Schneier Asks Why We Accept Fax Signatures
Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.
I find it amazing that CC companies want customer sigs on the back of the card. I add CID and SIGN it. About half of the ppl will now check for my ID.
I prefer the "u" in honour as it seems to be missing these days.
There, fixed it for you, Bruce.
Between people being quite adept at duplicating another's signature well enough for 'at a glance' acceptance
and
people's signatures changing over time (my bank just informed me that the last signature I gave them deviated too much from the one they had on file from 10 years ago, and asked me to please put my signature on their form five times to give them a new basis. Guess what, the five looked alike, sure enough, but they could just as well have been forgery attempts from 5 different people...)
I'd say that signatures in general are relatively unacceptable. Except that they're usually 'good enough' for what we need them for. That's why we accept them in 'analog' writing, faxes and even e-mails. In the few cases where it was indeed forged, it's usually found out pretty easily.
Oh, but wait, Bruce already said as much; not included in the summary, of course. So go RTFA, then come back here to complain about Slashdot's shoddy headline/summary policy... it's too much like an actual newspaper.
Now... where's the discussion of alternatives? One of those one-time 2D barcodes that uniquely identifies -moi- when used with the recipient's public key.. or something.
This might have been an interesting question to ask about 7-8 years ago but now it just seems like Bruce is running out of topics.
Back in the early 90's there was a particular mail order company that required a copy of your driver's license as proof of purchase for people 18 or older *coughs*
It wasn't that hard to xerox 2 copies of your driver's license and then cut out the numbers with scissors on one and then tape them on the other and then xerox a 3rd copy, and you really couldn't tell the difference. *coughs* Not that I knew anything about it.
So back then, even with fax machines, it's simply not that hard to find a document with someone's signature, cut it out and then tape it and then xerox it and then fax the xerox, and no one would be the wiser.
These days it's simply a cut and paste in Photoshop and then printing to a fax printer if you happen to have one.
Under US law, which I'm not citing first thing in the morning, a fax is a "legal facsimile" of the original. Under law, if you have a faxed copy of something you may as well have an original. Email doesn't have that legal status, so a scanned and emailed original won't cut it.
I'm a young guy, but my professors told me stories of how they would have to actually look at a network map and route the emails themselves if there wasn't a direct link between the two endpoints. So yes, while email has existed since the 60s, it didn't come into wide use until the 90s.
Okay, email is older; I'll trust you on that.
;)
However, when was there widespread use? I seem to recall that in 1992 the fax was in use, and friends of the family had one and used it. The first interweb came into existence in September 1993 (hint: ha-ha-only-serious). It has taken people some time getting used to it; some mothers more than others.
I think that's ultimately more relevant.
(mod parent informative)
It has to do with what is considered a legally equivalent fraud to creating and mailing forged documents.
Additionally a fax normally has an independent audit trail via 3rd party phone records (at least in theory).
So if you sign a contract and fax it through, then later claim it wasn't you that sent it, I'd ask for a verified copy of your or the sender's phone bill to start with.
Actually, the summary is misleading as hell. He goes on to say exactly why fax signatures are accepted and analyzes the security implications. Since faxes almost never come out of the blue and they carry a lot of information linking the fax to a specific phone number, it's trivial to verify a fax with or without the signature. I honestly don't know how anyone who read the article can come out of it thinking that Schneier opposed signatures on faxes.
Just to inform all of you (mostly Americans): In Sweden, we haven't used fax machines for about 20 years. Well, surely some people do, but it's extremely rare, and no one considers them safe. We've used e-mail or snail mail since it's either simpler or more secure.
Me, and most people I know, have almost never used a fax machine, and we don't understand why people around the world ever use them, at all.
This issue is very local and applies only to countries still using fax machines. Perhaps the issue isn't really about whether fax machines are secure, but more general: why use them at all? They are stone age, insecure, crap quality, slow, consume an entire phone line, etc. Much like checks. I don't think I know any Swedish person who has ever used a check in his/her whole life, and that includes parents and grandparents.
So what's wrong? Fax being insecure? No, keeping bad and obsolete deprecated technology. Fax machines, checks, inch, feet, Fahrenheit, etc...
Come on, the entire world is laughing at you. I'm not trying to troll, but rather to enlighten. We do laugh; "Well, you know Yanks" and so on. Please give us a reason to stop that.
This reminds me of a story from my youth. A teacher assigned our class a collection of assignments, and whenever we turned something in, she would sign off on a form she gave each of us to keep, if the work was acceptable and we received credit for it. At the end of the semester, she would collect the forms, total the results, and that would be the grade for that portion of the class.
A friend of mine didn't have enough signatures to pass the class at the end of the semester, so we collected sheets from a few people, and scanned quite a few of the teacher's signatures. We then got rid of all the extra stuff, copied and pasted the signatures onto a blank 8.5" x 11" document, and made some test prints to get the exact placement right. When the time came, we ran his original form sheet through the printer, and printed the new signatures where they would have appeared on the document. It was extremely difficult to tell which signatures were real and which were printed on in the final document, even knowing that some were forgeries. The results were essentially perfect, the teacher never noticed, and we never got caught.
This occurred over 10 years ago now, and I haven't helped anybody cheat on anything since. Perhaps relying on signatures to authenticate documents isn't such a good idea anymore, now that they can be so easily duplicated.
Except that the sending phone, business name, etc. are the equivalent of email headers, and just as easy to fake. Try setting up hylafax - it will prompt you to enter all of that info.
Working for a startup company back in 1992 we solved the distance signature problem. It was called Telesignature (patent # 5,222,138). I am listed as co-inventor (the other person who hired me had no technical knowledge). You would place a document into a secure enclosure and a scanner would scan it and send the image via modem (9600bps in 1992) to a pen computer on the other end. The person would review and sign the document and the signature would be sent back and written with a pen plotter on the original document. We got lots of raves on the signature quality. Virtually no one who was shown the signatures could tell it was written by a machine. We used RSA keys to ensure the whole process was tamper proof and an audit trail was left. A year later we brought out a companion product called fax-a-check. The digital copies of the document are what actually provided proof of the transaction. The legal system at the time demanded written documents and so it seems still does.
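The remote-signing flow the comment above describes, modelled as an added example (not Telesignature's own code or format): the scan is hashed and signed before it leaves the sender, the pen strokes are signed together with that hash on the signing side, and an audit step later replays both checks against the archived scan. Ed25519 stands in for the RSA keys the product used; the record layout, the sender-identity check on the signing side and the sample bytes are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Transcript is one audit-trail record for a remote signing session; its layout is an assumption for this example.
type Transcript struct {
	DocHash   [32]byte // SHA-256 of the scanned document image
	DocSig    []byte   // sender's signature over DocHash
	SigImage  []byte   // signer's pen strokes as returned to the sender
	ReturnSig []byte   // signer's signature over DocHash||SigImage
}

// SendDocument: the sending side hashes the scan and signs the hash before the image goes over the modem link.
func SendDocument(sender ed25519.PrivateKey, scan []byte) Transcript {
	t := Transcript{DocHash: sha256.Sum256(scan)}
	t.DocSig = ed25519.Sign(sender, t.DocHash[:])
	return t
}

// ReturnSignature: the signing side checks who sent the image, then binds
// the pen strokes to that exact document hash by signing both together.
func ReturnSignature(signer ed25519.PrivateKey, senderPub ed25519.PublicKey,
	t Transcript, pen []byte) (Transcript, error) {
	if !ed25519.Verify(senderPub, t.DocHash[:], t.DocSig) {
		return t, fmt.Errorf("document image not signed by expected sender")
	}
	t.SigImage = pen
	t.ReturnSig = ed25519.Sign(signer, append(t.DocHash[:], pen...))
	return t, nil
}

// Audit replays both checks against the archived scan: a swapped document,
// a swapped signature image or an unexpected party fails here.
func Audit(senderPub, signerPub ed25519.PublicKey, scan []byte, t Transcript) bool {
	h := sha256.Sum256(scan)
	if h != t.DocHash || !ed25519.Verify(senderPub, h[:], t.DocSig) {
		return false
	}
	return ed25519.Verify(signerPub, append(h[:], t.SigImage...), t.ReturnSig)
}

func main() {
	senderPub, sender, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	signerPub, signer, _ := ed25519.GenerateKey(nil)
	scan := []byte("constructed scan of a one-page contract") // constructed sample input
	t, err := ReturnSignature(signer, senderPub, SendDocument(sender, scan), []byte("constructed pen strokes"))
	fmt.Println(err, "audit passes:", Audit(senderPub, signerPub, scan, t))
}
```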
Scanned and printed copies are treated the same as a "xerox" photocopy.
I suspect that your confusion stems from the fact that if you print two copies of a document from e.g. MS-Word, neither is considered a copy of the other. If the law requires you to provide someone with a "copy", you need to print one copy then photocopy it (scanning and printing counts). IOW, the copy must be made from a physical document, not from the data which was used to generate it.
I worked for an A paper lender from 1996 to 2001. For the majority of that time, we didn't accept faxed in loan submissions. The idea was that a broker or loan officer could simply fax a loan to a dozen different lenders all at once instead of committing his business with us and because it was too easy to doctor loan docs and fax 'em in. We demanded original signatures and docs printed using a laser printer (yes, that was a requirement) or on original pre-printed loan applications. The only faxes we would accept would be loan conditions like a flood cert, mortgage insurance or something like that. We also didn't accept loan packages with appraisals done with a digital camera because the images could be doctored easily. Sometime near 1999, we started a limited doc fax program for brokers we had high confidence in and were pretty sure wouldn't send in bogus loan info.
Years later, I worked as an Account Executive for a subprime lender, where we accepted EVERYTHING by fax. They're out of business now and the industry as a whole is reeling from rampant fraud.
In fact large (multi-million dollar) deals are made all day long with oral contracts (for the US they are usually recorded too).
I was doing document presentation at a trial where someone had to pay mid 7 figures because they made an oral agreement to sell stock and bonds and then didn't produce. The brokerage doing the purchase then sold them the same day (orally). When the original seller (who himself had made the purchase on a non-recorded phone conversation, and didn't understand what he was purchasing, which is where the benefit of writing comes in, since it became he said/he said) didn't come through, the brokerage still had to cover their oral agreements (by purchasing over market price).
These few brokers had done deals worth more than I am likely to spend in my entire life (mid 8 figures; the 7 figures was the amount they spent over market price to sell it at such) with purely oral agreements in a span of time under 48 hours. Big money can move without a scrap of paper (and in the case of the people working in France, there was not even a phone recording).
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Where I live (and no, it's not Uzbekistan) banks fax everything. I've had a look into the "transmission room" in some locations when doing hardware maintenance and seen some BAD ASS faxing monsters, with auto feeder accepting variable paper size and quality, error checking, scheduler, reporting, multiple user access levels etc. The amount of money and technology invested in such a tool that after all goes biii bzzt bzzt over a tiny cable at the business end was simply mind-boggling.
Depends on where you live.
My wife is a real-estate agent. Has to deal with passing a lot of signatures around. It was only a couple of years ago that North Carolina passed a law to make faxed signatures legally binding.
Lot of Fedexing going on up till then.
This may be off-topic, but it reminds me of how my mother-in-law gave me money for a down payment on a house. Because the money was in cash, the bank required us to go to a bank and have her get the money changed over to a cashier's check, which I then had to photocopy, deposit into my account, and keep in that account until the day of the closing (when it had to be transferred to another cashier's check). All this to prove that the cash was given by her (which it didn't), and to create a paper trail (which was created in a process that could probably be described as "money laundering").
But they DID accept high-res scans in lieu of photocopies or faxes.
Well, I wish someone would tell the idiotic head of HR of my previous company that...
While I was looking for a new job, one prospective employer wanted to verify my employment history, and called her.
She refused to verify my history over the phone - claiming privacy issues.
Fortunately the company hired to do my background check called me about this problem (apparently it's rather common). They had me digitally sign a request for the stupid HR officer to verify my employment history with the background checking company.
She refused - claiming that digitally signed documents are not legally binding.
Instead, I had to fax a signed request to her - and then call my former boss to politely ask "WTF?!?"
FORTUNATELY the background check company was willing to work with me on this and I got the job.
However, I still have to wonder how many other job offers I may have missed due to this b*tch's refusal to do her job. Now that I think about it, I did have a few job prospects abruptly dry up even though I knew the hiring manager and engineers were impressed with me, only to be told by their HR department "we've decided on someone else" without so much as an explanation as to why I was not being considered any further.
Maybe he is missing the whole point: the security in the fax comes not from the printed paper you are sending, BUT from the fact that they can check the origin of the fax transmission. Faxes are point-to-point communication channels, so it is VERY difficult to intercept them or to impersonate other people's fax numbers.
Interesting... which reminds me, didn't Clinton make digital signatures legal before leaving office, and if so, then wouldn't that then allow printed copies of a digitally signed document count as being legally binding?