Schneier Asks Why We Accept Fax Signatures
Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.
Re:well (Score:1, Informative)
Credit Card Signatures (Score:3, Informative)
Signatures aren't about security (Score:5, Informative)
Faking a fax signature isn't really that much harder than faking a real one.
Sending a fake signature over a fax isn't that much harder than faking a real one, but is no less criminal.
"Notarized" signatures are supposed to be more secure, though if you can produce a convincing fake ID, they probably aren't.
Re:It's an "older" technology (Score:2, Informative)
The modern fax machine was introduced in the mid-1970s. E-mail was introduced with CTSS in 1965 and Internet e-mail, with the introduction of the now-ubiquitous '@' sign by Ray Tomlinson, in 1971.
The fact that ignorant people from the older generations think that "email" is "new" isn't my problem, it's theirs.
FWIW, I used e-mail well before I ever, ever used a fax machine. And I'm 35.
telephone number (Score:4, Informative)
People are comfortable with that because they understand what is involved in doing that. With e-mail and digital docs it's harder for an untrained person to evaluate the threat. Also with digital docs it's harder later to raise questions about the authenticity. With the fax, one can later check for example fax logs on the sending machines and other trails of evidence.
In both cases forgeries are possible but in the case of faxes most humans are able to evaluate the threat.
Not that big of a security risk at all. (Score:4, Informative)
Re:telephone number (Score:5, Informative)
Schneier's thinking is backwards (Score:5, Informative)
So, why do companies accept easily faked signatures by fax? They have a signature, so you're bound to the agreement. The burden of proof is on you if you want to prove the signature was faked, not them, so they're protected. They'll either get paid by you, or you'll find the identity thief and they'll get paid by him or her.
The bigger question would be why do we agree to being bound to our faxed signatures? And the answer there is convenience. Sure, they can be faked, but it's a lot nicer than having to wait for the US Mail.
Re:It's an "older" technology (Score:5, Informative)
So, YES, the fax machine is OLDER. Much older.
Re:Actually, I LOVE the CC sig. (Score:5, Informative)
Check out the Rules for Visa Merchants [visa.com], in particular page 34 (page 29 if printed). There is some amusing information in there, such as the fact that merchants are not allowed to require ID for a credit card purchase. I have no idea if MasterCard, Discover, or Amex have similar rules.
Re:Actually, I LOVE the CC sig. (Score:5, Informative)
1) The signature on the back of the card authorizes it for use. Failure to sign the card is supposed to indicate that the card is not authorized.
2) Merchants are NOT allowed to check ID as a condition of credit card acceptance.
3) The signatures do NOT have to match. The signature on the card only authorizes the card for use and is not for comparison.
Re:It's an "older" technology (Score:5, Informative)
Oh, and also because it's silly not to accept an electronic signature.
It might surprise people but there's hardly a reason NOT to accept a fax/electronic signature since a signature is really meaningless in the business context. It is essentially EVIDENCE. It's not conclusive. There are certain enumerated situations (like wills and real estate) where signatures are a big deal, but these are not the day-to-day transactions people usually think about.
In a contract, the question is whether the parties intended to form a contract. A signature can be evidence of that. So can clicking a button. So can doing s/First Last/. So can paying for the goods. So can accepting the goods. So can performing. So can stating so in an e-mail with a contract attached. And on and on.
Besides, the risk of fraud exists regardless of whether you get a real signature or otherwise. Again, even when there's a fraud, the signature becomes evidence of the fraud. Heck, even requiring an in-person signature is not a surefire way to prevent fraud. Frequently the person accepting an actual signed contract will not be in a position to evaluate whether the signature is in fact true or fraudulent.
Re:Paper in, paper out. (Score:1, Informative)
Heck, the short story The Spanish Prisoner was published in 1910 (at least so Wikipedia tells me)
Re:It's an "older" technology (Score:4, Informative)
signature law (Score:2, Informative)
Re:The real question is... (Score:3, Informative)
Joe Public can go buy a FAX machine with a decent multisheet feeder, plug it into a phone line, and quickly send out faxes. You do not have to wait for the scan, you don't even have to wait for it to dial, you can plop in 20 pages, dial a number, hit Start and off you go.
Contrast this with scanning on a PC. Even a low-end FAX machine usually has a better multi-sheet feeder than most scanners. If you get a multi-function scanner/printer, the resolution isn't going to be much better than a dedicated FAX anyway. Windows (I don't know about Mac) comes with really crappy scanning software, and most packages I've seen that come with multi-function scanners/printers aren't much better.
Same situation with receiving a FAX versus getting an email, hoping the attachment isn't blocked because it is too large, waiting for FAX or PDF software to load, and then waiting for printing. With a FAX - it "just works".
As much as we may wish for the Paperless Office, it isn't coming soon. The world still runs on paper. And FAX'ing is still much more expedient than scanning/emailing/printing.
Re:Actually, I LOVE the CC sig. (Score:5, Informative)
Re:What to do if someone asks you to fax a signatu (Score:2, Informative)
Tape them together top to bottom, creating one long sheet. On the bottom, place a piece of tape half over the edge.
Insert the long sheet into the fax machine, and dial the number. As it begins to feed through, quickly affix the top to the bottom sheet, creating a long loop.
Go get a cup of coffee."
You forgot to change your own fax settings to "Fax Directly" instead of "Fax from Memory". VERY important point.
Re:Should have stop at, Aren't FAXes the weirdest (Score:4, Informative)
Don't believe me? Check with your bank. Checks are not physically distributed to other banks for payment/clearing (I believe) and virtually all banks use digital images for "returning" your check (I know for a fact). Print out that digital image and it's perfectly valid in court.
The law this is based off is the one that says 'a copy of a document is legally equivalent to the original'. Heck, you realize most modern photocopy machines are actually a fancy scanner and laser printer with a computer in between, right?
Re:Actually, I LOVE the CC sig. (Score:3, Informative)
Re:telephone number (Score:4, Informative)
Re:Actually, I LOVE the CC sig. (Score:3, Informative)
And, as you say, I've never heard of a financial institution enforcing even the $50 liability - let alone the $500. And to be fair, I've never heard of a check card company holding you liable either.
BUT, there's a big difference. If your credit card is charged to its limit, you call the company, they cancel the number. No big deal. They go sort it out and you lose a credit line for a while... chances are you have more than one anyway.
With a check card, chances are you'll start to notice the fraud when your rent check bounces, or you go to get money at an ATM and there isn't any. Call the bank, they cancel the card, and then you WAIT, with no money. Any checks you wrote bounce, and you pile up $30 fees. You can't pay any bills.
In any event, unless you have a check card, why in the world shouldn't you keep money in your checking account? Interest rate? I'm sorry, but the couple dollars in interest you get from that big 2% rate on savings isn't exactly going to sway me - and many banks will give you almost the same rate on your checking if you agree to keep a certain balance or do direct deposit.
Re:Actually, I LOVE the CC sig. (Score:3, Informative)
The purpose of signing the card is to show that you have agreed to the card holder's agreement with the CC company. Allowing you to rack up charges with an unsigned card makes their transaction just as 'fraudulent' as allowing you to rack up charges on Jane Smith's card while signing your name as "Sebastian Bach".
CID is the same deal, if it isn't your signature on the card, they aren't supposed to accept it regardless of whether you have the Pope and President swearing it's you or a napkin with a Polaroid stapled to it.
Re:It's an "older" technology (Score:3, Informative)
Try to have a copy of a legal document, like your driver's license, and show it in court.
You cannot use a duplicate of a legal document in place of a legal document, it is considered hearsay and would get thrown out.
You may get away with a fax for a quick approval, but you need to have an original legal document (for example, by mail) or you run the hazard of it not being valid.
Re:It's an "older" technology (Score:3, Informative)
Re:Should have stop at, Aren't FAXes the weirdest (Score:5, Informative)
I would be wary of stretching that logic to apply to any legal document -- if scanned documents were valid, banks could have been doing this with checks before the intervention of Congress. Then again, I don't know why faxed documents are presumed any better.
Re:Should have stop at, Aren't FAXes the weirdest (Score:1, Informative)
Re:It's an "older" technology (Score:3, Informative)
Re:Older generation (Score:5, Informative)
On the other hand, we also switched to the e-signing service DocuSign [docusign.com] for our internal contracts and approvals, because using a fax machine is such a massive pain in the ass and no one in our company likes dealing with paper. A few of our clients use it too, it's pretty wonderful. As secure as you want it to be, and also quick and easy.
Not really confusing at all. (Score:3, Informative)
Some documents are so important that you must write the whole thing out by hand before signing. This is to make sure you've agreed to terms with full knowledge of them. There will *not* be teams of handwriting analysts poring over it and everything else you've written to make sure it's really you.
Presumably identification is done through more secure means. The signature is just a symbol of acquiescence.
They were protecting themselves (Score:3, Informative)
I managed a retail shop for several years and the credit card companies are dead serious about their rules. The card MUST be signed with a personal signature--"See ID" or "CID" does not satisfy that. The shop must keep the original of the signed copy of the credit charge slip (if they accidentally keep the carbon, the purchase is not covered). The shop is not allowed to require ID for the purchase. In addition there are a variety of rules about data storage and security.
On the other hand, merchants are also forbidden from setting a minimum credit card purchase...if you ever get told "there is a $5 minimum to use a card," that shop is violating the rules and you can report them to your credit card company. But only do that if you're really pissed, because they might lose their account and that can literally kill a small business.
Re:Should have stop at, Aren't FAXes the weirdest (Score:4, Informative)
And it's not all small transactions, either. Amateur and professional traders alike make trades worth vast sums of money online. Even wire transfers, which can be billions of dollars, happen over the phone and online within hours.
The idea that emailed contracts aren't enforceable -- or even that there's reasonable fear of them not being enforceable -- is just plain wrong.
Re:Should have stop at, Aren't FAXes the weirdest (Score:4, Informative)
The Uniform Commercial Code (UCC), which has been adopted by all 50 states, discusses what is a valid signature in Article 1, Section 1-201(39) [cornell.edu]: (Writing is defined as "printing, typewriting, or any other intentional reduction to tangible form.")
While that doesn't rule out the possibility of states having other requirements for signatures, the "least common denominator" between all states -- the UCC -- is pretty format-agnostic.
I think it's also worth pointing out that some 48 states, according to one source [findlaw.com], have put digital-signature laws in place that allow some form of non-physical, electronic signature. Some of them are pretty specific to PK crypto, while others are technology-agnostic. I find it a little hard to believe that any state that's gone to the trouble of crafting and passing a digital-signature law would still require faxed signatures.
What seems more likely to me is that private agreements between parties are the major driver for faxed signatures, because there are contracts forming standing arrangements between businesses that weren't written to take advantage of anything besides the dominant technology (POTS fax) at the time they were written. Therefore, you end up with change orders, POs, and other authorizations having to go by fax, because of some hoary old contract, even though some other form of signature would be theoretically acceptable.
Re:Actually, I LOVE the CC sig. (Score:3, Informative)