Most active commenters
  • aaln(5)
  • ziddoap(4)
  • kojeovo(4)
  • gruez(3)
  • (3)
  • ryandrake(3)
  • lolinder(3)

←back to thread

273 points aaln | 75 comments | | HN request time: 0.002s | source | bottom
Show context
kojeovo ◴[] No.42149815[source]
The privacy and security part is not inspiring confidence. Scrolling to the next section got me thinking "Don't get scammed at closing, get scammed before closing after uploading your mortgage documents to a random website."

Cool idea though.

replies(2): >>42150061 #>>42150121 #
1. aaln ◴[] No.42150061[source]
Hey, Aaron the builder here.

The scamming that happens to homebuyers is not even comparable to the risk in uploading docs to a website which promises they won't share user data with anyone. This is genuinely a pro buyer tool with no association with any 3rd party.

The tool has already helped many people negotiate and get a better deal on their mortgage. Please before judging understand that 70% of buyers overpay in their mortgage 1-3% in closing costs and bad rates. It's mind boggling how much lenders get away with profiting in junk fees from stressed out homebuyers.

replies(15): >>42150103 #>>42150132 #>>42150169 #>>42150219 #>>42150406 #>>42151085 #>>42151198 #>>42151240 #>>42151281 #>>42151328 #>>42151929 #>>42152370 #>>42153139 #>>42154561 #>>42164650 #
2. gruez ◴[] No.42150103[source]
>The scamming that happens to homebuyers is not even comparable to the risk in uploading docs to a website which promises they won't share user data with anyone.

Well as long as you promise, my privacy fears are allayed!

/s

3. mannyv ◴[] No.42150132[source]
Ignore the haters, they will probably never be your customer.
replies(3): >>42150217 #>>42151022 #>>42151071 #
4. bredren ◴[] No.42150169[source]
It is fair to describe the pains of not getting analysis on mortgage loan estimates, but what I think folks are looking for is some kind of authentic answer to the problem posed.

For example, you could advise the person uploading to remove PII prior to the upload, and link to pdf editing tools that allow them to do that.

You could say that not including PII like full name(s) found on just about every loan estimate does not take away from the value of the tool.

Another thing that could be done is to provide clear means for removing any data uploaded, or opt-out pre-upload of any data being used for training.

For example by creating an account first.

Providing some skin in the game such as putting the removal behavior in the terms of service and a personal guarantee to do everything to ensure sensitivity to privacy of this information will be handled carefully staking your reputation, probably would help.

replies(1): >>42162120 #
5. ◴[] No.42150217[source]
6. WaitWaitWha ◴[] No.42150219[source]
Allow me to expound on @kojeovo's remark. Please take this as a constructive criticism to improve your success potential. Much of it is from a quick glance, and am sure there are many other facets to improve.

A business is not just about the product.

Your Privacy Policy. There is no default way to download it (see 9.), and since it is window-ed cannot print entire doc. That means I cannot keep a copy of it for myself.

> We collect the following types of information:

> Mortgage Documents: Loan Estimates and Closing Disclosures you upload for analysis.

Okay, but

> 4. Data Security

> We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction.

This means nothing. Are you ISO 27001:2022, NIST SP 800-53, CIS, CE+, Essential Eight, or something else? Have you been audited, and proof? Who is your ISP? What regs do you follow around data sovereignty?

Terms of Service. Again, no default way of download. Overall, I would never agree to this ToS. It demands all kinds of requirements on the user, but takes no responsibility for anything - or as described above, explain how you will protect your customers.

You have no reference anywhere where you are geographically. No address, no about us, no who you are. I would be very leery on uploading anything.

replies(3): >>42150822 #>>42150852 #>>42150889 #
7. swatcoder ◴[] No.42150406[source]
FYI, this reads as a very aggressive response to someone raising legitimate privacy concerns and doesn't engender the trust you very likely deserve.

Rather than talking up the value of the tool as superceding the concerns, a more constructive approach might acknowledge the concerns and emphasize how you already do minimize risk or commitments you're willing to make towards doing so.

Being dismissive doesn't help worried or skeptical people feel more secure, and worried and skeptical people make perfectly good users too.

replies(1): >>42157730 #
8. mmh0000 ◴[] No.42150822[source]
Would it matter if they had a "perfect" privacy policy? I don't believe there's anything legally that enforces it. So they can promise the moon then turn around and sell your data.

Maybe I'm wrong here, but, My mental model of privacy policies and the like has always been: This is a lie, the company will do whatever it wants with my data. And I will have no recourse.

As such I've always acted accordingly. And very few websites have legit info on me.

replies(1): >>42151436 #
9. adamtaylor_13 ◴[] No.42150852[source]
Legitimately curious, what’s the worst they could do with this data?
replies(2): >>42150989 #>>42151079 #
10. aaln ◴[] No.42150889[source]
Thanks for the constructive feedback.

I just added a way to easily download the entire privacy policy and terms of service, also quickly added an about page with some info about me - https://closing.wtf/about

Eventually I'm going to get a certification and will keep your other points in mind.

replies(3): >>42153451 #>>42156603 #>>42156750 #
11. b1ngb0n1 ◴[] No.42150989{3}[source]
Aside from the personal details (name, address, etc), they can collect pricing info on houses, run analytics, and swoop the deal with a slightly better offer or better yet, sell it to wholesale buyers, reits, and whoever is interested in stealing the deal.
replies(3): >>42151088 #>>42151092 #>>42151174 #
12. effingwewt ◴[] No.42151022[source]
Ah the Disney approach.

Bold strategy Cotton.

Owner did the smart thing and listened to the constructive criticism which made me feel infinitely better about using his tool.

Which I will now do, and would not have before. I am also his exact customer.

replies(1): >>42154743 #
13. ziddoap ◴[] No.42151071[source]
People are trying to increase the potential customer base of the author by pointing out where there is room to improve. That is incredibly valuable, and one of the major reasons to do a Show HN.

That is not being a "hater".

replies(2): >>42151693 #>>42151841 #
14. AntiRush ◴[] No.42151079{3}[source]
The most common scams around home buying are wire fraud - contact the buyer pretending to be the title company and steal their money. The data in a mortgage is exactly what you need to enable these scams and you're getting people to hand it to you and at the same time tell you they are about to wire money.
replies(3): >>42151215 #>>42152057 #>>42152237 #
15. jjav ◴[] No.42151085[source]
> not even comparable to the risk in uploading docs to a website which promises they won't share user data with anyone. This is genuinely a pro buyer tool with no association with any 3rd party.

I have no reason to think you're not completely sincere in this!

But, realize it doesn't mean anything.

Unless that promise is backed by some ironclad contract, it means nothing. Companies grow and hire new people who don't care about the original values. Or they get acquired and all bets are off. Or they start running low on cash and suddenly decide monetizing all that data is a good idea after all. Or it becomes visible enough to attract attention of the government who shows up demanding copies of data. And so on.

I've been in one or more startups where all of these things have happened.

16. scottishbee ◴[] No.42151088{4}[source]
That...is not how mortgage servicing companies operate.
replies(1): >>42151128 #
17. Kiro ◴[] No.42151092{4}[source]
> name, address, etc

In my country all that plus your social security number and tax declarations etc are public information. What's your opinion on that?

18. gruez ◴[] No.42151128{5}[source]
People aren't concerned about giving their details to a mortgage servicing company, they're concerned about giving their details to a random website called "closing.wtf", which promises to provide mortgage advice for free with no other obvious revenue source.
replies(1): >>42152767 #
19. gruez ◴[] No.42151174{4}[source]
>they can collect pricing info on houses, run analytics

AFAIK house sale prices (ie. property transactions) are open in many (most?) jurisdictions.

>and swoop the deal with a slightly better offer

How does that even work? The winning bidder is presumably someone who gave the highest offer. Why would another company pay above and beyond that, considering that there's probably several other serious buyers who aren't willing to pay more?

replies(2): >>42151505 #>>42151879 #
20. ◴[] No.42151198[source]
21. SoftTalker ◴[] No.42151215{4}[source]
I have never done a wire transfer at a residential closing. I come to the closing at the title company office with a cashier's check from my bank for the amount they told me to bring.
replies(3): >>42151734 #>>42151756 #>>42152686 #
22. dylan604 ◴[] No.42151240[source]
Also, you have no control over decisions that any future owner might have, and you won't care because you've already cashed out.

What happens when you get hacked? Not if. To come back at someone with valid concerns with a "no, you don't understand my point of view" does nothing but a disservice to you.

Expecting people to just accept things is just not a good way to operate. When you receive push back, you need better responses than this. Will the vast majority of your users push back, sadly, probably not. However, you did post this to HN and then reacted poorly to valid criticism. Tsk tsk

23. datavirtue ◴[] No.42151281[source]
I love this idea (haven't tried it) and it seems like a killer app for AI. I can think of a lot of other things like health insurance, home owners insurance, and many other types of contracts for which an AI advisor can be built for. Imagine being able to rake over a complex document and make decisions that clearly benefit you. That's a rare privilege.
24. egorfine ◴[] No.42151328[source]
I am genuinely surprised by the comments in this thread.

Privacy concerns are real but the importance of that matter in your project is overestimated here by an absurd level.

What I read is not a constructive criticism and the suggestions laid down are not realistic nor business relevant at all. I feel like this is some sort of mass wishful thinking.

replies(3): >>42152098 #>>42152211 #>>42152261 #
25. T4iga ◴[] No.42151436{3}[source]
I think acting 'as if' is the safe option here but encouraging change for the better in someone willing to engage in dialog is still better than not doing it. Maybe you didn't intend to make a counterpoint, i just wanted to point that out.
26. dumbfounder ◴[] No.42151505{5}[source]
The terms are not public until the house is sold. In the contract pending state you don’t know how much it is going to sell for. Theoretically if they saw a buyer accepting a crazy low offer they could alert the troops.

But it doesn’t need a lot of the data in that document, so really they need a way to redact all the unnecessary data to require less trust.

Edit: words.

27. cj ◴[] No.42151693{3}[source]
The percentage of regular people who care about any of the risks discussed in this thread is approximately zero. For better or worse.

Your typical home buyer isn't reading the contract they sign when they buy a home, let alone the privacy policy of a simple tool they use to check if they have a mortgage with decent terms.

replies(1): >>42152136 #
28. takeda ◴[] No.42151734{5}[source]
Did you bought enough houses to assume that's always the case?

My experience was that I was told to send the cashier's check using overnight FedEx because they did not have office in my area.

replies(1): >>42151888 #
29. jvanderbot ◴[] No.42151756{5}[source]
The only method available to me at closing was a wire transfer. It is dumb.
30. fragmede ◴[] No.42151841{3}[source]
https://news.ycombinator.com/item?id=42150219 was highly constructive. It was direct and actionable.

kojeovo's original comment was less so. When you build a product, you're going to get random, in-actionable comments from people who just like to complain. Separating the signal from noise is difficult, and while there is a underlying concern about privacy, not giving anything actionable moves it towards to the noise side of the spectrum.

replies(2): >>42152069 #>>42164897 #
31. gsharma ◴[] No.42151879{5}[source]
The deal isn’t always about the price. For example, a $1M house bought with $100K down and $900K mortgage is a worse deal for the seller as compared to $500K down and $500K financed. Assumption here is that it is more likely to get a $500K loan irrespective of the appraised value of the house.

A lower all cash offer (say $975K) is likely a better offer for the seller because it reduces the risk for them and closes the transaction much quicker than a mortgage transaction.

I have been a buyer in two transactions where my offer was slightly lower than the highest bidder, but with better terms.

replies(2): >>42152155 #>>42152645 #
32. SoftTalker ◴[] No.42151888{6}[source]
No, fair enough. I would not close anywhere other than a local title company though. I've had a few odd things surface at the last minute that were resolvable because everyone was sitting around the same table.
33. bastloing ◴[] No.42151929[source]
Doesn't matter your promise, even though you may or may not be trusted, hackers can get it and steal it all. So it's not necessarily you or your service.
34. zie ◴[] No.42152057{4}[source]
Wire Transfers are not undoable and instant, much like Zelle. So I always recommend people send $10 first, and confirm everything works, before sending real money. When doing the confirmation, try using a different channel of communication, to ensure you are getting the right person. i.e. call them directly from known good phone numbers or something.

Yes many banks charge $30 or more for a wire transfer, but I'd rather just pay the $60 than have a large sum wire transfer lost, stolen, etc.

Some banks/Brokerages are sane and do not charge extra for wire transfers. Fidelity is one such. BOA also(if you have enough assets there, $100k will do it).

replies(1): >>42154509 #
35. ziddoap ◴[] No.42152069{4}[source]
Absolutely agree.

Neither are "haters", though. And, speaking on quality of feedback, "ignore the haters" seems fairly low.

replies(1): >>42152244 #
36. sangnoir ◴[] No.42152098[source]
Title deposit wire fraud is a very big risk. The amounts are devastating to the victims, so the operator has to go above and beyond to secure the data because of the huge risks involved. Would you risk losing a 5-/6-digit amount to fraud in order to potentially save on a 4-digit closing fee?
37. ziddoap ◴[] No.42152136{4}[source]
When people who do care about privacy and security make their voices heard, such as the case here where the owner has committed to improving their policy & processes, it benefits everyone using the product or service.
replies(1): >>42152331 #
38. ryandrake ◴[] No.42152155{6}[source]
As a home buyer, I've been beaten many times by an all-cash offer that was significantly lower than my financed offer. For example, a $450K all-cash offer where they'd close in 7 days beat my $525K 80/20 offer where it would have taken me 25+ days to close.
replies(2): >>42155180 #>>42156660 #
39. ryandrake ◴[] No.42152211[source]
I think it's actually refreshing to see the top comments and constructive criticism be about privacy concerns. It shows that even for little "Show HN" projects, there is growing intolerance of half-assing it. Not saying OP in particular is half-assing it, but it's good to see these questions being regularly asked front and center. I honestly wish the Tech Media paid more attention to privacy and security instead of just copy-pasting companies' PR statements as "articles."
replies(1): >>42156758 #
40. lolinder ◴[] No.42152237{4}[source]
Yep. When we closed on our house we got a whole lecture from the title company about how frequently data breaches lead to wire fraud and to not trust anyone. Mortgage originators are constantly under attack to try to get at the information that OP is asking people to just casually upload.

Their aggressive dismissal of the concern is not a good look.

replies(1): >>42152835 #
41. ryandrake ◴[] No.42152244{5}[source]
Yea, "ignore the haters" is terrible advice. It basically means "stay in a bubble where the only feedback you listen to is positive".

I won't even get into how ridiculous it is to consider anyone who disagrees with you a "hater."

42. lolinder ◴[] No.42152261[source]
> Privacy concerns are real

This isn't about privacy, it's a security concern. People's life savings are on the line here, and the information OP is requesting is enough to pull off very sophisticated social engineering attacks. It's entirely reasonable to ask what they're going to do with that information and how they're keeping it secured, and their reaction to the questions is entirely inappropriate for someone who's asking for this degree of trust.

43. cj ◴[] No.42152331{5}[source]
It’s not in the spirit of a “Show HN” to attack the guy’s privacy policy and shut down the idea over security concerns that the general public wouldn’t think twice about.
replies(1): >>42152349 #
44. ziddoap ◴[] No.42152349{6}[source]
No one "attacked" the author.

The first comment said "not inspiring confidence" and then WaitWaitWha gave a very thoughtful comment with actionable advice, based on that comment and the reply. These are not attacks.

45. chourobin ◴[] No.42152370[source]
Great idea and execution. I understand the privacy concerns, but I believe implementing a client-side redaction step could alleviate some of them. This step would allow users to preview their uploaded content before submitting it. While designing this feature, it’s crucial to ensure user trust and convince them of its benefits. Personally, I would feel more comfortable uploading a PDF knowing that it will be anonymized or redacted before being submitted.
46. jogjayr ◴[] No.42152645{6}[source]
> a $1M house bought with $100K down and $900K mortgage is a worse deal for the seller as compared to $500K down and $500K financed.

Do sellers in the US know how large your down payment is? AFAIK that's not a thing in Canada. Offers either have a financing condition, or don't. If the offer doesn't have a financing condition, the buyer might be paying cash. But they could just be trying to present an offer with better terms, gambling that they'll definitely find financing somewhere or the other.

replies(1): >>42153112 #
47. nijave ◴[] No.42152686{5}[source]
Cashier's check was only accepted for amounts less than $10k at our closing by our title company. This seems common to require wire. The title company contracted with a 3rd party escrow service so the money was required into the title company's account at the escrow service. I assume a cashier's check would need to be mailed to the escrow company
replies(2): >>42154712 #>>42156948 #
48. aaln ◴[] No.42152767{6}[source]
Lol no revenue source and a promise to never sell or share their data.

Gotta figure this one out...

replies(1): >>42157019 #
49. aaln ◴[] No.42152835{5}[source]
I am not dismissing the concern, I was stating the tool solves an even larger concern. I'm doing everything I can to setup it up to be secure, private, and worthy of trust and addressing the feedback points.

If you have suggestions more than "don't trust this random internet tool even if it gives you free advice, regardless of the value it offers", please let me know [thanks emoji]

replies(2): >>42154977 #>>42156281 #
50. happyopossum ◴[] No.42153112{7}[source]
Yup, the seller is (at least should be) made aware of the financing structure, as it’s part of the offer.

Every time I’ve sold a house it’s been a factor in deciding which offer(s) to pick or counter.

replies(1): >>42154722 #
51. mgaunard ◴[] No.42153139[source]
How can you get scammed on a mortgage? They're typically standard products from nationwide banks.
52. doctorpangloss ◴[] No.42153451{3}[source]
I think based on your responses so far, it’s disappointing, but people should not upload these docs.

There isn’t anything actionable in them. It seems like you are running some kind of scheme to collect these documents. And it’s not clear why you need them at all: you could provide the same advise to everyone regardless of their contents, which is to compare options, or to ask for more lender refunds.

53. davchana ◴[] No.42154509{5}[source]
Is it too paranoid that even for first time Zelle (with people I know in real life) I send a $ and ask them to see if they received it, before sending anything else?
replies(2): >>42155655 #>>42156591 #
54. stevebmark ◴[] No.42154561[source]
Your response is a lighthouse sized red flashing light to never use your tool.
55. ◴[] No.42154712{6}[source]
56. KPGv2 ◴[] No.42154722{8}[source]
That's interesting. My last house was $$$ and I had no RE agent. Negotiated with the seller's agent myself. Never once disclosed financing info.
57. KPGv2 ◴[] No.42154743{3}[source]
> Ah the Disney approach. Bold strategy Cotton.

The Disney approach, if successful, would make you very rich. Their approach has made them one of the most powerful companies in the world.

58. stouset ◴[] No.42154977{6}[source]
With all due respect, that is the fundamental problem here. Your tool may provide value to your users but uploading mortgage documents to random third parties is de facto dangerous and encouraging users to act irresponsibly.

A great analogy would be a website that asks users to provide their usernames and passwords for sites to see if it’s a strong password or if it’s been compromised. “Sorry, the credentials stouset / hunter2 were found in our database for Hacker News.”

Sure maybe you’re a saint and don’t store or misuse this data. But such a site would in the best case be training users to do a very wrong and dangerous thing. In the worst case you get breached by attackers who do use the collected data to do evil.

replies(1): >>42156489 #
59. t0mas88 ◴[] No.42155180{7}[source]
This makes sense for the seller depending on how often a financed offer falls through. Our agent mentioned that in Amsterdam for example over 1/3rd of the offers with a financing condition fall through. And they do so weeks after the signing of the agreement so it costs the seller significant time and money.

With such a high chance of not actually getting the sale done, sellers are motivated to take 475 immediate cash instead of 525 with a 1/3rd risk of having to do it all over. Especially if they need the cash to buy their next home.

60. blitzar ◴[] No.42155655{6}[source]
I do / did this between my own bank accounts when entering details the first time.
61. taxcoder ◴[] No.42156281{6}[source]
On a per individual basis, I think most individuals would prefer to overpay mortgage fees slightly rather than lose the entirety of the money they wire.
62. lolinder ◴[] No.42156489{7}[source]
> A great analogy would be a website that asks users to provide their usernames and passwords for sites to see if it’s a strong password or if it’s been compromised. “Sorry, the credentials stouset / hunter2 were found in our database for Hacker News.”

This is actually a really good analogy because it does illustrate that it's not a completely crazy ask—people do trust Troy Hunt to run such a site. But OP should be much more understanding of how dangerous the concept is and offer options to resolve concerns (Troy allows downloading the passwords list to check locally), especially while they're not Troy Hunt-level famous and still are trying to build up trust.

replies(1): >>42157437 #
63. zie ◴[] No.42156591{6}[source]
100% not paranoid. I do this for basically all payments.
64. meowster ◴[] No.42156603{3}[source]
> industry-standard security measures

The industry-standard is to get hacked and have your info leaked online.

"Industry-standard" is like saying "military-grade"

65. JumpCrisscross ◴[] No.42156660{7}[source]
> I've been beaten many times by an all-cash offer that was significantly lower than my financed offer

Note that all cash commonly means no financing contingency. I put in an all-cash offer and financed it. I just didn’t have an out if I couldn’t find financing I liked. (Legally.)

66. paulcole ◴[] No.42156750{3}[source]
Just replace the entire contents of the privacy policy with the word “None.”

You’ll never ever please the privacy commenters on HN who are armchair security enthusiasts. They’re never going to use your product and they’re never going to stop complaining if you show your product to them.

Normal people just don’t care. For a tiny side project spend your time on the thing that’s potentially useful to people not trying to appease the privacy crowd on HN.

67. paulcole ◴[] No.42156758{3}[source]
My opinion is that the OP shouldn’t even half-ass it. Ignore anybody who has complaints about privacy and 0-ass it. People just love complaining and telling other people The Right Way To Do Things.
replies(1): >>42164602 #
68. telgareith ◴[] No.42156948{6}[source]
3rd party. ROFLMAO.
69. baldeagle ◴[] No.42157019{7}[source]
At least put a patron link on there or something, so people can have a legitimate way to pay for the cost associated with running the website. Perhaps make a suggested amount of 10% of the savings.

This gives you a obvious profit motive, and makes you seem more sketchy because you now have more skin in the game to keep it operating as a valid and useful business service

70. vel0city ◴[] No.42157437{8}[source]
Troy's site isn't actually handling the user's real password to check, its doing a lookup of hashes to see if a similar hash is there. The password and final hash checks never leave the client side. Still a lot of trust involved in a site like that, and yeah he encourages you use the API to do the comparisons yourself.

This is actually uploading all the information to the backend and storing it in a database. Like a page that is asking for a service URL, a username, a password, a TOTP secret, sending it all to the server, and having the server check if the credentials have been pwned and saving it all.

71. monktastic1 ◴[] No.42157730[source]
Interesting. I didn't read it as aggressive, and certainly not "very" aggressive. I read it as polite and perhaps mildly defensive. What about the response suggests aggression to you?
72. aaln ◴[] No.42162120[source]
Thank you for these suggestions, I'm going to advise users to remove PII before uploading and eventually allow users to purge their data.
73. kojeovo ◴[] No.42164602{4}[source]
As the OP, I wasn't even complaining about privacy of the app or site per se. It was just feedback on how that part of the landing page copy made me, a potential consumer of the product (I'm in the process of buying a house rn) made me feel in the moment. Could be a quick copy change to fix.
74. kojeovo ◴[] No.42164650[source]
Hey. I really don't care to compare the level of scamming nor the usefulness of the tool. I'm in the process of buying right now so I know it could be useful. That's besides the point. To clarify, here's a different thought. Reading the following copy, I am wondering "whats gonna happen to my data / file I upload?":

> We never sell or share data with third parties. All information is used solely to generate analyses to help borrowers analyze and optimize their mortgages.

I even looked further into the privacy policy, just to be diligent here.

> We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction.

With how much info I have been provided, I'm just not gonna upload a document to your site. Like I said, just doesn't inspire confidence as I scroll your landing page. Could just be a copy change to fix this.

75. kojeovo ◴[] No.42164897{4}[source]
It was not my intent to be highly constructive with my initial comment but if you read between the lines it's around how the landing page copy made me feel. Quick copy change could alleviate that. When the user's primary action in the app is uploading a private document then it may be good to have more than a quick sentence on privacy. Definitely something to split test.