1

I am working on a platform that does temp labor and we are needing to run background checks. That means collecting scary data like SSNs, Names, Addresses, Dates Of Birth, and sending them to the background check service that we are using. They require all API calls to include basic credentials. (A username and password)

I can basically see two options:

  1. Make the call to the background check API from the browser...but that puts those API credentials IN the browser....not good at all. Somebody could go through our completed background checks. Lots of sensitive info there! (This is fairly unlikely...but possible nonetheless)

  2. Send the information to my server, which will pass it on to the background check API....but that means a SSN is on my server for a brief amount of time. (Barring any logging that I'd need to unhook)

I am leaning towards the latter, especially since I've been told a mobile app will be in the future. That begs the main question: What is the correct way to treat a SSN that is simply passing through a server on its way somewhere else?

Mizmor
  • 153
  • 4
  • I'm guessing the answer is yes but, just for completeness, are you also sending other PII with the SSN that can link the SSN to a specific person (directly or indirectly)? – DarkMatter Mar 05 '19 at 15:54
  • @AnthonyT How would that solve the OP question? He'd still have to deal with the fact that a system of his will receive the sensitive information PLUS he'll have to implement and secure two separate systems and two sets of credentials. Doesn't looks like an improvement to me – Stephane Mar 05 '19 at 16:07
  • @DarkMatter Yes, it includes address, DOB, full legal name, everything needed for a background check – Mizmor Mar 05 '19 at 16:18
  • `(This is fairly unlikely...but possible nonetheless)` - I guarantee that, if you expose an API key of any sort that allows anything more than a submit, it will be abused within an hour of publishing. Unless the background check service itself provides a "submit for this company" endpoint (a bunch of credit card input APIs work _exactly_ this way, for exactly the same reason), you have to handle it yourself. – Clockwork-Muse Mar 06 '19 at 00:52

0 Answers0