Merriam-Webster’s dictionary defines “value” as: 1: a fair return or equivalent in goods, services, or money for something exchanged 2: the monetary worth of something: market price 3: relative worth, utility, or importance (a good value at the price).
I am a paid subscriber to a number of websites (e.g., ESPN.com, Scouts.com and Ducks Unlimited). All of these subscription services have employees who provide specialized content, tools, data, expertise and analysis that I find valuable. Where this differs from MLS subscribers paying to access the MLS is compensation. Not one of these services holds me to a professional standard or generates income for me. This makes the MLS service, and the data within, significantly more valuable and worthy of even greater protection. The MLS likewise provides specialized content, applications, support and business tools, but it also facilitates shared compensation between professionals whose livelihoods depend on the integrity of the information. If these services did not provide significant value, subscribers would not experience: 2. the monetary worth of something: market price.
In my eyes, Scout for SAFEMLS mitigates the revenue risk associated with people attempting to bypass license agreements, therefore subsidizing the service for those paying for the access. On countless occasions, Clareity Security has provided case studies demonstrating the success of Scout by capturing a portion of this “lost” revenue while also deterring and removing these “thieves.” Here is an excerpt from Clareity’s most recent case study:
Many of our customers have applied Clareity Security’s suggested best practices for the Scout service (and others that we reviewed are now implementing said practices). A recent review of twelve Clareity Security customers showed sharing decreased by almost 18%, unauthorized users decreased over 22%, and active accounts increased by almost 2%. This increase may seem modest but during the same timeframe membership in the National Association of REALTORS® has dropped 1.75%. It is obvious that these numbers would greatly impact any MLS organization both from a revenue opportunity and a cost of operation perspective. A shared account will not only cause revenue deprivation but also adds to the cost of providing service to your paying members. Not to mention your data being compromised by unauthorized users who are not bound by the standards of your Terms of Service agreement!
Yet some remain unconvinced of the value of Scout. As Stephen Colbert states, “I am not a fan of facts. You see, facts can change, but my opinion will never change, no matter what the facts.” Perhaps the numbers won’t convince everyone there is a problem. Some know there is a problem, but choose to look the other way? Then there are elements of risk and problems that may not be so easy to see.
For example, last week Ray Ewing, CEO of SANDICOR MLS, which provides MLS Services to 20,000 real estate professionals throughout the San Diego, California market area, shared the following two stories with me:
There is an agent lead generation and marketing company that we will refer to as “Company X.” Company X regularly prompts agents for their ID and password for their MLS service. Most users do not even think twice about this and quickly provide that information. Then Company X, utilizing the agents credentials, downloads the expired MLS listings along with more complementing data and feeds it back to the agent with a marketing package. Company X is not even a subscriber of SANDICOR! By utilizing Scout, Ray Ewing and his staff have been able to identify this unauthorized use and vetted Company X to confirm this abuse.
Additionally, using the tools available in Scout, Ray and his team were able to identify a user who was exploiting an automated login to run query scripts against the system for data. According to Ray, these queries would at times get stuck and continue to run, impacting the MLS system’s performance. Armed with the information provided by Scout, SANDICOR was able to add language to their LCA stating that users were not allowed to use an automated login and would be redirected to use RETS. The scariest part about this is after doing some research, Ray discovered this user was accessing more than just SANDICOR data.
We spend a lot of time talking about Scout’s ability to increase membership by forcing system abusers to pay for service, but there is a bigger picture here. There is more than meets the eye when protecting the value of paid services. No matter how you define value, if a service has a paid subscriber base and is allowing that value to be shared, stolen, or even hijacked for someone else’s profit or gain, then that service is diminishing its own value.
So I ask again, how do you define value?
Last year Clareity Security demonstrated A Successful Case Study for customers using Scout for SAFEMLS™. The case study identified measurable success in both reducing unauthorized access and providing revenue assurance to MLS organizations through the implementation of the full Scout for SAFEMLS solution. Recently, we started to dig even deeper into the data behind the success of Scout for SAFEMLS. For this new study we analyzed a sampling of our customers who followed some best practices recommended by Clareity Security as part of the implementation. We researched further into which specific actions were most successful in remediating account sharing and unauthorized access. The results are very clear; applying Clareity Security’s best practices generates extremely positive results.
Clareity Security’s best practices have been established by analyzing our customers’ policies against the sharing outcomes in their individual systems. Clareity Security has worked individually with each customer to develop security policies based on these best practices and their local rules and policies, with the specific goal of deterring account sharing at the earliest possible action while minimizing user inconvenience. The chart below illustrates Scout for SAFEMLS’s effectiveness at eliminating 97% of sharing for users who enter remediation by the fourth action step.
Many of our customers have applied these best practices, and more are in the process of reviewing updated recommendations from us based on our findings. Our review of twelve Clareity Security customers over a six week period of time showed sharing decreased by almost 18%, unauthorized users decreased over 22%, and active accounts increased by almost 2%. This increase may seem modest but during the same timeframe membership in the National Association of REALTORS® dropped 1.75%.
These numbers greatly impact your MLS organization both from a revenue opportunity and a cost perspective. A shared account cannot only cause revenue deprivation but also adds to the cost of providing service to your paying members.
Clareity Security has gained considerable knowledge about the profile of a shared MLS account in the past eight years. While the numbers are not surprising to us, we believe they are interesting and worth noting for purposes of this paper. A shared account, on average, has almost twice the usage of a non-shared account and the unique devices used to access the account are double a non- shared account. This excess traffic translates to heavier server loads, greater network traffic, and even increased help desk calls. All of which mean extra expenses to the MLS.
Clareity Security is pleased to offer this solution to our existing customers and welcomes the opportunity to work with new organizations. Combining a tool like Scout for SAFEMLS with the experience and best practices developed by Clareity Security staff and customers is proven to recapture (or in some cases retain) revenue for MLS organizations. In addition, reducing unauthorized access means the MLS can experience cost savings while securing access to valuable MLS data.
As a consultant often called on by MLSs for help with VOW and IDX compliance audits, I also serve as a subject matter expert for Clareity Security’s SAFE Syndication product. And, as someone who is always pushing for improved information security in the real estate industry, I love that information security is featured prominently in the VOW rules, section 19.5: “A Participant’s VOW must employ reasonable efforts to monitor for, and prevent, misappropriation, ‘scraping’, and other unauthorized use of MLS listing information. A participant’s VOW shall utilize appropriate security protection, such as firewalls, as long as this requirement does not impose security obligations greater than those employed concurrently by the MLS.” The last part of that rule is also reflected in optional IDX rule section 18.3.14. Auditing these rules has allowed me to help many brokers improve their VOW and IDX security and reduce the risk of an information security incident.
I’ve already written about guidelines for anti-scraping and monitoring and, although anti-scraping is a constantly evolving challenge, that article provides at least a baseline for evaluating VOW rule compliance.
But, what else should MLSs be looking for when evaluating VOW and IDX security?
First, as specifically mentioned in the rule, appropriate firewall protection must be established. When I audit a VOW, I look to make sure that there are only a few specific network ports open on the server – 80 and 443 as needed for the web server to function, and ports needed to provide a secure method of server administration, such port 22 – or 989 and 990. If ports like 21 and 3389 are open and actually used to administer the website, it should be a big compliance red flag because they are common security incident causes – and issues I see the majority of the time when auditing a VOW or IDX site.
Second, you want to verify that all the web server software is up to date and properly configured. That means checking the web server (IIS, Apache, etc.) version, the operating system version (when possible) and the platform (.NET, JSP, ColdFusion, WordPress, etc.) version, making sure that those are the most current versions or that newer versions don’t have fixes for significant security vulnerabilities. You might think that keeping systems patched would be second nature for a technology provider, but in my experience it seems not to be the case.
Third, you want to evaluate any externally obvious security misconfigurations of the server and platform. Every server and platform has its own security configuration guidelines and it’s reasonable to expect that obviously poor configurations should not be visible to an external evaluator.
Fourth, and probably the most complicated part of evaluating VOW security, you want to evaluate application security – at least the OWASP Top 10 Vulnerabilities: Injection, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery, Security Misconfiguration, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection, and Unvalidated Redirects and Forwards. I usually evaluate Information Leakage and Improper Error Handling as well. Some of these items can’t be easily validated externally (i.e. Insecure Cryptographic Storage) though I’m always glad to hear that a web developer has encrypted the passwords and so cannot technically be compliant for VOW rule 19.3b. (“The Participant must at all times maintain a record of the name, email address, user name, and current password of each registrant.”). I’ve seen every one of these OWASP vulnerabilities while auditing VOWs and many times there are half a dozen issues on a single VOW.
If you’re a staff person at an MLS and a lot of the preceding read like gobbledy-gook to you or you don’t know how to audit security, you may want someone like me auditing VOWs and IDX sites for you, or at least auditing the security and anti-scraping related portions. It’s easy to split the audit responsibilities if your MLS is a Safe Syndication customer. It has been a blessing for the industry that the VOW and IDX rules give MLSs the opportunity to ensure that at least some reasonable security best practices are in place for VOW sites. I’ve had brokers tell me they were actually grateful someone was keeping an eye on their technology provider in this area, since they lacked the capacity to do so themselves and just figured that all appropriate measures had been taken.
Please keep in mind that website security is the smallest portion of overall brokerage security. Taking appropriate steps in terms of policies and contracts, physical security, account management and password controls, internal networking and computing, mobile device security, and internal web applications are all important. The NAR sponsored security workshops and security articles and blogs that I write, and which many MLSs and Associations reprint, are helping me reach some brokers and agents – but it’s a very difficult task to try to improve information security in this industry and I hope that I can count on my readers to act as security allies and spread the word.
An average REALTOR® manages unique logins for 20 or more websites, both personal and professional (think MLS, Association site, broker’s intranet, third party related sites, etc.). It is likely each of those websites has a different password policy with varying requirements for password length, letter/number/character requirements, and expiration periods. As in the old Abbott and Costello skit Who’s on First, keeping abreast of what password goes where, is an unlikely reality unless two common solutions are utilized. The prevailing method employed is to use as few password combinations as possible to ensure easy access. In other words, use the same password for every site possible. The second most common solution is writing the passwords all down on a piece of paper and storing the paper in a desk drawer. Both are ticking time bombs waiting for the right moment to blow.
The January 2012 hack of ZAPPOS® loudly reiterates the problem of using the same password across multiple sites when a breach occurs. In communications to their customers ZAPPOS® simply stated, “We also recommend that you change your password on any other web site where you use the same or a similar password.”. A breach in one site can have a cascading effect to other sites due to the commonality of passwords used. This serious problem is not unique to REALTORS®. The plethora of user IDs won’t go away any time soon. In fact, we anticipate the problem will only worsen over time as more and more sites collect user information behind the veil of login.
What is the bottom line for the MLS or Association? Jump into deploying technologies with both feet. Stop catering to the dinosaurs (of all ages) that resist change at every turn. Remove the silly obstacles subscribers encounter when gaining access to frequently used systems (such as asking them to remember multiple IDs and passwords for various systems). “Was it my NRDS number or my email address or my license number? I don’t remember.” should become the concerns of the past.
Ultimately, by deploying single-sign on (SSO) support costs will decrease and user efficiency will increase for both end users and staff. Best of all you will satisfy your subscribers with an easy means to navigate between their applications without repeatedly presenting authentication credentials in order to do so.
Stay tuned as Clareity Security continues to innovate new ways to present value and efficiency through technology tools.
Sunshine, Spring Training and Syndication…all of that and MORE is going down in the desert next week.
Can you believe it’s that time of year already? Almost 200 industry folks are preparing for the annual pilgrimage to the Clareity Consulting MLS Executive Workshop in sunny Scottsdale, AZ. Sure it helps that many of us are feeling a bit deprived of Vitamin D and the average temperature in the Valley of the Sun is a perfect 73 degrees. It can’t hurt that the town is brimming with professional baseball players and you have your choice of over 100 places to chase a golf ball through the desert. The real excitement for Clareity is the opportunity to deliver incredible content, spend time with clients and customers and hopefully leave mutually enriched.
The agenda is packed with great speakers, panelists and information. I am privileged to lead the discussion on Strategic Syndication. Those of you with a good memory might remember last year’s topic labeled “Syndication….the last word” where we basically agreed it had been beaten to death. But like all topics in need of better answers, we as an industry aren’t done. With so many contributors, much progress has been made. I’ve been pleased to work with several of our early adopters of the Clareity Security SAFE Syndication™ product. I’ve also been an active participant on the Council of MLS Board of Directors who produced a Syndication Toolkit for their members and are working hard to keep it current. Earlier today, Matt Cohen wrote a great post “Strategic Syndication – Year One” which summarizes the current syndication landscape.
So while we admit we were FAR from the last word on syndication last year, we are pleased to see real action being taken to improve the process for MLS organizations, brokers and the consumer. Looking forward to seeing many of you next week! Don’t forget your sunscreen
PS – while I’ve gone on about the gorgeous weather in Scottsdale, it is technically still “winter” so a light jacket or sweater for the evening is always appropriate since we like to throw our parties poolside!
In Part One of this series, Clareity Security described how Safe Syndication helps MLSs provide a member benefit helping brokers with the advice they need to engage in “Strategic Syndication” and also efficiently handle questions about listings found everywhere online – but Safe Syndication does so much more. Safe Syndication also helps MLSs manage rule compliance for IDX websites and Virtual Office Websites.
In the past, MLSs have depended on “complaint-based” and partial rule auditing. “Complaint based” auditing alone is a recipe for disaster – we’re sure you can hear it in your ears right now: “The MLS picks on me because I’m a new model online broker!” With an MLS IDX/VOW audit policy and consistent auditing, all brokerages are treated equally and there is no discrimination or cause for complaint. Also, non-compliance with many IDX and VOW rules, such as security and anti-scraping requirements, are not going to be evident to the casual site visitor and thus will never come up for a complaint-based audit. Finally, reviewing a site for only some rules is problematic because once one has let a site slide on un-noticed rule violations for long enough, the site owners are far more resistant to change than if issues are brought up during the site launch.
So, MLSs need a system that formalizes their rules of when to audit (or re-audit) and what to audit, provides audit reminders and workflow management to MLS staff, and manages documentation and reporting. Safe Syndication is just that system. And MLSs can either use the system themselves or even engage Clareity Security to provide full auditing services, including the tricky technical parts of the audit such as testing security practices and writing “scraping” programs to test anti-scraping – and allowing the MLS and its staff to remain “arms-length” from the audits and the possible politics surrounding them.
Clareity led the way on syndication in 2011, debunking the myth that “Listings Everywhere” have as much value as some people think and showing the various ways that listing advertising websites are intentionally siphoning off leads from the listing agents and misleading consumers. Clareity illustrated exactly how leading websites were not aligned with broker and agent business objectives. Unfortunately, individual brokers don’t have the time or inclination to keep an eye on these websites in order to gauge whether it makes sense to send their listings to each site. So, Clareity Security created Safe Syndication, which facilitates the MLS providing an increasingly important member benefit to brokers and agents: helping them understand how well each listing advertising website aligns with their business objectives before choosing to syndicate their listings to those websites. With the MLS involved, it will be much easier for brokers to engage in what Clareity calls “Strategic Syndication”.
In its 2011 white paper, Clareity created the “Syndication Bill of Rights”, a set of easily measurable criteria that brokers (or MLSs) can use to help evaluate the advertising websites. Clareity suggested that MLSs rate the websites and provide educational materials to their brokers, so that brokers didn’t duplicate effort evaluating these websites. Some MLSs already use syndication services that provide guidance of the websites, but such services can have a difficult time rating the performance of these portals, especially when those syndication services being paid by the portals, and MLSs have found the report cards don’t really cover most of the criteria that brokers care about and which Clareity included in its white paper. MLSs need to take compliance evaluation further.
So, Clareity Security has created Safe Syndication. Safe Syndication provides a way for MLSs to establish a measurement scorecard based on their own criteria, perhaps using the Syndication Bill of Rights as a starting point, and delivers a mechanism for measuring compliance and delivering additional value to brokers and agents by providing them with the information they need to make informed syndication decisions. ListHub customers will benefit from deep integrations, including single-source entry of portal participation and complaints, as well as access to the ListHub “Report Card”. Clareity Security is open to integrations with other third parties using a similar API. In the future, Clareity Security plans to provide social integration between customers – collaboration on compliance report cards and the sharing of statistics regarding portal complaints. This feature will make it even easier for MLSs to share the effort of keeping track of all of the syndication websites.
Unless you were hiding under a rock today or happened to be vacationing in an exotic location with no access to US media (P.S. I’m green with envy if you were in that second category) you have by now at least heard of SOPA (Stop Online Piracy Act) and her equally frightening sister PIPA (Protect IP Act of 2011). If you haven’t heard of it, here is a good summation from Mashable on why there is SIGNIFICANT cause for concern. Concern enough that many popular websites such as Google, Wikipedia, WordPress and others went dark (or partially dark) today to demonstrate what the internet experience could be like without much of the valuable information we are able to openly share today. I found this post from AgentKnowHow.com to have some good insight into what could happen specific to real estate if either of these measures were to pass.
It’s true that piracy is bad. So bad in fact that it is already a crime to do so with many options for individuals and corporations to protect copyrighted material and other intellectual property. This issue got me thinking about the hundreds of times I’ve heard the saying “an ounce of prevention is worth a pound of cure”, this is especially true if the cure is far worse than the illness. With that in mind, here are a few quick thoughts on what real estate related organizations (or really any organizations) should do to protect their intellectual property:
2) Make sure you copyright your content or other bodies of work and that you understand the requirements for doing so. My friend Brian Larson and the other good people at Larson/Sobotka, PLLC have provided some great articles on understanding copyright as it relates to MLS organizations and brokers.
3) Use best practices to protect your content. These best practices can be making sure that any policies you have are monitored and enforced. For example if your content is password protected but you never monitor user usage and behavior or require them to change their password, you are NOT using best practices.
Let’s hope the Internet can remain the vital and useful tool that supports so much of our business today. I’m confident by enforcing existing laws and using some best practices we can all get back to enjoying, and when appropriate, sharing the many contributions that are created on the web.
In a recent blog post, Amy Geddes presented a case study demonstrating some of the ways we can measure the success of Scout for SAFEMLS based on the first forty days of remediation and averaged across multiple customers. While we believe these results demonstrate our product is successful, apparently it lead others to ask, “How do those measurements for success look at the individual MLS level?”. Well, we are glad you asked.
Enter RealTracs.com, as an example. Realtracs.com is a Nashville based regional MLS that feels Scout for SAFEMLS has delivered success. As many are aware RealTracs.com develops, supports and maintains their own MLS system. In 2011 they modified their billing model from broker-based to agent-based and implemented Scout for SAFEMLS to compliment this effort.
Scout for SAFEMLS creates a secure login environment. Additionally, Scout for SAFEMLS adds revenue assurance through the analyzing of shared accounts and the SAFEMLS Remediation Manager. This service empowered RealTracs.com to monitor and take action against account sharing and abuse through the remediation process.
At a time when the economy is challenged and the real estate market is down, many have chosen to cut office overhead and/or avoid MLS fees by account sharing. RealTracs.com was able to significantly grow their member base by almost 10%. In addition to the demonstrable increase in active MLS users, RealTracs.com experienced a sharp decline of 54% in account sharing and non-paying (unauthorized) users accessing the MLS, and a decrease in account abuse of over 65% (the number of users abusing an account). For MLS organizations like RealTracs.com (who develop, support and host their system), this carries a clear cost savings and direct return on their Scout for SAFEMLS investment. By reducing the volume of users and the unique IP addresses accessing the MLS (and securing access to only those members paying their dues), RealTracs.com saves on hardware expenses and other costs associated with hosting their MLS system.
When speaking with another MLS customer, Clareity Security was informed of interesting results based on that customer’s internal data. They discovered that when a brokers’ office has had agents enter into remediation they are 34% more likely to add the agent as a new subscriber/member to the MLS within 30 days, than those that do not have agents in remediation.
Is this success measured at the individual MLS level? We at Clareity Security believe so, and more importantly, so do our customers. Subscriber growth and retention are key components in the MLS business model but it is just one piece of our measured success story. What about the story behind the numbers? Sure we can measure decreases in unauthorized account use and account sharing. While these factor largely into converting unauthorized users into new subscribers (when utilizing remediation best practices), a decrease in these two components also means an increase in security of your subscribers’ data and listings. When unauthorized users enter into your system they may not be doing so with malicious intent, but they are still accessing information that is controlled by your license agreement and these users have not agreed to your terms. Therefore, they can break your rules without fear of recourse. By not subscribing appropriately, they are in essence stealing from you, your paying subscribers and the consumers who provide the information (but that’s another story).
At Clareity we get asked A LOT – Does Scout for SAFEMLS really work? Not, how does it work…that’s easy to explain – but DOES it really work? That question from both our customers and potential customers prompted us to start focusing VERY heavily on measuring our outcomes. We are excited that the outcomes are both positive and measurable! We also can’t say enough about how much our customers contribute to the success of Scout for SAFEMLS. With almost every new installation came a new use case or circumstance that resulted in an improvement to SAFEMLS best practices. Existing and future SAFEMLS customers benefit from those best practices when applied to their organizations!
But we digress…we all know you really just want the numbers right? Hold on, first we have to tell you how we measured because we know you are going to ask us later. The information from this study consists of an aggregation of Scout for SAFEMLS data for 10 customers representing over 158,000 subscribers during their first 40 days of what we call “remediation”. Remediation means that a policy (based on best practices) is in place and actively working to reduce identified unauthorized access to the MLS resources behind the Scout for SAFEMLS login page.
The data sampled over 158,000 member accounts with a total sharing percentage of over 9%. After forty days of remediation management member accounts had grown approximately 4% with a sharing decrease of over 14%. The percentage of accounts shared included with the growth had decreased by over 17%. The percentage of unauthorized patterns had decreased by nearly 23%.
What do these numbers mean to an MLS?
We all know account sharing can result in lost revenue, security risks in the case of unauthorized access, and unnecessary customer support calls which increase costs for providing service. Combining a tool like Scout for SAFEMLS with the experience and best practices developed by Clareity Security staff and customers is proven to recapture (or in some cases retain) revenue for MLS organizations. In addition, reducing unauthorized access means the MLS can experience cost savings while securing access to valuable MLS data. We love the opportunity to show our customers and potential customers value. May we help you?