Slashdot Mirror

← Back to Stories (view on slashdot.org)

Schneier Asks Why We Accept Fax Signatures

Posted by timothy on from the emperor's-new-clothes dept.

Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.

7 of 531 comments (clear)

  1. Animaether Asks Why We Accept Signatures by Animaether · · Score: 4, Interesting

    There, fixed it for you, Bruce.

    Between people being quite apt at duplicating another's signature good enough for 'at a glance' acceptance

    and

    people's signatures changing over time (my bank just informed me that the last signature I gave them deviated too much from the one they had on file since 10 years ago, and so as to please put my signature on their form five times to get them a new basis. Guess what, the five looked alike, sure enough, but they could just as well have been forgery attempts from 5 different people...)

    I'd say that signatures in general are relatively unacceptable. Except that they're usually 'good enough' for what we need them for. That's why we accept them in 'analog' writing, faxes and even e-mails. In the few cases where it was indeed forged, it's usually found out pretty easily.
    Oh, but wait, Bruce already said as much; not included in the summary, of course. So go RTFA, then come back here to complain about Slashdot's shoddy headline/summary policy.. it's too much like an actual newspaper.

    Now... where's the discussion of alternatives? One of those one-time 2D barcodes that uniquely identifies -moi- when used with the recipient's public key.. or something.

  2. Re:It's an "older" technology by vertinox · · Score: 4, Interesting

    Back in the early 90's there was a particular mail order company that required a copy your drivers license for proof of purchase people of 18 or older *coughs*

    It wasn't that hard to xerox 2 copies your drivers license and then cut out the numbers with scissors on one and then tape them on the other and then xerox a 3rd copy and you really couldn't tell the difference. *coughs* Not that I knew anything about it.

    So back then even with fax machines, its simply not that hard to to find a document of someone signature, cut it out and then tape it and then xerox it and then fax the xerox and no one would be wiser.

    These days its simply a cut and paste in photoshop and then printing to a fax printer if you happen to have one.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  3. Re:It's an "older" technology by Maserati · · Score: 5, Interesting

    Under US law, which I'm not citing first thing in the morning, a fax is a "legal facsimile" of the original. Under law, if you have a faxed copy of something you may as well have an original. Email doesn't have that legal status, so a scanned and emailed original won't cut it.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  4. Re:It's an "older" technology by CastrTroy · · Score: 4, Interesting

    I'm a young guy, but my professors told me stories of how they would have to actually look at a network map and route the emails themselves if there wasn't a direct link between the two endpoints. So yes, while email has existed since the 60's it didn't come into wide use until the 90s.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  5. Re:Older generation by moderatorrater · · Score: 5, Interesting

    Actually, the summary is misleading as hell. He goes on to say exactly why fax signatures are accepted and analyzes the security implications. Since faxes almost never come out of the blue and they carry a lot of information linking the fax to a specific phone number, it's trivial to verify a fax with or without the signature. I honestly don't know how anyone who read the article can come out of it thinking that Schneier opposed signatures on faxes.

  6. We haven't had faxes for 20 years by Anonymous Coward · · Score: 5, Interesting

    Just to inform all of you (mostly Americans); In Sweden, we haven't used fax machines for about 20 years. Well, surely some people do, but it's extremely rare, and no one consider them safe. We've used E-mail or snail mail since it's either simpler, or more secure.

    Me, and most people I know, have almost never used a fax machine, and we don't understand why people around the world ever use them, at all.

    This issue is very local and applies only to countries still using fax machines. Perhaps the issue isn't really about if fax machines are secure, but more general; why use them at all? They are stone age, insecure, crap quality, slow, consumes an entire phone line, etc. Much like checks. I don't think I know any swedish person who have ever used a check in his/her whole life, and that includes parents and grand parents.

    So what's wrong? Fax being insecure? No, keeping bad and obsolete depricated technology. Fax machines, checks, inch, feet, Fahrenheit, etc...
    Come on, the entire world is laughing at you. I'm not trying to troll, but rather to enlight. We do laugh; "Well, you know Yanks" and so on. Please give us a reason to stop that.

  7. Re:Should have stop at, Aren't FAXes the weirdest by amuro98 · · Score: 4, Interesting

    Well, I wish someone would tell the idiotic head of HR of my previous company that...

    While I was looking for a new job, one prospective employer wanted to verify my employment history, and called her.

    She refused to verify my history over the phone - claiming privacy issues.

    Fortunately the company hired to do my background check called me about this problem (apparently it's rather common.) They had me digitally sign a request for the stupid HR officer to verify my employment history with the background checking company.

    She refused - claiming that digitally signed documents are not legally binding.

    Instead, I had to fax a signed request to her - and then call my former boss to politely ask "WTF?!?"

    FORTUNATELY the background check company was willing to work with me on this and I got the job.

    However, I still have to wonder how many other job offers I may have missed due to this b*tch's refusal to do her job. Now that I think about, I did have a few job prospects abruptly dry up even though I knew the hiring manager and engineers were impressed with me, only to be told by their HR department "we've decided on someone else." without so much of an explanation as to why I was not being considered any further.