• Go to page :
  • 1 23
  • Text Only
Voting History
rated:
When applying for a mortgage, has anyone been asked or expected to send documents via regular email, unprotected?

I strongly dislike the careless approach to securing your documents that most mortgage companies use. Some have asked me to email sensitive documents (tax returns, pay stubs with SSN, bank account numbers next to the balances, etc.) unencrypted, or have even sent me documents with my SSN "encrypted" with something dumb like the last four digits of a social security number as the password. (As if it would take more than 0.001 seconds to crack a four digit numeric password on an old laptop).

When I declined to email some documents, a broker asked me to fax them instead. Then I asked him how he received the faxes. He said via email! He couldn't tell me if the fax to email server was internal to his network (which would still be bad enough), but it sounded like a third party provider which could be anywhere.

I'm curious of what experiences others have had exchanging sensitive documents and how you dealt with it. In years past, I did everything via overnight courier; now companies want to use email instead, even though they don't protect it. I think it is time for standards involving sending documents that include your social security number or personal info with mortgage companies and brokers.

And substitute mortgage companies with any other finance company as needed.

An obvious approach would be to have a secure server for document uploading/downloading, but without knowing who is operating the secure server and what security it actually has, it is hard to be assured.

Member Summary
Most Recent Posts

NEDeals (Apr. 20, 2013 @ 9:41p) |

I don't think we disagree in principle. But thinking beyond a mere SSN, unfortunately there have been numerous cases of... (more)

NEDeals (Apr. 20, 2013 @ 10:31p) |

The discussion in this thread is interesting. Recent article in PC World that discusses sending private information over... (more)

bighitter (Apr. 20, 2013 @ 11:58p) |


not a problem for me --- then can email my social security number all they want

if I had a problem, I would deal directly with a local bank or credit union and do everything inside the building (of course they might be e-mailing your stuff to their HQ after you leave their office )

I pay for everything in cash so I can't relate to your problem.

Fax or email , or fax that goes to email is the standard .

You probably aren't going to singlehandedly change the way the industry operates unless are a class action attorney and round up a couple lead plaintiffs who have actually had their identities stolen due to this practice

Your ssn is about as secure as your cell phone number. The first 5 digits can be figured out based on the year and location of your birth, and the last 4 is on a ton of general documents that can be requested via any data provider for like $10.

I used to do everything I can to keep it secure, but in the last 3 years I've still received 5 data breach notifications from companies that my data "may have been compromised". Of course this means some idiot lost a laptop with my info(along with thousands or millions of others), and/or some hacker accessed account info that SHOULD have been secured.

It's not worth going out of your way to protect it. You're better off just paying attention to your credit report and credit cards to look for new accounts or charges you didn't make.

SUCKISSTAPLES said:   Fax or email , or fax that goes to email is the standard .

You probably aren't going to singlehandedly change the way the industry operates unless are a class action attorney and round up a couple lead plaintiffs who have actually had their identities stolen due to this practice


Banks use (presumably) encrypted web pages for logins and to collect social security numbers, I'm surprised they feel it is acceptable to email SSNs around the Internet unencrypted at the same time.

And it would be very hard to prove that identity theft is caused by such a poor practice, because the identity theft can be done far away from the bank/broker. But it can happen just the same.

I dealt with this by being very vigilant and refusing to send anything sensitive across the Internet without encryption (using a strong password with PDF makes it somewhat easy and secure), but most people don't seem to care much. Would they feel alright emailing the debit card number and details in the clear?

RealEstateMatt said:   Your ssn is about as secure as your cell phone number. The first 5 digits can be figured out based on the year and location of your birth, and the last 4 is on a ton of general documents that can be requested via any data provider for like $10.

I used to do everything I can to keep it secure, but in the last 3 years I've still received 5 data breach notifications from companies that my data "may have been compromised". Of course this means some idiot lost a laptop with my info(along with thousands or millions of others), and/or some hacker accessed account info that SHOULD have been secured.

It's not worth going out of your way to protect it. You're better off just paying attention to your credit report and credit cards to look for new accounts or charges you didn't make.


I agree that it is nuts that just knowledge of a number in the wrong hands can cause so many problems, but that is the way it is. I have been vigilant about protecting my numbers and so far have not had identity theft. I would prefer to prevent the hassle proactively, rather than wait for a problem so I can see it on my credit report.

And yes if some clown loses a laptop, that's out of my control, but hopefully that laptop is encrypted or the finder doesn't know how or doesn't care to reveal the contents.

Actually the SSN is coded to a year and location of the SSN issuance, not birth, unless they are the same. But it is not a 1:1 match.

I never use a debit card , but I've faxed and emailed my credit card info many times

NEDeals said:   SUCKISSTAPLES said:   Fax or email , or fax that goes to email is the standard .

You probably aren't going to singlehandedly change the way the industry operates unless are a class action attorney and round up a couple lead plaintiffs who have actually had their identities stolen due to this practice


Banks use (presumably) encrypted web pages for logins and to collect social security numbers, I'm surprised they feel it is acceptable to email SSNs around the Internet unencrypted at the same time.

And it would be very hard to prove that identity theft is caused by such a poor practice, because the identity theft can be done far away from the bank/broker. But it can happen just the same.

I dealt with this by being very vigilant and refusing to send anything sensitive across the Internet without encryption (using a strong password with PDF makes it somewhat easy and secure), but most people don't seem to care much. Would they feel alright emailing the debit card number and details in the clear?




Had same experience a couple years ago. I pointed it out to the settlement company and it was apparent they were clueless to the obvious security issue making statements like "e-mail is secure". I convinced them to obtain a PDF generator with password protection. Of course, they made the password "1111" and included it in the same e-mail the PDF was attached to [bangs forehead against wall...] lol

Most of the info the OP is worried about is easily already in the public domain. Put it in some kind of encrypted file and email that instead if it will give you peace of mind. Or mail the docs via USPS. I personally think the speed outweighs the potential risks. Especially for a loss like identity theft, in which the risk of hassle is high but the risk of permanent financial loss is low.

SUCKISSTAPLES said:   I never use a debit card , but I've faxed and emailed my credit card info many times

If it were supposed to be secret, then why is it printed in raised letters on the card itself?

Seriously, they can't do a lot of damage without the billing address and cvc code, and the charges are easily reversed after the fact.

Many order forms , membership applications , etc ask you to fax over your cc number , address ,Ccv etc

We're fortunate our creditors eat the fraud risk for us. Or at least pass it off on customers who carry a balance.

Don't worry... your info is probably inadvertently released every single day without your knowledge. Someone trying to steal it from the mortgage processing department of a Federally-chartered bank is not very likely.

Use encrypted email! I can relate as I am 90% down a refi, just waiting to close this Friday. But I don't have the worry since both my broker and I used gmail which is https and SSL encryption standard. So I know these files are near impossible to crack even if intercepted.

zip or rar the files and lock them with a long 20+ alpha numeric code + odd character password before you email them. Call the broker, leave a message (he'll never pickup when you cold-call him), and leave a message saying you have to give him a password to get to the files. When he does call you back, give him the password over the phone. The probability of someone intercepting YOUR emails AND YOUR phone calls is near 0%. The broker might be irritated, but who cares; if security is a concern, then the hurt feelings of the lender are least of your concern - in fact you should probably giggle if he states it's an inconvenience to him you should probably tell him that he should "get with the times."

This is how I did my last refinance to a T. When the mortgage broker got my documents he said something along the lines of "durr I dont even know how to make a zip file..." I just laughed it off and told him to relax. In my experience, it's not uncommon for people in the lending business to get sensitive with you, act like you're causing a major headache with getting this loan etc.

I will stress that long passwords, multiple cases, numbers, characters, absolutely nothing dictionary related are the best passwords. The capability of GPU's (gaming graphics video cards) to brute force password combinations is extremely high. As the complexity of the password increases, the time to crack it becomes exponentially greater.


The next level up for encryption is PGP encryption. This starts to get complicated, 99% of the population wont want to deal with this.

I had a mortgage company send my mortgage refinance packet Federal Express to my rental property address instead of my mailing address. Included return of all my tax info, pay stubs, etc. I use a property manager for my rental properties and one of the major reasons I pay for the property manager is so I remain anonymous to my tenants.
Tenant signed for the Fed Ex package, but said he lost it and had no clue where it was..."may have thrown it away"
I was FURIOUS with the mortgage company.
After much research I found out there was absolutely nothing I could do as I suffered no damages. Some states have laws on protecting consumer information (MA is one that does). Most states don't have any laws regarding protection of information - however, many companies have started encrypting certain info such as social security numbers.

I'm going through this now with Wells Fargo. They accept documents electronically via email, however I explained my security concerns to them and asked them to provide a secure method of electronic communication. Their answer was a secure WF email portal that kept my documents from sitting in my free inbox. The process is a little cumbersome, but it does appear to be an extra layer.

nanotube said:   Use encrypted email! I can relate as I am 90% down a refi, just waiting to close this Friday. But I don't have the worry since both my broker and I used gmail which is https and SSL encryption standard. So I know these files are near impossible to crack even if intercepted.

Yep that is all well and good until the gmail admin account gets hacked and they get access to everything in the company's gmail. The only time you are going to be in serious danger not using encryption is if you are at a computer security conference. Any other times the odds of someone going through that amount of effort to intercept things when there are far easier ways to get that same info on a much larger group of people is miniscule.

That said as others have said worrying about this stuff is pointless. Just make sure to be pro-active about monitoring your credit report etc. I would assume that someone somewhere has already stolen your info.

lorymills1 said:   I had a mortgage company send my mortgage refinance packet Federal Express to my rental property address instead of my mailing address. Why would you send it to your rental if you knew it was occupied by a tenant? You wouldn't be able to go into their mailbox, but FedEx might be different.

There are 3 general "secure" methods of transport: Mail, Encrypted Email, and Fax.
Zip your files encrypted with a password then send a regular email and be done with it.
I've had issues with some from that, but that is the easiest and usually has the best results. I've had some retrieve it from my box.com site. SFTP would be another good method.

On the same note, PDF passwords are NOT secure. I can crack a pdf password of any strength within 2 minutes.

Regardless, I don't feel it's that big of a deal. As many have mentioned, your personal information is out there in public domain already -- up until a few years ago most county courthouses filed documents with SS#'s attached. Many still haven't redacted that information from their archived documents.

Fixed:

UAIron said:   I will stress that long passwords, multiple cases, numbers, characters, absolutely nothing dictionary related are the best passwords. As the complexity of the password increases, the likelihood of me forgetting it becomes exponentially greater.Seriously, the more complex passwords become, the more likely you are to find them written down on little notes all over my desk.

TravelerMSY said:   Most of the info the OP is worried about is easily already in the public domain.

I'm not a tax exempt organization, so my tax returns are definitely NOT in the public domain. Neither are my brokerage and savings account numbers and balances, pay stubs, and credit reports. Would you feel comfortable posting the same to fatwallet? Unencrypted email offers the same protection.

rufflesinc said:   lorymills1 said:   I had a mortgage company send my mortgage refinance packet Federal Express to my rental property address instead of my mailing address. Why would you send it to your rental if you knew it was occupied by a tenant? You wouldn't be able to go into their mailbox, but FedEx might be different.

I didn't ask for it to be sent there. They used the property address instead of my mailing address. That's why I wanted to hold them liable for the leak of information.

Crazytree said:   Don't worry... your info is probably inadvertently released every single day without your knowledge. Someone trying to steal it from the mortgage processing department of a Federally-chartered bank is not very likely.

I'm not worried about the processing department of a federally chartered bank, that's not what I was referring to. I'm concerned that the same bank that employs Extended Validation certificates and TLS on its website, might then allow sensitive information to be emailed through the Internet unencrypted or do business with mortgage originators that do the same.

Anything sent in the clear on the Internet has the same privacy as a postcard. Fortunately there are a lot of secure options, but they only work if they are used and used properly.

nanotube said:   Use encrypted email! I can relate as I am 90% down a refi, just waiting to close this Friday. But I don't have the worry since both my broker and I used gmail which is https and SSL encryption standard. So I know these files are near impossible to crack even if intercepted.

Gmail (and a lot of competing services) uses https for user access, but this only protects the final link between you and gmail. It doesn't protect the message and documents as they flow across the Internet or are stored on any other server along the way.

RealEstateMatt said:   Your ssn is about as secure as your cell phone number. The first 5 digits can be figured out based on the year and location of your birth <snip>

It is not location of birth but where SSN was issued

invisible said:   RealEstateMatt said:   Your ssn is about as secure as your cell phone number. The first 5 digits can be figured out based on the year and location of your birth <snip>

It is not location of birth but where SSN was issued

For many/most people, this is the same.

Some lenders (Box Home Loans for sure) accept documents via a https web portal.

Like the other posters said, this goes on every single day. Are you single handledly going to change the mortgage business?

Do you want your mortgage to be easy or hard?

stanolshefski said:   invisible said:   RealEstateMatt said:   Your ssn is about as secure as your cell phone number. The first 5 digits can be figured out based on the year and location of your birth <snip>

It is not location of birth but where SSN was issued

For many/most people, this is the same.


For some perhaps, but many are not. I wouldn't rely on this for accuracy either. Even the President's SSN is coded to Connecticut, a state where he never lived. The Social Security office says that the numbers match the state where the original SSN card was mailed, not where the application was made from.

dcwilbur said:   Fixed:

UAIron said:   I will stress that long passwords, multiple cases, numbers, characters, absolutely nothing dictionary related are the best passwords. As the complexity of the password increases, the likelihood of me forgetting it becomes exponentially greater.Seriously, the more complex passwords become, the more likely you are to find them written down on little notes all over my desk.


I use a password manager for everything that requires a password. I have the password manager auto-generate random passwords then add additional characters. There's very few passwords for any of my accounts that I actually know off the top of my head.

Store the password manager files in a google drive or dropbox folder for access at home, work and smart phone.

some good articles
http://arstechnica.com/security/2012/08/passwords-under-assault/
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-ev...

UAIron said:   Store the password manager files in a google drive or dropbox folder for access at home, work and smart phone.I hear ya, but saying is easier than doing. Also worth pointing out that many corporate networks - mine included - restrict access to google docs and similar resources. I can't even pull attachments from my gmail messages when at the office.

I've had the same issues and complained. It drove me crazy to know your broker holds all this information electronically without any real security methods in place. It seems most dentist/doctor offices would be a treasure trove for identity thieves as well. While they don't ask for SSNs anymore, some still have your records from years past.

I think this creates an opportunity for a startup business where it would be the intermediary for secure document exchange. Obviously, it would not protect the documents once it leaves their systems, but there has to be a better process for this. We guard our info securely and one loose endpoint is all it takes.

Yes, and when I tried to send an encrypted zip file, the rep told me that their security software automatically removes all zip files from attachments.

The level of ignorance with these banks / brokers is astounding, what people may not realize is any transmission over the internet that is not encrypted can be intercepted and viewed. I'd be surprised if they operated like that with their own documents. Maybe some laws already apply to transmission of sensitive personal information?

PhaseBlue said:   Yes, and when I tried to send an encrypted zip file, the rep told me that their security software automatically removes all zip files from attachments.

The level of ignorance with these banks / brokers is astounding, what people may not realize is any transmission over the internet that is not encrypted can be intercepted and viewed. I'd be surprised if they operated like that with their own documents. Maybe some laws already apply to transmission of sensitive personal information?


And it's not just mortgage brokers, I've found that many attorneys are just as bad too. They like to stamp legally privileged on everything, then email documents (including very sensitive documents) around on the Internet. I worked out a system where I encrypt my documents with a PDF passwords, but it's hard to convince others to encrypt sensitive information.

For some reason, a lot of people think that email is secure, when you have absolutely no control over who reads it and where it goes.

Also, if someone attacks a secure server password, hopefully the server will shut them down (or significantly slow down attempts) after so many tries. But with an encrypted document in somebody's hands, they have unlimited attempts to get past the password and are only limited to the computing power they wish to use.

Yes attorneys do the same
So do accountants
So do mortgage professionals
So do life insurance professionals (ever see how much personal info is in a life insurance application ? More than your mortgage app!)

As I said you aren't going to change these industries so just forget about trying to encrypt this info - it was never private and ssn was publicly used up till a few years ago as your account number for insurance and other things

In one of my recent mortgage dealings I had a broker that had e-sign and encrypted email but that is not the norm. I have had big bank mortgage professionals, CPAs, attorneys that even when you send them encrypted email or password protected files they don't know what to do with them or don't want to be bothered with the inconvenience.

NEDeals said:
And it's not just mortgage brokers, I've found that many attorneys are just as bad too. They like to stamp legally privileged on everything, then email documents (including very sensitive documents) around on the Internet. I worked out a system where I encrypt my documents with a PDF passwords, but it's hard to convince others to encrypt sensitive information.


SUCKISSTAPLES said:   Yes attorneys do the same
So do accountants
So do mortgage professionals
So do life insurance professionals (ever see how much personal info is in a life insurance application ? More than your mortgage app!)

As I said you aren't going to change these industries so just forget about trying to encrypt this info - it was never private and ssn was publicly used up till a few years ago as your account number for insurance and other things


You are stating the attorney-client documents are not private and do not deserve protection from sending through the Internet in the clear? Interesting.

When I asked one of my attorneys about this, he had no clue at all that information sent via email can be easily intercepted and recorded without any effort at all. After a quick demonstration, he now encrypts all of his privileged documents and thanked me for the heads up.

Life insurance professionals may be subject to HIPAA, depending on the information. And yes, they have been good about protecting it, in my experience.

As far as ssn goes, what it was used for in the past is less relevant in today's environment.

On the other hand, I've never had any accountants try to send any sensitive documents without protecting them through encryption.

So while I can't "change an industry," I can certainly be vigilant about my own data and give a heads up to my own partners, such as my attorney who changed to encrypting sensitive documents.

Skipping 44 Messages...
The discussion in this thread is interesting. Recent article in PC World that discusses sending private information over the internet: here

I don't have the technological expertise to weigh the likely risks of not sending vs. sending, but it sounds as if it may be like roulette.



Disclaimer: By providing links to other sites, FatWallet.com does not guarantee, approve or endorse the information or products available at these sites, nor does a link indicate any association with or endorsement by the linked site to FatWallet.com.

Thanks for visiting FatWallet.com. Join for free to remove this ad.

TRUSTe online privacy certification

While FatWallet makes every effort to post correct information, offers are subject to change without notice.
Some exclusions may apply based upon merchant policies.
© 1999-2014