
Schneier Asks Why We Accept Fax Signatures

timothy posted more than 6 years ago | from the emperor's-new-clothes dept.

Security 531

Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.


Older generation (5, Insightful)

FriendlyLurker (50431) | more than 6 years ago | (#23637235)

That's the older generation for you... once you young-uns who grew up with email get promoted to PHB status, you too can adopt your favourite technology of your day to deliver signatures...

Re:Older generation (1)

Kjuib (584451) | more than 6 years ago | (#23637271)

My cat can fax a WHOLE watermelon...

Re:Older generation (1)

snl2587 (1177409) | more than 6 years ago | (#23637279)

...and employ hundreds of people as couriers.

It's an "older" technology (3, Insightful)

Reality Master 201 (578873) | more than 6 years ago | (#23637245)

The acceptance of fax signatures has to do only with the fact that fax machines have been around for a long time, and people think they understand how they work. It just seems safer.

Sadly, the same people who make decisions based on the comfort provided by the familiarity of a technology are those who make policy at companies.

Re:It's an "older" technology (2, Insightful)

lord_rob the only on (859100) | more than 6 years ago | (#23637317)

Yes that's exactly why we have to use IE and MS Office on our desks in my company (well I know someone in the system department who installed Firefox but still).

Re:It's an "older" technology (1)

dotancohen (1015143) | more than 6 years ago | (#23637511)

Yes that's exactly why we have to use IE and MS Office on our desks in my company (well I know someone in the system department who installed Firefox but still).
You can still install Portable Firefox on those machines. I do it all the time on the locked-down university machines.

Re:It's an "older" technology (2, Informative)

morgan_greywolf (835522) | more than 6 years ago | (#23637451)

Older? Really?

The modern fax machine was introduced in the mid-1970s. E-mail was introduced with CTSS in 1965 and Internet e-mail, with the introduction of the now-ubiquitous '@' sign by Ray Tomlinson, in 1971.

The fact that ignorant people from the older generations think that "email" is "new" isn't my problem, it's theirs.

FWIW, I used e-mail well before I ever, ever used a fax machine. And I'm 35.

Re:It's an "older" technology (4, Informative)

Jhon (241832) | more than 6 years ago | (#23637771)

TECHNICALLY, the "fax machine" was invented in the 19th century. It became WIDELY used in the 1970s. While the first EMAIL may have been keyed in 1965, it could HARDLY have been considered to have been in WIDE use.

So, YES, the fax machine is OLDER. Much older.

Re:It's an "older" technology (4, Interesting)

CastrTroy (595695) | more than 6 years ago | (#23637843)

I'm a young guy, but my professors told me stories of how they would have to actually look at a network map and route the emails themselves if there wasn't a direct link between the two endpoints. So yes, while email has existed since the '60s, it didn't come into wide use until the '90s.

telephone number (4, Informative)

goombah99 (560566) | more than 6 years ago | (#23637581)

Faxes come with a telephone number of the sender as well, and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationery.

People are comfortable with that because they understand what is involved in doing that. With e-mail and digital docs it's harder for an untrained person to evaluate the threat. Also with digital docs it's harder later to raise questions about the authenticity. With the fax, one can later check for example fax logs on the sending machines and other trails of evidence.

In both cases forgeries are possible but in the case of faxes most humans are able to evaluate the threat.

Re:telephone number (5, Insightful)

MoonBuggy (611105) | more than 6 years ago | (#23637723)

But most people don't have a fax machine, so almost any forms that have to be faxed from customer to business will just have the number of the nearest copy shop with a fax service. If you're faxing a form that you've filled in then the "stationery" is already covered.

The only thing left is the signature, and the security of that is no different whether it's email, fax or a photocopy delivered by carrier pigeon.

Re:telephone number (4, Informative)

Loether (769074) | more than 6 years ago | (#23637733)

Faxes come with a telephone number of the sender as well, and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationery.
"Forging" a telephone number on a fax machine just requires changing a setting on the sending machine. It's in the fax manual.

Re:telephone number (1)

omeomi (675045) | more than 6 years ago | (#23637751)

They may come with the phone number of the sender, but that phone number could easily be the public fax machine at the local copy shop, or the fax number of some free Internet fax service. The phone number is no security.

Re:It's an "older" technology (4, Interesting)

vertinox (846076) | more than 6 years ago | (#23637617)

Back in the early '90s there was a particular mail order company that required a copy of your driver's license as proof that purchasers were 18 or older *coughs*

It wasn't that hard to xerox 2 copies of your driver's license and then cut out the numbers with scissors on one and then tape them on the other and then xerox a 3rd copy and you really couldn't tell the difference. *coughs* Not that I knew anything about it.

So back then, even with fax machines, it's simply not that hard to find a document with someone's signature, cut it out and then tape it and then xerox it and then fax the xerox and no one would be the wiser.

These days it's simply a cut and paste in Photoshop and then printing to a fax printer if you happen to have one.

Re:It's an "older" technology (5, Interesting)

Maserati (8679) | more than 6 years ago | (#23637673)

Under US law, which I'm not citing first thing in the morning, a fax is a "legal facsimile" of the original. Under law, if you have a faxed copy of something you may as well have an original. Email doesn't have that legal status, so a scanned and emailed original won't cut it.

Re:It's an "older" technology (4, Insightful)

MoonBuggy (611105) | more than 6 years ago | (#23637807)

That's interesting, but all it really means is that the law is inconsistent and needs to be fixed.

Not just this (3, Insightful)

bsharitt (580506) | more than 6 years ago | (#23637257)

Not just for signatures, but it really annoys me when a company will only accept faxes instead of scanned emails for any number of documents. Luckily the situation has been improving in recent years.

Re:Not just this (1)

skiingyac (262641) | more than 6 years ago | (#23637423)

I just want to add that a lot of companies will accept a scanned PDF via email instead if you just ask, even if they initially say to fax it. I would bet that they just say to fax it because that is easier than to explain to some non-technical person what scanning is.

I've had many people happily provide me with their own email address to do this. Actually, I can't ever remember being turned down when I've asked to do this.

Re:Not just this (0)

Anonymous Coward | more than 6 years ago | (#23637823)

I use eFax (the service) as my fax number anyway, so faxes get delivered as scanned PDFs via email regardless.

But more to the point of TFA, we accept faxed/scanned signatures for documents because there's an inherent level of trust involved during the transaction. I'm not asking for a signature as proof that the person is who they say they are (authentication). Signatures serve as the written notice that the person is accepting (authorizing) whatever is in the document.

Presumably I do some basic work up front to establish that trust relationship, and if there is any question, then "executed" copies get mailed out for signature. If someone is forging signatures at that point, then we have a court system to deal with that.

In the end we all accept the inherent "insecurity" as a matter of convenience so we can get on with the actual business that the signature initiates.

Re:Not just this (1)

SoundGuyNoise (864550) | more than 6 years ago | (#23637505)

We'll accept a scanned PDF instead of a fax if it's easier for the sender, but then we have to print it and send it to our document control center for scanning and storage anyway. We just put the printout right on top of the incoming faxes.

Re:Not just this (1)

barzok (26681) | more than 6 years ago | (#23637825)

My employer happily accepted scanned & emailed copies of the paperwork to add my son to my health insurance when he was born almost 2 years ago.

... sigh (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23637277)

Boring. Please move along.

Paper in, paper out. (1)

deniable (76198) | more than 6 years ago | (#23637293)

I've seen this before. People will accept a fax as 'in writing' because someone puts a piece of paper in one machine and gets a piece of paper out of the other end. There's obviously no way anyone could tamper with it on the way. (Sarcasm) People who have different setups (where they see an electronic file rather than a piece of paper) seem to be a bit more wary.

Re:Paper in, paper out. (2, Insightful)

somersault (912633) | more than 6 years ago | (#23637331)

Sounds like there's an untapped market out there for 419 fax-scams!

Re:Paper in, paper out. (0)

Anonymous Coward | more than 6 years ago | (#23637819)

It's certainly not untapped, we get them all the time at the office.

Fax vs PC (1)

Smacky311 (1285822) | more than 6 years ago | (#23637299)

I believe the problem is due to the fact that I, like most people I'm sure, have never heard of this simple exploit. Second, people obviously trust fax machines, perhaps because they're simplistic compared to computers. There's so much magic with email I can see why people don't trust it. It's unfortunate that people don't consider unforeseen physical hacks as serious threats as well.

Actually, I LOVE the CC sig. (2, Interesting)

WindBourne (631190) | more than 6 years ago | (#23637301)

I find it amazing that CC companies want customer sigs on the back of the card. I add CID and SIGN it. About half of the ppl will now check for my ID.

Re:Actually, I LOVE the CC sig. (3, Interesting)

zoward (188110) | more than 6 years ago | (#23637587)

I find it amazing that CC companies want customer sigs on the back of the card. I add CID and SIGN it. About half of the ppl will now check for my ID.
Good idea. I wrote "See License" on the back of my credit card. I'm still amazed by the number of vendors who don't look, so I make sure to thank the ones that do, and chide the ones that don't.

Re:CC Signature Pranks (4, Funny)

vertinox (846076) | more than 6 years ago | (#23637767)

I wrote "See License" on the back of my credit card. I'm still amazed by the number of vendors who don't look, so I make sure to thank the ones that do, and chide the ones that don't.

Actually, Zug.com has an interesting tale of the author trying to see how much he could get away with when he signed credit card purchases. He even did musical notation once. Very funny.

http://www.zug.com/pranks/credit/ [zug.com]
http://www.zug.com/pranks/credit_card/ [zug.com]

Re:Actually, I LOVE the CC sig. (0, Troll)

maxume (22995) | more than 6 years ago | (#23637805)

You should be chiding them all for accepting your invalid credit card.

If you think they should be checking your identification, you should lobby the credit card companies to change the merchant agreement, not force the merchants to look the other way in order to get your business.

Doesn't Make Sense To Start New Trends (5, Insightful)

darkmeridian (119044) | more than 6 years ago | (#23637305)

Businesses have been using faxes for decades. The risk of forgery and other liabilities have pretty much been well-established by law and common knowledge. If a contract requires modifications to be in signed writing, it is a matter of established law that a faxed document counts. Does an e-mail count if the contract doesn't expressly say so? That's just an unnecessary risk at this point. In the future, things may be different but there's no reason to be the first person to settle that uncertainty.

Furthermore, faxes are relatively secure because it is a one-on-one communication. In contrast, e-mails can be intercepted or become widely disseminated. The risks of using e-mail in a business setting (for signatures and the like) have not been tested too thoroughly, either.

Re:Doesn't Make Sense To Start New Trends (1)

edittard (805475) | more than 6 years ago | (#23637349)

I'm guessing that's the answer, right there. Can we close this pointless discussion now?

Re:Doesn't Make Sense To Start New Trends (1)

i.r.id10t (595143) | more than 6 years ago | (#23637447)

But, the equivalent of email headers can be faked in a fax as well. The sending number, sending company name, etc. can all be created on the fly when sending a fax (at least, I do it when I use a bash script to take a print job to a Samba server and turn it into a fax and send it via HylaFAX).

Re:Doesn't Make Sense To Start New Trends (0)

Anonymous Coward | more than 6 years ago | (#23637517)

I think you're imagining the wrong attack vector. It's pretty difficult to tamper with a fax en-route, but imitating someone else in a new message is not. Caller-ID helps here, though, as mentioned in the article, complacent employees might not bother to check the incoming fax number.

Re:Doesn't Make Sense To Start New Trends (1)

darkmeridian (119044) | more than 6 years ago | (#23637679)

The recipient of a fax normally expects it. Most scams don't rely on deceiving the recipient. The real risk is in sending a document to a fake fax number, just like phishing sites.

Dilbert already covered this. (4, Funny)

rdmiller3 (29465) | more than 6 years ago | (#23637307)

Scott Adams already covered this in "Dilbert".

The accounting trolls told Dilbert that they wouldn't accept copies of his expenses... but he could FAX them.

well (1)

keiofh (1223410) | more than 6 years ago | (#23637309)

I'm sure you can forge a signature, but not the number you're sending it from. Surely that can count as another level of security?

Re:well (1, Informative)

Anonymous Coward | more than 6 years ago | (#23637371)

I'm sure you can forge a signature, but not the number you're sending it from. Surely that can count as another level of security?
Um.... the fax number that appears at the top of the page is a simple setting on the fax machine, it's not even callerID. Of course, CID spoofing is trivial too, get a spoof card or a digital line of some sort and you're good to go there.

Re:well (0)

Anonymous Coward | more than 6 years ago | (#23637395)

It is relatively easy to spoof your caller ID information. I wouldn't count that as extra security.

Re:well (0)

Anonymous Coward | more than 6 years ago | (#23637455)

Actually, you can VERY easily forge the number you're sending it from. With my knowledge of VOIP systems I can EASILY make a call that appears to come from any phone number I wish.

I do this for when I want to make calls where my number is blocked...I transmit "666-666-6666"

Re:well (0)

Anonymous Coward | more than 6 years ago | (#23637479)

You can "fax" a document via software from any number you want it to be. Just like caller ID spoofing.

Re:well (0)

Anonymous Coward | more than 6 years ago | (#23637501)

Forging the source # is trivial.

Hell, you can just go anonymous by going to any hotel in the world and faxing it from there.

Re:well (0)

Anonymous Coward | more than 6 years ago | (#23637523)

Forging Caller ID is easier than forging a signature.

People are stupid (1)

Hatta (162192) | more than 6 years ago | (#23637315)

Yeah, people are stupid. What else is new?

Re:People are stupid (1)

Applekid (993327) | more than 6 years ago | (#23637373)

Yeah, people are stupid. What else is new?
Seems to me it's the people accepting the faxed signatures that are stupid. I'm trying to buy a house now and there's maybe half a dozen documents that I or my realtor had to run around getting originals of because a fax/email version just won't do. It's a hassle, but better than someone lifting my signature and all of a sudden making me stuck with truckload after truckload of wild wacky aim-flailing inflatable tube men.

I'd [overgeneralizingly] say if the company you're dealing with is "fine" with a faxed signature when there's a non-trivial amount of money involved, they're probably a crappy company.

Re:People are stupid (1)

Hatta (162192) | more than 6 years ago | (#23637473)

You're right, they're double stupid. They're stupid for accepting fax signatures in the first place, then they're stupid again for not realizing that email and fax are essentially the same from a security POV (i.e. completely insecure).

It's a legal thing (0)

Anonymous Coward | more than 6 years ago | (#23637319)

There's probably a law somewhere which makes copy'n'pasting a signature a heinous crime while email forgers will go free. You didn't expect reason, did you?

Re:It's a legal thing (1)

ari_j (90255) | more than 6 years ago | (#23637345)

There's probably not. =)

Re:It's a legal thing (0)

Anonymous Coward | more than 6 years ago | (#23637541)

I'm only half kidding. In Germany you can cryptographically sign digital documents and give them the same legal weight as paper documents, but only if you use the procedures and methods stipulated by law. Everything else is treated like verbal communication, i.e. is not usable as proof. But faxes, as a form of written communication, are permissible proof. It weirds me out to no end, too, but that's the way it is.

moron why we allow ourselves to be held hostage (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23637321)

we were highly trained to do so? it's more comfortable than facing reality? pretending is all the rage nowadays? the lights are coming up all over now. conspiracy theorists are being vindicated. some might choose a tin umbrella to go with their hats. the fairytail is winding down now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

http://news.google.com/?ncl=1216734813&hl=en&topic=n
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A
http://www.nytimes.com/2008/05/29/world/29amnesty.html?hp
http://www.cnn.com/2008/US/06/02/nasa.global.warming.ap/index.html
http://www.cnn.com/2008/US/weather/06/02/honore.preparedness/index.html
http://www.nytimes.com/2008/06/01/opinion/01dowd.html?em&ex=1212638400&en=744b7cebc86723e5&ei=5087%0A

is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://www.google.com/search?hl=en&q=weather+manipulation&btnG=Search
http://video.google.com/videosearch?hl=en&q=video+cloud+spraying

dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the manual, 'world without end', etc.... as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis. concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order. 'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US. gov. bush denies health care for the little ones;

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html

whilst demanding/extorting billions to paint more targets on the bigger kids;

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html

& pretending that it isn't happening here;

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article3086937.ece
all is not lost/forgotten/forgiven

(yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles. talk about reverse polarity;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece

'Dragnet' policy (1)

Kamineko (851857) | more than 6 years ago | (#23637335)

All we want are the fax, ma'am.

Re:'Dragnet' policy (1)

dotancohen (1015143) | more than 6 years ago | (#23637573)

All we want are the fax, ma'am.
That was in Die Hard 2, as well.

Re:'Dragnet' policy (1)

Clovis42 (1229086) | more than 6 years ago | (#23637737)

Curses! You just ruined my chance to point out that Sgt. Joe Friday never actually said, "Just the facts, ma'am." [snopes.com]

What kind of maniac actually uses the correct phrase from the show when making a Dragnet joke?!?

Oh, and faxed signatures are kinda' dumb.

Animaether Asks Why We Accept Signatures (4, Interesting)

Animaether (411575) | more than 6 years ago | (#23637341)

There, fixed it for you, Bruce.

Between people being quite adept at duplicating another's signature well enough for 'at a glance' acceptance

and

people's signatures changing over time (my bank just informed me that the last signature I gave them deviated too much from the one they had on file since 10 years ago, and so would I please put my signature on their form five times to give them a new basis. Guess what, the five looked alike, sure enough, but they could just as well have been forgery attempts from 5 different people...)

I'd say that signatures in general are relatively unacceptable. Except that they're usually 'good enough' for what we need them for. That's why we accept them in 'analog' writing, faxes and even e-mails. In the few cases where it was indeed forged, it's usually found out pretty easily.
Oh, but wait, Bruce already said as much; not included in the summary, of course. So go RTFA, then come back here to complain about Slashdot's shoddy headline/summary policy... it's too much like an actual newspaper.

Now... where's the discussion of alternatives? One of those one-time 2D barcodes that uniquely identifies -moi- when used with the recipient's public key.. or something.

PGP signed mail is also not enough. (4, Insightful)

Anonymous Coward | more than 6 years ago | (#23637353)

I have been told on a few occasions "PGP signed email" is not sufficient, and that only a fax would be accepted. This even happens if the signature can be verified. Banks seem to do this a lot. I wish that they would catch up with the times.

They do accept scanned signatures (4, Insightful)

TheRaven64 (641858) | more than 6 years ago | (#23637359)

I've signed a load of contracts in the US by having my publisher send me a PDF, which I've returned (by email) having copied and pasted a scanned copy of my signature over it. Interestingly, they would accept this but not a hash of the original PDF signed with a certificate signed by CACert, which had two people verify two pieces of government-issued ID to confirm that I am me.

Credit Card Signatures (3, Informative)

SoundGuyNoise (864550) | more than 6 years ago | (#23637387)

The signature on the credit card or on the sales receipt has been for security purposes. It's there to indicate that you accept the terms and agreements to using the card, and that you agree to pay the credit card company for your purchases.

Re:Credit Card Signatures (1)

SoundGuyNoise (864550) | more than 6 years ago | (#23637549)

The signature on the credit card or on the sales receipt has been for security purposes.

Corrected: The signature on the credit card or on the sales receipt has never been for security purposes.

Signatures aren't about security (4, Informative)

bperkins (12056) | more than 6 years ago | (#23637401)

They are about legal requirements.

Faking a fax signature isn't really that much harder than faking a real one.

Sending a fake signature over a fax isn't that much harder than faking a real one, but is no less criminal.

"Notarized" signatures are supposed to be more secure, though if you can produce a convincing fake ID, they probably aren't.

ho please please please (0)

Anonymous Coward | more than 6 years ago | (#23637419)

In a FAX there is the POTS NUMBER. Which, contrary to an IP NUMBER, will NOT change that often.
Thus it requires at least the sender to be in front of this very fax machine, hooked to this very POTS line, and nefarious activity would be simply tracked to its roots: Someone around this fax machine.

Can be faked. How the practice got started. (1)

Futurepower(R) (558542) | more than 6 years ago | (#23637801)

That telephone number that is supposedly the sender's is just a setting in every fax machine. You can enter anything. It's entirely meaningless as proof of anything.

Allowing the sending of signatures by fax is STUPID, stupid, stupid. It got started when a fax was allowed as an initial application, to be completed when a mailed letter was received. Then work-avoidance schemes took control, and waiting for a letter and opening it and finding the application and continuing the processing was eliminated.

Faxed dox... (1)

snarfies (115214) | more than 6 years ago | (#23637425)

I was a property and casualty insurance adjuster for a few years. The state I dealt with had mandatory PIP, which means if you are injured in a car accident you have primary medical coverage through the auto insurance policy. I was constantly turning away both claimants and medical providers who wanted to fax medical records, notarized forms, etc. It wasn't the claimants who were the problem nearly as much as the medical providers, who would actually get ANGRY when I refused to accept faxed paperwork from them.

One thing I learned from a few years in the insurance industry is that the majority of medical providers, or at least their billing departments, are, at best, a bit shady.

Vaguely related to the topic at hand (4, Insightful)

ledow (319597) | more than 6 years ago | (#23637435)

Vaguely related to the topic at hand are the legal rules surrounding any communication.

It's generally accepted (in UK law, at least, so my source says) that once you reply and / or initiate a conversation over a medium, that that medium is then a valid method of contacting you indefinitely over the course of that action.

So if you email a solicitor, then for that solicitor to send you an email back is perfectly legally acceptable and may even be construed as "delivered" whether or not it arrives. Because *you* selected the method of transit. If your mortgage nearly falls through at the last minute and you need to do something incredibly urgent or lose your house, a solicitor acting on your behalf can just send you an email and they've "done their job". If your servers are down, tough, if you no longer have that email, tough. At least if you read the strict letter of the law.

It may be that this is related - once a person has contacted you by fax, then sending back your confirmation by fax is construed as legally acceptable for "signing" a contract. If you don't like it, then don't communicate with them by fax at all. Ever.

On a personal note, if I weren't able to fax legally-binding forms back to a company, I wouldn't have a house, but I still don't "like" it. My purchase of the house dragged on for six months longer than it should have and the solicitor in charge on my end was a close personal friend, so they were stopping all heel-dragging and pulling out all the stops for us.

However, just as we were approaching the signing date, we had a holiday booked (Hey, we thought a six month cushion on top of a six month estimate for the deal would be long enough!). We arrived in a foreign country for a holiday, and within a day we had a phone call to say that if a particular court didn't receive a signed document on an official form within the next eight hours (time differences etc.) then we wouldn't be able to complete the purchase now, or ever (the house would be sold at auction). We had to find a kind hotel (fortunately, we found a hotel receptionist who had recently had much worse problems selling their house and they let us use the hotel fax machine for free) and receive several forms, sign them and fax them back (and pay a month's mortgage, in cash, within 8 hours but that was easily resolved by phoning relatives near our solicitor's, although we still technically owe them that).

So it worked out well that we were able. I don't think we could have got back in time on the first plane, and there was nothing we or our solicitor could do to negate the need for us to sign the forms and pay in cash (bank transfers etc. wouldn't have cleared in time, believe it or not). However, the fact that anyone could have signed the form just shows that 99% of paperwork is useless and a waste of time, not that fax machines are somehow "evil".

You know, for someone who thinks he's plugged in (3, Insightful)

hassanchop (1261914) | more than 6 years ago | (#23637443)

Bruce Schneier sure is oblivious sometimes.

They're accepted because they're good enough.

What does that mean? It means that if there is a problem later, the fax is sufficient evidence to resolve most problems, either by providing proof of a signature or proof of a forgery. As long as most businesses have some documentation to cover themselves that's generally good enough. Certainly some issues may not fall into this category, but enough do to make faxes acceptable.

Security, for many businesses, isn't about "making sure something bad doesn't ever happen" it's about having what you need to resolve a problem should it arise in the future.

My guess (1)

140Mandak262Jamuna (970587) | more than 6 years ago | (#23637471)

IANAL. The real reason might be that if someone forges a signature, the companies think they will be able to prove premeditation, criminal intent etc.

I still think they are not really off the hook. Faxed signatures and POS scans won't stand up in court to prove anything. Just procedure infested companies taking too long to understand the impact of new technology. So many companies pay for proprietary software to lock out the print screen key and try to prevent screenshots of confidential documents from being leaked. But I have taken readable screenshots using my cell phone camera. What do they do? They pretend such cameras don't exist, and plan to feign surprise when shown a screen shot taken by a cell phone camera. Can't figure their logic out there either.

Even real signatures are not safe (3, Insightful)

Rhaban (987410) | more than 6 years ago | (#23637481)

I could easily forge my parents' signatures when I was 9 (And did it a couple of times). I don't trust a penned signature, why should I trust a faxed one?

For that matter, why paper signatures? (1)

anomalous cohort (704239) | more than 6 years ago | (#23637483)

It is certainly possible to write, in script form, anyone's name and not just your own. Why would a company accept any signed contract where one of their representatives didn't see the other party, to the contract, sign? Sure, handwriting analysis will reveal the forgery but who submits a signed contract to handwriting analysis before executing on their part of the contract? Considering the amount of identity fraud going on where the perpetrator submits a credit card application using your identity and "signs the application" to authorize, you would think that banks would get tired of losing money in this trick.

Lest you digerati start smirking in smug superiority, an X.509 certificate is no better if the bad guys have gotten hold of your private key.

What to do if someone asks you to fax a signature (4, Funny)

Alzheimers (467217) | more than 6 years ago | (#23637487)

Get three pieces of black construction paper and a roll of scotch tape.

Tape them together top to bottom, creating one long sheet. On the bottom, place a piece of tape half over the edge.

Insert the long sheet into the fax machine, and dial the number. As it begins to feed through, quickly affix the top to the bottom sheet, creating a long loop.

Go get a cup of coffee.

Notary Requirements (1)

Tungbo (183321) | more than 6 years ago | (#23637493)

are just as silly. It's pretty trivial to use fake IDs esp. with lazy notaries.

Re:Notary Requirements (1)

EnglishSteve (834757) | more than 6 years ago | (#23637721)

Talking about notaries... We just sold our house in the USA but happened to be in Sweden at the time the paperwork needed to be signed.

Most of the paperwork could be just signed by my gf and I, but the deed transfer had to be "notarized". Nothing else was acceptable.

Unfortunately, notaries are not as thick on the ground in Sweden as they are in the USA - there's no yellow pages section etc - in fact there is one notary per Kommun (city), who is a government employee - the notary for our Kommun (approx 120000 people) could not see us for three weeks! We ended up having to drive to another Kommun about 30 miles away to get the document witnessed.

Don't even get me started about trying to Fedex the documents back to the USA - the nearest Fedex dropoff point to us was 40 miles away!

eFax (1)

jgarra23 (1109651) | more than 6 years ago | (#23637499)

never mind that with eFax and just about any other service, you can fax someone the scanned image that is mentioned. Don't tell that to your bitch of an HR rep though. She'll probably fire you for whatever obscure reason...

Courts (3, Insightful)

PhYrE2k2 (806396) | more than 6 years ago | (#23637509)

The answer is extremely simple. There is precedent in the courts that says a fax signature is acceptable and legally binding. There is no precedent saying that an e-mailed document in digital form is.

Hence on a contract, fax is accepted.

-M

Re:Courts (1)

jkerman (74317) | more than 6 years ago | (#23637713)

There is precedent in the courts that says a fax signature is acceptable and legally binding. There is no precedent saying that an e-mailed document in digital form is.

Yes... But that could mean the opposite of what you think it means.

i.e. "the GPL has never been tested in court, therefore, its not a valid license"

Re:Courts (1)

fireboy1919 (257783) | more than 6 years ago | (#23637795)

There is no precedent saying that an e-mailed document in digital form is.

There's an actual law instead. [about.com]

This is why I don't get how this could still be an issue. Digital signatures have been LEGALLY accepted for quite a long time, and yet people are still spouting this "well, it may not be legal, so..." crap. Few technologies have been so clearly given the green light as digital signatures have been.

It's more secure, more legible, and easier to store. Using them should be a no-brainer. It pretty much just comes down to fear of change, I think.

Same as credit card numbers over the phone... (2, Insightful)

fuzzyfuzzyfungus (1223518) | more than 6 years ago | (#23637551)

I assume the (il)logic is the same as that governing people's willingness to give their credit card numbers to an underpaid human, over an insecure POTS line, frequently over a really insecure old school cordless phone; in preference to giving the said number to a machine over SSL.

In general, people's risk assessments are completely out to lunch. Back in 2001, my school had its student trip to Greece canceled by parental concern. Apparently, the parents wanted their kids "safe at home"(never mind that we all lived in a certain large city on the American east coast), rather than facing the foreign dangers of a fairly quiet and moderately obscure neutral country.

I think that there has been some work done on formalizing our understanding of what distorts risk perception; but it makes for depressing reading.

Lame (2, Interesting)

Chang (2714) | more than 6 years ago | (#23637557)

This might have been an interesting question to ask about 7-8 years ago but now it just seems like Bruce is running out of topics.

E-mail? (0)

Anonymous Coward | more than 6 years ago | (#23637559)

It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.

I certainly wouldn't trust e-mail for anything important.

Unless the sender signs his e-mail using something like PGP, the message could be from anyone. I don't think most companies train their staff to detect forged headers.

I only cut and paste with Ctrl+X and +V (1)

rockout (1039072) | more than 6 years ago | (#23637561)

Cutting and pasting with real scissors and glue? Bah!

I have, however, cut and pasted my signature electronically into a document and then printed it out before ultimately faxing it; looks more real. I realize this is silly - why not just print the document and sign it myself before faxing?

I think I just wouldn't get the same thrill out of cheating the required-signature-on-a-fax system.

What's a better alternative, then? (1)

hawg2k (628081) | more than 6 years ago | (#23637601)

I see the security concerns, but there are situations that need this or something like it, right?

You're 1,000 miles away on vacation. You left your kids with your parents. They get in a bad car accident, and the hospital needs your signed permission to operate on your child. Since a fax can easily be forged and can't be trusted, what's a better solution?

The solution needs to use things equally available as a piece of paper, a pen, and a fax machine. I may not have my computer with PGP encryption etc. with me.

Re:What's a better alternative, then? (1)

JSBiff (87824) | more than 6 years ago | (#23637655)

I dunno, how about they RECORD THE PHONE CALL wherein you are heard giving consent to perform the operation. Yes, that could potentially still be abused, but it's a lot harder to find someone whose voice is similar, than to forge or copy a signature.

Why do we accept any signatures? (1)

flaming error (1041742) | more than 6 years ago | (#23637607)

My signature is just a random scribble which nobody ever looked at until I bought a house. Then all they did was verify the scribbles matched each other from doc to doc; they didn't match my ID signature at all.

Was just kidding (5, Funny)

archeopterix (594938) | more than 6 years ago | (#23637629)

Bruce Schneier here. Disregard what I said about faxed signatures. They are perfectly OK.
Here's my OCR-ed signature: Bruce Schneier

Follow the money! (0)

Anonymous Coward | more than 6 years ago | (#23637657)

The reason fax signatures are accepted is that the Real Estate industry lobbied (paid off) congress to make it legal for faxed signatures to be used in real estate transactions.

Because busy people insist on it... (1)

multi-flavor-geek (586005) | more than 6 years ago | (#23637659)

It helps them with having their secretaries sign everything for them, and helps release them from liability as they can later say "I never signed that". As long as it's accepted as a "good enough" practice it will still be only reasonably challengeable, and grotesquely insecure, but still, good enough for government use.... Ah, America, land of the Luddite.

Better than Letterhead Security (1)

ZeldorBlat (107799) | more than 6 years ago | (#23637663)

That's the one that always amazed me -- no signature required, just as long as the request was printed on some special (and easily forgeable) paper.

At a job where I provided IT services for many clients I always kept a copy of each customer's letterhead on file to make it easier to deal with people like Network Solutions.

Mortgage Requirements (1)

zerj (472601) | more than 6 years ago | (#23637671)

To get my last mortgage I needed to provide several months of bank statements. It was absolutely unacceptable to send them the PDFs that my bank keeps online. I had to send them copies of the actual statement. No matter how much I talked to them I couldn't get them to see the light of day. So the easiest thing to do was print my PDF statements and then fax them the printouts.

Not that big of a security risk at all. (3, Informative)

kaltkalt (620110) | more than 6 years ago | (#23637685)

First of all, legally, a copy of a contract is just as legitimate as the original (yes, IAAL). Both can be alleged to be forgeries just as easily. In fact a copy could be more easily proved to be a forgery than the original, as one could compare signatures and show that the signature was lifted from another source. It's like one of those infamous "Majestic 12" documents that was allegedly signed by Harry Truman - the best evidence we have that it is not authentic is that the Truman signature is exactly like another signature on another document, it was lifted, cut and pasted, onto the MJ-12 document. Note: I don't want to debate the MJ-12 documents here. Anyway, the other reason why fax signatures are not a security risk is that you know who is going to be sending you the fax. "Sign it and fax it over to me today." You get the fax today. Nobody else would reasonably know about that expectation. It's like going to pick up money from western union - "I'm here to pick up $100 for Brian Halloweth" ... the fact that you know about the 100 bucks for someone named Brian Halloweth is good evidence your claim is legitimate. Ditto with the fax signature. Of course this doesn't apply to general applications that can be signed and faxed at any time, unexpectedly. But those can just as easily be forged, and in this scenario the faxee is less likely to know the signature of the faxor. Any alleged weakness in a fax signature is also a weakness in a real signature. That's the bottom line. I don't buy the notion that they are a huge security risk.

wrong question (1)

circletimessquare (444983) | more than 6 years ago | (#23637691)

why are signatures supposed to have represented security, in any context, at any time period in the past?

it's just a formality, a minor road block. it's not anything remotely secure, but it represents a tangible personalization. it's psychological more than it is security: making your personal mark on a deal

for that psychological reason, the signature will never go away. but nor should anyone have ever thought of them as a security feature in the first place. they are trivial to defeat, and always have been trivial to defeat. all you need is one copy of someone's signature and 15 minutes of patience and practice and anyone with a pen and a writing hand can copy your signature good enough to fool a third party

a white picket fence won't stop someone committed to getting in your yard either. but is that a reason to take down your fence? or upgrade to 10 foot chain link with barbed wire? no: you're simply thinking about the value of a white picket fence in the wrong context

the problem is not with the security questions surrounding a written signature, the problem is in ever thinking of them in a security context. it's a psychological and personalization context question, the use, and continued use, for a long time to come, of the written signature

problem solved (1)

julian67 (1022593) | more than 6 years ago | (#23637717)

sign the document, put it in an envelope and fax the whole thing, problem solved. These so-called security gurus are all very well but they lack common sense.

POTS accountability (1)

Bob-taro (996889) | more than 6 years ago | (#23637739)

I've been surprised at this policy myself but it seems to be quite common. I wonder if there isn't some merit in it, though. For a non-technical person, the fax probably seems a lot more secure than email. Email requires spam filters and virus scanners and training in security practices for users. That makes the content of email pretty suspect.

Also, I wonder if a fax is more auditable ... I mean, you generally know what phone number it came in on, as opposed to an email whose originating ip can be easily forged. Legally, that might be meaningful if they had to hold you to the fact that you signed something. It might be easier for you to deny having sent an email with your signature than to deny having sent a fax that originated from your home or business phone number.

Over-The-Counter Derivatives Trades (1)

hughk (248126) | more than 6 years ago | (#23637741)

An OTC [wikipedia.org] derivatives [wikipedia.org] trade is usually for some horrendously complicated thing that is so customised, it hasn't a chance of going the listed route. OTC trades are made by phone and they can be made for tens of millions of dollars. The signed trade confirmations go more often than not by fax.

The check is that I have a timed telephone call and a fax to confirm the transaction and so does my counterparty. Of course that's where the real fun begins as the deal needs rekeying.

In modern times there is something called FpML [fpml.org] and then there are matching/confirmation systems such as SWIFTnet FPML, SwapsWire or DTCC Deriv/SERV which provide electronic signatures and non-repudiation, but they are still not used widely which means ultimately back to the good old fax.

Schneier's thinking is backwards (4, Informative)

Theaetetus (590071) | more than 6 years ago | (#23637753)

Requiring a signature comes out of the old contract law of the Statute of Frauds, which requires certain contracts (not all) to be in writing, with a signature by the person to be bound to the contract. It was so that you couldn't agree to sell someone an expensive good, collect the money, then give them a cheap one and claim that that was the original contract - or so that you couldn't agree to buy the expensive good, pay them a dollar, and claim that was the original contract. Your signature isn't about protecting you from identity theft, it's about protecting the other party from your fraud.

So, why do companies accept easily faked signatures by fax? They have a signature, so you're bound to the agreement. The burden of proof is on you if you want to prove the signature was faked, not them, so they're protected. They'll either get paid by you, or you'll find the identity thief and they'll get paid by him or her.

The bigger question would be why do we agree to being bound to our faxed signatures? And the answer there is convenience. Sure, they can be faked, but it's a lot nicer than having to wait for the US Mail.

Schneier is too big to understand security (3, Insightful)

angus_rg (1063280) | more than 6 years ago | (#23637757)

I swear, he makes some good points, but as a security professional he should understand why they accept it. The amount of business they'd lose by not accepting it is worth more than the potential loss if they didn't.

Of course, now that the cat's out of the bag, they'll need to reevaluate.

My office is bad too (1)

RabidMonkey (30447) | more than 6 years ago | (#23637765)

I work for a high tech, email centric company.

If I have something I need to sign (for HR, or whatever), they email me the form. I then need to print the form out, sign it and fax it back. In some cases they are in the same building, but I'm not allowed to walk over to them, or interoffice mail them, to deliver the actual signed form.

I think in large part it's just because they have an established standard, which they use to deal with all our remote offices and such, and they don't want to deviate by having people walk in to the department. But it's pretty silly to have to fax someone when you could be at their desk in 30 seconds.

Sometimes people get so used to a process that they can't see that it's not the most efficient process anymore. This is how it's always been, so this is how it will be. Amen.

Fax Signatures not always accepted (1)

CanadianRealist (1258974) | more than 6 years ago | (#23637809)

I bought my house in the 90s. (In Canada - mind you) The seller had already moved quite a distance away, so all documents were faxed back and forth.

At the insistence of the realtor, all such documents included a statement that they must be followed up by an original signed copy within one week. It was stated as if it were a legal requirement. To me it made sense as it was clear enough at the time how easy it would be to fake a signature on a faxed document.

Fax signatures are legally valid (1)

SplatMan_DK (1035528) | more than 6 years ago | (#23637815)

I don't know how things work in the US, but in many countries a signature delivered by Fax carries the same weight as a signature sent by snail-mail. But a scanned document sent by e-mail does not carry the same legal status - simply because no law has been passed to ensure that.

So one simple explanation/answer may be that a fax simply has a higher legal status than a scanned document sent by e-mail. I am willing to bet that actual laws regarding the validity of signatures DO have the word "fax" in them (or in some sub-clause) but the word "email" is nowhere to be found.

The problem may not be that the older generations "love their fax machines" or understand them better - but simply that nobody has updated the laws used to resolve legal issues surrounding signatures sent through e-mail.

- Jesper

Asked my bank that a long time ago... (1)

gweihir (88907) | more than 6 years ago | (#23637831)

Turns out, they do not. Or rather they do, to the limit where they start verifying signatures (which they do not for smaller transactions and the like). For larger things they require either an original signature or they call back.

This was something like 20 years ago, and I have no doubts they do something similar today. Recently I got called to verify a larger (not that large though) bank transfer I had done via online-banking. That is the state of the art in Germany though. No idea what US banks do, but the few contacts I had struck me as positively primitive compared to European banks. Less fraud in the US? I doubt it.

fax easier to forge? (1)

Firas Zirie (1179357) | more than 6 years ago | (#23637847)

I'm no expert, but I'm pretty sure that forging a signature onto a high resolution scan of a document is even easier than doing so on a fax given an authentic signed document.