Internet Safety: do NOT use an online resume generator

There may be some innocent online resume generators out there, but tread carefully. I recently had a look at resume.io for an acquaintance, and there is a security issue to address. Do NOT use resume.io, and if you have used it, please consider one remedial step (below).

Personal Info

resume.io wants you to do the following:

  • create an account
  • provide a photograph
  • provide your birthdate

Those last two items should raise a red flag because in the U.S., at least, no resume should contain your photograph or birthdate. This is common knowledge, I think, and if you know it, you can skip the rest of this paragraph. If you don’t know it, let me assure you by saying that I have served multiple times on hiring committees and also performed the entire hiring process from start to finish while employed at an SMB. No one has ever included these data on a resume that I have received. I have been to multiple resume-building workshops in the last 20 years, and no one has ever suggested that these be included; in fact, some presenters have indicated that you must not include them. It is inappropriate to bias the employer, positively or negatively, based on your appearance or age.

So why would resume.io ask you to put these data on your resume? Because to generate the PDF of your resume, you submit these data to their server, and then they can do what they want with them, including selling them.

Dangers

Let’s look at the dangers of each of the items mentioned above, starting with account creation. This might not be a problem for you, but many people re-use passwords when signing up for services, so the owner of any site where you have created an account can run a bot that tries to log in automatically to many high-value web sites using the password (and email) that you just provided. Most sites are not malicious, but a site that also unnecessarily asks for personal information such as a birthdate and photo is suspicious. Whatever the case, take this security lesson to heart: do not re-use passwords; each website gets its own unique password.

The security problems are compounded when we add your birthdate to the situation: a birthdate is used by some institutions to confirm your identity. A pharmacy, for example, will often require you to give your birthday, so a hypothetical attacker might reach out to your pharmacy and ask for the status of your prescriptions. Knowing what drugs a person is taking may be of use for malicious acts, such as blackmail in cases where a parent or spouse is unaware of a prescription you are on. That example may seem far afield of your own scenario, but be aware that the information you provide today may not come back to cause harm until many years into the future. It is easy for malicious actors to hold onto data for a long time, during which time your data may be sold to any number of other actors.

How about a photograph? It’s unlikely that someone will use it to identify you in real life and then build a relationship of trust which can be exploited, but that doesn’t mean it is safe to share. Photographs can be and have been used to create false social media accounts. I have heard one example of such a false account being insinuated into a person’s actual circle of acquaintances. Even if such an account does not harm you directly, it may be used to harm others, and the blame then appears to point back to you because all of the identifying details are accurate (name, birthdate, location, or whatever can be inferred from the resume you built).

resume.io also asks you to provide an address, which is another thing that does not belong on a resume. The website owner may have no personal use for this information, but malicious actors who purchase personal data for your city in bulk may now know what you look like, where you live, your birthdate, and your name.

Remedy

There is only one remedial step: if the password you used to create your account is one that you have used for other accounts, visit those other accounts and change their passwords.

There is no way to undo the act of sharing information, but you can learn a lesson from this experience:

  1. Don’t re-use passwords. Each online account gets its own unique password.
  2. It can become impossible to manage so many passwords. You may want to use an online or offline password manager. I do. If shopping for a password manager, consider the trust that you place in the provider. It does no good to use a product that may deliver your passwords in plaintext (not ciphertext) to the vendor.
  3. Don’t supply a birthdate, photos, or other personally identifying information online unless the recipient has a good reason to receive that information. Does a resume-building site need to know your birthdate?
  4. Whenever possible, supply a fake birthdate. (It’s okay if your Facebook friends send birthday wishes on the wrong date just because Facebook now thinks you were born in the spring instead of the fall. Say “thanks” regardless.) Even if you are prepared to supply a fake birthdate, think twice about proceeding with any website that asks you for a birthdate.

As a final piece of advice, do not use an online resume generator. Use a word processor, and export your resume as a PDF from the word processor itself.
