How to handle SSN request?

jmritenour

I've got a background investigation coming up, and I've been asked to provide my social security number. The intended method of delivery is print the form, fill it out, scan it, and email email it back. I'm not about to send my SSN over email. I've let my point of contact at this organization know I won't be doing that - I've offered to leave it blank and provide it to her over the phone, or utilize any other option they have available; sending an encrypted zip/pdf, and giving them the password out of band, sftp, etc.. She said she'd check with her superior and get back to me.

Long story short, I need to get this stuff in by midnight tonight, and I'm trying to figure out what I'll do if I haven't gotten an answer by COB today. What would you do? This IS a large, reputable tech company that I trust, I just think this is a case of non-technical HR people not really considering the security implications. TBH, I'm surprised this is the first time this has come up.

Anyway, big news coming later this week...

networker050184

I'd just email it as I have in the past.

tjh87

My SSN has been thrown around so much in the past 8 years that I don't even hesitate to give it out anymore. Honestly, today, you are probably taking a bigger risk by saying it over the phone than you are sending via email. I wouldn't worry about it. If someone wants your SSN, they'll get it. I may be being too lax about it, but it hasn't bitten me yet.

Danielm7

Yeah I just wouldn't be all that concerned about it honestly. When I was in college your SSN was your student ID number. You'd walk up to the register to pay and if you wanted you could sit there and hear 50 other people in line loudly say their SSN. One email to a company about a job? Yeah, not too worried.

redz

Am I just paranoid...? Cuz... I agree with jmritenour...

Akaricloud

I'd personally have no problem giving it to them through email although it is best practice to avoid doing so.

I'm willing to bet they have no issue taking you up on one of the other methods you offered.

jmritenour

redz wrote: »

Am I just paranoid...? Cuz... I agree with jmritenour...

Indeed redz, looks like we're just paranoid...

-hype

I'm laughing because the only people in here that are worried are the people with the CISSP.

redz

Paranoia is one of the domains.

beads

Easiest way to send via email is to encrypt with a self executing WinZip file. Provided of course you have a full copy of WinZip and can handle telling HR a password - preferably over the phone - not in a separate email.

Also keep in mind that if all your sending is a SSN and no other PII, your probably fairly safe. Though the idea from a privacy and confidentiality aspect makes me question HR's mettle a bit. That is to say if they are willing to compromise you on something as simple as this what else are they doing with PII?

All nice and compliant like.

- B Eads

beads

redz wrote: »

Paranoia is one of the domains.

If you deep dive the domain you'll find it right under Security Unicorns and Rainbows. Page 413, Paragraph 4.

- B Eads

ptilsen

beads wrote: »

Easiest way to send via email is to encrypt with a self executing WinZip file. Provided of course you have a full copy of WinZip and can handle telling HR a password - preferably over the phone - not in a separate email.

Is this a joke?

I would just send it. The chances that your SSN gets compromised over email rather than through some insecure transmission or storage method at another organization seems pretty unlikely. Since they're asking you for it over email, they're going to be sending it and storing it insecurely elsewhere anyway. Of course sending it over email increases the risk, but I think you've got to be pragmatic.

cyberguypr

Concur. I would give it out over email. The HR pawn has no idea what encryption is and if he/she is inconvenienced will end up putting your application on hold and calling Helpdesk. Being a low priority thing, it could take a while for someone to help decrypt the file.

You run greater risk having a waitress run your credit card.

This message was brought to you by a CISSP who did helpdesk for a long time.

J_86

cyberguypr wrote: »

This message was brought to you by a CISSP who did helpdesk for a long time.

Back to the OP
I would just email it. If this is a big name tech company like you said, I would think their email is safe (as safe as email can be). If you tell it to them over the phone, they are probably just writing it down on some paper. Where does that paper go after they fill out the form? Did they shred it? Where does the form go after they put all your information on it? I get what your saying, but there comes a point to have to weigh the risk.

jvrlopez

Just send it. Your SSN is out there already.

If you don't want to provide it, I'm sure there are plenty of other candidates willing to provide it in your place.

My SSN was used for everything on a near daily basis for 4 years in the military and I never had anything suspicious happen.

jmritenour

Bah, I guess I'll just send it. Thanks for the input, everyone.

Iristheangel

I agree with sending it. Every time you submit your SSN to open a utilities account for electric, gas, cell phone, water, cable, internet, etc, you've just created a way for someone to easily gain access to your SSN through social engineering. IMHO, it's a lot easier to social engineer that information out of someone than it is to sniff packets which isn't that hard at all. There's always risk in everything you do.

apr911

beads wrote: »

Easiest way to send via email is to encrypt with a self executing WinZip file. Provided of course you have a full copy of WinZip and can handle telling HR a password - preferably over the phone - not in a separate email.

+1

Im buying a house in another state and have therefore been corresponding with my mortgage broker almost entirely through email. Every document I sign and return gets put into a password protected zip file. It might not be the most secure but it is more secure than clear text.

That being said, while I understand your concern (yes, another paranoid CISSP), the only reason I am bothering to do that is because of the sheer volume of documents being sent and the fact that those documents consist of not just my social security number, name, address and signature but bank statements and account numbers too.

For a single document containing only some personally identifiable information, I would send it without encrypting it. Especially to HR because, as cyberguypr points out, inconveniencing the HR person could see the process slow significantly as they re-prioritize your correspondence in a negative manner.

Add to that they are unlikely storing this information in the most secure manner and it really doesnt matter what you do to encrypt it before sending, it still going to be left unencrypted somewhere.

Ultimately, as Iris (and others) points out, your SSN gets used in so many places that true security/secrecy of it is impossible. Yes you can exercise due diligence and not post it publicly but there are so many ways and places it can become compromised that you should be monitoring for identity theft as a matter of course not just when you suspect something.

Finally, your talking about a single document in a single email and while it could be compromised, that assumes that:
A. Someone is listening and capturing your traffic
B. They have the time to sort through all the noise to recompile the data which would be like finding a needle in a haystack or a few flecks of gold dust in the river

There are easier ways to get the information being sought.

jvrlopez

beads wrote: »

Easiest way to send via email is to encrypt with a self executing WinZip file. Provided of course you have a full copy of WinZip and can handle telling HR a password - preferably over the phone - not in a separate email.

Also keep in mind that if all your sending is a SSN and no other PII, your probably fairly safe. Though the idea from a privacy and confidentiality aspect makes me question HR's mettle a bit. That is to say if they are willing to compromise you on something as simple as this what else are they doing with PII?

All nice and compliant like.

- B Eads

apr911 wrote: »

+1

Im buying a house in another state and have therefore been corresponding with my mortgage broker almost entirely through email. Every document I sign and return gets put into a password protected zip file. It might not be the most secure but it is more secure than clear text.

That being said, while I understand your concern (yes, another paranoid CISSP), the only reason I am bothering to do that is because of the sheer volume of documents being sent and the fact that those documents consist of not just my social security number, name, address and signature but bank statements and account numbers too.

For a single document containing only some personally identifiable information, I would send it without encrypting it. Especially to HR because, as cyberguypr points out, inconveniencing the HR person could see the process slow significantly as they re-prioritize your correspondence in a negative manner.

Add to that they are unlikely storing this information in the most secure manner and it really doesnt matter what you do to encrypt it before sending, it still going to be left unencrypted somewhere.

Ultimately, as Iris (and others) points out, your SSN gets used in so many places that true security/secrecy of it is impossible. Yes you can exercise due diligence and not post it publicly but there are so many ways and places it can become compromised that you should be monitoring for identity theft as a matter of course not just when you suspect something.

Finally, your talking about a single document in a single email and while it could be compromised, that assumes that:
A. Someone is listening and capturing your traffic
B. They have the time to sort through all the noise to recompile the data which would be like finding a needle in a haystack or a few flecks of gold dust in the river

There are easier ways to get the information being sought.

To be honest, if you're going to send an employer, one who has interest in YOU and is taking time out of their schedule to give you an opportunity, an email stating, "I don't feel comfortable sending you my SSN over email regularly, so here is an encryption program that you must install on your WORK computer, a file attached that has my SSN encrypted, and I will call you at a later time to relay the password for the file, you are doing nothing more than turning them off and sending them towards other candidates.

If you don't feel comfortable with a potential employer handling your SSN, then you surely won't feel comfortable with them handling your bank account number, routing number, address, birthday, favorite color, primary foot, first pet's name, first elementary school, favorite teacher, or any other PII, right? Then why bother seeking employment with them? Geeeeezzzz.....

Some of you people are horrendously paranoid.

Stealing SSNs is so 1998, back when all you needed was your mother's maiden name to verify identity.

If you think an elaborate, well timed, and targeted sniff against your singular email is against your favor, then maybe you should consider playing the lottery.

Master Of Puppets

redz wrote: »

Paranoia is one of the domains.

If this was the case, ISC would overlook the experience requirements and grand me two CISSPs(however that is supposed to work).

apr911

jvrlopez wrote: »

To be honest, if you're going to send an employer, one who has interest in YOU and is taking time out of their schedule to give you an opportunity, an email stating, "I don't feel comfortable sending you my SSN over email regularly, so here is an encryption program that you must install on your WORK computer, a file attached that has my SSN encrypted, and I will call you at a later time to relay the password for the file, you are doing nothing more than turning them off and sending them towards other candidates.

A self extracting password protected/encrypted zip file does not require any special encryption software to be installed, even the built-in windows unzip program has the ability to unzip the file with the proper password. Come to think of it, you could even use Adobe or Word and password protect the file which are also built in functions. Something is better than nothing and it might be appreciated if you were going for a security role.

Then again, I usually dont bother for a few pieces of information. The only reason Ive been using it lately is because it contains other sensitive documents. Ultimately, there is no truly "secure" transmission method short of PKI encryption with the employers public key or hand delivery.


I also disagree with your belief in the benevolence of employers "taking time out of their schedule to give you an opportunity" this says it best
1.00 FTE - Death to the thank-you letter.

But really, employment in general is a 2 way business agreement, not a benevolent act worthy of gratitude.

redz

Yeah, I don't want the majority of you anywhere near regulated or sensitive unregulated data types.

pert

redz wrote: »

Yeah, I don't want the majority of you anywhere near regulated or sensitive unregulated data types.

I get where you're coming from, but I think a lot of the security people here are insane. Sending important personal information to a person you don't know, at an organization you don't know, with unknown security practices. What exactly is the point? It's like all these people switching over to encrypted email, when 99.9% of the people they get sent emails from or send emails to are not using it. Partial security is just a waste of everyone time.

RouteMyPacket

networker050184 wrote: »

I'd just email it as I have in the past.

^^^This!

redz wrote: »

Yeah, I don't want the majority of you anywhere near regulated or sensitive unregulated data types.

Calm down Francis.

Terrie

I'm in the middle. Is it a risk? Yes. While your SSN is out there (I could tell you about commercial background information databases that would make your hair stand on end), every time you put it out there, you are upping the risk of it falling into the wrong hands. However, if you're concerned about sending them this information via email, consider that no matter what you do, HR will likely be sending your information back and forth via... email.

networker050184

Terrie wrote: »

However, if you're concerned about sending them this information via email, consider that no matter what you do, HR will likely be sending your information back and forth via... email.

Exactly. Even if you make them jump through hoops to get it they are likely to just shoot it off in an email to the company doing the background check anyway.

Is there a risk? Sure, but there is a risk in everything. You just have to weigh the risk.

redz

pert wrote: »

unknown security practices.

Their security practices aren't all that unknown if they're asking you to send a full social security number via unencrypted email.

RouteMyPacket wrote: »

Calm down Francis.

I got a great laugh out of this reference, and I understand everyone's points, however...

Companies have to treat regulated or unregulated sensitive data appropriately to be able to show due diligence and due care in the event of a compromise resulting in a lawsuit. My issue with everyone thinking "it's not a big deal, whatever" isn't in disagreement with the statement that there are easier ways to obtain it, and in practice, just sending an SSN really isn't that big of a deal.

My problem is, in the event of a breach, business practices like this are what cause companies to lose lawsuits and cost them hundreds of millions of dollars because they prefer to cut corners than to protect themselves, their clients, and their employees.

JP Morgan is well on their way to a loss of over nine figures for mishandling SSNs right now (admittedly, different circumstances).

ptilsen

redz wrote: »

Their security practices aren't all that unknown if they're asking you to send a full social security number via unencrypted email.

This only furthers the idea that avoiding email will be an ineffective security measure in this instance.

redz wrote: »

Companies have to treat regulated or unregulated sensitive data appropriately to be able to show due diligence and due care in the event of a compromise resulting in a lawsuit. My issue with everyone thinking "it's not a big deal, whatever" isn't in disagreement with the statement that there are easier ways to obtain it, and in practice, just sending an SSN really isn't that big of a deal.

My problem is, in the event of a breach, business practices like this are what cause companies to lose lawsuits and cost them hundreds of millions of dollars because they prefer to cut corners than to protect themselves, their clients, and their employees.

JP Morgan is well on their way to a loss of over nine figures for mishandling SSNs right now (admittedly, different circumstances).

I doubt anyone here would disagree with this. We're not discussing good policies for organizations. I've helped HR come up with secure ways to get this information at my own organization, and I'm sure others have been involved in some of these policy decisions or technical implementations. That's not really what we're discussing, however, because that would just be an exercise in agreeing with each other. For jmritenour's situation, not sending his SSN through email to a prospective employer is an excessive measure that doesn't materially enhance his own information security.

apr911

See now you're talking about something different entirely.

There is a huge difference between how you handle information pertaining to yourself and the risks you take as an individual and how a company handles information pertaining to many people and the risks they take as a business.

redz

I wrote in there that just sending an SSN really isn't that big of a deal. Whenever you IT people are confronted with business you get all defensive.

apr911 wrote: »

See now you're talking about something different entirely.

Not really. It was in response to a couple people apparently thinking that me not wanting them near sensitive data was unfair. Lackadaisical treatment of sensitive data that is under your control, simply because "eh they'll do it anyways" or "eh it's out there anyways" does not give me the impression that one would be competent to protect it in the future.

EDIT: Therefore, I still don't want any of you near sensitive data.

ptilsen

redz wrote: »

I wrote in there that just sending an SSN really isn't that big of a deal.

redz wrote: »

Lackadaisical treatment of sensitive data that is under your control, simply because "eh they'll do it anyways" or "eh it's out there anyways" does not give me the impression that one would be competent to protect it in the future.

Don't want yourself near sensitive data either, right?