
I am designing a web site that contains external suppliers to register and keep


Question

I am designing a web site that contains external suppliers to register and keep their information with the company up to date. We already have a db with EIN, SSN numbers and their addresses.

One of the enhancements users wanted is to display a list of addresses when a known EIN/SSN is entered during registration.

This avoids creating a duplicate address in the back end for the same address. It also gives them a more fluid registration process. The architect is objecting to this on the grounds of security.

I can implement a lock feature: if you enter more than 3 unsuccessful attempts at guessing the EIN/SSN, your account is locked for an hour/day.

Is this good enough? Are there any alternative ways you can think of without letting somebody try SSNs and display addresses? Are there any established standards?

Explanation / Answer

Address information is at least mostly in the phone book. There are plenty of other sources, such as local property tax records; I can find my own address with a name search of my county's online property tax database. I'd assert that address information is not "sensitive" in the way an SSN or credit card number is sensitive.

You might be able to appease the system architect and make life easier for users if you ask for EIN/SSN and ZIP code. That would let you display only appropriate addresses and require that a user know a part of the address to see the rest of it.
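The EIN/SSN plus ZIP check suggested above, combined with the lockout from the question, as an added Python example that is not part of the original answer. The names `SUPPLIERS`, `lookup_addresses` and `Locked`, the in-memory counters and the sample records are assumptions made for illustration; returning the same empty result for an unknown ID and a wrong ZIP is a design choice of this example.

```python
import time

# Hypothetical names throughout; constructed sample data:
# tax ID (digits only) -> addresses on file.
SUPPLIERS = {
    "123456789": [
        {"street": "10 Main St", "city": "Springfield", "zip": "62701"},
        {"street": "4 Dock Rd", "city": "Peoria", "zip": "61602"},
    ],
}

MAX_FAILURES = 3      # the question's threshold: more than 3 misses locks
LOCK_SECONDS = 3600   # one hour, as proposed in the question

_failures = {}        # account -> consecutive failed lookups
_locked_until = {}    # account -> time (seconds) at which the lock expires


class Locked(Exception):
    """Raised while the registering account is locked out."""


def _digits(value):
    return "".join(ch for ch in value if ch.isdigit())


def lookup_addresses(account, tax_id, zip_code, now=None):
    """Return addresses only when tax ID and ZIP both match a record."""
    now = time.time() if now is None else now
    if _locked_until.get(account, 0) > now:
        raise Locked(account)

    zip5 = _digits(zip_code)[:5]
    matches = [a for a in SUPPLIERS.get(_digits(tax_id), [])
               if len(zip5) == 5 and a["zip"] == zip5]
    if matches:
        _failures.pop(account, None)
        return matches

    # Unknown ID and wrong ZIP look identical to the caller, so the
    # response never confirms that a given EIN/SSN is on file.
    _failures[account] = _failures.get(account, 0) + 1
    if _failures[account] > MAX_FAILURES:
        _locked_until[account] = now + LOCK_SECONDS
        _failures.pop(account, None)
    return []
```

Only addresses in the supplied ZIP code are returned, so a supplier with several sites sees just the ones they already know part of.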