Slashdot Mirror
Schneier Asks Why We Accept Fax Signatures
Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.
Thats the older generation for you... once you young-uns who grew up with email get promoted to PHB status, you too can adopt your favourite technology of your day to deliver signatures...
The acceptance of fax signatures has to do only with fact that fax machines have been around for a long time, and people think they understand how they work. It just seems safer.
Sadly, the same people who make decisions based on the comfort provided by the familiarity of a technology are those who make policy at companies.
Not just for signatures, but it really annoys me when a company will only accept faxes instead of scanned emails for any number of documents. Luckily the situation has been improving in the recent years.
Businesses have been using faxes for decades. The risk of forgery and other liabilities have pretty much been well-established by law and common knowledge. If a contract requires modifications to be in signed writing, it is a matter of established law that a faxed document counts. Does an e-mail count if the contract doesn't expressly say so? That's just an unnecessary risk at this point. In the future, things may be different but there's no reason to be the first person to settle that uncertainty.
Furthermore, faxes are relatively secure because it is a one-on-one communication. In contrast, e-mails can be intercepted or become widely disseminated. The risks of using e-mail in a business setting (for signatures and the like) have not been tested too thoroughly, either.
A NYC lawyer blogs. http://www.chuangblog.com/
Scott Adams already covered this in "Dilbert".
The accounting trolls told Dilbert that they wouldn't accept copies of his expenses... but he could FAX them.
There, fixed it for you, Bruce.
Between people being quite apt at duplicating another's signature good enough for 'at a glance' acceptance
and
people's signatures changing over time (my bank just informed me that the last signature I gave them deviated too much from the one they had on file since 10 years ago, and so as to please put my signature on their form five times to get them a new basis. Guess what, the five looked alike, sure enough, but they could just as well have been forgery attempts from 5 different people...)
I'd say that signatures in general are relatively unacceptable. Except that they're usually 'good enough' for what we need them for. That's why we accept them in 'analog' writing, faxes and even e-mails. In the few cases where it was indeed forged, it's usually found out pretty easily.
Oh, but wait, Bruce already said as much; not included in the summary, of course. So go RTFA, then come back here to complain about Slashdot's shoddy headline/summary policy.. it's too much like an actual newspaper.
Now... where's the discussion of alternatives? One of those one-time 2D barcodes that uniquely identifies -moi- when used with the recipient's public key.. or something.
I have been told on a few occasions "PGP signed email" is not sufficient, and that only a fax would be accepted. This even happens if the signature can be verified. Banks seem to do this a lot. I wish that they would catch up with the times.
I've signed a load of contracts in the US by having my publisher send me a PDF, which I've returned (by email) having copied and pasted a scanned copy of my signature over it. Interestingly, they would accept this but not a hash of the original PDF signed with a certificate signed by CACert, which had two people verify two pieces of government-issued ID to confirm that I am me.
I am TheRaven on Soylent News
The signature on the credit card or on the sales receipt have been for security purposes. It's there to indicate that you accept the terms and agreements to using the card, and that you agree to pay the credit card company for your purchases.
You never expect irony, do you?
Want to be a professional wrestler? Visit www.iyfwrestling.com
@iyfwrestling
They are about legal requirements.
Faking a fax signature isn't really that much harder than faking a real one.
Sending a fake signature over a fax isn't that much harder than faking a real one, but is no less criminal.
"Notarized" signatures are supposed to be more secure, though if you can produce a convincing fake ID, they probably aren't.
Vaguely related to the topic at hand are the legal rules surrounding any communication.
It's generally accepted (in UK law, at least, so my source says) that once you reply and / or initiate a conversation over a medium, that that medium is then a valid method of contacting you indefinitely over the course of that action.
So if you email a solicitor, then for that solicitor to send you an email back is perfectly legally acceptable and may even be construed as "delivered" whether or not it arrives. Because *you* selected the method of transit. If your mortgage nearly falls through at the last minute and you need to do something incredibly urgent or lose your house, a solicitor acting on your behalf can just send you an email and they've "done their job". If your servers are down, tough, if you no longer have that email, tough. At least if you read the strict letter of the law.
It may be that this is related - once a person has contacted you by fax, then sending back your confirmation by fax is construed as legally acceptable for "signing" a contract. If you don't like it, then don't communicate with them by fax at all. Ever.
On a personal note, if I weren't able to fax legally-binding forms back to a company, I wouldn't have a house, but I still don't "like" it. My purchase of the house dragged on for six months longer than it should have and the solicitor in charge on my end was a close personal friend, so they were stopping all heel-dragging and pulling out all the stops for us.
However, just as we were approaching the signing date, we had an holiday booked (Hey, we thought a six month cushion on top of a six month estimate for the deal would be long enough!). We arrived in a foreign country for a holiday, and within a day we had a phone call to say that if a particular court didn't receive a signed document on an official form within the next eight hours (time differences etc.) then we wouldn't be able to complete the purchase now, or ever (the house would be sold at auction). We had to find a kind hotel (fortunately, we found a hotel receptionist who had recently had much worse problems selling their house and they let us use the hotel fax machine for free) and recieve several forms, sign them and fax them back (and pay a month's mortgage, in cash, within 8 hours but that was easily resolved by phoning relatives near our solicitor's, although we still technically owe them that).
So it worked out well that we were able. I don't think we could have got back in time on the first plane, and there was nothing we or our solicitor could do to negate the need for us to sign the forms and pay in cash (bank transfers etc. wouldn't have cleared in time, believe it or not). However, the fact that anyone could have signed the form just shows that 99% of paperwork is useless and a waste of time, not that fax machines are somehow "evil".
Bruce Schneier sure is oblivious sometimes.
They're accepted because they're good enough.
What does that mean? It means that if there is a problem later, the fax is sufficient evidence to resolve most problems, either by providing proof of a signature or proof of a forgery. As long as most businesses have some documentation to cover themselves that's generally good enough. Certainly some issues may not fall into this category, but enough do to make faxes acceptable.
Security, for many businesses, isn't about "making sure something bad doesn't ever happen" it's about having what you need to resolve a problem should it arise in the future.
I could easily forge my parents signatures when I was 9 (And did it a couple of time). I don't trust a penned signature, why should I trust a faxed one?
Get three pieces of black construction paper and a roll of scotch tape.
Tape them together top to bottom, creating one long sheet. On the bottom, place a piece of tape half over the edge.
Insert the long sheet into the fax machine, and dial the number. As it begins to feed through, quickly affix the top to the bottom sheet, creating a long loop.
Go get a cup of coffee.
The answer is extremely simple. There is precedent in the courts that says a fax signature is acceptable and legally binding. There is no precedent saying that an e-mailed document in digital form is.
Hence on a contract, fax is accepted.
-M
when you see the word 'Linux', drink!
Faxs come with a telephone number of the sender as well. and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationary.
People are comfortable with that because they understand what is involved in doing that. With e-mail and digitial docs its harder for an untrained person to evaluate the threat. Also with digital docs it's harder later to raise questions about the authenticity. With the fax, one can later check for example fax logs on the sending machines and other trails of evidence.
In both cases forgeries are possible but in the case of faxes most humans are able to evaluate the threat.
Some drink at the fountain of knowledge. Others just gargle.
"Can't you see that everyone is buying station wagons?"
Bruce Schneier here. Disregard what I said about faxed signatures. They are perfectly OK.
Here's my OCR-ed signature: Bruce Schneier
First of all, legally, a copy of a contract is just as legitimate as the original (yes, IAAL). Both can be alleged to be forgeries just as easily. In fact a copy could be more easily proved to be a forgery than the original, as one could compare signatures and show that the signature was lifted from another source. It's like one of those infamous "Majestic 12" documents that was allegedly signed by Harry Truman - the best evidence we have that it is not authentic is that the Truman signature is exactly like another signature on another document, it was lifted, cut and pasted, onto the MJ-12 document. Note: I don't want to debate the MJ-12 documents here. Anyway, the other reason why fax signatures are not a security risk is that you know who is going to be sending you the fax. "Sign it and fax it over to me today." You get the fax today. Nobody else would reasonably know about that expectation. It's like going to pick up money from western union - "I'm here to pick up $100 for Brian Halloweth" ... the fact that you know about the 100 bucks for someone named Brian Halloweth is good evidence your claim is legitimate. Ditto with the fax signature. Of course this doesn't apply to general applications that can be signed and faxed at any time, unexpectedly. But those can just as easily be forged, and in this scenario the faxee is less likely to know the signature of the faxor.
Any alleged weakness in a fax signature is also a weakness in a real signature. That's the bottom line. I don't buy the notion that they are a huge security risk.
Stupid people make stupid things profitable.
So, why do companies accept easily faked signatures by fax? They have a signature, so you're bound to the agreement. The burden of proof is on you if you want to prove the signature was faked, not them, so they're protected. They'll either get paid by you, or you'll find the identity thief and they'll get paid by him or her.
The bigger question would be why do we agree to being bound to our faxed signatures? And the answer there is convenience. Sure, they can be faked, but it's a lot nicer than having to wait for the US Mail.
I swear, he makes some good points, but as a security professional he should understand why they accept it. The amount of business they'd loose by not accepting it is worth more than the potential loss if they didn't.
Of course, now that the cat's out of the bad, they'll need to reevaluate.
I wrote "See License" on the back of my credit card. I'm still amazed by the number of vendors who don't look, so I make sure to thank the ones that do, and chide the ones that don't.
Actually, Zug.com has an interesting tale of the author trying to see how much he could get away with when he signed credit card purchases. He even did musical notation once. Very funny.
http://www.zug.com/pranks/credit/
http://www.zug.com/pranks/credit_card/
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Check out the Rules for Visa Merchants, in particular page 34 (page 29 if printed). There is some amusing information in there, such as the fact that merchants are not allowed to require ID for a credit card purchase. I have no idea if MasterCard, Discover, or Amex have similar rules.
The document sent can be doctored in many ways, but there are lots of precedents about misrepresentation, forgery, larceny, and so on. The laws don't need to be changed. If someone forges or misrepresents information, then they're criminally and civilly liable for that action.
We accept and trust people and their submitted documents. Fancy that.
What? They're not real? That's a bad thing. Time to call the prosecutors. Jail for that? Really? Good.
---- Teach Peace. It's Cheaper Than War.
I work in the credit card industry, so I do know how it works...
1) The signature on the back of the card authorizes it for use. Failure to sign the card is supposed to indicate that the card is not authorized.
2) Merchants are NOT allowed to check ID as a condition of credit card acceptance.
3) The signatures do NOT have to match. The signature on the card only authorizes the card for use and is not for comparison.
We had one vendor who refused to accept a signature on a scanned and e-mailed document - They insisted that it be faxed. We even pointed out that we were just going to print out the scanned document and drop it in the fax machine because the physical document had already been handed off to somebody else and we suggested that they just print it themselves. They still wanted the fax, so we printed and faxed the document we'd already delivered and that satisfied them. Bizarre.
He's getting rather old, but he's a good mouse.
Faxed copies of documents are legally binding, scanned+printed are not. Blame the law that hasn't caught up yet.
So when I walk out of a gas station because they wanted to see my license because I wanted to pay for a coke and some chips with my credit card, can I do anything about it?
IOW, is reporting violators of 2) in the above post actually worthwhile?
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
Just to inform all of you (mostly Americans); In Sweden, we haven't used fax machines for about 20 years. Well, surely some people do, but it's extremely rare, and no one consider them safe. We've used E-mail or snail mail since it's either simpler, or more secure.
Me, and most people I know, have almost never used a fax machine, and we don't understand why people around the world ever use them, at all.
This issue is very local and applies only to countries still using fax machines. Perhaps the issue isn't really about if fax machines are secure, but more general; why use them at all? They are stone age, insecure, crap quality, slow, consumes an entire phone line, etc. Much like checks. I don't think I know any swedish person who have ever used a check in his/her whole life, and that includes parents and grand parents.
So what's wrong? Fax being insecure? No, keeping bad and obsolete depricated technology. Fax machines, checks, inch, feet, Fahrenheit, etc...
Come on, the entire world is laughing at you. I'm not trying to troll, but rather to enlight. We do laugh; "Well, you know Yanks" and so on. Please give us a reason to stop that.
My understanding (based on the contracts I have worked with over the years) is that this condition isn't a legal condition, but rather something that is specified in the agreements between companies. Our contracts specifically call out that faxed approvals are sufficient, and newer contracts say the same about e-mail. This is working with financial institutions on matters such as project approvals and change control approvals.
I wouldn't do this for big deals involving large amounts of money (exceeding 6 or 7 figures), but I for one don't worry too much about an email approval.
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
Actually you're not correct there. Digitally scanned documents are legal substitutes for the original.
Don't believe me? Check with your bank. Checks are not physically distributed to other banks for payment/clearing (I believe) and virtually all banks use digital images for "returning" your check (I know for a fact). Print out that digital image and it's perfectly valid in court.
The law this is based off is the one that says 'a copy of a document is legally equivilant to the original'. Heck, you realize most modern photocopy machines are actually a fancy scanner and laser printer with a computer inbetween right?
You can get rich if you own a politician, but you have to be rich to buy one in the first place.
All that is required to be legally binding is an offer and acceptance. This can even happen orally. For some kinds of contracts -- covered by the Statute of Frauds -- you need to have a written document which must be "signed," but this refers only to some indication in the document that the person has knowingly agreed to be bound; a suitable email will suffice.
Here, some googling found this: "Signature" merely means any authentication which identifies the party to be charged. Even a letterhead or an "X" will do, provided it is placed on the wriiting with the intent to authenticate it. (Merrill Lynch, Pierce, Fenner & Smith, Inc. v. Cole 457 A.2d 656, 663 (Conn.,1983).) http://www.west.net/~smith/frauds.htm
(I'm not your lawyer and none of this was legal advice, obviously.)
Working for a startup company back in 1992 we solved the distance signature problem. It was called Telesignature (patent # 5,222,138). I am listed as co-inventor ( the other person who hired me had no technical knowledge ). You would place a document into an secure enclosure and a scanner would scan it and send the image to via modem (9600bps in 1992) to a pen computer on the other end. The person would review and sign the document and the signature would be sent back and written with a pen plotter on the original document. We got lots of raves on the signature quality. Virtually no who was shown the signatures could tell it was written by a machine. We used RSA keys to ensure the whole process was tamper proof and an audit trail was left. A year alter we brought out a companion product called fax-a-check. The digital copies of the document are what actually provided proof of the transaction. The legal system at the time demanded written documents and so it seems still does.
The reason your bank can use a digital image for your check is because Congress created a legally binding document called a "substitute check" (this was in the wake of 911 when paper checks were stuck on the ground for 3 days). See http://en.wikipedia.org/wiki/Check_21_Act. Before that act, the original dead-tree check had to be sent to the account bearer's bank for actual processing.
I would be wary of stretching that logic to apply to any legal document -- if scanned documents were valid, banks could have been doing this with checks before the intervention of Congress. Then again, I don't know why faxed documents are presumed any better.
Not quite true.
America, Home of the Brave.
I thought it was:
4 melvon
5 mevon
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
I mean, a fake signature may be fraud, but at the end of the day your argument is like arguing that you should be alive after getting hit by a drunk driver because he broke the law.
"Just because you're right doesn't make you any less dead/injured/royally boned"
+5, Truth
Depends on where you live.
My wife is a real-estate agent. Has to deal with passing a lot of signatures around. It was only a couple of years ago that North Carolina passed a law to make faxed signatures legally binding.
Lot of Fedexing going on up till then.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
I don;t think it is so much that faxes have been codified as legally binding, and scan + print and or e-mail have not been, its that faxes have been tested. Court cases where faxed documents were disputed, have been found to be a valid method in court. Chances are pretty good an E-mailed PDF or similar would be as well. Its just that there is a risk it might not be, however small nobody wants to take the chance.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Well, I wish someone would tell the idiotic head of HR of my previous company that...
While I was looking for a new job, one prospective employer wanted to verify my employment history, and called her.
She refused to verify my history over the phone - claiming privacy issues.
Fortunately the company hired to do my background check called me about this problem (apparently it's rather common.) They had me digitally sign a request for the stupid HR officer to verify my employment history with the background checking company.
She refused - claiming that digitally signed documents are not legally binding.
Instead, I had to fax a signed request to her - and then call my former boss to politely ask "WTF?!?"
FORTUNATELY the background check company was willing to work with me on this and I got the job.
However, I still have to wonder how many other job offers I may have missed due to this b*tch's refusal to do her job. Now that I think about, I did have a few job prospects abruptly dry up even though I knew the hiring manager and engineers were impressed with me, only to be told by their HR department "we've decided on someone else." without so much of an explanation as to why I was not being considered any further.
That's ridiculous. Far more contracts occur online than in writing. Every single purchase from Amazon.com, every single bid on an auction at eBay, and every sale that occurs over craigslist happens without a physical pen-and-paper signature. There is no doubt that these are valid orders.
And it's not all small transactions, either. Amateur and professional traders alike make trades worth vast sums of money online. Even wire transfers, which can be billions of dollars, happen over the phone and online within hours.
The idea that emailed contracts aren't enforceable -- or even that there's reasonable fear of them not being enforceable -- is just plain wrong.
The issue is whether a contract would be disputed, and one party would be stuck as a result.
For example, with wire transfers there are all kinds of non-consumer-friendly bank laws out there. If the bank followed the appropriate processes and some identity thief gets the bank to send $1M of some customers money to some foreign bank, the bank probably could care less. Chances are that banking laws will make the customer liable and they weren't involved.
Now, imagine this scenario. You pay me $50k in untraceable cash as consideration for me privately providing you with some form of insurance (say a million dollars worth). You suffer a loss that I am liable for. I simply deny having ever signed the contract. If the contract were on paper you would have an expert witness testify that it could be forensically traced to me. If the contract were faxed you would point to all kinds of court precedents for faxed documents. If the contract were emailed there would not be much precedent - maybe I'd owe you, and may be not. Unless you like taking your chances (and who buys insurance when they like to take chances?), you're going to insist on some well-tested form of transmission.
Basically the issue comes down to repudiation. It is easy to repudiate a document transitted electronically unless crytographic safeguards are used. FAX should be easy to repudiate but for various reasons it has a perception of authority and it has been well-tested in court.
The Uniform Commercial Code (UCC), which has been adopted by all 50 states, discusses what is a valid signature in Article 1, Section 1-201(39):(Writing is defined as "printing, typewriting, or any other intentional reduction to tangible form.")
While that doesn't rule out the possibility of states having other requirements for signatures, the "least common denominator" between all states -- the UCC -- is pretty format-agnostic.
I think it's also worth pointing out that some 48 states, according to one source, have put digital-signature laws in place that allow some form of non-physical, electronic signature. Some of them are pretty specific to PK crypto, while others are technology-agnostic. I find it a little hard to believe that any state that's gone to the trouble of crafting and passing a digital-signature law would still require faxed signatures.
What seems more likely to me is that private agreements between parties are the major driver for faxed signatures, because there are contracts forming standing arrangements between businesses that weren't written to take advantage of anything besides the dominant technology (POTS fax) at the time they were written. Therefore, you end up with change orders, POs, and other authorizations having to go by fax, because of some hoary old contract, even though some other form of signature would be theoretically acceptable.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Email creates more logs than a fax. It creates a log not only at the server on either end, but in cases of companies with complex relaying setups, potentially multiple servers in between.... I'm assuming what you mean is that a fax creates a third-party log at the phone company. Even this is trivially falsifiable, however, with a trunk line and a device that generates a false Caller ID message. While IIRC there is a secondary log that's harder to falsify, if memory serves, good luck getting access to it except as part of a criminal investigation....
Check out my sci-fi/humor trilogy at PatriotsBooks.
Maybe he is missing the whole point: the security in the fax comes not from the printed paper you are sending, BUT from the fact that they can check the origin of the fax transmission. Faxes are point-to-point communication channels, so it is VERY difficult to intercept them or the impersonate other's people fax number.