Mask first 6 digits with javascript when writing to a list

Question

I have a search form that when the user searches by name, it returns account numbers, full name and SSN. I am using Ajax to POST the form and handle the data return. In the Ajax post, it builds a list and the list is written to the screen in a div . Is there a way to mask the first 6 digits of the SSN when the list is being written?

Here is the POST:

//Submit form
$(function submit() {
    $('form').submit(function (e) {
        e.preventDefault();
        $.ajax({
            url: 'Home/TAPost',
            data: $('form').serialize(),
            dataType: "json",
            type: 'POST',
            success: function (data) {
                var options = data;
                $each(options, function (index, option) {
                    $("#resultsList").append('<li>' + response[option] + '</li>');
                });
               }
        });
        return false;
    });
});

DIV being written to:

<section id="searchResults">
    <h2>Search Results</h2>
    <ul id="resultsList"></ul>
</section>

Answer 1

When dealing with Social Security Numbers you need to be careful. Sending this data to the browser leaves it vulnerable. Even if we're using HTTPS, and have browser caching disabled, most browsers include a network window that lets me see the traffic coming to my browser. As a result, I could see the result of your AJAX call and all of the unmasked SSNs. In IE, for example, I press F12, and go to the Network tab and boom, an identity thief's dream!

You should mask the data as close to the point of origin as possible. Meaning, if all I need is the last 4, why even send the full SSN from the DB to my web server? That means it's stored in my web-server unmasked. Someone examining the memory of the web server could see it. What you should do is only send the last 4 from the DB or whatever the point of origin is. That way you expose the data to the least amount of exposure possible.

In the past I've stored the SSN and the Masked SSN in separate fields. That way it's not up to the person writing the stored procedure to mask it. They should just select the masked field. You could even create a view called "view_UserDataMasked" and give your IIS/web-server username access to this view, but not access to the "table_UserData" which would have the full SSN. That would help prevent the potential of a SQL injection from ever revealing SSNs too.

Also, I hope it goes without saying, the SSNs should be stored in the DB encrypted along with encrypted DB backups. When you're dealing with protected personal information you need to be careful. A hack could cost you/your company millions of dollars in damages.