Home  |   Articles  |   Projects  |   About Us

Combat identity theft and data fraud

We've all been affected by identity theft or data fraud in one way or another. If you haven't, hopefully it will be a long time for you to bump against it. But more than likely a colleague you know has been a victim, perhaps a friend of a friend, or worst of all you've been on the receiving end of some kind of investigation regarding the fraudulent use of your name or your data.

 

The Problems:
It's one thing to say, "identity theft and data fraud are real problems today." But as a team of product managers charged with finding a solution, we have to dig down to find the real root of the problem. In doing our research, here's what it all boils down to:

1. Reports with your name, signature and license information are floating freely all over cyberspace.
   
   
2. PDF security is a myth - ANY PDF can be altered in seconds no matter what you've been told
   
   
3. You currently have no independent 3rd parties that can verify whether you signed a report or not, as well as the data contained in the report when it was originally delivered to the client

The Solutions:
We're working on a product called Appraiser SureDocs that will solve the problems listed above. The solution is in being able to verify the authenticity of a report, and in being able to authenticate the real identity of the signer.

 

If someone wants to alter a PDF of your report or lift your signature, if they know how to use the most basic of photo editing or graphics programs, they can. So no matter if you send your reports attached to an e-mail, securely delivered via an XSite delivery plugin, or even hand deliver them, if your signature or data can be seen, it can be stolen or manipulated. Period. That's where 3rd party verification of authenticity comes in.

 

SureDocs will do several things that are important to note:

1. True identity verification: After installing SureDocs, you'll go through an identity verification process to create a username and password. These will be entered when signing a report in SureDocs. The identity verification is provided by Equifax and asks you things like what company is the financing on your car with, who is your mortgage with, how much is your mortgage payment, and other things that only you would know. Until you've gone through this, you won't be given a username and password, and you won't be able to sign with SureDocs. (You'll only have to go through the identity verification once. )
   
   
2. Hashing: When signing with SureDocs, it will create what's called a hash value for your report. A hash value is a unique number derived from a formula that represents all of the text in your report. So if someone alters a single character in your PDF, its hash value won't be identical to the hash value of the report you originally signed with SureDocs.
   
   
3. Serial numbers: After signing with SureDocs, the signature is applied along with a serial number. That serial number is what is used to verify the authenticity of the signature and report on the SureDocs website.
   
   
4. SureDocs website: Remember how I said earlier that your signature and reports are floating around all over the place? And remember how I said that anything can be altered? We can't stop that right now, so the way to defend yourself is to be able to have an independent 3rd party that can verify authenticity.
   
   Should a report or your signature ever be questioned, the first thing to ask would be, "Does the report have a SureDocs serial number next to my signature? " If the answer is no, and you sign all reports with SureDocs, then that's one thing. If the answer is yes, then it's time to go to the SureDocs website, enter the serial number, and compare the report in question to the original document signed with SureDocs and sent to the client. 3rd party authentication is vital.

In the course of doing our research, we've come across a number of themes and questions repeatedly that I'd like to mention here in this article. I think they're important when thinking about SureDocs and what its intent is.

 

Changing the way we think about signing
When you stop and think about it, the method of signing reports in WinTOTAL, and to my knowledge in every brand of appraisal formfilling software, is very much out of date. What we all currently refer to as a "digital signature" is really nothing more than layering an image of your signature over the form on-screen and then printing. We were ahead of the curve in our "digital signatures" back in the 90's, but the rest of the world passed us by on this one. There are legal definitions of digital signatures and e-signatures that are much more relevant and secure. It's time the appraisal industry catches up too.

 

Other concepts about signatures we have to change the way we think about:

1. Signature images in WinTOTAL: In the end, the only signature that matters is the one that's on the report that was actually delivered to the client. That's it. The signature image you see onscreen inside WinTOTAL means nothing...except that the report is locked. We've got to break from the notion that signature on the report in WinTOTAL is something more than a lock. It's not.
   
   To that end, after installing SureDocs, when you sign a report you will no longer see a signature image on the form in WinTOTAL. The reason is that you signed a PDF of the report, which is the only thing that really matters. In WinTOTAL, once a report has been signed you'll see a watermark on the report letting you know the report has been locked. You'll also have a Lock/Unlock button on the toolbar.
   And yes, you'll still have the ability to apply a non-secure signature (i.e. the way we do it now), even though you'll have SureDocs installed.
   
   
2. Signing versus locking: When you sign the papers for your new car, or for a student loan, or when you buy a home, can you "unsign" a legally binding document? No. You can't unsign something anywhere, but yet you can in WinTOTAL. We've got to change that concept by giving you the ability to LOCK and unlock a report with the click of a button that has NOTHING to do with signing a report. Again, the only signature that matters is the one on what was actually delivered to the client.
   
   
3. Signing for others: We've "enabled" users to do this, so much of this bad habit is our fault. But make no mistake....this is a bad habit. It's true you haven't had tools to expedite the signing of reports remotely (i.e. trainee/supervisor, office admin, etc), but that doesn't change the fact that any way you slice or dice it, signing someone else's signature on a legally binding document is bad juju, even though people do it every day. With SureDocs, you WILL NOT be able to sign for someone else, and vice versa, and it very well may add a step to the delivery process. Is that additional step for security worth it? Ultimately, that's for you to decide.

Is this Gramm-Leach-Bliley Act (GLB) compliant?

SureDocs doesn't really have anything to do with GLB. It's important to make the delineation that signing and delivering are two different things. SureDocs' primary function is to be a signing mechanism, not a delivery vehicle. That said, it will streamline signing by a trainee and supervisor by sending the PDF back and forth via the SureDocs web service.

 

What about SureReceipts?

The actual SureDocs "engine" for appraisers has grown from technology we developed initially in our mortgage products (and you thought our products in other markets were pointless!). There we developed a version of SureReceipts on steroids, called SecureReceipts. This technology is an improvement because it not only gives you the e-mail notifications that SureReceipts provides, it also tells you which pages have actually been viewed. Also, it requires a username and password to download the PDF, which SureReceipts does not do. SecureReceipts will become the new tool for appraisers to deliver reports securely (in compliance with GLB), and to still have that peace of mind in knowing your report reached the client.

 

Will clients use it?

If it's easy enough for them to get to the report, Yes. But that's the trick. If a report is delivered via SecureReceipts, your client will have to enter a username and password to retrieve it. They will only need 1 (one) login to download a SureDocs report, no matter how many appraisers they work with or deliver to them with SecureReceipts.

 

I've talked with lots of appraisers who feel that clients won't use it if they have to log in to anything. Right now, maybe not. So you'll be able to send a report as an attachment to a PDF. But, the FTC has begun to crack down on the mortgage lending business much more harshly in the last several years for violations of the Gramm-Leach- Bliley Act. Technically, sending a report as an attachment to an e-mail is a violation of GLB. E-mail is a non-secure means of sending a report. Tools like SecureReceipts are secure because they require a username and password to be entered before anyone can retrieve the report. Same with XSites delivery. Both are GLB compliant. So back to the original question. Will client's use it? If they're both responsible and concerned with security they will.

 

Will it work with plugins?

Yes. We'll make sure the SureDocs signed reports can be used when delivering via any of the plugins you use now in WinTOTAL and XSite Order Manager.

 

Can I sign with SureDocs but still attach the PDF to an e-mail?

Yes. You'll be able to download the SureDocs signed PDF to your local machine.

 

Can I sign with SureDocs but upload the PDF to clients like the VA?

Yes. You'll be able to download the SureDocs signed PDF to your local machine, so that you can then securely log in to the VA's site (or any other client with the same setup), and upload the file directly.

 

Can I give my username and password to a trainee or supervisor?

Sure, but this defeats the whole purpose of secure signatures. Banks try to make their online services secure by verifying your identity, but you could still give your login to someone else and let them look into your bank accounts. This is no different.

 

When talking to appraisers about SureDocs, I've been told on several occasions, "But Adam, my supervisor or trainee works from their house and I work from mine. We apply each other's signature when it's time to deliver the report. It's faster and easier that way. "

 

We know it is. And no one is looking down their nose at anyone either because there really hasn't been a better solution offered. But it's important to at least acknowledge that signing as someone else is the same thing as lying (don't shoot the messenger!). If you sign for someone else, they didn't sign their signature to the document. You signed their signature, whether you had their permission or not. If they got called into a courtroom and asked, "Did you sign that report? " they would have to say they did not. Again, bad juju.

 

So what do you think?

• Can appraisers make the mental shift and get used to the idea that signing and locking reports are different?
  
• Will it blow your mind to NOT see your signature on the report in WinTOTAL, but only on the PDF instead? Will appraisers rise up in the streets against this idea?
• Can you get your mind around any PDF can be altered?
  
• What are we right about and where are we missing the boat? What other uses does this need to be adaptable to?
  
• Thoughts? Comments? Questions? Concerns?