What is two-factor authentication, and why is it important for your real estate business?

We’ve noticed an uptick in agent email addresses that have been compromised by cyber criminals with the intent of defrauding home buyers, sellers and title companies – and most agents are totally unaware when we tell them.

The emails we’ve received of late are generally inquiries about wire transfers of seller proceeds. The sender is hoping the recipient (in this particular scam, title companies) will fall for a request to wire funds to their “client’s” account. If the victim is duped and sends funds, the fraudsters will quickly clear the account making it virtually impossible to recover the funds.

Reports of wire fraud scams have come in from all over the country and have cost the industry millions, if not billions, of dollars over the past several years.

These emails inquiring about wire transfers don’t come from the agent’s legitimate email account either, which is why the agent is often unaware any cyber hacking has occurred. Instead, the emails come from phony email accounts that look almost identical to the agent’s legit email account that was hacked – perhaps an extra letter, hyphen or dash is the only difference.

By the time the title company receives one of these phony email inquiries, the real estate agent’s legitimate email account has already been compromised along with all the contents of the inbox. Information pertaining to upcoming closings, specific property addresses, names and email addresses of other parties in the transaction are all used to bait the wire-fraud trap.

Needless to say real estate professionals must do all they can to protect their inboxes and the interests of their buyers and sellers, and email accounts have proved a particularly vulnerable area for attack. That’s where 2-factor authentication comes in handy.

What is two-factor authentication?

Pretty much like it sounds, two-factor authentication creates a second layer of security that a user must clear to gain access to the account. A classic example is the ATM card. To take money out, the individual must know their pin code (password) AND be in possession of the bank card that’s linked with the account that matches their pin. Having one or the other is not enough.

Two-factor authentication works very similarly with email, and many major email providers such as Gmail and Yahoo! Mail offer the option. To configure, a user goes to account settings, ticks the box to enable two-factor authentication and enters her mobile phone number. There’s an option to receive a verification code by phone or text. Enter the verification code to configure two-factor authentication with that mobile device.

From then on, any time the user logs into her account she must also enter a unique code to gain entry. It might seem like a hassle, but it increases email security significantly.

Even if an individual’s username and password are compromised – maybe they accidentally downloaded malware from a spam email or used public, unsecured WiFi to access their email – the criminals cannot gain access unless they also possess the specific mobile device that was configured with the email account.

The two most common two-factor authentication methods rely on text messages and/or mobile applications to produce the code.

With text message, a user logs into her email account with username and password and then receives a text message on her phone that contains the unique six-digit code. Once she successfully enters the code at the email login, she unlocks the second layer of security and gains access to her account.

A second method is similar to the SMS approach but instead relies on a free smart phone app, such as Authenticator by Google, which produces a new six-digit code every 30 seconds. A user logs into her email account with username and password and then opens the app to obtain the unique six-digit that unlocks the account.

With both methods, the user must have knowledge of their username / password AND possess a specific device that’s configured with the email account. Knowledge of the username / password makes one factor, and possession of a specific device makes two factors.