Schneier Asks Why We Accept Fax Signatures
Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.
That's the older generation for you... once you young-uns who grew up with email get promoted to PHB status, you too can adopt your favourite technology of your day to deliver signatures...
The acceptance of fax signatures has to do only with fact that fax machines have been around for a long time, and people think they understand how they work. It just seems safer.
Sadly, the same people who make decisions based on the comfort provided by the familiarity of a technology are those who make policy at companies.
Not just for signatures, but it really annoys me when a company will only accept faxes instead of scanned emails for any number of documents. Luckily the situation has been improving in the recent years.
I've seen this before. People will accept a fax as 'in writing' because someone puts a piece of paper in one machine and gets a piece of paper out of the other end. There's obviously no way anyone could tamper with it on the way. (Sarcasm) People who have different setups (where they see an electronic file rather than a piece of paper) seem to be a bit more wary.
I believe the problem is due to the fact that I, like most people I'm sure, have never heard of this simple exploit. Second, people obviously trust fax machines, perhaps because they're simplistic compared to computers. There's so much magic with email I can see why people don't trust it. It's unfortunate that people don't consider unforeseen physical hacks as serious threats as well.
I find it amazing that CC companies want customer sigs on the back of the card. I add CID and SIGN it. About half of the ppl will now check for my ID.
I prefer the "u" in honour as it seems to be missing these days.
Businesses have been using faxes for decades. The risk of forgery and other liabilities have pretty much been well-established by law and common knowledge. If a contract requires modifications to be in signed writing, it is a matter of established law that a faxed document counts. Does an e-mail count if the contract doesn't expressly say so? That's just an unnecessary risk at this point. In the future, things may be different but there's no reason to be the first person to settle that uncertainty.
Furthermore, faxes are relatively secure because it is a one-on-one communication. In contrast, e-mails can be intercepted or become widely disseminated. The risks of using e-mail in a business setting (for signatures and the like) have not been tested too thoroughly, either.
A NYC lawyer blogs. http://www.chuangblog.com/
Scott Adams already covered this in "Dilbert".
The accounting trolls told Dilbert that they wouldn't accept copies of his expenses... but he could FAX them.
I'm sure you can forge a signature, but not the number you're sending it from. Surely that can count as another level of security?
Yeah, people are stupid. What else is new?
Give me Classic Slashdot or give me death!
There's probably a law somewhere which makes copy'n'pasting a signature a heinous crime while email forgers will go free. You didn't expect reason, did you?
All we want are the fax, ma'am.
There, fixed it for you, Bruce.
Between people being quite adept at duplicating another's signature well enough for 'at a glance' acceptance, and people's signatures changing over time (my bank just informed me that the last signature I gave them deviated too much from the one they had on file from 10 years ago, and asked me to please put my signature on their form five times to give them a new basis. Guess what, the five looked alike, sure enough, but they could just as well have been forgery attempts from 5 different people...)
I'd say that signatures in general are relatively unacceptable. Except that they're usually 'good enough' for what we need them for. That's why we accept them in 'analog' writing, faxes and even e-mails. In the few cases where it was indeed forged, it's usually found out pretty easily.
Oh, but wait, Bruce already said as much; not included in the summary, of course. So go RTFA, then come back here to complain about Slashdot's shoddy headline/summary policy.. it's too much like an actual newspaper.
Now... where's the discussion of alternatives? One of those one-time 2D barcodes that uniquely identifies -moi- when used with the recipient's public key.. or something.
I have been told on a few occasions "PGP signed email" is not sufficient, and that only a fax would be accepted. This even happens if the signature can be verified. Banks seem to do this a lot. I wish that they would catch up with the times.
I've signed a load of contracts in the US by having my publisher send me a PDF, which I've returned (by email) having copied and pasted a scanned copy of my signature over it. Interestingly, they would accept this but not a hash of the original PDF signed with a certificate signed by CACert, which had two people verify two pieces of government-issued ID to confirm that I am me.
I am TheRaven on Soylent News
The signature on the credit card or on the sales receipt has been for security purposes. It's there to indicate that you accept the terms and agreements of using the card, and that you agree to pay the credit card company for your purchases.
You never expect irony, do you?
Want to be a professional wrestler? Visit www.iyfwrestling.com
@iyfwrestling
They are about legal requirements.
Faking a fax signature isn't really that much harder than faking a real one.
Sending a fake signature over a fax isn't that much harder than faking a real one, but is no less criminal.
"Notarized" signatures are supposed to be more secure, though if you can produce a convincing fake ID, they probably aren't.
In a FAX there is the POT NUMBER. Which, contrary to an IP NUMBER will NOT change that often.
Thus it requires at least the sender to be in front of this very fax machine, hooked to this very POT line, and nefarious activity would be simply tracked to its roots: someone around this fax machine.
I was a property and casualty insurance adjuster for a few years. The state I dealt with had mandatory PIP, which means if you are injured in a car accident you have primary medical coverage through the auto insurance policy. I was constantly turning away both claimants and medical providers who wanted to fax medical records, notarized forms, etc. It wasn't the claimants who were the problem nearly as much as the medical providers, who would actually get ANGRY when I refused to accept faxed paperwork from them.
One thing I learned from a few years in the insurance industry is that the majority of medical providers, or at least their billing departments, are, at best, a bit shady.
Vaguely related to the topic at hand are the legal rules surrounding any communication.
It's generally accepted (in UK law, at least, so my source says) that once you reply and / or initiate a conversation over a medium, that that medium is then a valid method of contacting you indefinitely over the course of that action.
So if you email a solicitor, then for that solicitor to send you an email back is perfectly legally acceptable and may even be construed as "delivered" whether or not it arrives. Because *you* selected the method of transit. If your mortgage nearly falls through at the last minute and you need to do something incredibly urgent or lose your house, a solicitor acting on your behalf can just send you an email and they've "done their job". If your servers are down, tough, if you no longer have that email, tough. At least if you read the strict letter of the law.
It may be that this is related - once a person has contacted you by fax, then sending back your confirmation by fax is construed as legally acceptable for "signing" a contract. If you don't like it, then don't communicate with them by fax at all. Ever.
On a personal note, if I weren't able to fax legally-binding forms back to a company, I wouldn't have a house, but I still don't "like" it. My purchase of the house dragged on for six months longer than it should have and the solicitor in charge on my end was a close personal friend, so they were stopping all heel-dragging and pulling out all the stops for us.
However, just as we were approaching the signing date, we had a holiday booked (Hey, we thought a six month cushion on top of a six month estimate for the deal would be long enough!). We arrived in a foreign country for a holiday, and within a day we had a phone call to say that if a particular court didn't receive a signed document on an official form within the next eight hours (time differences etc.) then we wouldn't be able to complete the purchase now, or ever (the house would be sold at auction). We had to find a kind hotel (fortunately, we found a hotel receptionist who had recently had much worse problems selling their house and they let us use the hotel fax machine for free) and receive several forms, sign them and fax them back (and pay a month's mortgage, in cash, within 8 hours, but that was easily resolved by phoning relatives near our solicitor's, although we still technically owe them that).
So it worked out well that we were able. I don't think we could have got back in time on the first plane, and there was nothing we or our solicitor could do to negate the need for us to sign the forms and pay in cash (bank transfers etc. wouldn't have cleared in time, believe it or not). However, the fact that anyone could have signed the form just shows that 99% of paperwork is useless and a waste of time, not that fax machines are somehow "evil".
Bruce Schneier sure is oblivious sometimes.
They're accepted because they're good enough.
What does that mean? It means that if there is a problem later, the fax is sufficient evidence to resolve most problems, either by providing proof of a signature or proof of a forgery. As long as most businesses have some documentation to cover themselves that's generally good enough. Certainly some issues may not fall into this category, but enough do to make faxes acceptable.
Security, for many businesses, isn't about "making sure something bad doesn't ever happen" it's about having what you need to resolve a problem should it arise in the future.
I still think they are not really off the hook. Faxed signatures and POS scans won't stand up in court to prove anything. Just procedure-infested companies taking too long to understand the impact of new technology. So many companies pay for proprietary software to lock out the print screen key and try to prevent screenshots of confidential documents from being leaked. But I have taken readable screenshots using my cell phone camera. What do they do? They pretend such cameras don't exist, and plan to feign surprise when shown a screenshot taken by a cell phone camera. Can't figure their logic out there either.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I could easily forge my parents' signatures when I was 9 (and did it a couple of times). I don't trust a penned signature, why should I trust a faxed one?
It is certainly possible to write, in script form, anyone's name and not just your own. Why would a company accept any signed contract where one of their representatives didn't see the other party to the contract sign? Sure, handwriting analysis will reveal the forgery, but who submits a signed contract to handwriting analysis before executing their part of the contract? Considering the amount of identity fraud going on where the perpetrator submits a credit card application using your identity and "signs the application" to authorize it, you would think that banks would get tired of losing money in this trick.
Lest you digerati start smirking in smug superiority, an X.509 certificate is no better if the bad guys have gotten hold of your private key.
Get three pieces of black construction paper and a roll of scotch tape.
Tape them together top to bottom, creating one long sheet. On the bottom, place a piece of tape half over the edge.
Insert the long sheet into the fax machine, and dial the number. As it begins to feed through, quickly affix the top to the bottom sheet, creating a long loop.
Go get a cup of coffee.
are just as silly. It's pretty trivial to use fake IDs esp. with lazy notaries.
never mind that with eFax and just about any other service, you can fax someone the scanned image that is mentioned. Don't tell that to your bitch of an HR rep though. She'll probably fire you for whatever obscure reason...
http://www.youtube.com/watch?v=RJkx_oD63KM
-1 not first post
The answer is extremely simple. There is precedent in the courts that says a fax signature is acceptable and legally binding. There is no precedent saying that an e-mailed document in digital form is.
Hence on a contract, fax is accepted.
-M
when you see the word 'Linux', drink!
I assume the (il)logic is the same as that governing people's willingness to give their credit card numbers to an underpaid human, over an insecure POTS line, frequently over a really insecure old school cordless phone, in preference to giving the said number to a machine over SSL.
In general, people's risk assessments are completely out to lunch. Back in 2001, my school had its student trip to Greece canceled by parental concern. Apparently, the parents wanted their kids "safe at home"(never mind that we all lived in a certain large city on the American east coast), rather than facing the foreign dangers of a fairly quiet and moderately obscure neutral country.
I think that there has been some work done on formalizing our understanding of what distorts risk perception; but it makes for depressing reading.
This might have been an interesting question to ask about 7-8 years ago but now it just seems like Bruce is running out of topics.
It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.
I certainly wouldn't trust e-mail for anything important.
Unless the sender signs his e-mail using something like PGP, the message could be from anyone. I don't think most companies train their staff to detect forged headers.
I have, however, cut and paste my signature electronically into a document and then printed it out before ultimately faxing it; looks more real. I realize this is silly - why not just print the document and sign it myself before faxing?
I think I just wouldn't get the same thrill out of cheating the required-signature-on-a-fax system.
I've learned that they're worthless, so I don't read AC comments anymore.
Faxes come with a telephone number of the sender as well, and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationery.
People are comfortable with that because they understand what is involved in doing that. With e-mail and digital docs it's harder for an untrained person to evaluate the threat. Also with digital docs it's harder later to raise questions about the authenticity. With the fax, one can later check for example fax logs on the sending machines and other trails of evidence.
In both cases forgeries are possible but in the case of faxes most humans are able to evaluate the threat.
Some drink at the fountain of knowledge. Others just gargle.
I see the security concerns, but there are situations that need this or something like it, right?
You're 1,000 miles away on vacation. You left your kids with your parents. They get in a bad car accident, and the hospital needs your signed permission to operate on your child. Since a fax can easily be forged and can't be trusted, what's a better solution?
The solution needs to use things equally available as a piece of paper, a pen, and a fax machine. I may not have my computer with PGP encryption etc. with me.
My signature is just a random scribble which nobody ever looked at until I bought a house. Then all they did was verify the scribbles matched each other from doc to doc; they didn't match my ID signature at all.
Bruce Schneier here. Disregard what I said about faxed signatures. They are perfectly OK.
Here's my OCR-ed signature: Bruce Schneier
The reason fax signatures are accepted is that the Real Estate industry lobbied (paid off) congress to make it legal for faxed signatures to be used in real estate transactions.
It helps them with having their secretaries sign everything for them, and helps release them from liability as they can later say "I never signed that". As long as it's accepted as a "good enough" practice it will still be only reasonably challengeable, and grotesquely insecure, but still, good enough for government use.... Ah, America, land of the Luddite.
Like arts? Like cheesy little Indie mags? Check out www.artwerkmag.com, and don't laugh at the bad coding please.
That's the one that always amazed me -- no signature required, just as long as the request was printed on some special (and easily forgeable) paper.
At a job where I provided IT services for many clients I always kept a copy of each customer's letterhead on file to make it easier to deal with people like Network Solutions.
To get my last mortgage I needed to provide several months of bank statements. It was absolutely unacceptable to send them the PDFs that my bank keeps online. I had to send them copies of the actual statement. No matter how much I talked to them I couldn't get them to see the light of day. So the easiest thing to do was print my PDF statements and then fax them the printouts.
First of all, legally, a copy of a contract is just as legitimate as the original (yes, IAAL). Both can be alleged to be forgeries just as easily. In fact a copy could be more easily proved to be a forgery than the original, as one could compare signatures and show that the signature was lifted from another source. It's like one of those infamous "Majestic 12" documents that was allegedly signed by Harry Truman - the best evidence we have that it is not authentic is that the Truman signature is exactly like another signature on another document, it was lifted, cut and pasted, onto the MJ-12 document. Note: I don't want to debate the MJ-12 documents here. Anyway, the other reason why fax signatures are not a security risk is that you know who is going to be sending you the fax. "Sign it and fax it over to me today." You get the fax today. Nobody else would reasonably know about that expectation. It's like going to pick up money from western union - "I'm here to pick up $100 for Brian Halloweth" ... the fact that you know about the 100 bucks for someone named Brian Halloweth is good evidence your claim is legitimate. Ditto with the fax signature. Of course this doesn't apply to general applications that can be signed and faxed at any time, unexpectedly. But those can just as easily be forged, and in this scenario the faxee is less likely to know the signature of the faxor.
Any alleged weakness in a fax signature is also a weakness in a real signature. That's the bottom line. I don't buy the notion that they are a huge security risk.
Stupid people make stupid things profitable.
why are signatures supposed to have represented security, in any context, at any time period in the past?
it's just a formality, a minor road block. it's not anything remotely secure, but it represents a tangible personalization. it's psychological more than it is security: making your personal mark on a deal
for that psychological reason, the signature will never go away. but nor should anyone have ever thought of them as a security feature in the first place. they are trivial to defeat, and always have been trivial to defeat. all you need is one copy of someone's signature and 15 minutes of patience and practice and anyone with a pen and a writing hand can copy your signature good enough to fool a third party
a white picket fence won't stop someone committed to getting in your yard either. but is that a reason to take down your fence? or upgrade to 10 foot chain link with barbed wire? no: you're simply thinking about the value of a white picket fence in the wrong context
the problem is not with the security questions surrounding a written signature, the problem is in ever thinking of them in a security context. it's a psychological and personalization context question, the use, and continued use, for a long time to come, of the written signature
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
sign the document, put it in an envelope and fax the whole thing, problem solved. These so-called security gurus are all very well but they lack common sense.
I've been surprised at this policy myself but it seems to be quite common. I wonder if there isn't some merit in it, though. For a non-technical person, the fax probably seems a lot more secure than email. Email requires spam filters and virus scanners and training in security practices for users. That makes the content of email pretty suspect.
Also, I wonder if a fax is more auditable ... I mean, you generally know what phone number it came in on, as opposed to an email whose originating IP can be easily forged. Legally, that might be meaningful if they had to hold you to the fact that you signed something. It might be easier for you to deny having sent an email with your signature than to deny having sent a fax that originated from your home or business phone number.
Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
An OTC derivatives trade is usually for some horrendously complicated thing that is so customised, it hasn't a chance of going the listed route. OTC trades are made by phone and they can be made for tens of millions of dollars. The signed trade confirmations go more often than not by fax.
The check is that I have a timed telephone call and a fax to confirm the transaction and so does my counterparty. Of course that's where the real fun begins as the deal needs rekeying.
In modern times there is something called FpML and then there are matching/confirmation systems such as SWIFTnet FPML, SwapsWire or DTCC Deriv/SERV which provide electronic signatures and non-repudiation, but they are still not used widely which means ultimately back to the good old fax.
See my journal, I write things there
So, why do companies accept easily faked signatures by fax? They have a signature, so you're bound to the agreement. The burden of proof is on you if you want to prove the signature was faked, not them, so they're protected. They'll either get paid by you, or you'll find the identity thief and they'll get paid by him or her.
The bigger question would be why do we agree to being bound to our faxed signatures? And the answer there is convenience. Sure, they can be faked, but it's a lot nicer than having to wait for the US Mail.
I swear, he makes some good points, but as a security professional he should understand why they accept it. The amount of business they'd lose by not accepting it is worth more than the potential loss if they didn't.
Of course, now that the cat's out of the bag, they'll need to reevaluate.
I work for a high tech, email centric company.
If I have something I need to sign (for HR, or whatever), they email me the form. I then need to print the form out, sign it and fax it back. In some cases they are in the same building, but I'm not allowed to walk over to them, or interoffice mail them, to deliver the actual signed form.
I think in large part it's just because they have an established standard, which they use to deal with all our remote offices and such, and they don't want to deviate by having people walk in to the department. But it's pretty silly to have to fax someone when you could be at their desk in 30 seconds.
Sometimes people get so used to a process that they can't see that it's not the most efficient process anymore. This is how it's always been, so this is how it will be. Amen.
We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
I wrote "See License" on the back of my credit card. I'm still amazed by the number of vendors who don't look, so I make sure to thank the ones that do, and chide the ones that don't.
Actually, Zug.com has an interesting tale of the author trying to see how much he could get away with when he signed credit card purchases. He even did musical notation once. Very funny.
http://www.zug.com/pranks/credit/
http://www.zug.com/pranks/credit_card/
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
That telephone number that is supposedly the sender's is just a setting in every fax machine. You can enter anything. It's entirely meaningless as proof of anything.
Allowing the sending of signatures by fax is STUPID, stupid, stupid. It got started when a fax was allowed as an initial application, to be completed when a mailed letter was received. Then work-avoidance schemes took control, and waiting for a letter and opening it and finding the application and continuing the processing was eliminated.
I bought my house in the 90s. (In Canada - mind you) The seller had already moved quite a distance away, so all documents were faxed back and forth.
At the insistence of the realtor, all such documents included a statement that they must be followed up by an original signed copy within one week. It was stated as if it were a legal requirement. To me it made sense as it was clear enough at the time how easy it would be to fake a signature on a faxed document.
I don't know how things work in the US, but in many countries a signature delivered by fax carries the same weight as a signature sent by snail-mail. But a scanned document sent by e-mail does not carry the same legal status - simply because no law has been passed to ensure that.
So one simple explanation/answer may be that a fax simply has a higher legal status than a scanned document sent by e-mail. I am willing to bet that actual laws regarding the validity of signatures DO have the word "fax" in them (or in some sub-clause) but the word "email" is nowhere to be found.
The problem may not be that the older generations "love their fax machines" or understand them better - but simply that nobody has updated the laws used to resolve legal issues surrounding signatures sent through e-mail.
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
Turns out, they do not. Or rather they do, to the limit where they start verifying signatures (which they do not for smaller transactions and the like). For larger things they require either an original signature or they call back.
This was something like 20 years ago, and I have no doubts they do something similar today. Recently I got called to verify a larger (not that large though) bank transfer I had done via online banking. That is the state of the art in Germany though. No idea what US banks do, but the few contacts I had struck me as positively primitive compared to European banks. Less fraud in the US? I doubt it.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I'm no expert, but I'm pretty sure that forging a signature onto a high resolution scan of a document is even easier than doing so on a fax given an authentic signed document.
Should have stopped at "Aren't FAXes the weirdest things". 1980s tech and a sure sign of feeble minds on the business side of those things. Hey, like, you got a fax number? Let me send you some facsimiles of some computer (ASCII) art. It's wicked cool! And so real, and from a computer.
Until there is widespread adoption of public key crypto, we'll be stuck with this bullshit. And that will only happen when you guys start regularly using it. you do have gpg keys right?
I do, and my public keys are available, but damned if I hardly ever use them because so few of the recipients have any idea what I'm talking about. Try to get some sales noob on the other end to understand what you're talking about when they need a credit card number and a signature.
None of this will ever happen, because it is several steps too complicated.
Obviously the solution to this problem is not email, the solution is web 2.0 based where the crypto is inherent in the browser and the site certificates.
I just recently had to deal with this and ended up faxing my CC and signature to the seller. I did enquire whether they would accept payment by paypal, "pay what?". Mind you, Canadian companies are still, for the majority, living in 1999 when it comes to technology, it's really pretty pathetic.
Salut,
Jacques
...but I don't know a single sensible European company that accepts a fax from a stranger (i.e. anybody with whom they do not have a standing business relationship that is already built on a fair deal of mutual trust). Courts don't see faxes as legally binding contracts either. A fax may be used as a precursor for a contract, they may be used to exchange the documents for signing, but you won't see a contract that is not transferred in the original to the recipient in the end.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Signatures are for legal consent. Until the mid 90's (95? 97?) the only legal way to show consent on a document was to "make your mark or signature" (you know, the big ink X you see in pirate movies and Civil War films), which was the equiv. of a signature for people who are not literate. Prince could sign his name with that symbol even before he changed his name. He did that to make US call him that.
FAX signatures were a loophole around the law (to keep people from having to mail stuff around). A court case held this usage up, so everyone started to use it to save money/time.
In the mid 90's (in the US) Congress passed the "Digital Signature Act" which legalizes the digital representation of "your mark." Any indication that the document is "from you" is legal. So PDFs or even typing your name at the end of an email is now legal like a signature.
This is the same law that allows your bank to mail you scans of your processed checks instead of the real checks.
Like someone said earlier, Credit Card Signatures are a recommended security procedure. Stores don't have to check. Many don't bother.
A faxed signature may not be secure, but it's legally protected. If you commit fraud using a faxed signature, the other party has recourse to criminal prosecution to pursue you.
It may not always be possible to do so (maybe you're a brilliant master criminal), but the threat is always there, and the penalties are quite serious. Hans Reiser is proof that "geeks" are no more capable of eluding justice, for all their vaunted smarts, than any other kind of criminal. When it comes to crime, most of us are amateurs. (Which I think is a very good thing!)
In the end, it's never about providing bulletproof security, just enough of a deterrent to make the risks outweigh the benefits, and provide a clear legal mechanism to assign responsibility. Since fax uses POTS, it can be traced, forensic evidence brought to bear on the transmitting equipment, etc. How sure are you that you really covered every loophole?
In contrast, transmitting the same image over the Internet is a much dicier proposition to trace. Fax may be old and easy to fool, but it's also a whole lot less complex than e-mail.
Who wants a black and white watermelon?
In any case, a signature is more than just a verification tool. It's also (and indeed, probably primarily) a legal binding into a contract. Hence a fake signature is fraud, punishable by the full weight of the law.
I wish Schneieieier were a little brighter.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
My wife is an RN for a clinic. Recently, the state of Oregon began requiring faxed prescription requests for certain meds, disallowing the more standard email system that was in use.
My opinion? It's a way to keep more state employees busy, manually typing in information that would have already been there with an email.
-- I really need to bleed off some of this
Is it the shite resolution?
Is it the slowness?
The lack of security?
The 19th century technology?
The bulky machine?
The waste of paper?
All good reasons, to be sure, but ffs, stop with the fucking faxes, please.
It's any mark that you use with the intent to authenticate something. Your signature does not need to be the same every time. For fun, at self-checkout terminals, I occasionally sign with a tic-tac-toe grid, a drawing of an airplane or with my non-dominant hand. Those have exactly the same legal significance as the signature I used to sign my mortgage documents.
On an agreement, the signature is evidence that you agreed to it. But, if somebody wants to say "I didn't sign that," you can look at how he acted at the time. Was there an email saying "I'm faxing over the signed version now"? (Is there a copy in the sender's outbox, or a backup of the outbox?) After faxing it over, did the sender act like there was an agreement?
A signature that looks very similar to another signature is evidence that the same person signed both. But, once you start faxing and copying, the value of that evidence drops.
The bigger problem is when people start accepting faxed signatures for things that they shouldn't without any further checking: "Here's a fax from the president of the company, saying to write me a check for $1M," or "Mr. Rather, here's a scan of a document from when George W. Bush was in the air national guard."
One aspect of this is that a fax does not end up stored on a server. If you have any kind of document that should only exist in hard copy format, a fax is better than an email, which can end up in many places. That's why law firms often still rely on faxes for many communications.
I used to get frustrated with this, but now I just scan things and fax them from my computer. Only slightly annoying...
Now imagine I have a high resolution scan of a contract for which I want a signature pasted to it, like the fax example you gave at first: You cut the signature of someone, paste it at the bottom of the contract, then scan it at a high resolution.
You then take Photoshop, enhance the contrast so the whites are white, and the blacks are black. Then you use that pretty little Photoshop eraser, and make sure the border of your pasted signature can't be seen. This is kid's stuff!
I still don't understand why a fax signature can be accepted too. The only signatures that should be approved should be Ink on paper handwritten signature, and certificate authority certified digital signature via EMail. I would feel a little safer then.
The document sent can be doctored in many ways, but there are lots of precedents about misrepresentation, forgery, larceny, and so on. The laws don't need to be changed. If someone forges or misrepresents information, then they're criminally and civilly liable for that action.
We accept and trust people and their submitted documents. Fancy that.
What? They're not real? That's a bad thing. Time to call the prosecutors. Jail for that? Really? Good.
---- Teach Peace. It's Cheaper Than War.
In North America and Europe, an electronic signature is generally legally binding, so it's the people, not the law that are the barrier.
AFAIK, the reason why faxes gained status as legally binding is that it is very hard to falsify that a telecommunication transaction actually took place between two parties, since the telecom industry keeps detailed logs. So in case of a business dispute that turns into a lawsuit, the court can request log files from a neutral 3rd party. No such neutral 3rd party logfiles existed for email.
Legally binding faxes don't give protection against 3rd party frauds, but give some measure of protection that a communication took place between two business partners. The fax signature is of course easily falsified, but AFAIK the reason they became accepted was because old, well established laws governing falsifying signatures existed. It is easy to raise charges against someone who falsified a signature, whether on fax or paper, but what about altering the "From:" field in an email? There will also exist an original of the fax with the real signature on it at the sender of the fax.
That faxes are legally binding has everything to do with the system of justice and lawsuits/disputes between business partners, but not very much to do with security. If you want content security use a pgp-signed email; if you want security for being able to sue somebody for breach of contract use a fax.
--
Regards
I sign loads of stuff every day, a simple thing to do to add a bit of security is always to use blue ink for signatures, and always send documents scanned in color.
I have a reluctance to _send_ a facsimile of my signature via e-mail (especially when sent from an aerioplane on the week-end). True, someone can cut and paste my faxed signature, but my scanned signature is more easily distributable to more unpleasant people at once.
Winston Smith's job would have been all the easier if the Party paper were on-line only....
Query:
People who understand the laws about this:
What about the legal status of documents received by systems whose "fax" machines dump directly to a stored image?
It has to do with what is considered a legally equivalent fraud to creating and mailing forged documents.
Additionally a fax normally has an independent audit trail via 3rd party phone records (at least in theory).
So if you sign a contract and fax it through, then later claim it wasn't you that sent it, I'd ask for a verified copy of your or the sender's phone bill to start with.
As Schneier says in the article, the acceptance of faxed signatures is not nearly as insecure as it seems on the surface, because almost no transactions ever hinge solely on a single faxed document.
I've faxed signed forms for all sorts of things, from insurance forms to e-file authorizations for my tax preparer. In every single case, this was done in the middle of an ongoing process that had been started face to face or by mailing real, signed forms. The faxed documents were always sent after having a phone conversation that confirmed the content of the fax with someone I had already dealt with on the other end.
On the other hand, I've never seen a case where a fax would initiate a transaction on its own, or even determine dollar amounts of an ongoing transaction. They're mostly just used to speed up the process when a signature is needed as a formality, so the potential for abuse is really limited.
This reminds me of a boss who demanded that we deploy "digital signatures" - by which he meant we scanned our signatures into image files and attached them to an email. No amount of articles explaining actual PKI signatures would convince him that this was, in fact, less than useless because it gave a really false sense of security. I think I finally convinced him by emailing myself a directive to abandon the project, using his scanned signature, and copying him on it.
The problem is that for any real authentication to work, you usually have to have a trusted third-party, and because of all the costs involved in maintaining compliance with industry standards like PCI (for credit card processing, not motherboard card slots), this is going to cost money. Factor in the tin-foil hat paranoia we all have regarding trusting anybody to authoritatively authenticate on our behalf, and real digital signatures become really difficult to implement.
Can it be done? Absolutely, there are plenty of ways to do it now, and for individuals, it can be free. But for companies who spend thousands upon thousands of dollars on compliance issues, it becomes more difficult.
And anyway, do we really want signatures that are authoritatively authenticated with the force of law? I'm guessing we don't, which is why you don't see a bigger corporate push for this. There is some comfort in the wiggle room to say "that really wasn't me."
Sometimes I wonder why things are signed at all when they're clearly fake - it must just be an artifact of the medium. The other day I got a nicely written bulk-mail letter from my vehicle insurance agent. It was signed at the bottom, but I could see the edges of the pixels in his signature. Ok... there's nothing official contained, it's basically a flyer. I guess most people just won't notice? But even then they wouldn't think the guy wrote a letter to each customer individually. ...though now I know the shape and thickness of the lines in his real signature...
The premise of the commentary doesn't make sense to me. E-mail signatures have been accepted by most businesses for years now, for everything from vacation rentals to mortgage applications. Recently, in the process of signing a contract on a home purchase, we were forced to use a fax machine because no scanner was immediately available. The entire document later had to be re-sent by e-mail because the fax copy wasn't legible enough.
Sure would be nice if the signature could be verified easily BEFORE there is a problem, don't you think? Would be even nicer if the verification wasn't based on the subjective opinion of a handwriting expert.
if outlook had a clearly identified [PRINT] button, then email would be preferred over fax. Funny how the perception of paper with a requirement of 1 extra step (i.e. press a print button) creates such a backwards mentality.
The law of signatures places more emphasis on the ceremonial aspect of signing than on security. --Ben http://hack-igations.blogspot.com/2008/04/text-message-investigations.html
Benjamin Wright, Dallas, Texas, benjaminwright.us
Just to inform all of you (mostly Americans): In Sweden, we haven't used fax machines for about 20 years. Well, surely some people do, but it's extremely rare, and no one considers them safe. We've used E-mail or snail mail since it's either simpler, or more secure.
Me, and most people I know, have almost never used a fax machine, and we don't understand why people around the world ever use them, at all.
This issue is very local and applies only to countries still using fax machines. Perhaps the issue isn't really about whether fax machines are secure, but more general: why use them at all? They are stone age, insecure, crap quality, slow, consume an entire phone line, etc. Much like checks. I don't think I know any Swedish person who has ever used a check in his/her whole life, and that includes parents and grandparents.
So what's wrong? Fax being insecure? No, keeping bad and obsolete, deprecated technology. Fax machines, checks, inch, feet, Fahrenheit, etc...
Come on, the entire world is laughing at you. I'm not trying to troll, but rather to enlighten. We do laugh; "Well, you know Yanks" and so on. Please give us a reason to stop that.
I know it's probably a bit on the dumb side, but one day I signed a white piece of paper, took a photo of it with my cell phone camera, edited it in Photoshop to make the white areas translucent, and then whenever I need to sign something and send it electronically, I copy/paste/resize my signature, make it a PDF, then send it along.
Ah! The old bang path. I haven't seen one of those in years. I was going to put that down as a missing option in the recent navigation poll, but I figured it was too late in the game.
When our name is on the back of your car, we're behind you all the way!
That answers the immediate question, but there's still the question of why the -law- considers a fax to be a legal facsimile.
... yet, my company's pretax account takes documentation via fax. I could mail the documents, of course, but that will add time and processing costs to all parties involved. (I'm sure they use electronic copies of the faxes, not paper copies.) So it's a significant benefit to all parties to use 'legal facsimile' faxes.
I think the answer to that, ironically, comes back to businesses. Businesses needed a way to send 'signed' documents quickly, and pre-FedEx there weren't really many options. Fax machines were bulky and expensive. They didn't accept signed documents from just anyone, they had already vetted the other party to some extent.
So, on balance, the convenience of 'legal facsimile' faxes outweighed the cost of the rare forgery. They pushed the law to recognize the same.
Now things have totally reversed. You can send documents to anywhere in the country in a day for a modest amount, you can create perfect forgeries using a scanner, basic editing software and fax modem, etc. People would be insane to trust faxes for anything but the most trivial things...
Bottom line is that businesses use faxes since it's legal, and it's legal because businesses want to use faxes. It's not going away soon, but I agree 100% that it's insane to trust faxed documents for anything of significant value. (E.g., we used faxes to the seller when I bought my house a decade ago.)
I think the ultimate question is refutability. I don't care if a business accepts faxes -as long as I can refute a forged fax-. That's the only sane solution -- put all liability on the receiver. They can continue to accept low-balance transactions if it's convenient, while I can be confident that nobody will try to forge documents "selling" my house to a third party.
(It turns out we have a good recent example of this -- credit card companies don't require signed receipts for low-balance credit card transactions. The cardholder always wins any dispute, but businesses are willing to accept that risk in exchange for the convenience of moving people through the line quicker or avoiding the need for customer interaction at all (e.g., at gas stations))
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
I'm always impressed by the Slashdot posters that are heroes in their own minds. If you'd read the post in his blog instead of the Fine Summary, you'd know that's exactly what he says.
Quite simply it provides the company with a written record. At $employer we require it even though we know it's not all that much in security, but it's primarily kept so we have a paper trail for some stuff, and in some cases to ensure we have a written acceptance of fault and an understanding that we will withdraw service should they fail again.
"Get three pieces of black construction paper and a roll of scotch tape.
Tape them together top to bottom, creating one long sheet. On the bottom, place a piece of tape half over the edge.
Insert the long sheet into the fax machine, and dial the number. As it begins to feed through, quickly affix the top to the bottom sheet, creating a long loop.
Go get a cup of coffee."
You forgot to change your own fax settings to "Fax Directly" instead of "Fax from Memory". VERY important point.
"As God is my witness, I thought turkeys could fly." A. Carlson
Sorry for the AC, can't log in from work. Here's a relevant dissertation at FindLaw regarding the legal definition and requirements of a signature.
Back in the bad old days before I worked in IT. I worked in a call center / customer order entry for a place that sold various holiday pastries and such products.
We had people FAX us checks all the time, and then call up and get abusively angry at the agents because their order was not processed (they usually neglected to put a phone number on the form too).
The only thing sillier at that job was the phone system, antiquated even for the day. The order taker would push a button after each call to signal the ACD that she was ready for the next call. Of course every holiday we'd clean out the temp agencies of agents, a good percentage of which would choose to take a call and then read for the rest of their shift if somebody didn't come over and push the button for them.
yes...and that it's been in use for a while.
I've signed contracts over email/pdf before. The last job I had, I didn't need to fax my acceptance letter. They had some online system where they sent me the pdf and I accepted it through some website. I don't even remember the process. I'm assuming it is just as valid as it was a very large company.
In Canada, there's also http://www.datawitness.com/products/signoff which seems to have some kind of legitimacy. I think they also have contracts with the government of British Columbia for online Wills and other things.
The law takes time to change. The proper legal use of online methods (email, PGP, certificates...) will get there.
If there is money or property involved, forging a fax signature would also constitute wire fraud, a Federal crime.
The use of the fax pretty much ensures interstate wire use in some form or another.
If, in your example, someone faked your signature on the NDA fax -- though I'd be hard pressed for a reason why -- that person is guilty of wire fraud. That stands whether you violate the NDA or not -- a civil matter.
So why accept the fax signature? The Federal penalty is up to 30 years in prison. That pretty much trumps most state statutes for whatever else could be involved.
If someone walks into a store with a fake credit card, the penalty is 10 years. Doing it by fax carries a max of 30 years with the addition of the wire fraud.
To quote: "It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email."
This is Timothy's comment, not Bruce's, and makes me think that Timothy missed the point. Scanned and emailed signatures have EXACTLY the same problems as faxed ones. The point isn't that we should encourage MORE bad security practices, but rather eliminate them. The faxed signature from McDonald's to release a prisoner could have been just as handily done by email if we accepted scans of signatures as attachments. In fact, it could have been done more easily because "relatively secure email" is easier to forge than fax sources.
Making email secure would require hashing which would involve cryptographic keys. At that point, we could actually eliminate visual signatures in all cases except for in-person, pen-and-ink signing of documents, by using digital signatures.
Faxed signatures are a bad idea. Scanned and emailed signatures are the same thing, but more democratic--let's bring a bad idea to a larger audience!
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
PHBs are not logical at all.
Whilst working for a bank, they wanted absolute proof that certain Emails that they sent to clients, were, in fact, received. When they found that "return receipt requested" could be turned off by clients, they insisted on another way.
I asked if they did this for paper snail mail. The resounding answer was "Of course not". So I asked why this was any different. They could not come up with a good answer. Their best argument was about paper being a physical medium that they PAID to send, so there was proof that they sent it.
Again I explained that the Email copy in the out box was equivalent proof. They said the data could be deleted. I said that the proof of payment of the snail mail could burn if a fire, or blow away in a hurricane.
Then I realized that management does not function on logic. Supposedly they function to get themselves promoted and get themselves more money. But that doesn't even hold true here.
So, after all that, it was decided, when an Email return receipt is not received, we sent out a paper snail mail to cover our butts.
I dunno. -- I fired them as my employer and have a wonderful job now.
- I live the greatest adventure anyone could possibly desire. - Tosk the Hunted
If the submitter had read Schneier's blog post, he would have realized that Schneier actually discusses why we accept fax signatures. But then, this is slashdot...
They're accepted because they're good enough. That's exactly what Schneier explains in his essay. The questions he asks are rhetorical.
Jane Jacobs, "Systems of Survival", of Greenwich Village, NYC, anti-housing projects fame. This dialogue is a quick read. The short answer is that in commerce honesty (a faxed signature) can be presumed, if it can't, commerce will fail.
I've often wondered about the electronic signature pads for credit card purchases. Once they have a copy of my signature they can put it on anything. Why would such a signature have any value whatsoever?
Working for a startup company back in 1992 we solved the distance signature problem. It was called Telesignature (patent # 5,222,138). I am listed as co-inventor (the other person who hired me had no technical knowledge). You would place a document into a secure enclosure and a scanner would scan it and send the image via modem (9600bps in 1992) to a pen computer on the other end. The person would review and sign the document and the signature would be sent back and written with a pen plotter on the original document. We got lots of raves on the signature quality. Virtually no one who was shown the signatures could tell it was written by a machine. We used RSA keys to ensure the whole process was tamper proof and an audit trail was left. A year later we brought out a companion product called fax-a-check. The digital copies of the document are what actually provided proof of the transaction. The legal system at the time demanded written documents and so it seems still does.
(Sigh) Kudos.
I have a refrigerator magnet of a FAX machine that has that quote on it with "FAX" for "FACTS". I used to watch that show regularly and contrary to what SNOPES says, I could SWEAR Friday or Gannon said it on at least one occasion --- Maybe without the "ma'am" part...
But, "Don't taze me bro!"
"He's dead, Jim".
I had two domain names hijacked by some young punk kid who did the very same to my FORMER domain registrar.
I filed an auto insurance claim once, and I had a police report. The adjuster asked me, via email, if I could give the the police report. I replied, asking whether she needed the original, or if a copy would do. "Oh, you can fax it to me," she emailed.
"Well," I replied, "I don't have a fax machine, but I've attached a scan of the document to this email."
Adjuster: "That's great, but I really need you to fax me a hardcopy."
I had to explain to her that she could simply print the image I'd sent to accomplish the same thing, since it would be identical to my scanning the image with a fax machine and transmitting it to a printer at her office. In fact, my scanned image was even in color, if she wanted to print it to a color printer, and would probably be unreadable as a fax anyway. This woman couldn't have been older than thirty, so the argument about "the older generation" does not apply.
Is there an argument for "the stupider generation?"
Web 2.0 == Giant Blogspam Circle Jerk
Faxed signatures are accepted because a lot of business would grind down to a slow pace if they weren't. Also, companies want to grab you now, rather than wait for you to mail or bring in an original- more chance you might forget, get side-tracked or go to a competitor. Also, speaking from a b2b perspective, business people don't have the time to bring things to each other, nor the funds (or time) to mail/courier papers all over the place. Fax is still a major method of sending signed work orders, contracts, purchase orders etc.
If a company is smart though, they should know the person they're talking to before they accept a faxed signature. Although, how many companies actually analyze a signature to check if it's forged? And who can tell if it is? The whole concept of signatures is rather flawed in my opinion.
Check it out: Signature Requirement
"Signature" merely means any authentication which identifies the party to be charged. Even a letterhead or an "X" will do, provided it is placed on the writing with the intent to authenticate it. (Merrill Lynch, Pierce, Fenner & Smith, Inc. v. Cole 457 A.2d 656, 663 (Conn.,1983).) http://www.west.net/~smith/frauds.htm
Faxes are legally binding, emails are not (yet).
I was a programmer, now I'm a law student. From what I've seen so far of the personalities in law, my guess is that the generation who was running the legal community felt comfortable with faxes because they *seemed* simple, while email clearly had more mysterious techno-magic involved.
My company recently asked a bunch of us to send in updated information to the corporate security department. We were told to fax this and not email it because "the information was too sensitive for email." I think that may be one of the dumbest things I've ever read. I sent mine by FedEx in a sealed envelope.
Here's the answer to every question about people and security: "Because people are stupid." You're welcome Bruce, thanks for your variation of the question.
FreeBSD for the impatient.
I have many times sent an email with some document to a company or a government agency, and gotten the response back that I need to fax it instead. So I just take the same document and then use print to fax directly on my laptop, no fax machine needed. It's just amazing how "normal" people don't understand how fax is not more secure than email. The only possible advantage of using fax is that at least it can be tied to a physical phone number, however I seriously doubt people check the fax logs for the number the fax came from, do fax machines even keep logs or print out the originating fax number?
The Electronic Signatures in Global and National Commerce Act (ESIGN, Pub.L. 106-229, 14 Stat. 464, enacted 2000-06-30, 15 U.S.C. ch.96) is a United States federal law passed by the U.S. Congress to facilitate the use of electronic records and signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts entered into electronically.
Although every state has at least one law pertaining to electronic signatures, it is the federal law that lays out the guidelines for interstate commerce. The general intent of the ESIGN Act is spelled out in the very first section(101.a), that a contract or signature "may not be denied legal effect, validity, or enforceability solely because it is in electronic form". This simple statement provides that electronic signatures and records are just as good as their paper equivalent, and therefore subject to the same legal scrutiny of authenticity that applies to paper documents.[1]
http://en.wikipedia.org/wiki/Electronic_Signatures_in_Global_and_National_Commerce_Act
Yes, an "X" counts as a signature, so does your thumbprint, or even your noseprint. The point, dear lad, is that the signature/X/mark/stamp/etc. binds the person making the mark, not the other party.
Please go back and read my post, continuing past the first sentence, and if you have to, simply recite "... or any other mark sufficient to identify the party being charged" in your head when I say signature.
Oh, and don't tell people they're wrong when you don't understand what they're talking about.
Did you read the essay? Because I think that's pretty much what he said.
Was on Wired a week ago, dumb asses.
A signature is not an identification tool. It is a deliberate act signifying agreement. Since you have to put some effort into signing a document, it means you agree to the terms.
Some documents are so important that you must write the whole thing out by hand before signing. This is to make sure you've agreed to terms with full knowledge of them. There will *not* be teams of handwriting analysts poring over it and everything else you've written to make sure it's really you.
Presumably identification is done through more secure means. The signature is just a symbol of acquiescence.
Can you be Even More Awesome?!
If you really need to verify a signature, you use a notary.
When you are looking at the choice of signing and getting what you want from your contract now, people choose the easy way.
The Kruger Dunning explains most post on
I worked for an A paper lender from 1996 to 2001. For the majority of that time, we didn't accept faxed in loan submissions. The idea was that a broker or loan officer could simply fax a loan to a dozen different lenders all at once instead of committing his business with us and because it was too easy to doctor loan docs and fax 'em in. We demanded original signatures and docs printed using a laser printer (yes, that was a requirement) or on original pre-printed loan applications. The only faxes we would accept would be loan conditions like a flood cert, mortgage insurance or something like that. We also didn't accept loan packages with appraisals done with a digital camera because the images could be doctored easily. Sometime near 1999, we started a limited doc fax program for brokers we had high confidence in and were pretty sure wouldn't send in bogus loan info.
Years later, I worked as an Account Executive for a subprime lender, we accepted EVERYTHING by fax. They're out of business now and the industry on a whole is reeling from rampant fraud.
Fifty watts per channel, baby cakes.
If they accept a credit card that is not signed (even if it says See ID and they check the ID), they have violated the rules of the credit card company. Should there be a problem with that purchase, they will have to eat the chargeback.
I managed a retail shop for several years and the credit card companies are dead serious about their rules. The card MUST be signed with a personal signature--"See ID" or "CID" does not satisfy that. The shop must keep the original of the signed copy of the credit charge slip (if they accidentally keep the carbon, the purchase is not covered). The shop is not allowed to require ID for the purchase. In addition there are a variety of rules about data storage and security.
On the other hand, merchants are also forbidden from setting a minimum credit card purchase...if you ever get told "there is a $5 minimum to use a card," that shop is violating the rules and you can report them to your credit card company. But only do that if you're really pissed, because they might lose their account and that can literally kill a small business.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
I don't disagree that faxed signatures, or pen-to-paper signatures of any sort for that matter, are next to useless and have been since the invention of the copy machine (possibly since writing became something that everyone learns to do). But what's the alternative? How does someone provide indisputable record that (s)he has had the chance to review and approve some bit of information?
I know everyone is thinking cryptographic signatures, but they're even worse. A cryptographic signature is only as secure as the private key and the algorithm. How do you educate the masses on how to properly protect their private key? How is it even possible to protect a private key if you have to sometimes connect the storage device to hardware that isn't yours? And yes, I know about RSA's tamper-proof devices that decrypt and sign data internally rather than making the private key available, but I've also seen demos of them being cracked (the crackers claimed 80% accuracy) when hooked up to the proper oscilloscopes. And as for the algorithms, how many of us even here on slashdot can say we truly understand them, even if we're confident that we could if we dedicated the time to studying them?
The point is that only a fool would claim that even cryptographic signatures are truly indisputable. But if we used a less disputable form of signature, the supposed signer would have a much weaker case when a signature is faked.
I recently had my credit card stolen. It cost me exactly $0. I simply told my bank which charges I didn't make, signed (ink on paper and faxed) a form stating that I didn't authorize the transactions and that I expected that if they found any signatures on receipts they would be faked. As a consumer, Visa and Mastercard's policies (and, by extension, my Bank's) give me zero liability, which is beyond even what the law requires. This makes credit cards not only the fastest and easiest form of payment, but the most secure to me as a consumer. If my bank wants to put a chip in my credit card that does cryptographic signatures to help minimize their losses, that's fine so long as they don't change their policy regarding my liability. If I have to accept anything other than zero liability, I would immediately cancel all of my credit cards and go to cash-only. That way, the most I can lose is what I have in my wallet, not the entire contents of my bank account and the instant line of credit that I never asked for.
I dread the day when people commonly use a form of authorization that the masses believe is indisputable. Security is attained through constant effort, not some "can't be cracked" system. And justice requires reason and careful examination of the facts, not blind faith in technology.
The receiving fax shows the originating phone number.
It is very common for contracts to specify fax as an approved form of written notice and to exchange signature documents. (I have worked in Fortune 500 companies with IT contracts written in the 70's and 80's -- many of these contracts are still active under the original terms, as modified. Most of these early contracts specified fax or facsimile as an approved method of written notice or signature.)
Today it's common for commercial contracts to contain terms approving email as a form of notice.
a r b o r l a w -- legal blog for entrepreneurs and small business
that signatures are meaningless.
I'm also really uncomfortable with the idea of signing some box so my signature is in a computer. Not that it can't be scanned in, but when they test your signature they look at how hard you pressed the pen and stuff like that--undetectable through a digital medium...
And if they did record it, they could easily replicate it--even adding minor changes so it can't be detected as an obvious replica.
Email is even worse--Email is insecure, easy to spoof, is not guaranteed delivery, and shouldn't be used for anything official--ever.
Overall the fact is that the only advantage we have is obscurity. There are so many people you just have to hope that you aren't the one randomly chosen for identity theft or the target of some other shenanigans.
I don't trust bio signatures much yet either. Not that they couldn't be made reliable, but right now--nobody is willing to invest the money to do so.
The only thing I can imagine being valid is something like a USB Dongle you carry on your keychain that will encrypt anything sent to it with a gigantic private key (forget 1024 bits, how about 1M bit key?) It should be physically impossible to get the private key out of your keychain, but the public one can be pulled out for publishing at any time.
Use the same resin technology that they use to stop people from copying chips--or fill the damn thing with acid in a little glass vial like the theft-protection tags on clothes.
The software source must be available for review.
Readers wouldn't need protection because they couldn't actually "Steal" anything from the card, only feed it a one-time random string that the key encrypts, then compares the result against a published public key.
Maybe that wouldn't prevent it from being stolen, but at least you'd know that if it wasn't you were relatively safe, and if it was you could cancel it pretty easily...
They are getting close to this with some credit cards, but that's not a generic "Signature" mechanism, and I'm guessing that they are more hackable than I'd like.
Schneier is not so much oblivious as in love with his own ideas, sometimes at the cost of his logical consistency.
Really, signatures are not "proof" of anything, and never have been. Back when many people were illiterate, simply making a mark was an acceptable signature. A signature is just a sign of an agreement that is sustained by collective memory, not the signature itself.
For example, how do we know that John Hancock signed the Declaration of Independence? It's not because his handwriting is hard to forge. (I wanted to say that it's because a lot of people saw him sign it, but that turns out to be a myth.) No, it's part of the collective memory of the time: Hancock was the presiding officer of the Continental Congress, and would have had to sign it; he acknowledged signing it; etc. etc.
I know for a fact, from someone who was specialised in faxes and fax software (1997, Belgium) that a fax document with a signature is not a lawful proof of anything. The only lawful document would have been a telex, because the time stamp from the post office was an official proof.
I have recently done some car insurance stuff using a scanner and email. It is just habit I guess. The risk is reduced when people talk over the phone, repeated emails and then follow up over snail mail to confirm the changes. For the whole process to work up to the end, it is relatively secure.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Yes, indeed, why would you fax, sign, and fax when you can skip all of that and scan, save, attach, email, print, sign, scan, save, attach, and email? What kind of dinosaur would use such an old technology when new technology is available that can replace it, with only a few more steps!
(Yes, I'm aware that there are a hundred and one ways to streamline the exchange of electronic documents. The problem is most of them are just as expensive and less reliable than an analog fax machine using copper wire.)
The countries that use fax machines are the ones that do the most business. The US, yes, and Japan and the UK. Partly because business is slow to change, but mostly because the replacements are harder to use and more trouble prone.
The US free market: two halves of a government-granted duopoly are free to set the market price.
I found out the hard way that my bank doesn't even check the signatures on checks.
Coder's Stone: The programming language quick ref for iPad
Add a half twist, forming a Moebius strip, which can then cause a rip in the space time continuum at the receiver's end.
Of course, you'll need to get a Klein bottle of coffee (which has its own problems)
There is one big reason why faxed signatures are often accepted yet email is not.
The technically inept are the reason.
They (the technically inept) have not been enlightened sufficiently yet to recognize that a fax machine is simply a little digital computer. They (the inept) are still looking at faxes as "someone fed this paper into a fax machine scanner and I received a copy of that paper".
The "rules" regarding accepting faxed signatures grew out of yesteryear before computers, where the only way to receive a fax was someone else sending a piece of paper through another fax machine's scanner. So to receive a fax meant that there was a paper copy at the sender end (pre-computer era).
Computers have upset that "assumption" but the technically inept have not been enlightened to the fact that with a computer, a fax can be modified or created without ever having seen physical paper and sent to another fax machine and end up being indistinguishable from a real paper fax.
The assumption has not changed because the technically inept find it easier to continue with the status-quo than to learn enough to need to upset the status-quo.
Nope! DAH DAH! Sorry you are also wrong, the correct answer is 1843 - please stand corrected ;-)
http://en.wikipedia.org/wiki/Alexander_Bain_(inventor)#Facsimile_machine
Probably just a poor choice of words on your part. I am certain there is no form of communication that is more or less legally binding than another. As long as both parties understand and agree (barring some other deception), in the US you have a contract.
Verbal contracts are legally binding, but don't leave good evidence if disputed. What I think you mean is that if the veracity of a document is brought into question, that a scanned+printed document is not going to hold much weight in most courts.
A letterhead cut and pasted at the top of a page will add plenty of official-ness for some.
Indeed, this is an important point; faxed signatures do one thing only: they provide evidence that someone saw the document and that there EXISTS an original signed document. Remember to keep those signed documents you fax; you might be asked to provide them in case of legal issues.
-- Humans, because the hardware IS the software.
The whole thing is even more silly when you consider that many of the "fax machines" in use today aren't even fax machines at all, but some sort of fax-to-email service. In my industry I see a lot of this sort of thing. People get all worked up over how email won't do, they must fax whatever it is -- and they end up using an e-fax service which probably ends up in some other guy's email box anyway through his own e-fax service. :)
Yet both sides are convinced that this is somehow better than just scanning the document and emailing it normally. Truly bizarre, if you ask me.
mirrorshades radio -- darkwave, industrial, futurepop, ebm.
He was generalizing there: as in a threshold of people who knew how to falsify each tech. At least it works better for me...
damaged by dogma
When you require a fax, you create additional verification in the form of a record of a phone call placed between the originator and receiver of the fax transmission. That way, after the fact, it's fairly easy to show that at least the fax originated from a fax machine in the office of the person who sent it.
With email, the person sending the signed document could be doing so from Nigeria and there's no good way to know that they're not.
paintball
Signatures are a throwback to when it was unusual and the mark of gentility to be able to write. They were the next best thing to using your wax seal with the family crest and usually accompanied it.
Seriously, how many people who work at a till or even a bank have had the necessary 10 plus years of training to be able to tell a real signature from a fake one? Even if they did, would it be reasonable for them to look at all the signatures?
I know personally of more than one occasion when a bank has cashed a check with the signature Mickey Mouse on it (the person who wrote the check was just seeing if it would work, and the store still got the money.)
THAT is for a real signature from a real person standing in front of you, and a computer is supposed to do better?
"Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons."
Heavens, RTFA. I know this is Slashdot, but seriously, "they're accepted because they're good enough" is exactly the conclusion he arrives at, too (after waxing poetic for a while).
For important documents there may be more procedures, but a lot of faxes are sent in a pretty routine manner with no authentication.
For example, I just faxed a copyright-transfer form to a journal so they'll publish a paper of mine. How did I fax it? From an online fax service, which didn't even require me to create an account. I gave them a PDF, and they faxed it. The only "authentication" is the receipt of this PDF at the other fax machine, which will be filed away somewhere; there is no other protocol being followed. Now why couldn't I have just emailed that same PDF to them? How does routing it through a free online fax service increase security?
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
The whole point of the faxed signature was to get the ball rolling. A hardcopy of the signature used to follow and most large companies still practice this.
... I was there when faxed signatures started becoming popular in the early 90s.
Youth, often not understanding events and practices preceding them, do not practice the hardcopy follow up.
Maybe he is missing the whole point: the security in the fax comes not from the printed paper you are sending, BUT from the fact that they can check the origin of the fax transmission. Faxes are point-to-point communication channels, so it is VERY difficult to intercept them or to impersonate other people's fax numbers.
I'm sure the person who was insisting on receiving a fax thought it was stupid too (if they were paying them enough to think - which is probably unlikely).
The company had most likely instituted a set of procedures that were to be followed and the lowly drone that was charged with accepting the fax probably lacks any decision making authority.
The person who created the procedure is probably six foot under by now (due to old age), and no one has probably been inspired to create a new set of procedures because the current set works well enough and the legal dept. has signed off on it after evaluating the risk involved, which of course means coming to an understanding of the current procedure. Any new procedure would need to be re-evaluated, meaning time and effort (money) on the part of the company's legal dept. For what gain? So one pesky client can email instead of faxing.
It's all down to risk management, something that companies (and sensible individuals) do all the time; look at a situation, determine the risk, determine the cost benefit in reducing the risk, then make a decision.
I completely agree that it is frustrating, but...
welcome to the corporate world.
...in Soviet Russia the official Visa website says that merchants are allowed to check ID. And sometimes they really do. It's doubly strange, because most merchants don't use PIN verification.
I have to say that
a) I'm never impressed by assholes who throw insults from the Anonymous Coward seat.
b) THAT IS NOT IN ANY WAY "exactly what he says"; you, in all your AC stupidity, are not only a genuine coward, you're a moron AND wrong.
No it isn't. Save the stupid fucking insults for when you're not completely wrong.
Fuck off now.