First American Financial Sucks Customer Reviews and Feedback

From Everything.Sucks

Revision as of 06:16, 5 September 2020 by Jo41 (talk | contribs)

First American Financial Corporation is a United States financial services company that provides title insurance and settlement services to the real estate and mortgage industries.

On May 26, 2019 (EDT), contributor AJ Dellinger wrote for Forbes about the millions of confidential documents posted online by insurance giant First American Financial:

"Memorial Day weekend got off to a rocky start for millions of Americans when security researcher Brian Krebs reported the discovery of more than 885 million confidential documents posted online by insurance giant First American Financial. Those files stored on the company's website, firstam.com, contained bank account numbers, bank statements, mortgage records, tax documents, bank transfer receipts, social security numbers, and driver's license photos. All of that information, dating back to 2003, was available without any protection and could be accessed without even a password, as long as a person knows where to look. When a data leak like this occurs, it can be hard to tell just how severe it is. Without question, it's a troubling occurrence and does not inspire confidence in First American's capabilities to protect customer data. What makes it challenging to fully understand how widespread the effect of this leak is, is the fact that this information simply sat exposed online. There wasn't a clear breach of the company's servers or evidence that a malicious third-party gained access to files without permission. This isn't an Equifax situation, though it certainly has the capacity to be every bit as devastating if someone with bad intentions discovered this data first. What happened in the case of First American Financial is a relatively common website design error called Insecure Direct Object Reference (IDOR), according to Dave Farrow, Senior Director of Information Security at Barracuda Networks. Essentially, a link to a webpage with sensitive information is created and intended to only be seen by a specific party, but there is no method to actually verify the identity of who is viewing the link. As a result, anyone who discovers a link to one document can view it—and can discover any of the other documents hosted on the site by simply modifying the link. "No end-user compromise is necessary," Farrow said.
"The hacker has simply identified an authorization error on the website and walked through the front door." Even after discovering the IDOR issue, accessing documents manually is a time-intensive task that requires a bit of guesswork and pattern identification—though, given the information that is exposed here, it may well be worth the time for an attacker to put in that labor. However, things get significantly easier for an attacker (and significantly worse for potential victims) if the information is somehow mass harvested. It's possible that information from First American could have been collected and indexed by bots. Done carelessly, such an effort might tip off the defenses of First American and result in the company deflecting the malicious attempts to access documents. But carried out through a "low and slow" attack, which uses fewer requests to avoid detection, it's possible that someone could have scooped up a considerable chunk of the sensitive documents hosted on the site. According to data provided by Distil Networks, advanced persistent bots (APBs) are often used to carry out these types of attacks. They also made up 73.6 percent of all "bad bot" traffic in 2018. According to the company, these bots often avoid typical triggers that malicious attacks would hit, like failed login attempts and excessive traffic from a single IP address. While Krebs said in his report that there is no clear indication such an attack did happen, he noted that even a "novice attacker" could carry out such a scheme and could go undetected. Even if this information existed online, undetected by anyone, at least some of it was still captured by search engines. According to First American, cached versions of at least 6,000 exposed documents were still readable online. The company is making efforts to remove them, but those documents simply exist online with sensitive information readily available to anyone who finds them.
With a considerable amount of valuable information both still online and potentially collected by a bad actor, there now looms the threat that someone may use that information in a malicious way. That will most likely manifest in a Business Email Compromise (BEC), according to Barracuda Networks' Farrow. These types of attacks are typically phishing and social engineering schemes used to gain access to a company's network or other sensitive information. With a trove of customer data out there, it wouldn't be difficult for an attacker to impersonate a First American client and either attempt to change details or an agreement, ask for additional information that could lead to financial gain, or even redirect a wire transfer to their own account. Barracuda Networks estimates these types of attacks represent over $12 billion in losses to businesses”


Farrow explained: We are seeing an increasing trend in BEC attacks where hackers take over legitimate accounts, learn about organizational details, and any deals in the process. They then launch a well-timed BEC attack from compromised accounts asking for wire transfers or introducing last-minute changes to account details to defraud organizations. Because these attacks originate from legitimate accounts and often target internal employees many email security solutions will struggle to detect and block the attack. The trouble with a data exposure like the one at First American is that it's hard to pinpoint exactly how many people are actually affected. If everyone got lucky, this huge cache of sensitive files sat online, undetected and most everyone is in the clear. But the worst-case scenario is that every last one of those files was captured, saved, and could be used in the future to target individuals and companies. First American has yet to provide any assistance to help its customers protect themselves. If you've done business with First American at any point since 2003, it may be best to freeze your credit at major credit bureaus for the time being. Doing so will prevent any unauthorized parties from taking out loans or starting a line of credit in your name without your permission”
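The Insecure Direct Object Reference flaw described in the quoted article, shown next to a server-side ownership check that also records denials for review. This is an added example, not code from the article or from First American's systems; the document store, user names and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested document."""


@dataclass(frozen=True)
class Document:
    doc_id: int   # sequential identifier that appears in the link
    owner: str    # the party the link was intended for
    body: str


# Constructed sample store: IDs, owners and contents are made up.
STORE = {
    1001: Document(1001, "alice", "wire instructions for alice"),
    1002: Document(1002, "bob", "closing statement for bob"),
}
DENIED = []  # (user, doc_id) pairs kept for later review of probing


def fetch_insecure(doc_id: int) -> str:
    """IDOR pattern: knowing the identifier is the only 'credential'."""
    return STORE[doc_id].body


def fetch_authorized(session_user: Optional[str], doc_id: int) -> str:
    """Access is decided from the authenticated session, not from the
    identifier supplied in the request."""
    doc = STORE.get(doc_id)
    # One error for 'unauthenticated', 'missing' and 'not yours', so the
    # response does not reveal which identifiers exist.
    if session_user is None or doc is None or doc.owner != session_user:
        DENIED.append((session_user, doc_id))
        raise Forbidden("not found or not permitted")
    return doc.body


def can_read(session_user: Optional[str], doc_id: int) -> bool:
    try:
        fetch_authorized(session_user, doc_id)
        return True
    except Forbidden:
        return False


def denied_count(session_user: Optional[str]) -> int:
    """Denials per account: a signal that does not depend on request rate."""
    return sum(1 for user, _ in DENIED if user == session_user)
```
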

Reviews


Former Employee - Underwriter says

"I was hired with one interview. At the HR screening she asked me my asking salary. When I told her I'm sure she has a number in mind for this position she still insisted on me giving her a number instead. So I gave her one. She said to me, "oh that's a notch below than what we usually pay." But then only met my asking salary. She did not offer me any more than that. I knew walking in that I was getting paid less than my colleagues. Once I got there, I knew immediately that this place was toxic full of age, race and gender discrimination. People made comments like, "oh I thought you were an intern" to me. My own manager made comments that had racial undertones all the time around me. My expectations were never clarified. I was pulled off a team when everyone else had a team. All the other underwriters had assistants, even the new ones. I was told they didn't have any resources for me at the time and I would have to share someone else's assistant. My work was never prioritized by the assistants and I ended up having to work twice as hard and do all my own work. I was brought into the office for a review by a manager who wasn't even my direct manager. I was told I am simply not getting it. When I asked her for specific examples, she told me she didn't have any for me. Which was obvious that she did not want to actually offer feedback she just wanted to criticize and build a record. Every time I would ask a question, the managers would start screaming at me telling me they didn't have time to train me. I was let go in 4 months. Other people who started with me knew less than me and are still there because they "look" like they would be a good fit. Save your time, don't leave a job for these people. Not worth it. I went on to having a phenomenal career elsewhere. I do not "not get it" and have been profoundly successful with a more reasonable employer."

Former Employee - Title Examiner says

"Lack of training, micromanagement, too many supervisors and managers"

Former Employee - Insurance Adjuster says

"The managers do illegal and unethical claim handling. They know nothing about policies yet they ran a dictatorship. I saw them treat temporary employees so poorly that knew more than them. When COVID hit they didn’t include them to our meetings although WE WERE ALL EXPOSED!"

Former Employee - Anonymous Employee says

"Working for managers who only care about numbers not people will walk all over whomever to stay on top. Even if it means creating fraudulent documentation."

Former Employee - Software Engineer says

"No management. Very lonely life and no communication whatsoever. Poor project management and horrible deadlines. Everything is late and behind. Tons of legacy apps.. I don’t mean old asp or java code.. I mean DOS apps"

Former Employee - Escrow Assistant says

"Overworked. Lied to. No chance for advancement."

Former Employee - Information Technology says

"Got fired. Beware the contract job. You will be gone the next day. This company will continue to consolidate due to free information on the internet and Zillow."
