Forgot your password?
typodupeerror
Security Communications

Schneier Asks Why We Accept Fax Signatures 531

Posted by timothy
from the emperor's-new-clothes dept.
Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.
This discussion has been archived. No new comments can be posted.

Schneier Asks Why We Accept Fax Signatures

Comments Filter:
  • Older generation (Score:5, Insightful)

    by FriendlyLurker (50431) on Tuesday June 03, 2008 @09:34AM (#23637235)
    Thats the older generation for you... once you young-uns who grew up with email get promoted to PHB status, you too can adopt your favourite technology of your day to deliver signatures...
    • by AKAImBatman (238306) <akaimbatman@gmai[ ]om ['l.c' in gap]> on Tuesday June 03, 2008 @10:29AM (#23638101) Homepage Journal

      Thats the older generation for you...Thats the older generation for you...
      Actually, I'd say it's more a matter of practical security vs. air-tight security.

      Most of the posts here act like signed faxes come out of the blue and magically make things happen. Well, that's not a very secure way to use a fax machine. e.g. I'd hate to have Presidential orders executed with only a fax as evidence that the order is issued!

      In real life, faxes of documents occur after a verbal agreement is reached. For example, let's say a company owes me stock options. I tell the company that I wish to exercise the options. They tell me that I need to review the terms of the options and sign them before the stocks are issued to me. Documents are faxed (or emailed!) to me for review. I review the documents and either deliver a verbal rejection (perhaps followed by modified terms) or I sign the documents and fax them in.

      Let's look at the possible attacks in this situation. I have already verbally agreed to pursue this contract. If someone tries to forge my signature (why?) before I decide to reject the contract, the forgery will be discovered when I contact the company to offer my rejection of the terms.

      Well, what if someone poses as me and begins the process? That could potentially be a problem. Except that my identity is usually verified up front. In a smaller company they already know me, my voice, my email, and my address. When I contact them, they know who I am. In a larger company, they will usually require proof of identification along with any papers being signed.

      Someone can still steal the certificates from my mail, but that goes above and beyond the issues with fax machines.

      To give another example, let's say I'm offered an employment contract. Obviously such a contract has been under negotiation for some time. By the time it's been faxed, it's clear as day that it was me who signed it and agreed to the terms. If my signature was forged for whatever reason, it would become rather clear when I don't show up for work the first day, or when some impostor shows up.

      Granted, someone could have been impersonating me the entire time, but then they'd also need forged proof of identification to fill out the necessary tax forms at employment time.

      I think you'll find that any contracts where there is concern of forgery or claims of forgery are handled in one of two ways:

      1. The fax is used to confirm your agreement and get the process started. The actual documents must be physically mailed before the terms of the contract are fully realized.

      2. Fax is unacceptable. The documents must be FedExed and signed for so that they can be tracked from person to person. Someone is ALWAYS accountable for the documents.

      In short, faxes are just fine. Just don't act stupid when working with them. If you ever find a company that does, work to get their legal counsel fired. If that company is signing important documents without legal counsel, RUN. Run far away and never look back.
      • by Tim4444 (1122173) on Tuesday June 03, 2008 @11:26AM (#23638919)

        In real life, faxes of documents occur after a verbal agreement is reached.

        That's not always true. In real estate contract offers are often delivered solely by fax, and the response is also delivered by fax when an offer is accepted. Sometimes the offers and counter offers go back and forth so many times that part of the document becomes too illegible to hold up in court.

        Anyone can go to Kinkos and send a fax pretending it's from me. Someone might not be able to get me hired as in your example, but they might do enough damage to get me fired.

        Faxing was an important technology that served a specific function in its time. It allowed us to transmit documents on analog lines before digital networks were widely accessible. Now that we have the internet and suitable cryptographic techniques, there's no point holding onto faxing. You can push the merits of telegraphs all you want, but I'd rather use a cell phone. Why waste money on a phone line for a fax machine when you can get an internet connection for about the same amount?

        One irony of faxing is that digital lines are taking over in the public phone network as well. However, people are still trying to use the analog fax protocol over digital lines. IP telephony is optimized for voice transmissions. If a packet is lost, many applications will fill extend the voice from adjacent packets to cover up the dead space from the lost packet. This kind of manipulation makes voice sound good, but it distorts fax signals in a way that the protocol wasn't designed to check. The fax protocol checks for a certain threshold of error before it requests a resend. The designers new that if they mandated a perfect transmission the resends would slow down the fax too much. They designed the checksums to catch the most common errors that occur with analog lines. With IP telephony manipulation, the fax protocol can't detect much of the manipulation and so you can get a completely munged document that didn't generate a single fax error.

        I think faxing filled an important niche in its time, but the world has moved on so it's time to let go of it. Newer copy machines even let you email your scanned documents which is far more convenient than faxing ever was. I'd rather see companies put their energy into standardizing an email encryption system rather than trying to keep faxing alive.

      • Re:Older generation (Score:5, Informative)

        by iocat (572367) on Tuesday June 03, 2008 @12:06PM (#23639527) Homepage Journal
        Great points. In practice, we usually fax contracts so we can start working, then send (via FedEx) paper copies for 'real' execution. I can't think of an example in 15+ years in the working world where a fax signature wasn't used in a positive manner -- to seal the deal on something everyone already agreed on, like an NDA or a writing assignment or a negotiated development contract.

        On the other hand, we also switched to the e-signing service DocuSign [docusign.com] for our internal contracts and approvals, because using a fax machine is such a massive pain in the ass and no one in our company likes dealing with paper. A few of our clients use it too, it's pretty wonderful. As secure as you want it to be, and also quick and easy.

    • Re:Older generation (Score:5, Interesting)

      by moderatorrater (1095745) on Tuesday June 03, 2008 @10:34AM (#23638163)
      Actually, the summary is misleading as hell. He goes on to say exactly why fax signatures are accepted and analyzes the security implications. Since faxes almost never come out of the blue and they carry a lot of information linking the fax to a specific phone number, it's trivial to verify a fax with or without the signature. I honestly don't know how anyone who read the article can come out of it thinking that Schneier opposed signatures on faxes.
      • Re: (Score:3, Interesting)

        by i.r.id10t (595143)
        Except that the sending phone, business name, etc. are the equivalent of email headers, and just as easy to fake. Try setting up hylafax - it will prompt you to enter all of that info.
    • by arivanov (12034) on Tuesday June 03, 2008 @10:35AM (#23638197) Homepage
      No. It is a matter of court precedent, nothing else.

      Once upon a time a FAX-ed signature was acknowledged as a contractually binding signature by the courts (we can probably dig out who and when). This was before people understood how to falsify it and how to fake it. From there on it has been accepted as valid till today.

      Email never got the same treatment, because the earliest attempts to use it as evidence were countered by experts who knew how to fake it.

      And this is all about this. The power of precedent especially in the Anglo-Saxon legal system. Nothing more, nothing less.
      • Re: (Score:3, Insightful)

        by rthille (8526)

        FAX signatures were accepted by the courts, but I can't believe it was before people understood how to falsify them.
    • by Anonymous Coward on Tuesday June 03, 2008 @10:43AM (#23638327)
      Just to inform all of you (mostly Americans); In Sweden, we haven't used fax machines for about 20 years. Well, surely some people do, but it's extremely rare, and no one consider them safe. We've used E-mail or snail mail since it's either simpler, or more secure.

      Me, and most people I know, have almost never used a fax machine, and we don't understand why people around the world ever use them, at all.

      This issue is very local and applies only to countries still using fax machines. Perhaps the issue isn't really about if fax machines are secure, but more general; why use them at all? They are stone age, insecure, crap quality, slow, consumes an entire phone line, etc. Much like checks. I don't think I know any swedish person who have ever used a check in his/her whole life, and that includes parents and grand parents.

      So what's wrong? Fax being insecure? No, keeping bad and obsolete depricated technology. Fax machines, checks, inch, feet, Fahrenheit, etc...
      Come on, the entire world is laughing at you. I'm not trying to troll, but rather to enlight. We do laugh; "Well, you know Yanks" and so on. Please give us a reason to stop that.
  • by Reality Master 201 (578873) on Tuesday June 03, 2008 @09:35AM (#23637245) Journal
    The acceptance of fax signatures has to do only with fact that fax machines have been around for a long time, and people think they understand how they work. It just seems safer.

    Sadly, the same people who make decisions based on the comfort provided by the familiarity of a technology are those who make policy at companies.
    • Re: (Score:3, Insightful)

      Yes that's exactly why we have to use IE and MS Office on our desks in my company (well I know someone in the system department who installed Firefox but still).
    • telephone number (Score:4, Informative)

      by goombah99 (560566) on Tuesday June 03, 2008 @09:57AM (#23637581)
      Faxs come with a telephone number of the sender as well. and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationary.

      People are comfortable with that because they understand what is involved in doing that. With e-mail and digitial docs its harder for an untrained person to evaluate the threat. Also with digital docs it's harder later to raise questions about the authenticity. With the fax, one can later check for example fax logs on the sending machines and other trails of evidence.

      In both cases forgeries are possible but in the case of faxes most humans are able to evaluate the threat.

      • by MoonBuggy (611105) on Tuesday June 03, 2008 @10:05AM (#23637723) Journal
        But most people don't have a fax machine, so almost any forms that have to be faxed from customer to business will just have the number of the nearest copy shop with a fax service. If you're faxing a form that you've filled in then the "stationary" is already covered.

        The only thing left is the signature, and the security of that is no different whether it's email, fax or a photocopy delivered by carrier pigeon.
        • by moderatorrater (1095745) on Tuesday June 03, 2008 @10:39AM (#23638247)
          No method of getting a signature is going to be foolproof. We could sit here and discuss how notaries are ridiculously insecure because of how easy it is to get fake IDs and fake a signature, but that's not the point. The point is to make it so that we can be reasonably certain that the person who's sending the fax is the person we expect it to be. Getting a fax out of the blue will prompt a phone call to the number on file. When someone faxes a form from the nearest copy service, the receiving business has already been in communication with this person and is expecting it. So while the fax in and of itself isn't necessarily all that secure, the overall structure is fairly secure.
      • Re:telephone number (Score:5, Informative)

        by Loether (769074) on Tuesday June 03, 2008 @10:06AM (#23637733) Homepage

        Faxs come with a telephone number of the sender as well. and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationary.
        "Forging" a telephone number on a fax machine just requires changing a setting on the sending machine. It's in the fax manual.
      • Re:telephone number (Score:4, Informative)

        by Alpha830RulZ (939527) on Tuesday June 03, 2008 @11:07AM (#23638637)
        Yeah, but that sender phone number is programmed into the machine, and can be set to -any- phone number. To check what number the fax really came from, you;d need to check the ANI information on the call (caller ID). That information often doesn't correspond to the actual number of the fax, if the fax is routed through a PBX.
    • by vertinox (846076) on Tuesday June 03, 2008 @09:59AM (#23637617)
      Back in the early 90's there was a particular mail order company that required a copy your drivers license for proof of purchase people of 18 or older *coughs*

      It wasn't that hard to xerox 2 copies your drivers license and then cut out the numbers with scissors on one and then tape them on the other and then xerox a 3rd copy and you really couldn't tell the difference. *coughs* Not that I knew anything about it.

      So back then even with fax machines, its simply not that hard to to find a document of someone signature, cut it out and then tape it and then xerox it and then fax the xerox and no one would be wiser.

      These days its simply a cut and paste in photoshop and then printing to a fax printer if you happen to have one.

    • by Maserati (8679) on Tuesday June 03, 2008 @10:02AM (#23637673) Homepage Journal
      Under US law, which I'm not citing first thing in the morning, a fax is a "legal facsimile" of the original. Under law, if you have a faxed copy of something you may as well have an original. Email doesn't have that legal status, so a scanned and emailed original won't cut it.
      • by MoonBuggy (611105) on Tuesday June 03, 2008 @10:11AM (#23637807) Journal
        That's interesting, but all it really means is that the law is inconsistent and needs to be fixed.
        • by postbigbang (761081) on Tuesday June 03, 2008 @10:24AM (#23638007)
          The document sent can be doctored in many ways, but there are lots of precedents about misrepresentation, forgery, larceny, and so on. The laws don't need to be changed. If someone forges or misrepresents information, then they're criminally and civilly liable for that action.

          We accept and trust people and their submitted documents. Fancy that.

          What? They're not real? That's a bad thing. Time to call the prosecutors. Jail for that? Really? Good.
      • Chicken, meet egg. (Score:3, Insightful)

        by coyote-san (38515)
        That answers the immediate question, but there's still the question of why the -law- considers a fax to be a legal facsimile.

        I think the answer to that, ironically, comes back to businesses. Businesses needed a way to send 'signed' documents quickly, and pre-FedEx there weren't really many options. Fax machines were bulky and expensive. They didn't accept signed documents from just anyone, they had already vetted the other party to some extent.

        So, on balance, the convenience of 'legal facsimile' faxes ou
      • Re: (Score:3, Informative)

        by Herkum01 (592704)

        Try to have a copy of a legal document, like your driver's license, and show it in court.

        You cannot use a duplicate of a legal document in place of a legal document, it is considered hearsay and would get thrown out.

        You may get away with a fax for a quick approval, but you need to have an original legal document( for example, by mail) or you run the hazard of it not being valid.

      • Re: (Score:3, Informative)

        by kilgortrout (674919)
        That is incorrect on so many levels, I don't know where to start. First, there is no overarching "US law" regulating the admissibility in evidence of fax signed documents. That would be a matter for the rules of evidence in each of the fifty States. In general, a fax would have the same legal status as any other copy and the admissibility of any copy would be determined by whether or not you could authenticate the copy as an accurate copy of the original. When you have only a copy, there is always the poten
    • by reebmmm (939463) on Tuesday June 03, 2008 @10:32AM (#23638155)

      The acceptance of fax signatures has to do only with fact that fax machines have been around for a long time
      This is part of it, but the real reason why is that the law (E-SIGN and various other state versions) have basically said that you can't deny a signature MERELY because it's electronically signed.

      Oh, and also because its silly not to accept an electronic signature.

      It might surprise people but there's hardly a reason NOT to accept a fax/electronic signature since a signature is really meaningless in the business context. It is essentially EVIDENCE. It's not conclusive. There are certain enumerated situations (like wills and real estate) where signatures are a big deal, but these are not the day-to-day transactions people usually think about.

      In a contract, the question is whether the parties intended to form a contract. A signature can be evidence of that. So can clicking a button. So can doing s/First Last/. So can paying for the goods. So can accepting the goods. So can performing. So can stating so in an e-mail with a contract attached. And on and on.

      Besides, the risk of fraud exists regardless of whether you get a real signature or otherwise. Again, even when there's a fraud, the signature becomes evidence of the fraud. Heck, even requiring in person signature is not a sure fire way to prevent fraud. Frequently the person accepting an actual signed contract will not be in a position to evaluate whether the signature is in fact true or fraudulent.
  • Not just this (Score:4, Insightful)

    by bsharitt (580506) <brandon@sha[ ]t.com ['rit' in gap]> on Tuesday June 03, 2008 @09:35AM (#23637257) Homepage Journal
    Not just for signatures, but it really annoys me when a company will only accept faxes instead of scanned emails for any number of documents. Luckily the situation has been improving in the recent years.
  • by WindBourne (631190) on Tuesday June 03, 2008 @09:38AM (#23637301) Journal
    I find it amazing that CC companies want customer sigs on the back of the card. I add CID and SIGN it. About half of the ppl will now check for my ID.
    • by zoward (188110) <email.me.at.zoward.at.gmail.com> on Tuesday June 03, 2008 @09:57AM (#23637587) Homepage

      I find it amazing that CC companies want customer sigs on the back of the card. I add CID and SIGN it. About half of the ppl will now check for my ID.
      Good idea. I wrote "See License" on the back of my credit card. I'm still amazed by the number of vendors who don't look, so I make sure to thank the ones that do, and chide the ones that don't.
      • by vertinox (846076) on Tuesday June 03, 2008 @10:08AM (#23637767)
        I wrote "See License" on the back of my credit card. I'm still amazed by the number of vendors who don't look, so I make sure to thank the ones that do, and chide the ones that don't.

        Actually, Zug.com has an interesting tale of the author trying to see how much he could get away with when he signed credit card purchases. He even did musical notation once. Very funny.

        http://www.zug.com/pranks/credit/ [zug.com]
        http://www.zug.com/pranks/credit_card/ [zug.com]
      • by eXonyte (842640) on Tuesday June 03, 2008 @10:18AM (#23637909)
        Did you know that putting "See ID" or "See License" invalidates a Visa card unless you sign it as well? Unless, of course, your legal name happens to be "See License".

        Check out the Rules for Visa Merchants [visa.com], in particular page 34 (page 29 if printed). There is some amusing information in there, such as the fact that merchants are not allowed to require ID for a credit card purchase.

        [...] merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID.
        I have no idea if MasterCard, Discover, or Amex have similar rules.
        • Re: (Score:3, Interesting)

          by SGDarkKnight (253157)
          What is truely amazing is that the merchants will not compare the signature on the back of the card to the signature of the reciept you just signed to see if they are similar. After all, that is what makes the purchase legal. If the signature on the back of the card does not match the signature on the reciept, then technically, its not a valid purchase, and whoever's bill the charge appears on can refute the charge. In Canada, i never sign my CC's, that way if I lose one or it gets stolen, then they can't f
          • Re: (Score:3, Informative)

            by Chyeld (713439)
            And if you read the PDF the GP linked to, you would realize that the merchants that allowed you to get away with that are just as screwed as the ones that don't check at all.

            The purpose of signing the card is to show that you have agreed to the card holder's agreement with the CC company. Allowing you to rack up charges with an unsigned card makes their transaction just as 'fradulent' as allowing you to rack up charges on Jane Smith's card while signing your name as "Sebastian Bach".

            CID is the same deal, if
          • Re: (Score:3, Insightful)

            by tvjunky (838064)

            In Canada, i never sign my CC's, that way if I lose one or it gets stolen, then they can't forge my signature on any bills they may try to rack up on me.
            I don't know if that really is the brightest of ideas since the guy who steals your card might sign it and the go ahead and purchase things without anyone questioning his identity. He doesn't even have to forge your signature anymore.
    • by smbarbour (893880) on Tuesday June 03, 2008 @10:25AM (#23638037)
      I work in the credit card industry, so I do know how it works...

      1) The signature on the back of the card authorizes it for use. Failure to sign the card is supposed to indicate that the card is not authorized.

      2) Merchants are NOT allowed to check ID as a condition of credit card acceptance.

      3) The signatures do NOT have to match. The signature on the card only authorizes the card for use and is not for comparison.
      • by NeoSkandranon (515696) on Tuesday June 03, 2008 @10:40AM (#23638275)
        So when I walk out of a gas station because they wanted to see my license because I wanted to pay for a coke and some chips with my credit card, can I do anything about it?

        IOW, is reporting violators of 2) in the above post actually worthwhile?
      • by alan_dershowitz (586542) on Tuesday June 03, 2008 @10:59AM (#23638497)

        The signatures do NOT have to match. The signature on the card only authorizes the card for use and is not for comparison.
        This is WRONG. If you go through with a transaction where the signatures don't match, your business could be held LIABLE for the purchase if it was a fraudulent transaction. You are supposed to hold the card and make a Code 10 call to VISA and ask for further instructions if the signature doesn't appear to match.
        • Re: (Score:3, Informative)

          by kailoran (887304)

          The signatures do NOT have to match..
          This is WRONG.
          The "rules for visa merchants" official pdf someone posted above confirm that, but they do say that the signature doesn't have to match the name printed on the card. Maybe that was where GP got the idea.
  • Businesses have been using faxes for decades. The risk of forgery and other liabilities have pretty much been well-established by law and common knowledge. If a contract requires modifications to be in signed writing, it is a matter of established law that a faxed document counts. Does an e-mail count if the contract doesn't expressly say so? That's just an unnecessary risk at this point. In the future, things may be different but there's no reason to be the first person to settle that uncertainty.

    Furthermore, faxes are relatively secure because it is a one-on-one communication. In contrast, e-mails can be intercepted or become widely disseminated. The risks of using e-mail in a business setting (for signatures and the like) have not been tested too thoroughly, either.
  • by rdmiller3 (29465) on Tuesday June 03, 2008 @09:39AM (#23637307) Journal

    Scott Adams already covered this in "Dilbert".

    The accounting trolls told Dilbert that they wouldn't accept copies of his expenses... but he could FAX them.

  • by Animaether (411575) on Tuesday June 03, 2008 @09:41AM (#23637341) Journal
    There, fixed it for you, Bruce.

    Between people being quite apt at duplicating another's signature good enough for 'at a glance' acceptance

    and

    people's signatures changing over time (my bank just informed me that the last signature I gave them deviated too much from the one they had on file since 10 years ago, and so as to please put my signature on their form five times to get them a new basis. Guess what, the five looked alike, sure enough, but they could just as well have been forgery attempts from 5 different people...)

    I'd say that signatures in general are relatively unacceptable. Except that they're usually 'good enough' for what we need them for. That's why we accept them in 'analog' writing, faxes and even e-mails. In the few cases where it was indeed forged, it's usually found out pretty easily.
    Oh, but wait, Bruce already said as much; not included in the summary, of course. So go RTFA, then come back here to complain about Slashdot's shoddy headline/summary policy.. it's too much like an actual newspaper.

    Now... where's the discussion of alternatives? One of those one-time 2D barcodes that uniquely identifies -moi- when used with the recipient's public key.. or something.
  • by Anonymous Coward on Tuesday June 03, 2008 @09:43AM (#23637353)
    I have been told on a few occasions "PGP signed email" is not sufficient, and that only a fax would be accepted. This even happens if the signature can be verified. Banks seem to do this a lot. I wish that they would catch up with the times.
  • by TheRaven64 (641858) on Tuesday June 03, 2008 @09:43AM (#23637359) Journal
    I've signed a load of contracts in the US by having my publisher send me a PDF, which I've returned (by email) having copied and pasted a scanned copy of my signature over it. Interestingly, they would accept this but not a hash of the original PDF signed with a certificate signed by CACert, which had two people verify two pieces of government-issued ID to confirm that I am me.
    • by jcnnghm (538570) on Tuesday June 03, 2008 @11:17AM (#23638781)
      This reminds me of a story from my youth. A teacher assigned our class a collection of assignments, and whenever we turned something in, she would sign off on the a form she gave each of us to keep, if the work was acceptable and we received credit for it. At the end of the semester, she would collect the forms, total the results, and that would be the grade for that portion of the class.

      A friend of mine didn't have enough signatures to pass the class at the end of the semester, so we collected sheets from a few people, and scanned quite a few of the teachers signatures. We then got rid of all the extra stuff, and copied and pasted the signatures onto a blank 8.5" x 11" document, and made some test prints to get the exact placement right. When the time came, we ran his original form sheet through the printer, and printed the new signatures where they would have appeared on the document. It was extremely difficult to tell which signatures were real, and which were printed on, on the final document, even knowing that some were forgeries. The results were essentially perfect, the teacher never noticed, and we never got caught.

      This occurred over 10 years ago now, and I haven't helped anybody cheat on anything since. Perhaps relying on signatures to authenticate documents isn't such a good idea anymore, now that they can be so easily duplicated.
    • Re: (Score:3, Insightful)

      by jimicus (737525)

      I've signed a load of contracts in the US by having my publisher send me a PDF, which I've returned (by email) having copied and pasted a scanned copy of my signature over it. Interestingly, they would accept this but not a hash of the original PDF signed with a certificate signed by CACert, which had two people verify two pieces of government-issued ID to confirm that I am me.

      Perhaps because (outside of computing circles), the idea of electronic signatures isn't very well known?

  • by SoundGuyNoise (864550) on Tuesday June 03, 2008 @09:45AM (#23637387) Homepage
    The signature on the credit card or on the sales receipt have been for security purposes. It's there to indicate that you accept the terms and agreements to using the card, and that you agree to pay the credit card company for your purchases.
  • by bperkins (12056) on Tuesday June 03, 2008 @09:45AM (#23637401) Homepage Journal
    They are about legal requirements.

    Faking a fax signature isn't really that much harder than faking a real one.

    Sending a fake signature over a fax isn't that much harder than faking a real one, but is no less criminal.

    "Notarized" signatures are supposed to be more secure, though if you can produce a convincing fake ID, they probably aren't.
  • by ledow (319597) on Tuesday June 03, 2008 @09:48AM (#23637435) Homepage
    Vaguely related to the topic at hand are the legal rules surrounding any communication.

    It's generally accepted (in UK law, at least, so my source says) that once you reply and / or initiate a conversation over a medium, that that medium is then a valid method of contacting you indefinitely over the course of that action.

    So if you email a solicitor, then for that solicitor to send you an email back is perfectly legally acceptable and may even be construed as "delivered" whether or not it arrives. Because *you* selected the method of transit. If your mortgage nearly falls through at the last minute and you need to do something incredibly urgent or lose your house, a solicitor acting on your behalf can just send you an email and they've "done their job". If your servers are down, tough, if you no longer have that email, tough. At least if you read the strict letter of the law.

    It may be that this is related - once a person has contacted you by fax, then sending back your confirmation by fax is construed as legally acceptable for "signing" a contract. If you don't like it, then don't communicate with them by fax at all. Ever.

    On a personal note, if I weren't able to fax legally-binding forms back to a company, I wouldn't have a house, but I still don't "like" it. My purchase of the house dragged on for six months longer than it should have and the solicitor in charge on my end was a close personal friend, so they were stopping all heel-dragging and pulling out all the stops for us.

    However, just as we were approaching the signing date, we had an holiday booked (Hey, we thought a six month cushion on top of a six month estimate for the deal would be long enough!). We arrived in a foreign country for a holiday, and within a day we had a phone call to say that if a particular court didn't receive a signed document on an official form within the next eight hours (time differences etc.) then we wouldn't be able to complete the purchase now, or ever (the house would be sold at auction). We had to find a kind hotel (fortunately, we found a hotel receptionist who had recently had much worse problems selling their house and they let us use the hotel fax machine for free) and recieve several forms, sign them and fax them back (and pay a month's mortgage, in cash, within 8 hours but that was easily resolved by phoning relatives near our solicitor's, although we still technically owe them that).

    So it worked out well that we were able. I don't think we could have got back in time on the first plane, and there was nothing we or our solicitor could do to negate the need for us to sign the forms and pay in cash (bank transfers etc. wouldn't have cleared in time, believe it or not). However, the fact that anyone could have signed the form just shows that 99% of paperwork is useless and a waste of time, not that fax machines are somehow "evil".
  • by hassanchop (1261914) on Tuesday June 03, 2008 @09:48AM (#23637443)
    Bruce Schneier sure is oblivious sometimes.

    They're accepted because they're good enough.

    What does that mean? It means that if there is a problem later, the fax is sufficient evidence to resolve most problems, either by providing proof of a signature or proof of a forgery. As long as most businesses have some documentation to cover themselves that's generally good enough. Certainly some issues may not fall into this category, but enough do to make faxes acceptable.

    Security, for many businesses, isn't about "making sure something bad doesn't ever happen" it's about having what you need to resolve a problem should it arise in the future.

  • by Rhaban (987410) on Tuesday June 03, 2008 @09:51AM (#23637481)
    I could easily forge my parents signatures when I was 9 (And did it a couple of time). I don't trust a penned signature, why should I trust a faxed one?
  • by Alzheimers (467217) on Tuesday June 03, 2008 @09:51AM (#23637487)
    Get three pieces of black construction paper and a roll of scotch tape.

    Tape them together top to bottom, creating one long sheet. On the bottom, place a piece of tape half over the edge.

    Insert the long sheet into the fax machine, and dial the number. As it begins to feed through, quickly affix the top to the bottom sheet, creating a long loop.

    Go get a cup of coffee.
  • Courts (Score:4, Insightful)

    by PhYrE2k2 (806396) on Tuesday June 03, 2008 @09:52AM (#23637509)
    The answer is extremely simple. There is precedent in the courts that says a fax signature is acceptable and legally binding. There is no precedent saying that an e-mailed document in digital form is.

    Hence on a contract, fax is accepted.

    -M
  • by fuzzyfuzzyfungus (1223518) on Tuesday June 03, 2008 @09:55AM (#23637551) Journal
    I assume the (il)logic is the same as that governing people's willingness to give their credit card numbers to an underpaid human, over an unsecure POTS line, frequently over a really insecure old school cordless phone; in preference to giving the said number to a machine over SSL.

    In general, people's risk assessments are completely out to lunch. Back in 2001, my school had its student trip to Greece canceled by parental concern. Apparently, the parents wanted their kids "safe at home"(never mind that we all lived in a certain large city on the American east coast), rather than facing the foreign dangers of a fairly quiet and moderately obscure neutral country.

    I think that there has been some work done on formalizing our understanding of what distorts risk perception; but it makes for depressing reading.
  • Lame (Score:3, Interesting)

    by Chang (2714) on Tuesday June 03, 2008 @09:56AM (#23637557)
    This might have been an interesting question to ask about 7-8 years ago but now it just seems like Bruce is running out of topics.
  • by archeopterix (594938) on Tuesday June 03, 2008 @10:00AM (#23637629) Journal
    Bruce Schneier here. Disregard what I said about faxed signatures. They are perfectly OK.
    Here's my OCR-ed signature: Bruce Schneier
  • by kaltkalt (620110) on Tuesday June 03, 2008 @10:04AM (#23637685)
    First of all, legally, a copy of a contract is just as legitimate as the original (yes, IAAL). Both can be alleged to be forgeries just as easily. In fact a copy could be more easily proved to be a forgery than the original, as one could compare signatures and show that the signature was lifted from another source. It's like one of those infamous "Majestic 12" documents that was allegedly signed by Harry Truman - the best evidence we have that it is not authentic is that the Truman signature is exactly like another signature on another document, it was lifted, cut and pasted, onto the MJ-12 document. Note: I don't want to debate the MJ-12 documents here. Anyway, the other reason why fax signatures are not a security risk is that you know who is going to be sending you the fax. "Sign it and fax it over to me today." You get the fax today. Nobody else would reasonably know about that expectation. It's like going to pick up money from western union - "I'm here to pick up $100 for Brian Halloweth" ... the fact that you know about the 100 bucks for someone named Brian Halloweth is good evidence your claim is legitimate. Ditto with the fax signature. Of course this doesn't apply to general applications that can be signed and faxed at any time, unexpectedly. But those can just as easily be forged, and in this scenario the faxee is less likely to know the signature of the faxor. Any alleged weakness in a fax signature is also a weakness in a real signature. That's the bottom line. I don't buy the notion that they are a huge security risk.
  • Requiring a signature comes out of the old contract law of the Statute of Frauds, which requires certain contracts (not all) to be in writing, with a signature by the person to be bound to the contract. It was so that you couldn't agree to sell someone an expensive good, collect the money, then give them a cheap one and claim that that was the original contract - or so that you couldn't agree to buy the expensive good, pay them a dollar, and claim that was the original contract. Your signature isn't about protecting you from identity theft, it's about protecting the other party from your fraud.

    So, why do companies accept easily faked signatures by fax? They have a signature, so you're bound to the agreement. The burden of proof is on you if you want to prove the signature was faked, not them, so they're protected. They'll either get paid by you, or you'll find the identity thief and they'll get paid by him or her.

    The bigger question would be why do we agree to being bound to our faxed signatures? And the answer there is convenience. Sure, they can be faked, but it's a lot nicer than having to wait for the US Mail.

  • by angus_rg (1063280) on Tuesday June 03, 2008 @10:07AM (#23637757)
    I swear, he makes some good points, but as a security professional he should understand why they accept it. The amount of business they'd loose by not accepting it is worth more than the potential loss if they didn't.

    Of course, now that the cat's out of the bad, they'll need to reevaluate.
  • by pcjunky (517872) <walterp@cyberstreet.com> on Tuesday June 03, 2008 @11:31AM (#23639031) Homepage
    Working for a startup company back in 1992 we solved the distance signature problem. It was called Telesignature (patent # 5,222,138). I am listed as co-inventor ( the other person who hired me had no technical knowledge ). You would place a document into an secure enclosure and a scanner would scan it and send the image to via modem (9600bps in 1992) to a pen computer on the other end. The person would review and sign the document and the signature would be sent back and written with a pen plotter on the original document. We got lots of raves on the signature quality. Virtually no who was shown the signatures could tell it was written by a machine. We used RSA keys to ensure the whole process was tamper proof and an audit trail was left. A year alter we brought out a companion product called fax-a-check. The digital copies of the document are what actually provided proof of the transaction. The legal system at the time demanded written documents and so it seems still does.
  • by zippthorne (748122) on Tuesday June 03, 2008 @12:09PM (#23639567) Journal
    A signature is not an identification tool. It is a deliberate act signifying agreement. Since you have to put some effort into signing a document, it means you agree to the terms.

    Some documents are so important that you must write the whole thing out by hand before signing. This is to make sure you've agree to terms with full knowledge of them. There will *not* be teams of handwriting analysts pouring over it and everything else you've written to make sure it's really you.

    Presumably identification is done through more secure means. The signature is just a symbol of acquiescence.
  • by logicassasin (318009) on Tuesday June 03, 2008 @12:18PM (#23639691)
    I worked for an A paper lender from 1996 to 2001. For the majority of that time, we didn't accept faxed in loan submissions. The idea was that a broker or loan officer could simply fax a loan to a dozen different lenders all at once instead of committing his business with us and because it was too easy to doctor loan docs and fax 'em in. We demanded original signatures and docs printed using a laser printer (yes, that was a requirement) or on original pre-printed loan applications. The only faxes we would accept would be loan conditions like a flood cert, mortgage insurance or something like that. We also didn't accept loan packages with appraisals done with a digital camera because the images could be doctored easily. Sometime near 1999, we started a limited doc fax program for brokers we had high confidence in and were pretty sure wouldn't send in bogus loan info.

    Years later, I worked as an Account Executive for a subprime lender, we accepted EVERYTHING by fax. They're out of business now and the industry on a whole is reeling from rampant fraud.
  • by rantingkitten (938138) <.kitten. .at. .mirrorshades.org.> on Tuesday June 03, 2008 @03:34PM (#23642501) Homepage
    The whole thing is even more silly when you consider that many of the "fax machines" in use today aren't even fax machines at all, but some sort of fax-to-email service. In my industry I see a lot of this sort of thing. People get all worked up over how email won't do, they must fax whatever it is -- and they end up using an e-fax service which probably ends up in some other guy's email box anyway through his own e-fax service. :)

    Yet both sides are convinced that this is somehow better than just scanning the document and emailing it normally. Truly bizarre, if you ask me.
  • by fish_in_the_c (577259) on Tuesday June 03, 2008 @04:39PM (#23643419)
    Signatures are a throw back to when it was unusual and the mark of being gentility to be able to write. They were the next best thing to using your wax seal with the family crest and usually accompanied it.

    Seriously how many people who work at a till or even a bank have had the nessary 10 plus years of training to be able to tell a real signature for a fake one? Even if they did would it be reasonable for them to look at all the signatures?
    I know personaly of more then one occasion when a bank has cashed a check with th e signature Mickey Mouse on it ( the person who wrote the check was just seeing if it would work and the store still got the money.)

    THAT is for a real signature from a real person standing in front of you, and a computer is supposed to do better?

APL is a write-only language. I can write programs in APL, but I can't read any of them. -- Roy Keir

Working...