I was just paying my mortgage online, at the website of my note-holder. Their online-payment system is set up so that once you log in, you are presented with an on-screen facsimile of a check, where you fill in the amount, routing number, and account number of the paying bank. Below that is a field for the last four digits of your SSN and an e-mail address to send a confirmation notice to.

Well, I actually fat-fingered my SSN today, and the page immediately popped up an alert that I had entered my SSN wrong. It seemed that there had been no round-trip to the server to check that, so I checked the page's source code. Sure enough, I saw this:

    // Client-side check of the "last four of SSN" field. The values being
    // compared against are literals in the page itself, i.e. the secret is
    // shipped to the browser along with the form that asks for it.
    function validateSSN1()
    {
        if (document.Form1.txtssn.value != "the actual last four digits of my SSN here" &&
            document.Form1.txtssn.value != "the actual last four digits of Gwen's SSN here")
        {
            // Clear the field, put the cursor back in it, and tell the user.
            document.Form1.txtssn.value = "";
            document.Form1.txtssn.focus();
            alert("Your entry did not match our records. Please enter the last four digits of your social security number.");
            return false;
        }
        else
        {
            return true;
        }
    }

Embedded right there in the page asking me for the information is the very information it is asking me for. That's just a bad security practice in general, but it's especially bad considering the information in question. Now, admittedly, nobody should be able to get access to my account in the first place, but if they do, the damage they can do should be limited to that website. But the last four digits of the SSN are so widely used as a shorthand identifier these days that the potential for mischief is much more widespread.

I have notified the bank, and will not mention their name just yet.