Slashdot Mirror


Schneier Asks Why We Accept Fax Signatures

Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.

18 of 531 comments

  1. Credit Card Signatures by SoundGuyNoise · Score: 3, Informative

    The signature on the credit card or on the sales receipt has been for security purposes. It's there to indicate that you accept the terms and agreements to using the card, and that you agree to pay the credit card company for your purchases.

    --
    You never expect irony, do you?
    Want to be a professional wrestler? Visit www.iyfwrestling.com
    @iyfwrestling
  2. Signatures aren't about security by bperkins · Score: 4, Informative

    They are about legal requirements.

    Faking a fax signature isn't really that much harder than faking a real one.

    Sending a fake signature over a fax isn't that much harder than faking a real one, but is no less criminal.

    "Notarized" signatures are supposed to be more secure, though if you can produce a convincing fake ID, they probably aren't.

  3. telephone number by goombah99 · Score: 4, Informative

    Faxes come with a telephone number of the sender as well, and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationery.

    People are comfortable with that because they understand what is involved in doing that. With e-mail and digital docs it's harder for an untrained person to evaluate the threat. Also, with digital docs it's harder later to raise questions about the authenticity. With the fax, one can later check, for example, fax logs on the sending machines and other trails of evidence.

    In both cases forgeries are possible but in the case of faxes most humans are able to evaluate the threat.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:telephone number by Loether · Score: 4, Informative

      Faxes come with a telephone number of the sender as well, and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationery.

      "Forging" a telephone number on a fax machine just requires changing a setting on the sending machine. It's in the fax manual.
      --
      TODO create witty sig.
    2. Re:telephone number by Alpha830RulZ · Score: 3, Informative

      Yeah, but that sender phone number is programmed into the machine, and can be set to -any- phone number. To check what number the fax really came from, you'd need to check the ANI information on the call (caller ID). That information often doesn't correspond to the actual number of the fax, if the fax is routed through a PBX.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
  4. Not that big of a security risk at all. by kaltkalt · Score: 3, Informative

    First of all, legally, a copy of a contract is just as legitimate as the original (yes, IAAL). Both can be alleged to be forgeries just as easily. In fact a copy could be more easily proved to be a forgery than the original, as one could compare signatures and show that the signature was lifted from another source. It's like one of those infamous "Majestic 12" documents that was allegedly signed by Harry Truman - the best evidence we have that it is not authentic is that the Truman signature is exactly like another signature on another document, it was lifted, cut and pasted, onto the MJ-12 document. Note: I don't want to debate the MJ-12 documents here. Anyway, the other reason why fax signatures are not a security risk is that you know who is going to be sending you the fax. "Sign it and fax it over to me today." You get the fax today. Nobody else would reasonably know about that expectation. It's like going to pick up money from western union - "I'm here to pick up $100 for Brian Halloweth" ... the fact that you know about the 100 bucks for someone named Brian Halloweth is good evidence your claim is legitimate. Ditto with the fax signature. Of course this doesn't apply to general applications that can be signed and faxed at any time, unexpectedly. But those can just as easily be forged, and in this scenario the faxee is less likely to know the signature of the faxor. Any alleged weakness in a fax signature is also a weakness in a real signature. That's the bottom line. I don't buy the notion that they are a huge security risk.

    --

    Stupid people make stupid things profitable.
  5. Schneier's thinking is backwards by Theaetetus · Score: 4, Informative

    Requiring a signature comes out of the old contract law of the Statute of Frauds, which requires certain contracts (not all) to be in writing, with a signature by the person to be bound to the contract. It was so that you couldn't agree to sell someone an expensive good, collect the money, then give them a cheap one and claim that that was the original contract - or so that you couldn't agree to buy the expensive good, pay them a dollar, and claim that was the original contract. Your signature isn't about protecting you from identity theft, it's about protecting the other party from your fraud.

    So, why do companies accept easily faked signatures by fax? They have a signature, so you're bound to the agreement. The burden of proof is on you if you want to prove the signature was faked, not them, so they're protected. They'll either get paid by you, or you'll find the identity thief and they'll get paid by him or her.

    The bigger question would be why do we agree to being bound to our faxed signatures? And the answer there is convenience. Sure, they can be faked, but it's a lot nicer than having to wait for the US Mail.

  6. Re:It's an "older" technology by Jhon · Score: 4, Informative

    TECHNICALLY, the "fax machine" was invented in the 19th century. It became WIDELY used in the 1970s. While the first EMAIL may have been keyed in 1965, it could HARDLY have been considered to have been in WIDE use.

    So, YES, the fax machine is OLDER. Much older.

  7. Re:Actually, I LOVE the CC sig. by eXonyte · Score: 5, Informative

    Did you know that putting "See ID" or "See License" invalidates a Visa card unless you sign it as well? Unless, of course, your legal name happens to be "See License".

    Check out the Rules for Visa Merchants, in particular page 34 (page 29 if printed). There is some amusing information in there, such as the fact that merchants are not allowed to require ID for a credit card purchase.

    [...] merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID.

    I have no idea if MasterCard, Discover, or Amex have similar rules.
  8. Re:Actually, I LOVE the CC sig. by smbarbour · Score: 4, Informative

    I work in the credit card industry, so I do know how it works...

    1) The signature on the back of the card authorizes it for use. Failure to sign the card is supposed to indicate that the card is not authorized.

    2) Merchants are NOT allowed to check ID as a condition of credit card acceptance.

    3) The signatures do NOT have to match. The signature on the card only authorizes the card for use and is not for comparison.

  9. Re:It's an "older" technology by reebmmm · Score: 4, Informative

    The acceptance of fax signatures has to do only with fact that fax machines have been around for a long time

    This is part of it, but the real reason why is that the law (E-SIGN and various other state versions) has basically said that you can't deny a signature MERELY because it's electronically signed.

    Oh, and also because it's silly not to accept an electronic signature.

    It might surprise people but there's hardly a reason NOT to accept a fax/electronic signature since a signature is really meaningless in the business context. It is essentially EVIDENCE. It's not conclusive. There are certain enumerated situations (like wills and real estate) where signatures are a big deal, but these are not the day-to-day transactions people usually think about.

    In a contract, the question is whether the parties intended to form a contract. A signature can be evidence of that. So can clicking a button. So can doing s/First Last/. So can paying for the goods. So can accepting the goods. So can performing. So can stating so in an e-mail with a contract attached. And on and on.

    Besides, the risk of fraud exists regardless of whether you get a real signature or otherwise. Again, even when there's a fraud, the signature becomes evidence of the fraud. Heck, even requiring in person signature is not a sure fire way to prevent fraud. Frequently the person accepting an actual signed contract will not be in a position to evaluate whether the signature is in fact true or fraudulent.
  10. Re:It's an "older" technology by Cyberax · Score: 3, Informative

    Nope. http://en.wikipedia.org/wiki/Pantelegraph was invented in 1861.

  11. Re:Actually, I LOVE the CC sig. by alan_dershowitz · Score: 4, Informative

    The signatures do NOT have to match. The signature on the card only authorizes the card for use and is not for comparison.

    This is WRONG. If you go through with a transaction where the signatures don't match, your business could be held LIABLE for the purchase if it was a fraudulent transaction. You are supposed to hold the card and make a Code 10 call to VISA and ask for further instructions if the signature doesn't appear to match.
  12. Re:Should have stop at, Aren't FAXes the weirdest by torkus · Score: 3, Informative

    Actually you're not correct there. Digitally scanned documents are legal substitutes for the original.

    Don't believe me? Check with your bank. Checks are not physically distributed to other banks for payment/clearing (I believe) and virtually all banks use digital images for "returning" your check (I know for a fact). Print out that digital image and it's perfectly valid in court.

    The law this is based off is the one that says 'a copy of a document is legally equivalent to the original'. Heck, you realize most modern photocopy machines are actually a fancy scanner and laser printer with a computer in between, right?

    --
    You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  13. Re:Should have stop at, Aren't FAXes the weirdest by Wrath0fb0b · Score: 4, Informative

    The reason your bank can use a digital image for your check is because Congress created a legally binding document called a "substitute check" (this was in the wake of 9/11, when paper checks were stuck on the ground for 3 days). See http://en.wikipedia.org/wiki/Check_21_Act. Before that act, the original dead-tree check had to be sent to the account bearer's bank for actual processing.

    I would be wary of stretching that logic to apply to any legal document -- if scanned documents were valid, banks could have been doing this with checks before the intervention of Congress. Then again, I don't know why faxed documents are presumed any better.

  14. Re:Older generation by iocat · Score: 4, Informative

    Great points. In practice, we usually fax contracts so we can start working, then send (via FedEx) paper copies for 'real' execution. I can't think of an example in 15+ years in the working world where a fax signature wasn't used in a positive manner -- to seal the deal on something everyone already agreed on, like an NDA or a writing assignment or a negotiated development contract.

    On the other hand, we also switched to the e-signing service DocuSign for our internal contracts and approvals, because using a fax machine is such a massive pain in the ass and no one in our company likes dealing with paper. A few of our clients use it too, it's pretty wonderful. As secure as you want it to be, and also quick and easy.

    --

    Dude, I think I can see my house from here.

  15. Re:Should have stop at, Aren't FAXes the weirdest by Pendersempai · Score: 3, Informative

    That's ridiculous. Far more contracts occur online than in writing. Every single purchase from Amazon.com, every single bid on an auction at eBay, and every sale that occurs over craigslist happens without a physical pen-and-paper signature. There is no doubt that these are valid orders.

    And it's not all small transactions, either. Amateur and professional traders alike make trades worth vast sums of money online. Even wire transfers, which can be billions of dollars, happen over the phone and online within hours.

    The idea that emailed contracts aren't enforceable -- or even that there's reasonable fear of them not being enforceable -- is just plain wrong.

  16. Re:Should have stop at, Aren't FAXes the weirdest by Kadin2048 · Score: 4, Informative

    I am in agreement with you and wanted to point out something that I think furthers your point.

    The Uniform Commercial Code (UCC), which has been adopted by all 50 states, discusses what is a valid signature in Article 1, Section 1-201(39):

    "Signed" includes using any symbol executed or adopted with present intention to adopt or accept a writing.
    (Writing is defined as "printing, typewriting, or any other intentional reduction to tangible form.")

    While that doesn't rule out the possibility of states having other requirements for signatures, the "least common denominator" between all states -- the UCC -- is pretty format-agnostic.

    I think it's also worth pointing out that some 48 states, according to one source, have put digital-signature laws in place that allow some form of non-physical, electronic signature. Some of them are pretty specific to PK crypto, while others are technology-agnostic. I find it a little hard to believe that any state that's gone to the trouble of crafting and passing a digital-signature law would still require faxed signatures.

    What seems more likely to me is that private agreements between parties are the major driver for faxed signatures, because there are contracts forming standing arrangements between businesses that weren't written to take advantage of anything besides the dominant technology (POTS fax) at the time they were written. Therefore, you end up with change orders, POs, and other authorizations having to go by fax, because of some hoary old contract, even though some other form of signature would be theoretically acceptable.
    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."