How to handle SSN request?

I've got a background investigation coming up, and I've been asked to provide my social security number. The intended method of delivery is print the form, fill it out, scan it, and email it back. I'm not about to send my SSN over email. I've let my point of contact at this organization know I won't be doing that - I've offered to leave it blank and provide it to her over the phone, or utilize any other option they have available; sending an encrypted zip/pdf and giving them the password out of band, sftp, etc. She said she'd check with her superior and get back to me.
Long story short, I need to get this stuff in by midnight tonight, and I'm trying to figure out what I'll do if I haven't gotten an answer by COB today. What would you do? This IS a large, reputable tech company that I trust, I just think this is a case of non-technical HR people not really considering the security implications. TBH, I'm surprised this is the first time this has come up.
Anyway, big news coming later this week...
"Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
Comments
2014 Goals: [ ] CCDP, [ ] CCNA Security, [ ] CCNP Security
2015 Goals: [ ] Finish BS in CIS, [ ] CCIE R&S Written
2016 Goals: [ ] CCIE R&S
I'm willing to bet they have no issue taking you up on one of the other methods you offered.
Indeed redz, looks like we're just paranoid...
Started: 10-1-13
Completed: 9-21-14
Transferred: 67 CU Completed: 54 CU
Also keep in mind that if all you're sending is an SSN and no other PII, you're probably fairly safe. Though the idea from a privacy and confidentiality aspect makes me question HR's mettle a bit. That is to say, if they are willing to compromise you on something as simple as this, what else are they doing with PII?
All nice and compliant like.
- B Eads
If you deep dive the domain you'll find it right under Security Unicorns and Rainbows. Page 413, Paragraph 4.
- B Eads
I would just send it. The chances that your SSN gets compromised over email rather than through some insecure transmission or storage method at another organization seems pretty unlikely. Since they're asking you for it over email, they're going to be sending it and storing it insecurely elsewhere anyway. Of course sending it over email increases the risk, but I think you've got to be pragmatic.
Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
In progress: CLEP US GOV,
Next up: MATH 211, ECON 352, ICS 340
You run greater risk having a waitress run your credit card.
This message was brought to you by a CISSP who did helpdesk for a long time.
Back to the OP
I would just email it. If this is a big name tech company like you said, I would think their email is safe (as safe as email can be). If you tell it to them over the phone, they are probably just writing it down on some paper. Where does that paper go after they fill out the form? Did they shred it? Where does the form go after they put all your information on it? I get what you're saying, but there comes a point where you have to weigh the risk.
If you don't want to provide it, I'm sure there are plenty of other candidates willing to provide it in your place.
My SSN was used for everything on a near daily basis for 4 years in the military and I never had anything suspicious happen.
Blog: www.network-node.com
+1
I'm buying a house in another state and have therefore been corresponding with my mortgage broker almost entirely through email. Every document I sign and return gets put into a password protected zip file. It might not be the most secure, but it is more secure than clear text.
That being said, while I understand your concern (yes, another paranoid CISSP), the only reason I am bothering to do that is because of the sheer volume of documents being sent and the fact that those documents consist of not just my social security number, name, address and signature but bank statements and account numbers too.
For a single document containing only some personally identifiable information, I would send it without encrypting it. Especially to HR because, as cyberguypr points out, inconveniencing the HR person could see the process slow significantly as they re-prioritize your correspondence in a negative manner.
Add to that they are unlikely storing this information in the most secure manner, and it really doesn't matter what you do to encrypt it before sending; it's still going to be left unencrypted somewhere.
Ultimately, as Iris (and others) point out, your SSN gets used in so many places that true security/secrecy of it is impossible. Yes, you can exercise due diligence and not post it publicly, but there are so many ways and places it can become compromised that you should be monitoring for identity theft as a matter of course, not just when you suspect something.
Finally, you're talking about a single document in a single email, and while it could be compromised, that assumes that:
A. Someone is listening and capturing your traffic
B. They have the time to sort through all the noise to recompile the data which would be like finding a needle in a haystack or a few flecks of gold dust in the river
There are easier ways to get the information being sought.
2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
To be honest, if you're going to send an employer, one who has interest in YOU and is taking time out of their schedule to give you an opportunity, an email stating, "I don't feel comfortable sending you my SSN over email regularly, so here is an encryption program that you must install on your WORK computer, a file attached that has my SSN encrypted, and I will call you at a later time to relay the password for the file," you are doing nothing more than turning them off and sending them towards other candidates.
If you don't feel comfortable with a potential employer handling your SSN, then you surely won't feel comfortable with them handling your bank account number, routing number, address, birthday, favorite color, primary foot, first pet's name, first elementary school, favorite teacher, or any other PII, right? Then why bother seeking employment with them? Geeeeezzzz.....
Some of you people are horrendously paranoid.
Stealing SSNs is so 1998, back when all you needed was your mother's maiden name to verify identity.
If you think an elaborate, well timed, and targeted sniff against your singular email is against your favor, then maybe you should consider playing the lottery.
If this was the case, ISC would overlook the experience requirements and grant me two CISSPs (however that is supposed to work).
A self-extracting password protected/encrypted zip file does not require any special encryption software to be installed; even the built-in Windows unzip program has the ability to unzip the file with the proper password. Come to think of it, you could even use Adobe or Word and password protect the file, which are also built-in functions. Something is better than nothing, and it might be appreciated if you were going for a security role.
Then again, I usually don't bother for a few pieces of information. The only reason I've been using it lately is because it contains other sensitive documents. Ultimately, there is no truly "secure" transmission method short of PKI encryption with the employer's public key or hand delivery.
I also disagree with your belief in the benevolence of employers "taking time out of their schedule to give you an opportunity" this says it best
1.00 FTE - Death to the thank-you letter.
But really, employment in general is a 2 way business agreement, not a benevolent act worthy of gratitude.
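As an added example (not code from anyone in this thread) of the "encrypted file, password out of band" option the original post and the comment above describe: the script below encrypts a single scanned form with a passphrase that is meant to be read to the recipient over the phone, and checks the round trip. It assumes only the openssl command-line tool (OpenSSL 1.1.1 or newer, for the -pbkdf2 option); the file names, the sample form contents and the passphrase are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): encrypt one scanned form with a
# passphrase delivered out of band, using only the openssl CLI (assumed
# installed; -pbkdf2 needs OpenSSL 1.1.1+). File names, the sample form
# and the passphrase below are placeholders constructed for this example.
set -eu

# The passphrase is read from an environment variable rather than passed on
# the command line, so it does not show up in the process list.
encrypt_doc() {   # $1 = plaintext file, $2 = ciphertext file
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass env:DOC_PASS
}

decrypt_doc() {   # $1 = ciphertext file, $2 = recovered file
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass env:DOC_PASS
}

# Round trip on a constructed sample form: the ciphertext must not contain
# the plaintext, the right passphrase must recover the file exactly, and a
# wrong passphrase must not. Prints "ok" on success.
roundtrip_check() {
    workdir=$(mktemp -d)
    printf 'Name: J. Doe\nSSN: 000-00-0000\n' > "$workdir/form.txt"

    DOC_PASS='correct horse battery staple'   # placeholder; read it out by phone
    export DOC_PASS
    encrypt_doc "$workdir/form.txt" "$workdir/form.txt.enc"
    if grep -q '000-00-0000' "$workdir/form.txt.enc"; then
        echo "plaintext visible in ciphertext"; return 1
    fi

    decrypt_doc "$workdir/form.txt.enc" "$workdir/form.dec"
    cmp -s "$workdir/form.txt" "$workdir/form.dec" \
        || { echo "round trip mismatch"; return 1; }

    DOC_PASS='wrong passphrase'
    export DOC_PASS
    if decrypt_doc "$workdir/form.txt.enc" "$workdir/form.bad" 2>/dev/null \
       && cmp -s "$workdir/form.txt" "$workdir/form.bad"; then
        echo "wrong passphrase recovered the file"; return 1
    fi

    rm -rf "$workdir"
    echo ok
}

roundtrip_check
```

Two caveats a practitioner would add. First, this protects the document only in transit and in the recipient's mailbox; as several posts note, whatever HR does with the decrypted form afterwards is outside your control. Second, the "built-in Windows unzip" convenience mentioned above comes at a cost: Windows Explorer only handles the legacy ZipCrypto scheme, which has known practical attacks, and cannot open AES-encrypted zips without a third-party tool such as 7-Zip, so a zip the recipient can open with no extra software is weaker than the openssl output here, and in both cases the passphrase must never travel in the same email as the attachment.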
I get where you're coming from, but I think a lot of the security people here are insane. Sending important personal information to a person you don't know, at an organization you don't know, with unknown security practices. What exactly is the point? It's like all these people switching over to encrypted email, when 99.9% of the people they get emails from or send emails to are not using it. Partial security is just a waste of everyone's time.
^^^This!
Calm down Francis.
Think of the 2:00 a.m. test—if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
Exactly. Even if you make them jump through hoops to get it they are likely to just shoot it off in an email to the company doing the background check anyway.
Is there a risk? Sure, but there is a risk in everything. You just have to weigh the risk.
Companies have to treat regulated or unregulated sensitive data appropriately to be able to show due diligence and due care in the event of a compromise resulting in a lawsuit. My issue with everyone thinking "it's not a big deal, whatever" isn't in disagreement with the statement that there are easier ways to obtain it, and in practice, just sending an SSN really isn't that big of a deal.
My problem is, in the event of a breach, business practices like this are what cause companies to lose lawsuits and cost them hundreds of millions of dollars because they prefer to cut corners than to protect themselves, their clients, and their employees.
JP Morgan is well on their way to a loss of over nine figures for mishandling SSNs right now (admittedly, different circumstances).
I doubt anyone here would disagree with this. We're not discussing good policies for organizations. I've helped HR come up with secure ways to get this information at my own organization, and I'm sure others have been involved in some of these policy decisions or technical implementations. That's not really what we're discussing, however, because that would just be an exercise in agreeing with each other. For jmritenour's situation, not sending his SSN through email to a prospective employer is an excessive measure that doesn't materially enhance his own information security.
There is a huge difference between how you handle information pertaining to yourself and the risks you take as an individual and how a company handles information pertaining to many people and the risks they take as a business.
Not really. It was in response to a couple people apparently thinking that me not wanting them near sensitive data was unfair. Lackadaisical treatment of sensitive data that is under your control, simply because "eh they'll do it anyways" or "eh it's out there anyways" does not give me the impression that one would be competent to protect it in the future.
EDIT: Therefore, I still don't want any of you near sensitive data.