I strongly recommend you don't put your SSN on the EUC and email or mail it

[kfrosty]

I'm on my second Hmmwv transaction and the first I had my wife send in the paperwork. This time I went through it and noticed them asking for a SSN. I put the last 4 and asked them to call if they needed the rest.

The GovPlanet rep would not call and said all the data had to be typed in. During the process they debated that only 2 people access the email accounts and came across as uninformed as to real problems sending SSN's unsecure and worse storing them.

To their credit, I encrypted and password protected the document in winzip, emailed it and then faxed the password separately and they accepted it that way.

I asked them to look at a more secure way but my guess it feel on deaf ears.

So hence, I'm sharing this with everyone here. I'm not here to debate it, just more so offer some advice.

• Fill out the form, print it out. I would then clear my browser cache.
• Sign it, scan it to whatever form and then take Winzip and password encrypt the document and send that.
• Go into your sent email folder, delete the email. Then delete the scanned document and I'd delete the winzip version as well for peace of mind. Make sure it's not in a recycle folder either.
• Fax them the password separately. (Use a secure password, min 6 alpha numeric chars with a capital letter and symbol if possible. Not 123 or password)

Hopefully they aren't printing those out and storing long term copies in a filing cabinet for a disgruntled employee, cleaning crew etc to have a look at.

 

[aleigh]

At this point my SSN is so many places and on so many things I don't see how giving it to GP really makes anything worse. On the upside there have been so many data breaches I pretty much have free credit monitoring for life...

 

[kfrosty]

I'm not sure where all you're giving it out. There are just a few places can legally require you to do so.

Either way, I didn't say not to give it to them if you want an HMMWV, I'm suggesting to securely get it to them and just not email it to them insecurely in an email.

 

[aleigh]

Every time I fill out a W4 or 1099 w/o an EIN, every time I do a credit check, stock brokers/banks, every property I have ever rented, when I deal with the FCC, DMV, my insurance companies, every cell phone deal I've ever had, amazon publishing, blah blah blah

 

[kfrosty]

On the web, SSL can be used to encrypt the data. W4, hopefully you're doing where you work and not emailing the form.

Insurance company, in person or at least over the phone.

Again, I'm saying don't just give it out insecurely.

 

[aleigh]

You give reasonable advice that is common sense and anyone could do no worse to follow. I think I am reacting more to the fear they are storing them long-term and they are sitting around for someone to find down the road. Sure, they probably are. And if not, all these other companies are too. What you say makes good sense, just information governance is something I do professionally, and after seeing how poorly companies manage identifying data, the handling and long-term storage, I'm just here to say, it's not worth going to any trouble at a personal level. It's like sticking your finger in the leaking dyke. And sure enough despite any best efforts I might a have made, I've been the subject of a handful of breaches, including SSN. I wasn't joking about the free credit monitoring. So I'm somewhat cynical.

Related are all the people who are worried about sending their CC# in an open email, which is surprisingly hard to intercept because most people have email clients which are encrypted at least as far as their central server - mine is - but then they hand them to waiters without blinking, the latter being the biggest source of fraud by the numbers the last time I looked followed probably by skimmers. In very few cases are things like CC#s or SSNs stolen in transit on the Internet, it's usually when they are at rest. i.e. GPs big database somewhere.

Anyways sorry not meaning to argue, more like my 2 cents from being inside the industry is it's worse than you imagine in ways not easy to guard against.

The problem is not the SSN anyways. It's the fact you can go get a credit card by knowing just a few little details. This is why I advocate credit freezes. You can't solve the SSN distribution problem, but you can prevent people from stealing your identity trivially.

 

[kfrosty]

Good points. The way I see it, I don't give my info out anymore. I haven't changed phones in 20 years, my family does my insurance, W4/1099 I do in person. The places i do use it like filing taxes, the companies have secure sites. They get hacked it's on them.

However, sending a SSN through an email, it's as much on the person sending it than the company asking. At least that's how I see it from a legal standpoint.

 

[aleigh]

You mention liability and that's a really interesting point. For my part I've never heard of someone successfully suing a vendor/etc for identity theft / fraud damages in connection with the vendor losing their identity. Seems tricky to prove. Not like I'm a lawyer or have gone looking for past cases either! Somehow if my identity gets stolen though I don't see myself winning a case against T-Mobile. Wonder if it has ever happened.

 

[Action]

Why can't you just fax the completed EUC or mail it to them with a signature required? Avoid email all together.

 

[kfrosty]

I'm not a lawyer either, but put yourself in the shoes of owning a company. If you follow secure procedures and do the best you can to secure information, then I agree most likely nothing will happen to them other than fixing what they are responsible.

However, if you blatantly ignore best practices such asking customers to send SSN #'s unsecured, then there is neglect.

If it only happens to one person, then most likely that person unless they are a lawyer or has the means push it will not accomplish anything.

However, take 10, 100, 1,000 or whatever the number of customers then I think the risk grows. IT would not be unreasonable for them to owe for any time, expenses incurred correcting the issues their negligence caused.

 

[aleigh]

I think a challenge is that nobody makes you whole when there is identity theft unless you already had insurance. In the case of CC# fraud, the banks make you whole - which is why Target ended up having to pay a settlement to the banks, who were in turn reimbursing fraudulent charges. The banks obviously had the resources to litigate. But identity theft is such a long, drawn out, ugly process. It's a very personal crime. And so difficult to say that the information used to steal your identity came from one particular vendor or another. If it happened to me, would I blame my land lord, GP, the hospital, the last place I bought a gun from, etc? Who knows.

So my advice is, really, if someone is worried about this, the credit freeze is the way to go. It's cheap and pretty easy and instantly removes (most) of the economic incentive on the part of the thieves for identity theft when they do somehow get your information - regardless of who was responsible.

 

[kfrosty]

Why can't you just fax the completed EUC or mail it to them with a signature required? Avoid email all together.

Where's the fax machine on their end? Who has access to it? How are the faxes stored versus an encrypted copy sent in an email? (Of course if they are printing out the emails and storing them the same as faxes, then that part of it ends up being the same.)

As far as mail, would you mail $10 cash in the mail, $1,000 even if it were one bill wrapped in paper?

I wouldn't personally because it goes through too many hands, could get lost etc. You could send UPS or something requiring a signature but where does it go, who signs for it, what does it go through afterward. Plus why pay to send it when there are more secure methods?

Again, just suggesting to not just send your SSN insecurely. If you send it via email, I suggest you password encrypt the file after you sign it and scan it. Then delete the files off your computer and out of your sent mail folder.

 

[aleigh]

Prolly just get the fax and promptly type it into a computer...

 

[99nouns]

Since you two are the only one that are talking I thought would drop in and say hi, I also have a program which can brake passwords both on Zip Rar or pdf files, I dont even know why I even downloaded it?

Oh I remember, in case I forget my own password, you know something better to have it than not needed than needed not have it.

 

[Jwade]

I can say that all EUC's our locked nightly in fireproof safe/filing cabinet. I can also verify there are 3 people who have access to the EUC inbox, all have a government performed background check as they hold government electronic equipment as well.

 

[tage]

Bank and employer are the only ones who have my ssn.

 

[patracy]

While we're talking security. When using steel soldiers remember:

Do not post any information out on the forums you don't want bots or anyone to find. For example phone numbers.

Do not post any pictures you do not want others to find.

Do not use the PM system to send ANY sensitive information. That means, don't send scans of checks, SSN, account numbers/exc, via PM.

If you need to send any of that information, do so by your own means.

 

[tim292stro]

A good free open source software replacement for WinZip I've been using for years is 7-zip. Good compatibility with WinZip, plugs into Windows to give you the right-click context options in the file browser, also works with Tarball files (*.tar).

Supports not only compression, but also AES encryption (both file contents and file name).

To Patracy's above comment on using a secure transmission method for exchanging "stuff", take a look at DemonSaw.

 

[1 Patriot-of-many]

You give reasonable advice that is common sense and anyone could do no worse to follow. I think I am reacting more to the fear they are storing them long-term and they are sitting around for someone to find down the road. Sure, they probably are. And if not, all these other companies are too. What you say makes good sense, just information governance is something I do professionally, and after seeing how poorly companies manage identifying data, the handling and long-term storage, I'm just here to say, it's not worth going to any trouble at a personal level. It's like sticking your finger in the leaking dyke. And sure enough despite any best efforts I might a have made, I've been the subject of a handful of breaches, including SSN. I wasn't joking about the free credit monitoring. So I'm somewhat cynical.

Related are all the people who are worried about sending their CC# in an open email, which is surprisingly hard to intercept because most people have email clients which are encrypted at least as far as their central server - mine is - but then they hand them to waiters without blinking, the latter being the biggest source of fraud by the numbers the last time I looked followed probably by skimmers. In very few cases are things like CC#s or SSNs stolen in transit on the Internet, it's usually when they are at rest. i.e. GPs big database somewhere.

Anyways sorry not meaning to argue, more like my 2 cents from being inside the industry is it's worse than you imagine in ways not easy to guard against.

The problem is not the SSN anyways. It's the fact you can go get a credit card by knowing just a few little details. This is why I advocate credit freezes. You can't solve the SSN distribution problem, but you can prevent people from stealing your identity trivially.

When I first signed up for GP, there was a tab on the left that said finance....I typed in my info, they only asked for last 4 digits, name address ect...... I don't know whether it was something on my computer or GP had been hacked. A month later my wife notices my visa card had the address changed!!!!! Luckily we caught it before the new chip cards had been mailed out. ID thieves need the same treatment spies got in WWII.