←back to thread

273 points aaln | 5 comments | | HN request time: 0.852s | source
Show context
kojeovo ◴[] No.42149815[source]
The privacy and security part is not inspiring confidence. Scrolling to the next section got me thinking "Don't get scammed at closing, get scammed before closing after uploading your mortgage documents to a random website."

Cool idea though.

replies(2): >>42150061 #>>42150121 #
aaln ◴[] No.42150061[source]
Hey, Aaron the builder here.

The scamming that happens to homebuyers is not even comparable to the risk in uploading docs to a website which promises they won't share user data with anyone. This is genuinely a pro buyer tool with no association with any 3rd party.

The tool has already helped many people negotiate and get a better deal on their mortgage. Please before judging understand that 70% of buyers overpay in their mortgage 1-3% in closing costs and bad rates. It's mind boggling how much lenders get away with profiting in junk fees from stressed out homebuyers.

replies(15): >>42150103 #>>42150132 #>>42150169 #>>42150219 #>>42150406 #>>42151085 #>>42151198 #>>42151240 #>>42151281 #>>42151328 #>>42151929 #>>42152370 #>>42153139 #>>42154561 #>>42164650 #
WaitWaitWha ◴[] No.42150219[source]
Allow me to expound on @kojeovo's remark. Please take this as a constructive criticism to improve your success potential. Much of it is from a quick glance, and am sure there are many other facets to improve.

A business is not just about the product.

Your Privacy Policy. There is no default way to download it (see 9.), and since it is window-ed cannot print entire doc. That means I cannot keep a copy of it for myself.

> We collect the following types of information:

> Mortgage Documents: Loan Estimates and Closing Disclosures you upload for analysis.

Okay, but

> 4. Data Security

> We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction.

This means nothing. Are you ISO 27001:2022, NIST SP 800-53, CIS, CE+, Essential Eight, or something else? Have you been audited, and proof? Who is your ISP? What regs do you follow around data sovereignty?

Terms of Service. Again, no default way of download. Overall, I would never agree to this ToS. It demands all kinds of requirements on the user, but takes no responsibility for anything - or as described above, explain how you will protect your customers.

You have no reference anywhere where you are geographically. No address, no about us, no who you are. I would be very leery on uploading anything.

replies(3): >>42150822 #>>42150852 #>>42150889 #
adamtaylor_13 ◴[] No.42150852[source]
Legitimately curious, what’s the worst they could do with this data?
replies(2): >>42150989 #>>42151079 #
AntiRush ◴[] No.42151079[source]
The most common scams around home buying are wire fraud - contact the buyer pretending to be the title company and steal their money. The data in a mortgage is exactly what you need to enable these scams and you're getting people to hand it to you and at the same time tell you they are about to wire money.
replies(3): >>42151215 #>>42152057 #>>42152237 #
lolinder ◴[] No.42152237[source]
Yep. When we closed on our house we got a whole lecture from the title company about how frequently data breaches lead to wire fraud and to not trust anyone. Mortgage originators are constantly under attack to try to get at the information that OP is asking people to just casually upload.

Their aggressive dismissal of the concern is not a good look.

replies(1): >>42152835 #
1. aaln ◴[] No.42152835[source]
I am not dismissing the concern, I was stating the tool solves an even larger concern. I'm doing everything I can to setup it up to be secure, private, and worthy of trust and addressing the feedback points.

If you have suggestions more than "don't trust this random internet tool even if it gives you free advice, regardless of the value it offers", please let me know [thanks emoji]

replies(2): >>42154977 #>>42156281 #
2. stouset ◴[] No.42154977[source]
With all due respect, that is the fundamental problem here. Your tool may provide value to your users but uploading mortgage documents to random third parties is de facto dangerous and encouraging users to act irresponsibly.

A great analogy would be a website that asks users to provide their usernames and passwords for sites to see if it’s a strong password or if it’s been compromised. “Sorry, the credentials stouset / hunter2 were found in our database for Hacker News.”

Sure maybe you’re a saint and don’t store or misuse this data. But such a site would in the best case be training users to do a very wrong and dangerous thing. In the worst case you get breached by attackers who do use the collected data to do evil.

replies(1): >>42156489 #
3. taxcoder ◴[] No.42156281[source]
On a per individual basis, I think most individuals would prefer to overpay mortgage fees slightly rather than lose the entirety of the money they wire.
4. lolinder ◴[] No.42156489[source]
> A great analogy would be a website that asks users to provide their usernames and passwords for sites to see if it’s a strong password or if it’s been compromised. “Sorry, the credentials stouset / hunter2 were found in our database for Hacker News.”

This is actually a really good analogy because it does illustrate that it's not a completely crazy ask—people do trust Troy Hunt to run such a site. But OP should be much more understanding of how dangerous the concept is and offer options to resolve concerns (Troy allows downloading the passwords list to check locally), especially while they're not Troy Hunt-level famous and still are trying to build up trust.

replies(1): >>42157437 #
5. vel0city ◴[] No.42157437{3}[source]
Troy's site isn't actually handling the user's real password to check, its doing a lookup of hashes to see if a similar hash is there. The password and final hash checks never leave the client side. Still a lot of trust involved in a site like that, and yeah he encourages you use the API to do the comparisons yourself.

This is actually uploading all the information to the backend and storing it in a database. Like a page that is asking for a service URL, a username, a password, a TOTP secret, sending it all to the server, and having the server check if the credentials have been pwned and saving it all.