Cotality mandates MFA requirements for all Matrix customers

A message from Kevin Greene, SVP & General Manager of Cotality Real Estate Solutions:

Cotality provided a security update to its MLS clients, focusing on recent phishing attacks exploiting 48 compromised real estate agent accounts across 13 MLSs. The executive leadership team emphasized the importance of having multi-factor authentication (MFA) in place as a critical added layer of protection. From banking to health care to online shopping, MFA has become table stakes. It’s not optional any longer, it’s essential.  

To protect client systems and data, Cotalilty informed its MLS clients that system-wide MFA must be available across all Matrix systems by October 31st. If an MLS does not have system-wide MFA enabled by October 31, CAPTCHA will be activated, and agents will be challenged with a CAPTCHA authentication step when sending emails from Matrix.

Key Points

• In the recent phishing attacks 48 Matrix user accounts from 13 MLSs were compromised, using five different IDP’s to send spam emails. There were no data breaches or data loss during the attacks. Phishing attempts were disguised as common scams, such as account expiration or payment alerts to mislead recipients.

• 47 of the compromised user accounts lacked MFA; the one account with MFA was accessed via a stolen device.

• 8-character passwords are no longer enough to protect an account. With today’s computing power even a complex 8-character password can be cracked in as little as two minutes. Please read our article on Better Password Habits to learn more.  

• To provide a critical additional layer of security, MFA will be mandatory across all Matrix systems by October 31; organizations without system-wide MFA will have their agents face CAPTCHA challenges on direct emails starting the week of November 3rd.

• CAPTCHA applies to direct emails only; auto emails are unaffected. Examples of direct emails would be sending a CMA or a list of properties to a client. Once CAPTCHA is prompted, emails can be sent for 60 minutes before the user is rechallenged.

Action Items

• All Matrix accounts must have an IDP implemented by December 31st.

• System-wide MFA must be enabled on all Matrix accounts by October 31st to avoid CAPTCHA challenges.

• Organizations without MFA should contact Cotality or their IDP provider to enable MFA before the deadline.

• Organizations that choose an IDP with MFA that is not Clareity will be required to complete an attestation, provided by your Cotality Client Service Manager, by October 31st. The attestation must confirm that you have enabled system-wide MFA through your provider.

• If MFA is not implemented by the October 31st deadline, CAPTCHA will be activated on your Matrix system the week of November 3rd for direct emails.

Thank you for your commitment to protecting our systems, your organization, your members, and your data. Please prioritize system-wide MFA enablement ahead of the October 31st deadline. If you have any questions, reach out to your Cotality account representative. Together we can significantly reduce risk across the industry.