I'm taking the OP's advice just for geek cred rather than privacy and enabling S/MIME in all my email clients. Surprisingly easy now that all the Apple stuff has it built in. Now if I could just get even one person I correspond with to bother with it.

Uggh. Here's the darkside. No more searching of archived messages or http webmail once it's all encrypted. Definitely use it sparingly!

http://www.infoworld.com/d/security-central/trouble-smime-e-mail...

NEDeals said:
And it's not just mortgage brokers, I've found that many attorneys are just as bad too. They like to stamp legally privileged on everything, then email documents (including very sensitive documents) around on the Internet. I worked out a system where I encrypt my documents with a PDF password, but it's hard to convince others to encrypt sensitive information.


SUCKISSTAPLES said:   Yes attorneys do the same
So do accountants
So do mortgage professionals
So do life insurance professionals (ever see how much personal info is in a life insurance application? More than your mortgage app!)

As I said, you aren't going to change these industries, so just forget about trying to encrypt this info - it was never private, and SSN was publicly used up till a few years ago as your account number for insurance and other things


You are stating the attorney-client documents are not private and do not deserve protection from sending through the Internet in the clear? Interesting.

When I asked one of my attorneys about this, he had no clue at all that information sent via email can be easily intercepted and recorded without any effort at all. After a quick demonstration, he now encrypts all of his privileged documents and thanked me for the heads up.

Life insurance professionals may be subject to HIPAA, depending on the information. And yes, they have been good about protecting it, in my experience.

As far as ssn goes, what it was used for in the past is less relevant in today's environment.

On the other hand, I've never had any accountants try to send any sensitive documents without protecting them through encryption.

So while I can't "change an industry," I can certainly be vigilant about my own data and give a heads up to my own partners, such as my attorney who changed to encrypting sensitive documents.


Your attorney is likely a decision maker within his company and has the ability to implement such changes. The average mortgage rep is a low level "no authority employee" of a large financial institution and has no say in company processes or IT security. That's handled by an entirely different department

And yes, attorneys routinely email and fax privileged communications. They don't go to some secure fax that the janitor and receptionist can't see.

Like I said, your SSN was never private. Trying to encrypt it now is a joke as it hasn't been encrypted for the last 20-40 years of your life's dealings

SUCKISSTAPLES said:   NEDeals said:
And it's not just mortgage brokers, I've found that many attorneys are just as bad too. They like to stamp legally privileged on everything, then email documents (including very sensitive documents) around on the Internet. I worked out a system where I encrypt my documents with a PDF password, but it's hard to convince others to encrypt sensitive information.


SUCKISSTAPLES said:   Yes attorneys do the same
So do accountants
So do mortgage professionals
So do life insurance professionals (ever see how much personal info is in a life insurance application? More than your mortgage app!)

As I said, you aren't going to change these industries, so just forget about trying to encrypt this info - it was never private, and SSN was publicly used up till a few years ago as your account number for insurance and other things


You are stating the attorney-client documents are not private and do not deserve protection from sending through the Internet in the clear? Interesting.

When I asked one of my attorneys about this, he had no clue at all that information sent via email can be easily intercepted and recorded without any effort at all. After a quick demonstration, he now encrypts all of his privileged documents and thanked me for the heads up.

Life insurance professionals may be subject to HIPAA, depending on the information. And yes, they have been good about protecting it, in my experience.

As far as ssn goes, what it was used for in the past is less relevant in today's environment.

On the other hand, I've never had any accountants try to send any sensitive documents without protecting them through encryption.

So while I can't "change an industry," I can certainly be vigilant about my own data and give a heads up to my own partners, such as my attorney who changed to encrypting sensitive documents.


Your attorney is likely a decision maker within his company and has the ability to implement such changes. The average mortgage rep is a low level "no authority employee" of a large financial institution and has no say in company processes or IT security. That's handled by an entirely different department

And yes, attorneys routinely email and fax privileged communications. They don't go to some secure fax that the janitor and receptionist can't see.


To be clear, the concern here is not for receptionists and employees *inside* the firm. The concern is protecting private information before it is sent across the Internet. Email works on a store and forward basis; the sender has no way of knowing where it will end up outside of their control, how many copies might be made, for how long, or where.



Like I said your SSN was never private.

Does anyone care to post their non-private SSN here?

Trying to encrypt it now is a joke as it hasn't been encrypted for the last 20-40 years of your life's dealings

I disagree, protecting your information in transit is a good idea. And SSN is only a tiny portion of other personal information used for mortgages and legal matters that all deserve encryption when sent on the open Internet.

TravelerMSY said:   Uggh. Here's the darkside. No more searching of archived messages or http webmail once it's all encrypted. Definitely use it sparingly!

http://www.infoworld.com/d/security-central/trouble-smime-e-mail...


Encrypting the documents rather than the entire email message (assuming it itself is not sensitive) is probably a better idea for this reason.

I recently backed a Kickstarter project called "myIDkey"... you can google it, it won't let me put the link. It's a neat hardware tool to keep your passwords safe, so long as you don't lose the device, of course.

The average mortgage worker won't be able to figure out how to open an encrypted email. Like others have said, these docs are sent all over the world, day in and day out, with no encryption and no security. Doesn't make it right, but it happens. You can refuse to comply, but what's the alternative? Are you going to send it by US Mail? That's certainly not any more reliable.

I had no problem with that. I recently bought a new home and almost all my documents went to the processor through email.

Look at it this way. 99% of the population is clueless about this stuff, as you keep running into with all the examples of bankers and lawyers using insecure methods. Yes, 1% of the population could snoop your email. 90% of them have no inclination to do such a thing. The 0.1% of the population who knows how to snoop your email and might be interested in stealing your data is still too busy sorting through the 200,000 credit card numbers they got off the unsecured Sony network.

FYI - Chase uses secure email when transmitting mortgage information.

NEDeals said:   ...all that information sent via email can be easily intercepted and recorded without any effort at all.

Intercepted? Yes. Easily and without any effort at all? That's a stretch.

I feel the same way and refuse to email the raw documents. We can only really control how we deliver the documents to the mortgage person, not what they do with it afterwards. This is our 2nd house and we closed on it 4 years ago. Since then we've refi'd 4 times. Four of those five closings I've locally scanned the documents they requested and packed them into a self-decrypting archive with a shared password. There are numerous programs to do this. I then rename the extension so it will get through most email filters that only check for extension. I then call the broker and tell them the password to unpack the documents (after he/she renames the file with the proper extension). I did say four of the five, because the fourth closing I was in the area and dropped them off physically.

For those that say SSN is out there, that may be true, but not in one gift basket with all of the other sensitive data that we include. (Tax returns, bank statements, paychecks, credit history, financial accounts, copy of driver's license, current accounts with balances, etc, etc). I agree with the OP it's a poor way to handle our personally identifiable data. Any malicious person that can get their hands on it could do damage pretty easily.

After many years doing white collar criminal defense, I can guarantee you Very Little is secure over the internet. For example, unless an Intel processor is older than the first Core 2 processors through the Nehalem, there are at least 120 unfixed "errata" that allow an intruder to take over and remotely control Intel based machines. Hack in the Box claims at least 35 unfixed vulnerabilities for Sandy Bridge. The easiest fix is to eliminate Javascript and Java from all code on the machine. These are vulnerabilities I know about from representing hackers. 24th Air Force HQ and NSA have data centers here, so we did get a disproportionate number of cybersecurity cases.

States have to be the dumbest of all. Up until 1996 I think 2/3 of the states used your SSN as your DL number. Texas put the SSN of both husband and wife and all children in divorce decrees until the Feds made Gov. Perry change. Property tax records for years had the owners SSN or TIN posted on line.

There are two classes of citizens on SSN. I am older than my brother by several years and we were born in different states. Our SSN's are one digit different. We were born before SS computerized the SSN system in the 1980's to prevent parents from claiming their dogs, cats, gerbils etc as dependents on their tax returns. The President is coded to Connecticut because he was living outside the US when he got his first passport and needed the SSN. The NY Passport Center assigned all SSNs for overseas. His number looks like one of the Connecticut numbers but belongs to a special group of people getting their passports and SSN at the same time from outside the US.

As for security, there is no such thing as security online. The oil companies have learned the hard way that any encryption can be broken, and their encryption software is the best money can buy. If you need total security, use an armored courier service (Brinks, Wells Fargo come to mind). Cheaper and probably better protected is USPS registered mail. That is routinely used by diamond dealers. The Hope Diamond was sent to the Smithsonian by registered mail. There are no internet crawlers that can intercept registered mail.

You mean like millions of people do every tax season?

dcwilbur said:   NEDeals said:   ...all that information sent via email can be easily intercepted and recorded without any effort at all.

Intercepted? Yes. Easily and without any effort at all? That's a stretch.

tcpdump, wireshark, firesheep plugin, and dozens of other tools make it easy. It takes more effort to create a new fatwallet account than to intercept emails sent in the clear with a little knowledge.

I use YouSendIt.com to send documents like that. I scan the documents, create a password-protected zip file, then use that service to upload to the server. I then email the lender a link to the file. Then in a separate email I send the password to the zip file. Totally secure.

markbyte said:   I use YouSendIt.com to send documents like that. I scan the documents, create a password-protected zip file, then use that service to upload to the server. I then email the lender a link to the file. Then in a separate email I send the password to the zip file. Totally secure.

Sounds like a good service, but I would give the password via phone, not another email. If one email can be intercepted, so can the second email containing the password.

What I have done in the past was I uploaded the documents to a password protected folder on my web server. I sent the location to the documents to the loan processor through email, and then I called him up and gave him the password over the phone.

The loan processor took it in stride although I think he thought I was a paranoid tinfoil hatter.

I once received an e-mail from my broker's assistant. He sent me a re-typed application in an unprotected PDF and asked me to verify things. The ironic part is that it was not my application.

RealEstateMatt said:   Your SSN is about as secure as your cell phone number. The first 5 digits can be figured out based on the year and location of your birth

I have 3 kids, all born in the same hospital and living in the same house when their SSNs were issued, and they don't share any of the first 5 digits in common, including the first one. They were born within 15 months of each other down the line.

I think your post is a slight exaggeration that SSNs are as secure as a cell phone number.

markbyte said:   I use YouSendIt.com to send documents like that. I scan the documents, create a password-protected zip file, then use that service to upload to the server. I then email the lender a link to the file. Then in a separate email I send the password to the zip file. Totally secure.

Similarly, I always send password protected zip files for stuff like this and then text message the password to the zip file. The problem with your (and my) approach though is that the mortgage company probably puts that information in the clear on an insecure network and emails it all over the place.

NEDeals said:   dcwilbur said:   NEDeals said:   ...all that information sent via email can be easily intercepted and recorded without any effort at all.

Intercepted? Yes. Easily and without any effort at all? That's a stretch.

tcpdump, wireshark, firesheep plugin, and dozens of other tools make it easy. It takes more effort to create a new fatwallet account than to intercept emails sent in the clear with a little knowledge.


Yes, the tools are the easy part. Getting into the position of seeing traffic of the device that transmits the sensitive information is the hard part.

If computers are plugged into a switch, you don't see their traffic. If computers are connected wirelessly and use encryption on the connection you have to beat the encryption to see their traffic.

It's not as easy as firing up your favorite WinPCap wrapper application (ex: Wireshark, formerly Ethereal) from home and watching the SSNs fly by.

FinancialAnalyst said:   RealEstateMatt said:   Your SSN is about as secure as your cell phone number. The first 5 digits can be figured out based on the year and location of your birth

I have 3 kids, all born in the same hospital and living in the same house when their SSNs were issued, and they don't share any of the first 5 digits in common, including the first one. They were born within 15 months of each other down the line.

I think your post is a slight exaggeration that SSNs are as secure as a cell phone number.


SSNs WERE assigned in a manner that could be somewhat figured out. On June 25, 2011, they began to be assigned in a random manner. http://www.socialsecurity.gov/employer/randomization.html

Why the change? For the very reasons cited.

3 kids all born within 15 months, i.e. the oldest was 2 1/2 when the youngest was born? Yikes!

It is appalling the lack of security that exists everywhere. People store things on their computers they shouldn't, they click on links they shouldn't, and they give out info they shouldn't.

As noted by others, faxes USED TO BE somewhat secure, you faxed to a machine that printed a fax. Then, the machines got memory added to them, so you could reprint faxes - just like copiers got memory and you can reprint what someone just copied. Then, people started getting faxes directed right into their company computer systems, and stored on servers in the company.

A few years back, companies that accept credit cards had to make big changes to secure this kind of info, or Mastercard and Visa would stop letting them take their cards. This was called PCI DSS. So if you were doing business with an internet site or catalog company, your information became more secure a few years back - assuming they really did, and keep doing, what they were told to do.

You can take steps to protect yourself, some of which have been mentioned already. When you fax, don't put your SSN in the boxes. Call and have the recipient fill in the boxes over the phone. Same with date of birth and other sensitive data. Or, if the info isn't needed but is on the form (i.e. someone wants your tax return), black it out and then fax it.

Note that sending a "secure" file, like a PDF with a password, is a good step but can be broken if someone wants to get into it.

SUCKISSTAPLES said:   Fax or email, or fax that goes to email, is the standard.

You probably aren't going to singlehandedly change the way the industry operates unless you are a class action attorney and round up a couple lead plaintiffs who have actually had their identities stolen due to this practice


If you are working with an unshaved mortgage broker driving a 1992 Pontiac Grand Am, then anything goes. However, no respectable financial services company will ask you to email them any NPI (nonpublic personal information) or email the docs to you. This is illegal under GLBA. My recent refi was 100% electronic with a bank in a different state. They use DocuSign for e-signing the contract and a secure message box (similar to Dropbox) for all supplemental documentation. I would refuse to work with them if they ever asked me to email any sensitive documents.

FinancialAnalyst said:   RealEstateMatt said:   Your SSN is about as secure as your cell phone number. The first 5 digits can be figured out based on the year and location of your birth

I have 3 kids, all born in the same hospital and living in the same house when their SSNs were issued, and they don't share any of the first 5 digits in common, including the first one. They were born within 15 months of each other down the line.

I think your post is a slight exaggeration that SSNs are as secure as a cell phone number.


If your children were born after 1988 and before 2011, their SSNs are about as secure as a 3 digit PIN. Dr Alessandro Acquisti and Dr Ralph Gross of Carnegie Mellon University published a number theory paper showing how easy it is to determine a person's SSN from a birth certificate. Your postulate is blown up by the fact that SS is not dumb enough to use a progressive sequence in a geographic area year after year. The full paper is no longer available on line but can be obtained through the abstract here. http://www.pnas.org/content/106/27/10975.abstract Predicting Social Security numbers from public data. Here is an article posted on the Washington Post among many others about the flaw. http://money.usnews.com/money/blogs/planning-to-retire/2009/07/1...

NEDeals said:   
To be clear, the concern here is not for receptionists and employees *inside* the firm. The concern is protecting private information before it is sent across the Internet. Email works on a store and forward basis; the sender has no way of knowing where it will end up outside of their control, how many copies might be made, for how long, or where.


Although email was originally based on store and forward out of necessity, it rarely is implemented that way anymore, at least in the US and other major developed countries. Virtually all mail servers these days connect directly to the mail server that is in the MX record for a domain. Today it is a much bigger concern with your email being peeped by employees inside the firm or hacked email accounts than it is to get peeped in transit.

chibimike said:   

Although email was originally based on store and forward out of necessity, it rarely is implemented that way anymore, at least in the US and other major developed countries. Virtually all mail servers these days connect directly to the mail server that is in the MX record for a domain. Today it is a much bigger concern with your email being peeped by employees inside the firm or hacked email accounts than it is to get peeped in transit.


Connecting to the MX record server is a component of the forward part of store and forward.

In the early days of email, your email used to hop from server to server working its way from one location to the other. These days, your email server is almost always talking directly to the recipients server.

chibimike said:   In the early days of email, your email used to hop from server to server working its way from one location to the other. These days, your email server is almost always talking directly to the recipients server.

I'm not sure what your point is. When you send something outside of your network, you no longer have control over the data: who sees it, records it, searches it, etc. That's why you encrypt things that you don't wish to share. Even in your example, you've listed at least two servers, both with store and forward. If the connection is good, the first server might only store for a few milliseconds. Or longer, depending on how things are going. Personally, I would never allow external connections to an internal mail server, so that is at least one more stop, plus virus checking, load distribution, anti-spam services, local servers distributed across an enterprise, archiving, etc. But that is not relevant to protecting data, because once it is outside your network, the only thing left to protect it is encryption.
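The store-and-forward argument above can be checked against any real message: every `Received:` header is a server that held a copy, and the RFC 3848 keyword after `with` tells you whether that hop's wire was TLS-protected. The script below is an added example, not code from anyone in this thread; the message, hostnames and addresses are constructed placeholders.

```python
"""Walk the Received: trail of an email (oldest hop first), list every
server that stored and forwarded it, flag hops sent without TLS, and
estimate how long each server held the message.

Added example for this thread, not any poster's code. The message
below is constructed; hosts and IPs are documentation placeholders.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE_MESSAGE = """\
Received: from mx-in.recipient-firm.example (mx-in.recipient-firm.example [203.0.113.10])
\tby mailstore.recipient-firm.example with ESMTP id 42
\tfor <processor@recipient-firm.example>; Mon, 01 Jul 2013 10:00:07 -0500
Received: from mail.sender-isp.example (mail.sender-isp.example [198.51.100.5])
\tby mx-in.recipient-firm.example with ESMTPS (TLSv1) id 41;
\tMon, 01 Jul 2013 10:00:05 -0500
Received: from [192.0.2.20] (client.home.example [192.0.2.20])
\tby mail.sender-isp.example with ESMTPA id 40;
\tMon, 01 Jul 2013 10:00:01 -0500
From: borrower@sender-isp.example
To: processor@recipient-firm.example
Subject: refi docs

(body)
"""

# "from <host> ... by <host> [(comment)] with <keyword>" as per RFC 5321 trace fields
HOP_RE = re.compile(
    r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)\s+(?:\(.*?\)\s+)?with\s+(?P<with>\S+)"
)

# RFC 3848: the ESMTPS / ESMTPSA keywords mean the hop used STARTTLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA"}


def parse_hops(raw):
    """Return hops oldest-first as dicts: frm, by, proto, tls, when."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its header, so the top one is the newest.
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        when = None
        if ";" in flat:                       # the date follows the last ';'
            when = parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())
        proto = m.group("with")
        hops.append({
            "frm": m.group("frm"), "by": m.group("by"), "proto": proto,
            "tls": proto.upper() in TLS_KEYWORDS, "when": when,
        })
    return hops


def storing_servers(hops):
    """Every 'by' host kept a full plaintext copy, TLS or not."""
    return [h["by"] for h in hops]


def unprotected_hops(hops):
    """Hops whose wire could be read by anyone on the path."""
    return [(h["frm"], h["by"]) for h in hops if not h["tls"]]


def dwell_seconds(hops):
    """Seconds each server held the message before the next hop's stamp."""
    out = []
    for cur, nxt in zip(hops, hops[1:]):
        if cur["when"] and nxt["when"]:
            out.append((nxt["when"] - cur["when"]).total_seconds())
    return out


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_MESSAGE)
    for h in hops:
        print(f"{h['frm']:>32} -> {h['by']:<32} {h['proto']:<7} tls={h['tls']}")
    print("servers holding a copy:", storing_servers(hops))
    print("cleartext hops:", unprotected_hops(hops))
    print("dwell per server (s):", dwell_seconds(hops))
```

Even the TLS hop only protects the wire; the relay at each end still held the decrypted message, which is why the thread's advice to encrypt the document itself stands regardless of topology.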

FinancialAnalyst said:   NEDeals said:   dcwilbur said:   NEDeals said:   ...all that information sent via email can be easily intercepted and recorded without any effort at all.

Intercepted? Yes. Easily and without any effort at all? That's a stretch.

tcpdump, wireshark, firesheep plugin, and dozens of other tools make it easy. It takes more effort to create a new fatwallet account than to intercept emails sent in the clear with a little knowledge.


Yes, the tools are the easy part. Getting into the position of seeing traffic of the device that transmits the sensitive information is the hard part.

If computers are plugged into a switch, you don't see their traffic. If computers are connected wirelessly and use encryption on the connection you have to beat the encryption to see their traffic.

It's not as easy as firing up your favorite WinPCap wrapper application (ex: Wireshark, formerly Ethereal) from home and watching the SSNs fly by.


Some things to consider:

1.) How do you know that all machines are plugged into a switch throughout the entire path from sender to recipient?
2.) How do you know who has access to those switches that you are sure are there or their SPANs?
3.) Assuming shared key encryption for wireless, anybody with the shared key has access to everything. It's a hub in the sky. If the encryption is WEP or WPA, they don't even need the key in advance.
4.) When I did pen testing, making a switch send data to arbitrary ports was a favorite technique. For some reason, some folks still think that switches provide security in this manner and other measures are not needed.
5.) Protecting sensitive data sent across the Internet should not depend on a particular network topology in use at the moment.

It is great that more mortgage companies are taking steps to protect their customers' data.

Just for kicks I've PM'ed NE deals with my real actual SSN (I left off the last digit but there's only 10 possibilities)

I've bet him $100 he can't get my credit report

I also bet $1000 he can't actually open a credit account in my name.


This is a private bet I've made to him, but just posting to show I'm serious in my commitment to honor this bet.

SUCKISSTAPLES said:   Just for kicks I've PM'ed NE deals with my real actual SSN (I left off the last digit but there's only 10 possibilities)

I've bet him $100 he can't get my credit report

I also bet $1000 he can't actually open a credit account in my name.


This is a private bet I've made to him, but just posting to show I'm serious in my commitment to honor this bet.

Putting your money (& SSN) where your mouth is. Awesome.

I'll add that while Massachusetts has probably the best law attempting to help protect SSN, it's sort of sad that nobody actually pays attention to it.

NEDeals said:   
I agree that it is nuts that just knowledge of a number in the wrong hands can cause so many problems, but that is the way it is. I have been vigilant about protecting my numbers and so far have not had identity theft. I would prefer to prevent the hassle proactively, rather than wait for a problem so I can see it on my credit report.


That's confirmation bias.

Gmail (and a lot of competing services) uses https for user access, but this only protects the final link between you and gmail. It doesn't protect the message and documents as they flow across the Internet or are stored on any other server along the way.


https is supposed to prevent man-in-the-middle attacks by encrypting the entire content - of course, it is possible these days to break the SSL encryption.

ryoung81 said:   On the same note, PDF passwords are NOT secure. I can crack a pdf password of any strength within 2 minutes.

Given a sufficiently long and complex password involving letters, numbers, and special characters, you would not be able to crack a PDF in many multiples of your lifetime, given current computing limits. AES-128 is still completely secure when used with a complex password. Don't fear monger.

nsdp said:   

If your children were born after 1988 and before 2011, their SSNs are about as secure as a 3 digit PIN.

The full paper is no longer available on line...


online

SUCKISSTAPLES said:   Just for kicks I've PM'ed NE deals with my real actual SSN (I left off the last digit but there's only 10 possibilities)

I've bet him $100 he can't get my credit report

I also bet $1000 he can't actually open a credit account in my name.


This is a private bet I've made to him, but just posting to show I'm serious in my commitment to honor this bet.


I appreciate the bet, but to follow through would involve me committing a crime of identity theft. I'm not willing to commit a crime, even if somebody on the Internet states that he will pay me some money afterwards if I do so.

My larger point isn't what one can or can't do with a SSN or even part of an SSN alone. It is about the importance of protecting personal information, of which SSN is just one possible item of many. In a mortgage application, documents sent might not only be an SSN, but tax returns, bank balances and accounts, etc. The information would also likely include a name and address, not just eight digits of an SSN.

The point I'm making is that these numbers, in connection with your name, DOB etc, have been used publicly for decades. They were never private, and even today they are out there. Old court records, old deeds, birth and death certificates etc

My college ID had my SSN, name and DOB on it, so did my insurance card. As you note, there is liability for unauthorized use, so why should I be scared? And why should you? And btw, since I authorized you to open a credit account for me, that would not be considered ID theft. I would simply find a new card in my mail. I didn't tell you to divert the card to your house; that would be ID theft

Trying to protect other personal info like DOB, address etc is really pointless. There are numerous data services online that have this info on you. New ones are popping up every day. Most people share their name and DOB on Facebook. If you have an uncommon last name you can be located in seconds on the Internet. It's fruitless to waste your time trying to protect all this

Let the financial institutions implement whatever procedures they want, or don't want. It's the FI who take the loss when ID theft occurs. I have no interest in helping them do their job or reducing their liability

I don't get it. If you don't want to send documents via insecure channels, then don't do it. I'm sure that there are several mortgage companies that use secure https sites. I know Quicken Loans has a secure portal that you can use to upload docs.
