How to handle SSN request?

I've got a background investigation coming up, and I've been asked to provide my social security number. The intended method of delivery is print the form, fill it out, scan it, and email it back. I'm not about to send my SSN over email. I've let my point of contact at this organization know I won't be doing that - I've offered to leave it blank and provide it to her over the phone, or utilize any other option they have available; sending an encrypted zip/pdf and giving them the password out of band, sftp, etc. She said she'd check with her superior and get back to me.

Long story short, I need to get this stuff in by midnight tonight, and I'm trying to figure out what I'll do if I haven't gotten an answer by COB today. What would you do? This IS a large, reputable tech company that I trust, I just think this is a case of non-technical HR people not really considering the security implications. TBH, I'm surprised this is the first time this has come up.

Anyway, big news coming later this week...
"Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi

Comments

  • networker050184 (Mod, Posts: 11,962)
    I'd just email it as I have in the past.
    An expert is a man who has made all the mistakes which can be made.
  • tjh87 (Member, Posts: 66)
    My SSN has been thrown around so much in the past 8 years that I don't even hesitate to give it out anymore. Honestly, today, you are probably taking a bigger risk by saying it over the phone than you are sending via email. I wouldn't worry about it. If someone wants your SSN, they'll get it. I may be being too lax about it, but it hasn't bitten me yet.
    2013 Goals: [x] CCNP, [ ] CCDA, [ ] VCA-DCV
    2014 Goals: [ ] CCDP, [ ] CCNA Security, [ ] CCNP Security
    2015 Goals: [ ] Finish BS in CIS, [ ] CCIE R&S Written
    2016 Goals: [ ] CCIE R&S
  • Danielm7 (Member, Posts: 2,268)
    Yeah I just wouldn't be all that concerned about it honestly. When I was in college your SSN was your student ID number. You'd walk up to the register to pay and if you wanted you could sit there and hear 50 other people in line loudly say their SSN. One email to a company about a job? Yeah, not too worried.
  • redz, CISSP-ISSAP, ISSEP, ISSMP, CAP (& others) (Member, Posts: 265)
    Am I just paranoid...? Cuz... I agree with jmritenour...
  • Akaricloud (Member, Posts: 938)
    I'd personally have no problem giving it to them through email although it is best practice to avoid doing so.

    I'm willing to bet they have no issue taking you up on one of the other methods you offered.
  • jmritenour (Member, Posts: 565)
    redz wrote: »
    Am I just paranoid...? Cuz... I agree with jmritenour...

    Indeed redz, looks like we're just paranoid...
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
  • -hype (Member, Posts: 165)
    I'm laughing because the only people in here that are worried are the people with the CISSP.
    WGU BS IT:Network Administration
    Started: 10-1-13
    Completed: 9-21-14
    Transferred: 67 CU Completed: 54 CU
  • redz, CISSP-ISSAP, ISSEP, ISSMP, CAP (& others) (Member, Posts: 265)
    Paranoia is one of the domains.
  • beads (Member, Posts: 1,442)
    Easiest way to send via email is to encrypt with a self executing WinZip file. Provided of course you have a full copy of WinZip and can handle telling HR a password - preferably over the phone - not in a separate email.

    Also keep in mind that if all you're sending is an SSN and no other PII, you're probably fairly safe. Though the idea from a privacy and confidentiality aspect makes me question HR's mettle a bit. That is to say, if they are willing to compromise you on something as simple as this, what else are they doing with PII?

    All nice and compliant like.

    - B Eads
  • beads (Member, Posts: 1,442)
    redz wrote: »
    Paranoia is one of the domains.

    If you deep dive the domain you'll find it right under Security Unicorns and Rainbows. Page 413, Paragraph 4.

    - B Eads
  • ptilsen (Member, Posts: 2,835)
    beads wrote: »
    Easiest way to send via email is to encrypt with a self executing WinZip file. Provided of course you have a full copy of WinZip and can handle telling HR a password - preferably over the phone - not in a separate email.
    Is this a joke?

    I would just send it. The chances that your SSN gets compromised over email rather than through some insecure transmission or storage method at another organization seem pretty unlikely. Since they're asking you for it over email, they're going to be sending it and storing it insecurely elsewhere anyway. Of course sending it over email increases the risk, but I think you've got to be pragmatic.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • cyberguypr (Senior Member, Mod, Posts: 6,842)
    Concur. I would give it out over email. The HR pawn has no idea what encryption is and if he/she is inconvenienced will end up putting your application on hold and calling Helpdesk. Being a low priority thing, it could take a while for someone to help decrypt the file.

    You run greater risk having a waitress run your credit card.

    This message was brought to you by a CISSP who did helpdesk for a long time.
  • J_86 (Member, Posts: 262)
    cyberguypr wrote: »
    This message was brought to you by a CISSP who did helpdesk for a long time.

    Back to the OP
    I would just email it. If this is a big name tech company like you said, I would think their email is safe (as safe as email can be). If you tell it to them over the phone, they are probably just writing it down on some paper. Where does that paper go after they fill out the form? Did they shred it? Where does the form go after they put all your information on it? I get what you're saying, but there comes a point where you have to weigh the risk.
  • jvrlopez (Member, Posts: 911)
    Just send it. Your SSN is out there already.

    If you don't want to provide it, I'm sure there are plenty of other candidates willing to provide it in your place.

    My SSN was used for everything on a near daily basis for 4 years in the military and I never had anything suspicious happen.
    And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high. ~Ayrton Senna
  • jmritenour (Member, Posts: 565)
    Bah, I guess I'll just send it. Thanks for the input, everyone.
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
  • Iristheangel, CCIEx2 (Sec + DC), CCNP RS, CCNA V/S/R/DC, CISSP, CEH, MCSE 2003, A+/L+/N+/S+, and a lot more from m (Mod, Pasadena, CA, Posts: 4,117)
    I agree with sending it. Every time you submit your SSN to open a utilities account for electric, gas, cell phone, water, cable, internet, etc, you've just created a way for someone to easily gain access to your SSN through social engineering. IMHO, it's a lot easier to social engineer that information out of someone than it is to sniff packets which isn't that hard at all. There's always risk in everything you do.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • apr911 (Member, Posts: 379)
    beads wrote: »
    Easiest way to send via email is to encrypt with a self executing WinZip file. Provided of course you have a full copy of WinZip and can handle telling HR a password - preferably over the phone - not in a separate email.

    +1

    I'm buying a house in another state and have therefore been corresponding with my mortgage broker almost entirely through email. Every document I sign and return gets put into a password protected zip file. It might not be the most secure but it is more secure than clear text.

    That being said, while I understand your concern (yes, another paranoid CISSP), the only reason I am bothering to do that is because of the sheer volume of documents being sent and the fact that those documents consist of not just my social security number, name, address and signature but bank statements and account numbers too.

    For a single document containing only some personally identifiable information, I would send it without encrypting it. Especially to HR because, as cyberguypr points out, inconveniencing the HR person could see the process slow significantly as they re-prioritize your correspondence in a negative manner.

    Add to that they are unlikely storing this information in the most secure manner and it really doesn't matter what you do to encrypt it before sending, it's still going to be left unencrypted somewhere.

    Ultimately, as Iris (and others) points out, your SSN gets used in so many places that true security/secrecy of it is impossible. Yes you can exercise due diligence and not post it publicly but there are so many ways and places it can become compromised that you should be monitoring for identity theft as a matter of course not just when you suspect something.

    Finally, you're talking about a single document in a single email and while it could be compromised, that assumes that:
    A. Someone is listening and capturing your traffic
    B. They have the time to sort through all the noise to recompile the data which would be like finding a needle in a haystack or a few flecks of gold dust in the river

    There are easier ways to get the information being sought.
    Currently Working On: Openstack
    2017 Goals: MCSE Refresh, CCDP & CCIE:Security
  • jvrlopez (Member, Posts: 911)
    beads wrote: »
    Easiest way to send via email is to encrypt with a self executing WinZip file. Provided of course you have a full copy of WinZip and can handle telling HR a password - preferably over the phone - not in a separate email.

    Also keep in mind that if all you're sending is an SSN and no other PII, you're probably fairly safe. Though the idea from a privacy and confidentiality aspect makes me question HR's mettle a bit. That is to say, if they are willing to compromise you on something as simple as this, what else are they doing with PII?

    All nice and compliant like.

    - B Eads

    apr911 wrote: »
    +1

    I'm buying a house in another state and have therefore been corresponding with my mortgage broker almost entirely through email. Every document I sign and return gets put into a password protected zip file. It might not be the most secure but it is more secure than clear text.

    That being said, while I understand your concern (yes, another paranoid CISSP), the only reason I am bothering to do that is because of the sheer volume of documents being sent and the fact that those documents consist of not just my social security number, name, address and signature but bank statements and account numbers too.

    For a single document containing only some personally identifiable information, I would send it without encrypting it. Especially to HR because, as cyberguypr points out, inconveniencing the HR person could see the process slow significantly as they re-prioritize your correspondence in a negative manner.

    Add to that they are unlikely storing this information in the most secure manner and it really doesn't matter what you do to encrypt it before sending, it's still going to be left unencrypted somewhere.

    Ultimately, as Iris (and others) points out, your SSN gets used in so many places that true security/secrecy of it is impossible. Yes you can exercise due diligence and not post it publicly but there are so many ways and places it can become compromised that you should be monitoring for identity theft as a matter of course not just when you suspect something.

    Finally, you're talking about a single document in a single email and while it could be compromised, that assumes that:
    A. Someone is listening and capturing your traffic
    B. They have the time to sort through all the noise to recompile the data which would be like finding a needle in a haystack or a few flecks of gold dust in the river

    There are easier ways to get the information being sought.

    To be honest, if you're going to send an employer, one who has interest in YOU and is taking time out of their schedule to give you an opportunity, an email stating, "I don't feel comfortable sending you my SSN over email regularly, so here is an encryption program that you must install on your WORK computer, a file attached that has my SSN encrypted, and I will call you at a later time to relay the password for the file," you are doing nothing more than turning them off and sending them towards other candidates.

    If you don't feel comfortable with a potential employer handling your SSN, then you surely won't feel comfortable with them handling your bank account number, routing number, address, birthday, favorite color, primary foot, first pet's name, first elementary school, favorite teacher, or any other PII, right? Then why bother seeking employment with them? Geeeeezzzz.....

    Some of you people are horrendously paranoid.

    Stealing SSNs is so 1998, back when all you needed was your mother's maiden name to verify identity.

    If you think an elaborate, well timed, and targeted sniff against your singular email is against your favor, then maybe you should consider playing the lottery.
    And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high. ~Ayrton Senna
  • Master Of Puppets (Member, Posts: 1,210)
    redz wrote: »
    Paranoia is one of the domains.

    If this was the case, ISC would overlook the experience requirements and grant me two CISSPs (however that is supposed to work).
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • apr911 (Member, Posts: 379)
    jvrlopez wrote: »
    To be honest, if you're going to send an employer, one who has interest in YOU and is taking time out of their schedule to give you an opportunity, an email stating, "I don't feel comfortable sending you my SSN over email regularly, so here is an encryption program that you must install on your WORK computer, a file attached that has my SSN encrypted, and I will call you at a later time to relay the password for the file, you are doing nothing more than turning them off and sending them towards other candidates.


    A self-extracting password protected/encrypted zip file does not require any special encryption software to be installed; even the built-in Windows unzip program has the ability to unzip the file with the proper password. Come to think of it, you could even use Adobe or Word and password protect the file, which are also built-in functions. Something is better than nothing and it might be appreciated if you were going for a security role.

    Then again, I usually don't bother for a few pieces of information. The only reason I've been using it lately is because it contains other sensitive documents. Ultimately, there is no truly "secure" transmission method short of PKI encryption with the employer's public key or hand delivery.


    I also disagree with your belief in the benevolence of employers "taking time out of their schedule to give you an opportunity"; this says it best:
    1.00 FTE - Death to the thank-you letter.

    But really, employment in general is a 2 way business agreement, not a benevolent act worthy of gratitude.
    Currently Working On: Openstack
    2017 Goals: MCSE Refresh, CCDP & CCIE:Security
  • redz, CISSP-ISSAP, ISSEP, ISSMP, CAP (& others) (Member, Posts: 265)
    Yeah, I don't want the majority of you anywhere near regulated or sensitive unregulated data types.
  • pert (Member, Posts: 250)
    redz wrote: »
    Yeah, I don't want the majority of you anywhere near regulated or sensitive unregulated data types.

    I get where you're coming from, but I think a lot of the security people here are insane. Sending important personal information to a person you don't know, at an organization you don't know, with unknown security practices. What exactly is the point? It's like all these people switching over to encrypted email, when 99.9% of the people they get sent emails from or send emails to are not using it. Partial security is just a waste of everyone's time.
  • RouteMyPacket (Member, Posts: 1,104)
    I'd just email it as I have in the past.


    ^^^This!

    redz wrote: »
    Yeah, I don't want the majority of you anywhere near regulated or sensitive unregulated data types.

    Calm down Francis.
    Modularity and Design Simplicity: Think of the 2:00 a.m. test—if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
  • Terrie (Member, Posts: 19)
    I'm in the middle. Is it a risk? Yes. While your SSN is out there (I could tell you about commercial background information databases that would make your hair stand on end), every time you put it out there, you are upping the risk of it falling into the wrong hands. However, if you're concerned about sending them this information via email, consider that no matter what you do, HR will likely be sending your information back and forth via... email.
  • networker050184 (Mod, Posts: 11,962)
    Terrie wrote: »
    However, if you're concerned about sending them this information via email, consider that no matter what you do, HR will likely be sending your information back and forth via... email.

    Exactly. Even if you make them jump through hoops to get it they are likely to just shoot it off in an email to the company doing the background check anyway.

    Is there a risk? Sure, but there is a risk in everything. You just have to weigh the risk.
    An expert is a man who has made all the mistakes which can be made.
  • redz, CISSP-ISSAP, ISSEP, ISSMP, CAP (& others) (Member, Posts: 265)
    pert wrote: »
    unknown security practices.
    Their security practices aren't all that unknown if they're asking you to send a full social security number via unencrypted email.
    Calm down Francis.
    I got a great laugh out of this reference, and I understand everyone's points, however...

    Companies have to treat regulated or unregulated sensitive data appropriately to be able to show due diligence and due care in the event of a compromise resulting in a lawsuit. My issue with everyone thinking "it's not a big deal, whatever" isn't in disagreement with the statement that there are easier ways to obtain it, and in practice, just sending an SSN really isn't that big of a deal.

    My problem is, in the event of a breach, business practices like this are what cause companies to lose lawsuits and cost them hundreds of millions of dollars because they prefer to cut corners than to protect themselves, their clients, and their employees.

    JP Morgan is well on their way to a loss of over nine figures for mishandling SSNs right now (admittedly, different circumstances).
  • ptilsen (Member, Posts: 2,835)
    redz wrote: »
    Their security practices aren't all that unknown if they're asking you to send a full social security number via unencrypted email.
    This only furthers the idea that avoiding email will be an ineffective security measure in this instance.
    redz wrote: »
    Companies have to treat regulated or unregulated sensitive data appropriately to be able to show due diligence and due care in the event of a compromise resulting in a lawsuit. My issue with everyone thinking "it's not a big deal, whatever" isn't in disagreement with the statement that there are easier ways to obtain it, and in practice, just sending an SSN really isn't that big of a deal.

    My problem is, in the event of a breach, business practices like this are what cause companies to lose lawsuits and cost them hundreds of millions of dollars because they prefer to cut corners than to protect themselves, their clients, and their employees.

    JP Morgan is well on their way to a loss of over nine figures for mishandling SSNs right now (admittedly, different circumstances).
    I doubt anyone here would disagree with this. We're not discussing good policies for organizations. I've helped HR come up with secure ways to get this information at my own organization, and I'm sure others have been involved in some of these policy decisions or technical implementations. That's not really what we're discussing, however, because that would just be an exercise in agreeing with each other. For jmritenour's situation, not sending his SSN through email to a prospective employer is an excessive measure that doesn't materially enhance his own information security.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • apr911 (Member, Posts: 379)
    See now you're talking about something different entirely.

    There is a huge difference between how you handle information pertaining to yourself and the risks you take as an individual and how a company handles information pertaining to many people and the risks they take as a business.
    Currently Working On: Openstack
    2017 Goals: MCSE Refresh, CCDP & CCIE:Security
  • redz, CISSP-ISSAP, ISSEP, ISSMP, CAP (& others) (Member, Posts: 265)
    I wrote in there that just sending an SSN really isn't that big of a deal. Whenever you IT people are confronted with business you get all defensive.
    apr911 wrote: »
    See now you're talking about something different entirely.
    Not really. It was in response to a couple people apparently thinking that me not wanting them near sensitive data was unfair. Lackadaisical treatment of sensitive data that is under your control, simply because "eh they'll do it anyways" or "eh it's out there anyways" does not give me the impression that one would be competent to protect it in the future.

    EDIT: Therefore, I still don't want any of you near sensitive data.
  • ptilsen (Member, Posts: 2,835)
    redz wrote: »
    I wrote in there that just sending an SSN really isn't that big of a deal.
    redz wrote: »
    Lackadaisical treatment of sensitive data that is under your control, simply because "eh they'll do it anyways" or "eh it's out there anyways" does not give me the impression that one would be competent to protect it in the future.
    Don't want yourself near sensitive data either, right?
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340