to the agent with a marketing package. Company X is not even a subscriber of SANDICOR! By utilizing Scout, Ray Ewing and his staff have been able to identify this unauthorized use and vetted Company X to confirm this abuse.
Additionally, using the tools available in Scout, Ray and his team were able to identify a user who was exploiting an automated login to run query scripts against the system for data. According to Ray, these queries would at times get stuck and continue to run, impacting the MLS system’s performance. Armed with the information provided by Scout, SANDICOR was able to add language to their LCA stating that users were not allowed to use an automated login and would be redirected to use RETS. The scariest part about this is after doing some research, Ray discovered this user was accessing more than just SANDICOR data.
We spend a lot of time talking about Scout’s ability to increase membership by forcing system abusers to pay for service, but there is a bigger picture here. There is more than meets the eye when protecting the value of paid services. No matter how you define value, if a service has a paid subscriber base and is allowing that value to be shared, stolen, or even hijacked for someone else’s profit or gain, then that service is diminishing its own value.
So I ask again, how do you define value?
Last year Clareity Security demonstrated A Successful Case Study for customers using Scout for SAFEMLS™. The case study identified measurable success in both reducing unauthorized access and providing revenue assurance to MLS organizations through the implementation of the full Scout for SAFEMLS solution. Recently, we started to dig even deeper into the data behind the success of Scout for SAFEMLS. For this new study we analyzed a sampling of our customers who followed some best practices recommended by Clareity Security as part of the implementation. We researched further into which specific actions were most successful in remediating account sharing and unauthorized access. The results are very clear; applying Clareity Security’s best practices generates extremely positive results.
Clareity Security’s best practices have been established by analyzing our customers’ policies against the sharing outcomes in their individual systems. Clareity Security has worked individually with each customer to develop security policies based on these best practices and their local rules and policies, with the specific goal of deterring account sharing at the earliest possible action while minimizing user inconvenience. The chart below illustrates Scout for SAFEMLS’s effectiveness at eliminating 97% of sharing for users who enter remediation by the fourth action step.
Many of our customers have applied these best practices, and more are in the process of reviewing updated recommendations from us based on our findings. Our review of twelve Clareity Security customers over a six week period of time showed sharing decreased by almost 18%, unauthorized users decreased over 22%, and active accounts increased by almost 2%. This increase may seem modest but during the same timeframe membership in the National Association of REALTORS® dropped 1.75%.
These numbers greatly impact your MLS organization both from a revenue opportunity and a cost perspective. A shared account can not only cause revenue deprivation but also adds to the cost of providing service to your paying members.
Clareity Security has gained considerable knowledge about the profile of a shared MLS account in the past eight years. While the numbers are not surprising to us, we believe they are interesting and worth noting for purposes of this paper. A shared account, on average, has almost twice the usage of a non-shared account and the unique devices used to access the account are double a non-shared account. This excess traffic translates to heavier server loads, greater network traffic, and even increased help desk calls. All of which mean extra expenses to the MLS.
Clareity Security is pleased to offer this solution to our existing customers and welcomes the opportunity to work with new organizations. Combining a tool like Scout for SAFEMLS with the experience and best practices developed by Clareity Security staff and customers is proven to recapture (or in some cases retain) revenue for MLS organizations. In addition, reducing unauthorized access means the MLS can experience cost savings while securing access to valuable MLS data.
As a consultant often called on by MLSs for help with VOW and IDX compliance audits, I also serve as a subject matter expert for Clareity Security’s SAFE Syndication product. And, as someone who is always pushing for improved information security in the real estate industry, I love that information security is featured prominently in the VOW rules, section 19.5: “A Participant’s VOW must employ reasonable efforts to monitor for, and prevent, misappropriation, ‘scraping’, and other unauthorized use of MLS listing information. A participant’s VOW shall utilize appropriate security protection, such as firewalls, as long as this requirement does not impose security obligations greater than those employed concurrently by the MLS.” The last part of that rule is also reflected in optional IDX rule section 18.3.14. Auditing these rules has allowed me to help many brokers improve their VOW and IDX security and reduce the risk of an information security incident.
I’ve already written about guidelines for anti-scraping and monitoring and, although anti-scraping is a constantly evolving challenge, that article provides at least a baseline for evaluating VOW rule compliance.
But, what else should MLSs be looking for when evaluating VOW and IDX security?
First, as specifically mentioned in the rule, appropriate firewall protection must be established. When I audit a VOW, I look to make sure that there are only a few specific network ports open on the server – 80 and 443 as needed for the web server to function, and ports needed to provide a secure method of server administration, such as port 22 – or 989 and 990. If ports like 21 and 3389 are open and actually used to administer the website, it should be a big compliance red flag because they are common causes of security incidents – and issues I see the majority of the time when auditing a VOW or IDX site.
Second, you want to verify that all the web server software is up to date and properly configured. That means checking the web server (IIS, Apache, etc.) version, the operating system version (when possible) and the platform (.NET, JSP, ColdFusion, WordPress, etc.) version, making sure that those are the most current versions or that newer versions don’t have fixes for significant security vulnerabilities. You might think that keeping systems patched would be second nature for a technology provider, but in my experience it seems not to be the case.
Third, you want to evaluate any externally obvious security misconfigurations of the server and platform. Every server and platform has its own security configuration guidelines and it’s reasonable to expect that obviously poor configurations should not be visible to an external evaluator.
Fourth, and probably the most complicated part of evaluating VOW security, you want to evaluate application security – at least the OWASP Top 10 Vulnerabilities: Injection, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery, Security Misconfiguration, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection, and Unvalidated Redirects and Forwards. I usually evaluate Information Leakage and Improper Error Handling as well. Some of these items can’t be easily validated externally (e.g., Insecure Cryptographic Storage) though I’m always glad to hear that a web developer has encrypted the passwords and so cannot technically be compliant for VOW rule 19.3b (“The Participant must at all times maintain a record of the name, email address, user name, and current password of each registrant.”). I’ve seen every one of these OWASP vulnerabilities while auditing VOWs and many times there are half a dozen issues on a single VOW.
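The firewall check from the first audit step can be run against saved scan output. The following is an added example, not part of the original article or any Clareity tool: it parses nmap's grepable (`-oG`) output and grades each open TCP port against the ports named above. The sample scan, the host name and the "review" bucket for ports the article does not mention are assumptions made for illustration.

```python
import re

# Port policy from the audit text above; protocol names are the standard assignments.
EXPECTED = {80: "HTTP", 443: "HTTPS", 22: "SSH", 989: "FTPS data", 990: "FTPS control"}
RED_FLAGS = {21: "FTP", 3389: "RDP"}

# Constructed sample in nmap grepable (-oG) format; the host is a documentation address.
SAMPLE_SCAN = (
    "# constructed sample scan of an audited site\n"
    "Host: 203.0.113.10 (vow.example.test)\tStatus: Up\n"
    "Host: 203.0.113.10 (vow.example.test)\tPorts: 21/open/tcp//ftp///, "
    "22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, "
    "3306/open/tcp//mysql///, 3389/filtered/tcp//ms-wbt-server///\t"
    "Ignored State: closed (994)\n"
)


def open_tcp_ports(grepable):
    """Return {host: sorted open TCP ports} parsed from grepable scan output."""
    hosts = {}
    for line in grepable.splitlines():
        match = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not match:
            continue  # comment, status-only or malformed line
        ports = hosts.setdefault(match.group(1), set())
        for entry in match.group(2).split(","):
            fields = entry.strip().split("/")
            # Field layout: port/state/protocol/owner/service/...
            if len(fields) >= 3 and fields[0].isdigit() and fields[1:3] == ["open", "tcp"]:
                ports.add(int(fields[0]))
    return {host: sorted(ports) for host, ports in hosts.items()}


def audit_ports(ports):
    """Classify each open port as ok, red-flag, or review (assumed third bucket)."""
    findings = []
    for port in ports:
        if port in RED_FLAGS:
            findings.append((port, "red-flag", RED_FLAGS[port] + " open; confirm it is not used for administration"))
        elif port in EXPECTED:
            findings.append((port, "ok", EXPECTED[port]))
        else:
            findings.append((port, "review", "not in the expected set; ask for a justification"))
    return findings


if __name__ == "__main__":
    for host, ports in open_tcp_ports(SAMPLE_SCAN).items():
        for port, verdict, note in audit_ports(ports):
            print(f"{host} {port}/tcp {verdict}: {note}")
```

Port 3389 is reported as filtered in the sample, so it is not counted as open; only port 21 is raised as a red flag, and 3306 lands in the review bucket.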
If you’re a staff person at an MLS and a lot of the preceding reads like gobbledygook to you or you don’t know how to audit security, you may want someone like me auditing VOWs and IDX sites for you, or at least auditing the security and anti-scraping related portions. It’s easy to split the audit responsibilities if your MLS is a Safe Syndication customer. It has been a blessing for the industry that the VOW and IDX rules give MLSs the opportunity to ensure that at least some reasonable security best practices are in place for VOW sites. I’ve had brokers tell me they were actually grateful someone was keeping an eye on their technology provider in this area, since they lacked the capacity to do so themselves and just figured that all appropriate measures had been taken.
Please keep in mind that website security is the smallest portion of overall brokerage security. Taking appropriate steps in terms of policies and contracts, physical security, account management and password controls, internal networking and computing, mobile device security, and internal web applications are all important. The NAR sponsored security workshops and security articles and blogs that I write, and which many MLSs and Associations reprint, are helping me reach some brokers and agents – but it’s a very difficult task to try to improve information security in this industry and I hope that I can count on my readers to act as security allies and spread the word.
An average REALTOR® manages unique logins for 20 or more websites, both personal and professional (think MLS, Association site, broker’s intranet, third party related sites, etc.). It is likely each of those websites has a different password policy with varying requirements for password length, letter/number/character requirements, and expiration periods. As in the old Abbott and Costello skit “Who’s on First”, keeping abreast of what password goes where is an unlikely reality unless two common solutions are utilized. The prevailing method employed is to use as few password combinations as possible to ensure easy access. In other words, use the same password for every site possible. The second most common solution is writing the passwords all down on a piece of paper and storing the paper in a desk drawer. Both are ticking time bombs waiting for the right moment to blow.
The January 2012 hack of ZAPPOS® loudly reiterates the problem of using the same password across multiple sites when a breach occurs. In communications to their customers ZAPPOS® simply stated, “We also recommend that you change your password on any other web site where you use the same or a similar password.” A breach in one site can have a cascading effect to other sites due to the commonality of passwords used. This serious problem is not unique to REALTORS®. The plethora of user IDs won’t go away any time soon. In fact, we anticipate the problem will only worsen over time as more and more sites collect user information behind the veil of login.
What is the bottom line for the MLS or Association? Jump into deploying technologies with both feet. Stop catering to the dinosaurs (of all ages) that resist change at every turn. Remove the silly obstacles subscribers encounter when gaining access to frequently used systems (such as asking them to remember multiple IDs and passwords for various systems). “Was it my NRDS number or my email address or my license number? I don’t remember.” should become the concerns of the past.
Ultimately, by deploying single sign-on (SSO), support costs will decrease and user efficiency will increase for both end users and staff. Best of all, you will satisfy your subscribers with an easy means to navigate between their applications without repeatedly presenting authentication credentials in order to do so.
Stay tuned as Clareity Security continues to innovate new ways to present value and efficiency through technology tools.
Sunshine, Spring Training and Syndication…all of that and MORE is going down in the desert next week.
Can you believe it’s that time of year already? Almost 200 industry folks are preparing for the annual pilgrimage to the Clareity Consulting MLS Executive Workshop in sunny Scottsdale, AZ. Sure it helps that many of us are feeling a bit deprived of Vitamin D and the average temperature in the Valley of the Sun is a perfect 73 degrees. It can’t hurt that the town is brimming with professional baseball players and you have your choice of over 100 places to chase a golf ball through the desert. The real excitement for Clareity is the opportunity to deliver incredible content, spend time with clients and customers and hopefully leave mutually enriched.
The agenda is packed with great speakers, panelists and information. I am privileged to lead the discussion on Strategic Syndication. Those of you with a good memory might remember last year’s topic labeled “Syndication….the last word” where we basically agreed it had been beaten to death. But like all topics in need of better answers, we as an industry aren’t done. With so many contributors, much progress has been made. I’ve been pleased to work with several of our early adopters of the Clareity Security SAFE Syndication™ product. I’ve also been an active participant on the Council of MLS Board of Directors who produced a Syndication Toolkit for their members and are working hard to keep it current. Earlier today, Matt Cohen wrote a great post “Strategic Syndication – Year One” which summarizes the current syndication landscape.
So while we admit we were FAR from the last word on syndication last year, we are pleased to see real action being taken to improve the process for MLS organizations, brokers and the consumer. Looking forward to seeing many of you next week! Don’t forget your sunscreen.
PS – while I’ve gone on about the gorgeous weather in Scottsdale, it is technically still “winter” so a light jacket or sweater for the evening is always appropriate since we like to throw our parties poolside!
In Part One of this series, Clareity Security described how Safe Syndication helps MLSs provide a member benefit helping brokers with the advice they need to engage in “Strategic Syndication” and also efficiently handle questions about listings found everywhere online – but Safe Syndication does so much more. Safe Syndication also helps MLSs manage rule compliance for IDX websites and Virtual Office Websites.
In the past, MLSs have depended on “complaint-based” and partial rule auditing. “Complaint-based” auditing alone is a recipe for disaster – we’re sure you can hear it in your ears right now: “The MLS picks on me because I’m a new model online broker!” With an MLS IDX/VOW audit policy and consistent auditing, all brokerages are treated equally and there is no discrimination or cause for complaint. Also, non-compliance with many IDX and VOW rules, such as security and anti-scraping requirements, is not going to be evident to the casual site visitor and thus will never come up for a complaint-based audit. Finally, reviewing a site for only some rules is problematic because once one has let a site slide on unnoticed rule violations for long enough, the site owners are far more resistant to change than if issues are brought up during the site launch.
So, MLSs need a system that formalizes their rules of when to audit (or re-audit) and what to audit, provides audit reminders and workflow management to MLS staff, and manages documentation and reporting. Safe Syndication is just that system. And MLSs can either use the system themselves or even engage Clareity Security to provide full auditing services, including the tricky technical parts of the audit such as testing security practices and writing “scraping” programs to test anti-scraping – and allowing the MLS and its staff to remain “arms-length” from the audits and the possible politics surrounding them.