Sean Reiser

Hi I'm Seán Reiser, this is my Personal Blog

#NewYorker #DrupalDeveloper #InfoSec #Photographer #GEEK #Whovian #MYSTie #LetsGoYankees #LongSufferingJetsFan #NAKnight #Quinquagenarian #CommitAwesome

Hack

I’ve commented on this blog about the trend recruiters have of asking for the last 4 digits of a candidate’s SSN in their first contact email (along with name, DOB, location and other PII). I thought I’d consolidate my thoughts in a post.

Let me explain the format of an SSN:

The first 3 digits are tied to the state where the applicant applied for their SSN. Since most people in the US are born, live and die within a 50 mile radius, this becomes guessable.

The next 2 are a group number and can be tied to the year the applicant applied for their SSN. States only issue from a few group numbers a year, and most Americans are issued their SSN in the first couple of years of their life. Where a recruiter doesn’t know a candidate’s age or year of birth, it can be estimated from info on the candidate’s resume (graduation year, or when the candidate entered the workforce).

The last 4 are assigned in sequence and aren’t really derivable from a candidate’s information.

So for a large portion of candidates, someone can whittle SSNs down to 1-100 possible options. You can see why I am concerned that this could be a phishing attack: someone I don’t know asking for information that can lead to identity theft. Add to that the fact that you’re submitting the info via email, which is insecure by design, and there is another vector for possible theft.

I understand that firms are using Candidate Tracking Systems where the last 4 digits of an SSN are used to ensure candidates don’t get double submitted, but there are risks involved that I think many people are unaware of.
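One way a tracking system can catch double submissions without collecting any part of an SSN is to fingerprint the candidate with a keyed hash of their normalized contact details. This is an added illustration, not code from any real tracking system; the secret key, the field names and the normalization rules are assumptions.

```python
import hashlib
import hmac
import unicodedata

# Assumed: a per-deployment secret held server-side (constructed value for this example).
DEDUP_KEY = b"example-deployment-secret-do-not-reuse"


def normalize_email(email: str) -> str:
    """Fold Unicode, drop whitespace and lowercase so 'John.Public@Example.COM '
    and 'john.public@example.com' collapse to the same value."""
    email = unicodedata.normalize("NFKC", email).lower()
    return "".join(email.split())


def normalize_name(name: str) -> str:
    """Collapse case, trailing punctuation and repeated spaces in a candidate name."""
    name = unicodedata.normalize("NFKC", name).lower()
    parts = (part.strip(".,") for part in name.split())
    return " ".join(part for part in parts if part)


def candidate_token(name: str, email: str, key: bytes = DEDUP_KEY) -> str:
    """Keyed fingerprint used purely to detect duplicate submissions.

    HMAC-SHA256 under a server-side key means the token reveals nothing about the
    candidate to anyone who does not hold the key, and no SSN digits are involved.
    """
    material = f"{normalize_name(name)}|{normalize_email(email)}".encode("utf-8")
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def is_duplicate(seen: set, name: str, email: str) -> bool:
    """Record a submission in `seen`; return True if this candidate was already recorded."""
    token = candidate_token(name, email)
    if token in seen:
        return True
    seen.add(token)
    return False
```

A candidate who applies under two different email addresses will not collide, which is the trade-off for not keying on SSN fragments.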


Posts like this are popping up across my Facebook feed and I want to say, I think you're all looking at this wrong.

Many people already know this information about you: friends from your school days who are no longer in your life, ex-lovers, that cousin of yours who's less than desirable. Some questions, like high school mascot, can be derived from your resume. Others, like mother's maiden name, are a matter of public record.

  1. Passwords should be random, e.g. &Rtbpb4WWS9G (not my password on any system), so they can't be guessed no matter how well you know me.
  2. Don't use your personal information to answer security questions; no one is validating the information. You just need to know what the right answers are. You can use a fictional character and answer as them (What street did you grow up on? "Baker Street". Who is your best friend? "John Watson", etc.). Alternately, you can just respond with nonsense (Favorite Color: "Eighteen". Where did you go to Middle School: "The Piggly Wiggly", etc.). You don't need to be "correct", you just need to be consistent.


Wow, it appears that John McAfee is dead.

So if you follow this link from NYC.gov it brings you to a site that demonstrates ranked choice voting using pizza toppings as an example, which I believe the mayor mentioned in a news conference yesterday. I took a look at it and I have to wonder ... why are they including libraries from the credit card processor stripe.com?

All of the layered protocols (SPF, DMARC, DKIM) on top of email to make it spoof-resistant make me angry.

Tech recruiter who I don't know and called me cold: I need your DoB and last 5 of your SSN.

Me: Nope

Them: Why?

Me: With the year I was born, the state I was born in and the last 5 of my SSN you can narrow it down to less than 50 SSNs. Why do you need it?

Them: To prevent bias we can strip your name off and still identify you. We can't proceed without it.

Me: You're not doing a background check?

Them: Nope

Me: OK, my birthday is X and the last 5 of my SSN is 14338 (the last 5 of my Google Voice number).

If it is real and I get the gig, I'm sure it can be fixed in the hiring process.

I’ve read a few articles in the last couple of days from different parts of the country, all of which have the same basic theme: a young boy (around 8 or 9 years old) is in a virtual classroom. Somewhere in the child’s room there’s a toy gun, BB gun or Nerf gun which is in his camera shot. A teacher sees the gun, kicks the kid out of class (by blocking his Zoom connection) and reports the child to school authorities. In 2 cases the police were called to the home; in another the school wanted to expel the child and settled for suspension and counseling.

This reminds me of a news story from a couple of years back. A teenaged student had a school-provided device. One evening, after school hours, this student was sitting in front of the machine using it while eating M&Ms. Unknown to the student, his assistant principal was using the remote viewing software to “check up” on his students at night. Seeing his student doing what looked like popping pills, he took a screenshot and confronted the student the next day about his behavior at home.

I have a client who wants all of their staff to be on a video conference call for all the hours they are working so management can see and hear what everyone is doing. I have problems with this because my better half and I share a workspace in the apartment. She needs to spend a chunk of her day talking finances with the people at her organization, and neither one of us feels it’s appropriate to share her side of the conversation with everyone on my client’s staff.

All this leads to a question:

In these times when we are merging our personal space with our scholastic / professional space, are we inviting teachers, students and coworkers into our home, or are we expanding the classroom and office into our homes and as such subject to school / office rules?