Slashdot Mirror


Schneier Asks Why We Accept Fax Signatures

Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.

13 of 531 comments

  1. Older generation by FriendlyLurker · · Score: 5, Insightful

    That's the older generation for you... once you young-uns who grew up with email get promoted to PHB status, you too can adopt your favourite technology of your day to deliver signatures...

    1. Re:Older generation by AKAImBatman · · Score: 5, Insightful

      That's the older generation for you...
      Actually, I'd say it's more a matter of practical security vs. air-tight security.

      Most of the posts here act like signed faxes come out of the blue and magically make things happen. Well, that's not a very secure way to use a fax machine. e.g. I'd hate to have Presidential orders executed with only a fax as evidence that the order is issued!

      In real life, faxes of documents occur after a verbal agreement is reached. For example, let's say a company owes me stock options. I tell the company that I wish to exercise the options. They tell me that I need to review the terms of the options and sign them before the stocks are issued to me. Documents are faxed (or emailed!) to me for review. I review the documents and either deliver a verbal rejection (perhaps followed by modified terms) or I sign the documents and fax them in.

      Let's look at the possible attacks in this situation. I have already verbally agreed to pursue this contract. If someone tries to forge my signature (why?) before I decide to reject the contract, the forgery will be discovered when I contact the company to offer my rejection of the terms.

      Well, what if someone poses as me and begins the process? That could potentially be a problem. Except that my identity is usually verified up front. In a smaller company they already know me, my voice, my email, and my address. When I contact them, they know who I am. In a larger company, they will usually require proof of identification along with any papers being signed.

      Someone can still steal the certificates from my mail, but that goes above and beyond the issues with fax machines.

      To give another example, let's say I'm offered an employment contract. Obviously such a contract has been under negotiation for some time. By the time it's been faxed, it's clear as day that it was me who signed it and agreed to the terms. If my signature was forged for whatever reason, it would become rather clear when I don't show up for work the first day, or when some impostor shows up.

      Granted, someone could have been impersonating me the entire time, but then they'd also need forged proof of identification to fill out the necessary tax forms at employment time.

      I think you'll find that any contracts where there is concern of forgery or claims of forgery are handled in one of two ways:

      1. The fax is used to confirm your agreement and get the process started. The actual documents must be physically mailed before the terms of the contract are fully realized.

      2. Fax is unacceptable. The documents must be FedExed and signed for so that they can be tracked from person to person. Someone is ALWAYS accountable for the documents.

      In short, faxes are just fine. Just don't act stupid when working with them. If you ever find a company that does, work to get their legal counsel fired. If that company is signing important documents without legal counsel, RUN. Run far away and never look back.
    2. Re:Older generation by moderatorrater · · Score: 5, Interesting

      Actually, the summary is misleading as hell. He goes on to say exactly why fax signatures are accepted and analyzes the security implications. Since faxes almost never come out of the blue and they carry a lot of information linking the fax to a specific phone number, it's trivial to verify a fax with or without the signature. I honestly don't know how anyone who read the article can come out of it thinking that Schneier opposed signatures on faxes.

    3. Re:Older generation by Tim4444 · · Score: 5, Insightful

      In real life, faxes of documents occur after a verbal agreement is reached.

      That's not always true. In real estate, contract offers are often delivered solely by fax, and the response is also delivered by fax when an offer is accepted. Sometimes the offers and counter offers go back and forth so many times that part of the document becomes too illegible to hold up in court.

      Anyone can go to Kinkos and send a fax pretending it's from me. Someone might not be able to get me hired as in your example, but they might do enough damage to get me fired.

      Faxing was an important technology that served a specific function in its time. It allowed us to transmit documents on analog lines before digital networks were widely accessible. Now that we have the internet and suitable cryptographic techniques, there's no point holding onto faxing. You can push the merits of telegraphs all you want, but I'd rather use a cell phone. Why waste money on a phone line for a fax machine when you can get an internet connection for about the same amount?

      One irony of faxing is that digital lines are taking over in the public phone network as well. However, people are still trying to use the analog fax protocol over digital lines. IP telephony is optimized for voice transmissions. If a packet is lost, many applications will extend the voice from adjacent packets to cover up the dead space from the lost packet. This kind of manipulation makes voice sound good, but it distorts fax signals in a way that the protocol wasn't designed to check. The fax protocol checks for a certain threshold of error before it requests a resend. The designers knew that if they mandated a perfect transmission the resends would slow down the fax too much. They designed the checksums to catch the most common errors that occur with analog lines. With IP telephony manipulation, the fax protocol can't detect much of the manipulation and so you can get a completely munged document that didn't generate a single fax error.

      I think faxing filled an important niche in its time, but the world has moved on so it's time to let go of it. Newer copy machines even let you email your scanned documents which is far more convenient than faxing ever was. I'd rather see companies put their energy into standardizing an email encryption system rather than trying to keep faxing alive.

  2. Doesn't Make Sense To Start New Trends by darkmeridian · · Score: 5, Insightful

    Businesses have been using faxes for decades. The risk of forgery and other liabilities have pretty much been well-established by law and common knowledge. If a contract requires modifications to be in signed writing, it is a matter of established law that a faxed document counts. Does an e-mail count if the contract doesn't expressly say so? That's just an unnecessary risk at this point. In the future, things may be different but there's no reason to be the first person to settle that uncertainty.

    Furthermore, faxes are relatively secure because it is a one-on-one communication. In contrast, e-mails can be intercepted or become widely disseminated. The risks of using e-mail in a business setting (for signatures and the like) have not been tested too thoroughly, either.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
  3. Was just kidding by archeopterix · · Score: 5, Funny

    Bruce Schneier here. Disregard what I said about faxed signatures. They are perfectly OK.
    Here's my OCR-ed signature: Bruce Schneier

  4. Re:It's an "older" technology by Maserati · · Score: 5, Interesting

    Under US law, which I'm not citing first thing in the morning, a fax is a "legal facsimile" of the original. Under law, if you have a faxed copy of something you may as well have an original. Email doesn't have that legal status, so a scanned and emailed original won't cut it.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  5. Re:telephone number by MoonBuggy · · Score: 5, Insightful

    But most people don't have a fax machine, so almost any forms that have to be faxed from customer to business will just have the number of the nearest copy shop with a fax service. If you're faxing a form that you've filled in then the "stationery" is already covered.

    The only thing left is the signature, and the security of that is no different whether it's email, fax or a photocopy delivered by carrier pigeon.

  6. Re:Actually, I LOVE the CC sig. by eXonyte · · Score: 5, Informative
    Did you know that putting "See ID" or "See License" invalidates a Visa card unless you sign it as well? Unless, of course, your legal name happens to be "See License".

    Check out the Rules for Visa Merchants, in particular page 34 (page 29 if printed). There is some amusing information in there, such as the fact that merchants are not allowed to require ID for a credit card purchase.

    [...] merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID.
    I have no idea if MasterCard, Discover, or Amex have similar rules.
  7. Re:Should have stop at, Aren't FAXes the weirdest by Dog-Cow · · Score: 5, Insightful

    Faxed copies of documents are legally binding, scanned+printed are not. Blame the law that hasn't caught up yet.

  8. We haven't had faxes for 20 years by Anonymous Coward · · Score: 5, Interesting

    Just to inform all of you (mostly Americans): in Sweden, we haven't used fax machines for about 20 years. Well, surely some people do, but it's extremely rare, and no one considers them safe. We've used e-mail or snail mail since it's either simpler, or more secure.

    Me, and most people I know, have almost never used a fax machine, and we don't understand why people around the world ever use them, at all.

    This issue is very local and applies only to countries still using fax machines. Perhaps the issue isn't really about if fax machines are secure, but more general; why use them at all? They are stone age, insecure, crap quality, slow, consume an entire phone line, etc. Much like checks. I don't think I know any Swedish person who has ever used a check in his/her whole life, and that includes parents and grandparents.

    So what's wrong? Fax being insecure? No, keeping bad and obsolete deprecated technology. Fax machines, checks, inch, feet, Fahrenheit, etc...
    Come on, the entire world is laughing at you. I'm not trying to troll, but rather to enlighten. We do laugh; "Well, you know Yanks" and so on. Please give us a reason to stop that.

  9. Re:Should have stop at, Aren't FAXes the weirdest by angus_rg · · Score: 5, Funny

    This can even happen orally. I love when it happens orally.
  10. Re:A watermelon, eh? by utopianfiat · · Score: 5, Insightful

    I mean, a fake signature may be fraud, but at the end of the day your argument is like arguing that you should be alive after getting hit by a drunk driver because he broke the law.
    "Just because you're right doesn't make you any less dead/injured/royally boned"

    --
    +5, Truth