The "AI and MLS Security: The New Battleground" panel at CMLS Open House Toronto 2025 brought into sharp focus the urgent need for a shift in how the industry approaches security, especially in the age of Artificial Intelligence. Panelists Richard Haggerty (One Key MLS), David Hamilton (Cotality), Lucie Fortier (ICE), and Eric Stegemann (Solid Earth) engaged in a candid discussion about protecting members and data.
The Escalating Threat Landscape
The data confirms the panelists' warnings: MLS security is no longer about simple safeguards, but combating an accelerating, technologically advanced adversary.
The Financial Devastation
The surge in financial crime targeting real estate is staggering:
- Fraud is Accelerating: Financial losses from wire fraud in the real estate sector have dramatically increased, rising from under $9 million in 2015 to $446 million in 2022. This dramatic spike underscores the critical need for robust, proactive security measures.
- Vulnerable Credentials: The foundation of nearly all breaches is weak security; stolen/compromised credentials remain the most common initial attack vector in data breaches across all industries.
The AI-Driven Scams
AI is rapidly lowering the bar for sophisticated fraud:
- Deepfakes in Transactions: Scammers are using AI tools, like voice cloning and synthetic audio, to impersonate professionals, especially during high-pressure wire transfer scenarios. As Eric Stegemann noted, it takes just three seconds of audio to clone a voice.
- AI-Enhanced Phishing: Generative AI is now capable of writing smart, personalized phishing emails that are reportedly three times more likely to get clicks than those written by humans.
Security as a Culture, Not a Chore
The core of the panelists' solution is a cultural shift. This is essential because the majority of breaches exploit the human element:
- The Human Element: The majority of security breaches 74% are the result of human interaction and manipulation (socially engineered scams), underscoring the need for the cultural and communications changes the panelists discussed.
Addressing the Speed of AI Change
A key question posed was: Are we able to adapt to the speed of AI change?
Eric Stegemann offered a stark perspective, stating that the pace of technological advancement demands an immediate and communal response:
"It's a problem we have to fix at light speed. I heard somebody say, 'It's the younger demographic,' and I said, 'No, it's actually Gen Xers that we see that has the biggest problem with it.' If you bring them along communication-wise, 'It's the same as logging into your phone that you do every day,' they'll understand that, and a Passkey is far more secure than a password and a username that can get compromised. So, if you change that culture, communicate with members, tell them why you're doing this, what you're doing to protect them, and why these items are being put into place, you'll get the vast majority of your membership to come along with that concept."
The solution is moving beyond traditional, cumbersome security:
- Adaptive MFA: Adaptive MFA (Multi-Factor Authentication), which uses built-in AI to only require a second factor when a deviation (suspicious device, location, or behavior) is detected, is the next step in improving security without sacrificing the member experience.
- Phishing Resistance: The shift to newer technologies like Passkeys and FIDO2 WebAuthn is growing because they are considered more secure and user-friendly than traditional password and SMS-based MFA.
The Power of Community and Collaboration
All three panelists, Richard Haggerty, David Hamilton, and Lucie Fortier, agreed that to stay ahead of these evolving threats, the industry's best path forward is to work together on security. We must all be asking our vendors: "Tell me what your security posture is. What do you do to protect us? What do you do to protect our data?"
In the spirit of collective action, the panel advocated for a unified front. The need for open discussion and collaboration is crucial, regardless of competitive concerns. As Eric eloquently put it:
"We can absolutely work together, whether you're competitors in one thing or in everything. We all need to work together as a community. This is a real problem, and it's only going to get worse."
Moving Forward: An Offer to Help
We sincerely hope that the Council of Multiple Listing Services (CMLS) puts a formal task force or workgroup together to address these critical security challenges. Our organization is committed to seeing this through, and we are offering to help in any way possible to contribute to these collaborative efforts. The security of our members and the integrity of the data we manage depend on it.