The esteemed Texas philosopher George Strait sang the great truth of:
“If you leave me, I won’t miss you,
And I won’t ever take you back.
Girl, your mem’ry won’t ever haunt me
‘Cause I don’t love you, and now if you’ll buy that…”
I happened to have this song flash into my head after a lunch conversation with friends. We were talking about PII (Personal Identifiable Information), without a doubt a truly fascinating topic at any time. I reflected on how often the people we are sharing our most sensitive information with don’t understand the value of that information and the ramifications of handling it poorly. So let me set the stage, I bought a house. Well, more accurately, a mortgage broker worked with me to find the financing to allow me to pseudo own this new house.Since my goal is not to shame a specific company, but to point out a gap in basic common sense PII security I shall not name the companies in question. I started the process of purchase by working with two mortgage brokers. For the sake of anonymity let’s call them Frank Foolish and Sam Secure.
When I contacted Frank’s company I was directed to a web site to fill out some basic info. The site was secured via HTTPS (TLSv1.0). Yes, I did run an SSLtest on the site to verify it’s security. Certainly not the best security levels, but not totally unacceptable. I’ll spare all the other nerdy details on the test output. Wow, within 12 hours Frank has called me to set up a time to talk about what I’m looking at buying. So the next day Frank calls, and emails me a list of all the information I need to provide:
- Social Security Number
- Address
- Date of Birth
- Address
- Previous Address
- Drivers License(s)
- Pay stubs for like 2 years
- W2 Statements for the last 5 years
- IRS 1040 for the last 2 years, including all schedules, ALL SCHEDULES- I don’t do the EZ form
- Offer Letter from new employer
- Information about every property I owned
- Bank statements going back to like 2013
- Signed release forms to allow a “deep dive” credit check, and other scandalous releases of information
- Seems like DNA samples, fingerprints, and Iris scans were optional?
The instructions were to gather all the required information and check back when I had it together. Days passed, frustrations amassed, then the package was complete. So I asked Frank how shall I submit this to you? I’m thinking there will be a secure upload site used, maybe they have to be printed and sent via a secure courier? No Frank short statement to me is, “Just email them to me. That’s how we do it….” At this point frank just hears crickets from me. Email it really? Doe he know how much of my life is in this documentation? Of course he does, he does this every day. His company thinks this is a perfectly secure way to send what I consider my most secure information- my identity. I ask how they secure this email information from leaking by a bad actor internally, or via a email compromise, or any other evil I could imagine. Franks response, ” this is how everyone does this…” My response, ” Frank, let me get back to you on this…”
Now to Sam Secure, who won my business. Not only because of security, but speed and interest rate factored heavily as well. The process for Sam starts the same, but gets really much better:
- Go to web site fill out interest form
- Review security FAQ on site.
- Gold stars for having this as an easy reference.
- Multiple stars for addressing data life cycle
- Get call from broker (Sam)
- Talk about information required
- Tell Sam I got this already 🙂
- Sam sends link to Secure site for uploading information.
- Test site via ssltest
- Site using TLSv1.2 or v1.2
- Other nerdy details omitted
- Test site via ssltest
- Go to secure site and setup account
- Setup username (email address)
- Create complex Password( 5 Characters minimum, upper, lower, numbers and symbols)
- Setup second factor auth via SMS (Ok, not the most secure but it is a step above others)
- Upload files, which are MD5 hashed on upload.
- They matched the hashes I had created already
- I asked to compare them. They agreed. They matched.
- Sign required documents online
- Email verification of all files being submitted
Now we wait… A bit over two weeks later we closed.
So what’s this rambling all about? It’s about it has to do with a line of the lyrics.
If you leave me, I won’t miss you, And I won’t ever take you back.
In the day of computer breaches, system attacks, and the global market for stolen identities may be lyrics should be more like
If it leaves me, I can’t secure it, And I won’t ever get it back.
Your PII is who you are in so many facets of life. Loss of your PII can cause financial ruin, legal troubles, credit destruction, general embarrassment, and sleepless night. Imagine paying your bills on time for years, seeing your credit score approach the mythical 850, and with a careless slip 850 becomes 250. Imagine the dismay when your credit score keeps your from being able to access financing for a home or car. Your auto insurance rate can be tied, in part, to your credit score. What if you found your dream job, and they pass on you because of that PII leakage.
My Kosovar friends might say, “What to do? what to do?” I think the best course of action is to be proactive about your PII. Assert yourself, ask the questions? Use some common sense.
For example: Never, NEVER, NEVER send anything via personal email that you would not want to share with the whole world. Email works like this-
Using my mortgage example :
Your email with your PII attached –> Goes into the wide open Internet to your recipient ( During this transit there is NO Guarantee of security or privacy—> Email received. Once your reader has it how do they handle it? Deleting it doesn’t really make it go away. What stops the reader form copying your information for nefarious purposes? Do you trust someone to protect your PII like you would? I hope not. What happens if next week that email were to be accessed by an evil doer that “hacked” into the readers email account. Everything you sent is now in the hands of actors that don’t care about your privacy, they want to sell the information. They want to sign you up for new credit cards where they will buy the stuff they want leaving you to unpack the wreckage of your identity.
Repeat after me: If it leaves me, I can’t secure it, And I won’t ever get it back.