In my app I will need to collect the social security number of the user during registration, sort of like Uber. This is strictly as a security measure. I understand that simply keeping the user's social security number as a child of a Firebase database is in no way legal as I would have access to it at all times. Is there a way to implement a secure way of storing social security numbers for my app? Is there a way one could outsource the storage but import a package that has the social security number form? I seem to be getting a lot of questions about why I would need this information. Essentially it would be to run a background check on the user if needed.
4
-
How is collecting the social security number a "security measure"? – arcy Jan 30 '20 at 21:42
-
@arcy user verification, I would imagine – zbee Jan 30 '20 at 21:43
-
I do not understand how that's any more 'user verification' than a password, and it exposes the user to identity theft. And using last 4 doesn't help, the first 5 are easily guessed for Social Security numbers handed out before something like 2013. I'm very skeptical of someone that says they "need" to collect a Social Security number, I've refused to use some services that require it, don't any of these people worry about making identity theft easier? I still want to know how this is a "security measure". – arcy Jan 30 '20 at 22:50
-
@arcy It is important to collect this information as the people who will be using my app are those who need to have a clean record in which I would need to check – Stradtdog Jan 31 '20 at 02:10
-
Oh, so you're going to need the entire SSN, and you're going to be passing it on to other people. Great. Someday someone's going to realize that using Social Security numbers for this purpose always was and continues to be a REALLY bad idea. – arcy Jan 31 '20 at 03:45
-
Think about employers who require SSNs for background checks, they often collect them on paper - what do they do with the paper records after they do a background check? What are they supposed to do with the paper records after doing a background check? Digital isn’t all that different than physical, destroy the number as soon as possible and always make sure it’s collected over HTTPS. – Adam Jenkins Feb 01 '20 at 18:10
-
If your question has been answered then accepting an answer with the check mark can help others find an answer as well as helping to direct community effort. If your question has not been answered then please add a comment requesting more information and update your question to request more specific or different information. – zbee Feb 21 '20 at 22:05
2 Answers
1
You may consider other answers on the network.
However, you may also look into whether you need to store the SSN. If you only need the Social Security Number as a "safety measure," then you could feasibly verify the user and leave it at that - not burdening yourself with having to securely store SSNs; you are responsible for keeping that secure.

zbee
-1
Or you save the last 4 numbers, or if you really need to save it completely, then encrypt it and save it. It's the same as, for example, if you are using a bank account: you encrypt it and save it.

José A Pérez
-
Even the last 4 should be encrypted, but in practice probably rarely are. The last 4 is a common security question and if they are compromised it could put your user's other services at risk. – SephB Jan 30 '20 at 21:38
-
Storing just the last 4 in no way makes it acceptable to leave it in plain text; just the last 4 numbers of an SSN is all you'd need to conduct high levels of identity theft. SSNs in any length should be fully encrypted. – zbee Jan 30 '20 at 21:39
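
The "encrypt it and save it" step discussed in the answer and comments above, sketched as an added example that is not code from any of the posters: field-level AES-256-GCM encryption of the SSN before it is written to the database. Assumptions: the code runs server-side on Node.js rather than in the client app, the 32-byte key comes from a secrets manager outside the database, and the function names, record layout and sample values are hypothetical.

```javascript
// Added example (not from the original posts): encrypt an SSN field before storage.
const crypto = require('node:crypto');

// Accepts 123-45-6789 or 123456789; anything else is rejected before encryption.
const SSN_PATTERN = /^\d{3}-?\d{2}-?\d{4}$/;

// Encrypts with AES-256-GCM. The user ID is bound in as additional authenticated
// data (AAD), so a ciphertext copied onto another user's record will not decrypt.
function encryptSsn(ssn, userId, key) {
  if (!SSN_PATTERN.test(ssn)) throw new Error('malformed SSN');
  const iv = crypto.randomBytes(12); // fresh random nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userId, 'utf8'));
  const digits = ssn.replace(/-/g, '');
  const ct = Buffer.concat([cipher.update(digits, 'utf8'), cipher.final()]);
  // Only this record goes to the database; the key is never stored next to it.
  return {
    v: 1, // key/format version, so keys can be rotated later
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Decrypts a stored record. Throws if the key, the user ID or any stored byte
// differs from what was used at encryption time (GCM authentication failure).
function decryptSsn(record, userId, key) {
  const iv = Buffer.from(record.iv, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(userId, 'utf8'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  const pt = Buffer.concat([
    decipher.update(Buffer.from(record.ct, 'base64')),
    decipher.final(),
  ]);
  return pt.toString('utf8');
}

// Constructed sample values: a throwaway key and a never-issued SSN (area 000).
const demoKey = crypto.randomBytes(32);
const demoRecord = encryptSsn('000-12-3456', 'user-1', demoKey);
console.log(Object.keys(demoRecord).join(','), decryptSsn(demoRecord, 'user-1', demoKey));
```

If the number is only needed for a one-time background check, the same record can be deleted as soon as the check returns, which matches the "destroy the number as soon as possible" advice in the comments.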