As I've been engaged in a job hunt I've been dealing more and more with applying for jobs online, and I've begun to notice a disturbing trend. A number of sites from reputable firms have been asking for the last 4 digits of my SSN as well as my birthday. Now that these firms also require you to have an account on their site to apply for a job, they ask you to answer "personal questions" so they can reset your password; commonly your place of birth is used. I understand that some companies (including a major financial services provider) are using last name + last 4 SSN digits as a unique identifier. I won't discuss the potential for collisions in that keyspace here because I don't want to bore you with math; let me just say there's a real possibility that two people out there share a last name and the last 4 digits of their SSN and apply to the same company.
Some people have pointed out that I should trust the larger recruiting firms and financial companies. It feels like at least once a week there's a story on the front page of the Wall Street Journal featuring some large firm that's had a data loss of one sort or another. Today, for example, HSBC was fined over £3,000,000 for data loss. In a world where companies are leaking this information like a sieve, why would I trust them with it before we have a relationship? Also, these job application sites tend to be outsourced, so I'm not trusting this firm's reputation but that of some small firm they've subcontracted the work to.
When I discuss this I've heard, "even if it leaks out, it's only the last 4 digits; an attacker would still need to guess the first five." That's not entirely the case. Given someone's place of birth one can accurately guess the first 3 digits of a Social Security Number (the area number), which leaves only the 2-digit group number unknown: about 1 in a hundred. Some students at CMU identified a vulnerability in SSNs using place of birth and date of birth, and while their method required some serious computing muscle to predict the first five digits, if you gave these folks the last 4 digits of someone's SSN, which are the hardest-to-predict digits and carry most of the entropy, they could probably guess the SSN using my Apple ][e (I have a 1 in 100 shot without doing any processing at all).
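To put numbers on the two claims above (the 1-in-100 guess once the area number is known, and the collision risk of keying people on last name + last 4), here is a short worked example. This is added code, not part of the original post or the CMU study; it assumes the pre-2011 SSN layout AAA-GG-SSSS in which the area (AAA) was tied to the issuing state, group (GG) 00 and serial (SSSS) 0000 were never issued, and areas 000, 666 and 900-999 were never assigned. The area number 055 and serial 1234 are made-up inputs.

```python
"""Worked numbers behind the "last 4 digits" argument (added example).

Assumes the pre-2011 SSN layout AAA-GG-SSSS: the area (AAA) was tied to the
state of issuance, the group (GG) was assigned in a known order, and the
serial (SSSS) is the disclosed "last 4". Since June 2011 the SSA assigns
numbers randomly, so the area/place-of-birth link only holds for older numbers.
"""

# Values never issued under the pre-2011 rules.
INVALID_AREAS = {0, 666} | set(range(900, 1000))
INVALID_SERIAL = 0  # serial 0000 was never issued; group 00 likewise


def candidates_with_area(area: int, last4: int) -> list[str]:
    """SSNs left to try when the area number is known (inferred from place
    of birth) and the last 4 digits leaked: only the 2-digit group is unknown,
    so the whole search is the 99 valid group numbers."""
    if area in INVALID_AREAS or last4 == INVALID_SERIAL:
        raise ValueError("not a valid pre-2011 SSN area/serial")
    return [f"{area:03d}-{group:02d}-{last4:04d}" for group in range(1, 100)]


def candidates_without_area(last4: int) -> int:
    """Size of the search space if only the last 4 leaked and the attacker
    knows nothing else: every valid area x group pair is a candidate."""
    if last4 == INVALID_SERIAL:
        raise ValueError("serial 0000 was never issued")
    valid_areas = [a for a in range(1000) if a not in INVALID_AREAS]
    return len(valid_areas) * 99  # 898 areas x 99 groups = 88,902


def collision_probability(applicants: int, space: int = 10_000) -> float:
    """Birthday-problem probability that at least two of `applicants` people
    who share a last name also share the same last 4 (10^4 possible serials).
    This is the collision risk of using (last name, last 4) as a unique key."""
    if applicants > space:
        return 1.0  # pigeonhole: more people than distinct serials
    p_all_distinct = 1.0
    for i in range(applicants):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def applicants_for_even_odds(space: int = 10_000) -> int:
    """Smallest pool of same-surname applicants at which a last-4 collision
    is more likely than not."""
    n = 1
    while collision_probability(n, space) < 0.5:
        n += 1
    return n


if __name__ == "__main__":
    # 055 / 1234 are constructed inputs, not a real person's number.
    print(len(candidates_with_area(55, 1234)), "candidates once area and last 4 are known")
    print(candidates_without_area(1234), "candidates with only the last 4 known")
    print(applicants_for_even_odds(), "same-surname applicants give >50% collision odds")
```

Two things worth noticing: even without a place of birth, leaking the last 4 cuts an attacker's search from a billion numbers to under 90,000, because the serial is the only part of an old-style SSN that is not structured; and a company with a few hundred applicants named Smith or Garcia should expect (last name, last 4) collisions as a matter of routine, which is why it makes a poor unique identifier.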
I also hear "you're going to give it to them when you get the job". That's another matter entirely. By the time I've accepted the job, or am far enough into the process that I'm getting a background check, the situation is much different from the first thing you ask me. Also, I'm probably providing it in person, on paper, not in little bits scattered across the internet. I'd like to think that most companies' HR systems are firewalled off from the internet.
So, no: I am not providing the last 4 digits of my SSN online early in an application process, because I won't open myself up to that level of risk. On some level I'd also like to suggest that you think about this. Would you want a technologist working for you who either didn't consider this or is willing to open himself up to that level of loss? Personally, if I were the hiring manager, answering that question would disqualify a candidate, not get them through the process.
Sean Reiser, 40, is a developer, technologist, and amateur photographer. Sean has spent the past 20 years as a programmer, system architect and development manager. He is a lifelong New York resident.
Sean currently serves as the President and Chief Geek Officer of Repair Sense, Inc. Please go to that site with any professional inquiries.
Well, I think partial SSNs are not worth the risk. I don't trust anyone, big or small firms. The Internet can be this huge sieve if you're not careful.