Slashdot Mirror


Schneier Asks Why We Accept Fax Signatures

Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.

13 of 531 comments

  1. Animaether Asks Why We Accept Signatures by Animaether · Score: 4, Interesting

    There, fixed it for you, Bruce.

    Between people being quite apt at duplicating another's signature good enough for 'at a glance' acceptance

    and

    people's signatures changing over time (my bank just informed me that the last signature I gave them deviated too much from the one they had on file since 10 years ago, and so as to please put my signature on their form five times to get them a new basis. Guess what, the five looked alike, sure enough, but they could just as well have been forgery attempts from 5 different people...)

    I'd say that signatures in general are relatively unacceptable. Except that they're usually 'good enough' for what we need them for. That's why we accept them in 'analog' writing, faxes and even e-mails. In the few cases where it was indeed forged, it's usually found out pretty easily.
    Oh, but wait, Bruce already said as much; not included in the summary, of course. So go RTFA, then come back here to complain about Slashdot's shoddy headline/summary policy.. it's too much like an actual newspaper.

    Now... where's the discussion of alternatives? One of those one-time 2D barcodes that uniquely identifies -moi- when used with the recipient's public key.. or something.

  2. Re:Actually, I LOVE the CC sig. by zoward · Score: 3, Interesting

    I find it amazing that CC companies want customer sigs on the back of the card. I add CID and SIGN it. About half of the ppl will now check for my ID. Good idea. I wrote "See License" on the back of my credit card. I'm still amazed by the number of vendors who don't look, so I make sure to thank the ones that do, and chide the ones that don't.
    --
    "Can't you see that everyone is buying station wagons?"
  3. Re:It's an "older" technology by vertinox · Score: 4, Interesting

    Back in the early 90's there was a particular mail order company that required a copy of your driver's license for proof of purchase people of 18 or older *coughs*

    It wasn't that hard to xerox 2 copies of your driver's license and then cut out the numbers with scissors on one and then tape them on the other and then xerox a 3rd copy and you really couldn't tell the difference. *coughs* Not that I knew anything about it.

    So back then even with fax machines, it's simply not that hard to find a document with someone's signature, cut it out and then tape it and then xerox it and then fax the xerox and no one would be wiser.

    These days it's simply a cut and paste in Photoshop and then printing to a fax printer if you happen to have one.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  4. Re:It's an "older" technology by Maserati · Score: 5, Interesting

    Under US law, which I'm not citing first thing in the morning, a fax is a "legal facsimile" of the original. Under law, if you have a faxed copy of something you may as well have an original. Email doesn't have that legal status, so a scanned and emailed original won't cut it.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  5. Re:It's an "older" technology by CastrTroy · Score: 4, Interesting

    I'm a young guy, but my professors told me stories of how they would have to actually look at a network map and route the emails themselves if there wasn't a direct link between the two endpoints. So yes, while email has existed since the 60's it didn't come into wide use until the 90s.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  6. Re:Older generation by moderatorrater · Score: 5, Interesting

    Actually, the summary is misleading as hell. He goes on to say exactly why fax signatures are accepted and analyzes the security implications. Since faxes almost never come out of the blue and they carry a lot of information linking the fax to a specific phone number, it's trivial to verify a fax with or without the signature. I honestly don't know how anyone who read the article can come out of it thinking that Schneier opposed signatures on faxes.

  7. Re:Actually, I LOVE the CC sig. by NeoSkandranon · Score: 3, Interesting

    So when I walk out of a gas station because they wanted to see my license because I wanted to pay for a coke and some chips with my credit card, can I do anything about it?

    IOW, is reporting violators of 2) in the above post actually worthwhile?

    --
    If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
  8. We haven't had faxes for 20 years by Anonymous Coward · Score: 5, Interesting

    Just to inform all of you (mostly Americans): in Sweden, we haven't used fax machines for about 20 years. Well, surely some people do, but it's extremely rare, and no one considers them safe. We've used e-mail or snail mail since it's either simpler, or more secure.

    Me, and most people I know, have almost never used a fax machine, and we don't understand why people around the world ever use them, at all.

    This issue is very local and applies only to countries still using fax machines. Perhaps the issue isn't really about if fax machines are secure, but more general; why use them at all? They are stone age, insecure, crap quality, slow, consume an entire phone line, etc. Much like checks. I don't think I know any Swedish person who has ever used a check in his/her whole life, and that includes parents and grandparents.

    So what's wrong? Fax being insecure? No, keeping bad and obsolete deprecated technology. Fax machines, checks, inch, feet, Fahrenheit, etc...
    Come on, the entire world is laughing at you. I'm not trying to troll, but rather to enlighten. We do laugh; "Well, you know Yanks" and so on. Please give us a reason to stop that.

  9. Re:They do accept scanned signatures by jcnnghm · Score: 3, Interesting

    This reminds me of a story from my youth. A teacher assigned our class a collection of assignments, and whenever we turned something in, she would sign off on a form she gave each of us to keep, if the work was acceptable and we received credit for it. At the end of the semester, she would collect the forms, total the results, and that would be the grade for that portion of the class.

    A friend of mine didn't have enough signatures to pass the class at the end of the semester, so we collected sheets from a few people, and scanned quite a few of the teacher's signatures. We then got rid of all the extra stuff, and copied and pasted the signatures onto a blank 8.5" x 11" document, and made some test prints to get the exact placement right. When the time came, we ran his original form sheet through the printer, and printed the new signatures where they would have appeared on the document. It was extremely difficult to tell which signatures were real, and which were printed on, on the final document, even knowing that some were forgeries. The results were essentially perfect, the teacher never noticed, and we never got caught.

    This occurred over 10 years ago now, and I haven't helped anybody cheat on anything since. Perhaps relying on signatures to authenticate documents isn't such a good idea anymore, now that they can be so easily duplicated.

    --
    You don't make the poor richer by making the rich poorer. - Winston Churchill
  10. We solved this in 1993 by pcjunky · Score: 3, Interesting

    Working for a startup company back in 1992 we solved the distance signature problem. It was called Telesignature (patent # 5,222,138). I am listed as co-inventor (the other person who hired me had no technical knowledge). You would place a document into a secure enclosure and a scanner would scan it and send the image via modem (9600bps in 1992) to a pen computer on the other end. The person would review and sign the document and the signature would be sent back and written with a pen plotter on the original document. We got lots of raves on the signature quality. Virtually no one who was shown the signatures could tell it was written by a machine. We used RSA keys to ensure the whole process was tamper proof and an audit trail was left. A year later we brought out a companion product called fax-a-check. The digital copies of the document are what actually provided proof of the transaction. The legal system at the time demanded written documents and so it seems still does.

  11. Re:Should have stop at, Aren't FAXes the weirdest by Shotgun · Score: 3, Interesting

    Depends on where you live.

    My wife is a real-estate agent. Has to deal with passing a lot of signatures around. It was only a couple of years ago that North Carolina passed a law to make faxed signatures legally binding.

    Lot of Fedexing going on up till then.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  12. Re:Should have stop at, Aren't FAXes the weirdest by amuro98 · Score: 4, Interesting

    Well, I wish someone would tell the idiotic head of HR of my previous company that...

    While I was looking for a new job, one prospective employer wanted to verify my employment history, and called her.

    She refused to verify my history over the phone - claiming privacy issues.

    Fortunately the company hired to do my background check called me about this problem (apparently it's rather common.) They had me digitally sign a request for the stupid HR officer to verify my employment history with the background checking company.

    She refused - claiming that digitally signed documents are not legally binding.

    Instead, I had to fax a signed request to her - and then call my former boss to politely ask "WTF?!?"

    FORTUNATELY the background check company was willing to work with me on this and I got the job.

    However, I still have to wonder how many other job offers I may have missed due to this b*tch's refusal to do her job. Now that I think about it, I did have a few job prospects abruptly dry up even though I knew the hiring manager and engineers were impressed with me, only to be told by their HR department "we've decided on someone else," without so much as an explanation as to why I was not being considered any further.

  13. Missing the whole point? by pablochacin · Score: 3, Interesting

    Maybe he is missing the whole point: the security in the fax comes not from the printed paper you are sending, BUT from the fact that they can check the origin of the fax transmission. Faxes are point-to-point communication channels, so it is VERY difficult to intercept them or to impersonate other people's fax numbers.