Schneier Asks Why We Accept Fax Signatures

Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.

Re:well

[Anonymous Coward]

I'm sure you can forge a signature, but not the number you're sending it from. Surely that can count as another level of security?

Um.... the fax number that appears at the top of the page is a simple setting on the fax machine, it's not even callerID. Of course, CID spoofing is trivial too, get a spoof card or a digital line of some sort and you're good to go there.

Credit Card Signatures

[SoundGuyNoise]

The signature on the credit card or on the sales receipt have been for security purposes. It's there to indicate that you accept the terms and agreements to using the card, and that you agree to pay the credit card company for your purchases.

Signatures aren't about security

[bperkins]

They are about legal requirements.

Faking a fax signature isn't really that much harder than faking a real one.

Sending a fake signature over a fax isn't that much harder than faking a real one, but is no less criminal.

"Notarized" signatures are supposed to be more secure, though if you can produce a convincing fake ID, they probably aren't.

Re:It's an "older" technology

[morgan_greywolf]

Older? Really?

The modern fax machine was introduced in the mid-1970s. E-mail was introduced with CTSS in 1965 and Internet e-mail, with the introduction of the now-ubiquitous '@' sign by Ray Tomlinson, in 1971.

The fact that ignorant people from the older generations think that "email" is "new" isn't my problem, it's theirs.

FWIW, I used e-mail well before I ever, ever used a fax machine. And I'm 35.

telephone number

[goombah99]

Faxs come with a telephone number of the sender as well. and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationary.

People are comfortable with that because they understand what is involved in doing that. With e-mail and digitial docs its harder for an untrained person to evaluate the threat. Also with digital docs it's harder later to raise questions about the authenticity. With the fax, one can later check for example fax logs on the sending machines and other trails of evidence.

In both cases forgeries are possible but in the case of faxes most humans are able to evaluate the threat.

Not that big of a security risk at all.

[kaltkalt]

First of all, legally, a copy of a contract is just as legitimate as the original (yes, IAAL). Both can be alleged to be forgeries just as easily. In fact a copy could be more easily proved to be a forgery than the original, as one could compare signatures and show that the signature was lifted from another source. It's like one of those infamous "Majestic 12" documents that was allegedly signed by Harry Truman - the best evidence we have that it is not authentic is that the Truman signature is exactly like another signature on another document, it was lifted, cut and pasted, onto the MJ-12 document. Note: I don't want to debate the MJ-12 documents here. Anyway, the other reason why fax signatures are not a security risk is that you know who is going to be sending you the fax. "Sign it and fax it over to me today." You get the fax today. Nobody else would reasonably know about that expectation. It's like going to pick up money from western union - "I'm here to pick up $100 for Brian Halloweth" ... the fact that you know about the 100 bucks for someone named Brian Halloweth is good evidence your claim is legitimate. Ditto with the fax signature. Of course this doesn't apply to general applications that can be signed and faxed at any time, unexpectedly. But those can just as easily be forged, and in this scenario the faxee is less likely to know the signature of the faxor. Any alleged weakness in a fax signature is also a weakness in a real signature. That's the bottom line. I don't buy the notion that they are a huge security risk.

Re:telephone number

[Loether]

Faxs come with a telephone number of the sender as well. and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationary.

"Forging" a telephone number on a fax machine just requires changing a setting on the sending machine. It's in the fax manual.

Schneier's thinking is backwards

[Theaetetus]

Requiring a signature comes out of the old contract law of the Statute of Frauds, which requires certain contracts (not all) to be in writing, with a signature by the person to be bound to the contract. It was so that you couldn't agree to sell someone an expensive good, collect the money, then give them a cheap one and claim that that was the original contract - or so that you couldn't agree to buy the expensive good, pay them a dollar, and claim that was the original contract. Your signature isn't about protecting you from identity theft, it's about protecting the other party from your fraud.

So, why do companies accept easily faked signatures by fax? They have a signature, so you're bound to the agreement. The burden of proof is on you if you want to prove the signature was faked, not them, so they're protected. They'll either get paid by you, or you'll find the identity thief and they'll get paid by him or her.

The bigger question would be why do we agree to being bound to our faxed signatures? And the answer there is convenience. Sure, they can be faked, but it's a lot nicer than having to wait for the US Mail.

Re:It's an "older" technology

[Jhon]

TECHNICALLY, the "fax machine" was invented in the 19th century. It became WIDELY used in the 1970s. While the first EMAIL may have been keyed in 1965, it could HARDLY have been considered to have been in WIDE use.

So, YES, the fax machine is OLDER. Much older.

Re:Actually, I LOVE the CC sig.

[eXonyte]

Did you know that putting "See ID" or "See License" invalidates a Visa card unless you sign it as well? Unless, of course, your legal name happens to be "See License".

Check out the Rules for Visa Merchants [visa.com], in particular page 34 (page 29 if printed). There is some amusing information in there, such as the fact that merchants are not allowed to require ID for a credit card purchase.

[...] merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID.

I have no idea if MasterCard, Discover, or Amex have similar rules.

Re:Actually, I LOVE the CC sig.

[smbarbour]

I work in the credit card industry, so I do know how it works...

1) The signature on the back of the card authorizes it for use. Failure to sign the card is supposed to indicate that the card is not authorized.

2) Merchants are NOT allowed to check ID as a condition of credit card acceptance.

3) The signatures do NOT have to match. The signature on the card only authorizes the card for use and is not for comparison.

Re:It's an "older" technology

[reebmmm]

The acceptance of fax signatures has to do only with fact that fax machines have been around for a long time

This is part of it, but the real reason why is that the law (E-SIGN and various other state versions) have basically said that you can't deny a signature MERELY because it's electronically signed.

Oh, and also because its silly not to accept an electronic signature.

It might surprise people but there's hardly a reason NOT to accept a fax/electronic signature since a signature is really meaningless in the business context. It is essentially EVIDENCE. It's not conclusive. There are certain enumerated situations (like wills and real estate) where signatures are a big deal, but these are not the day-to-day transactions people usually think about.

In a contract, the question is whether the parties intended to form a contract. A signature can be evidence of that. So can clicking a button. So can doing s/First Last/. So can paying for the goods. So can accepting the goods. So can performing. So can stating so in an e-mail with a contract attached. And on and on.

Besides, the risk of fraud exists regardless of whether you get a real signature or otherwise. Again, even when there's a fraud, the signature becomes evidence of the fraud. Heck, even requiring in person signature is not a sure fire way to prevent fraud. Frequently the person accepting an actual signed contract will not be in a position to evaluate whether the signature is in fact true or fraudulent.

Re:Paper in, paper out.

[Anonymous Coward]

419 fax scams were around far earlier than the email version. And before that, by mail.

Heck, the short story The Spanish Prisoner was published in 1910 (at least so Wikipedia tells me)

Re:It's an "older" technology

[Cyberax]

Nope. http://en.wikipedia.org/wiki/Pantelegraph [wikipedia.org] was invented in 1861.

signature law

[Benjamin_Wright]

The law of signatures places more emphasis on the ceremonial aspect of signing [blogspot.com] than on security. --Ben http://hack-igations.blogspot.com/2008/04/text-message-investigations.html [blogspot.com]

Re:The real question is...

[Carcass666]

Joe Public can go buy a FAX machine with a decent multisheet feeder, plug it into a phone line, and quickly send out faxes. You do not have to wait for the scan, you don't even have to wait for it to dial, you can plop in 20 pages, dial a number, hit Start and off you go

Contrast this with a scanning on a PC. Even low-end FAX machine usually has a better multi-sheet feeder than most scanners. If you get a multi-function scanner/printer, the resolution isn't going to be much better than a dedicated FAX anyway. Windows (I don't know about Mac) comes with really crappy scanning software, and most packages I've seen that come with multi-function scanners/printers aren't much better.

Same situation with receiving a FAX versus getting an email, hoping the attachment isn't blocked because it is too large, waiting for FAX or PDF software to load, and then waiting for printing. With a FAX - it "just works"

As much as we may wish for the Paperless Office, it isn't coming soon. The world still runs on paper. And FAX'ing is still much more expedient than scanning/emailing/printing.

Re:Actually, I LOVE the CC sig.

[alan_dershowitz]

The signatures do NOT have to match. The signature on the card only authorizes the card for use and is not for comparison.

This is WRONG. If you go through with a transaction where the signatures don't match, your business could be held LIABLE for the purchase if it was a fraudulent transaction. You are supposed to hold the card and make a Code 10 call to VISA and ask for further instructions if the signature doesn't appear to match.

Re:What to do if someone asks you to fax a signatu

[R2.0]

"Get three pieces of black construction paper and a roll of scotch tape.

Tape them together top to bottom, creating one long sheet. On the bottom, place a piece of tape half over the edge.

Insert the long sheet into the fax machine, and dial the number. As it begins to feed through, quickly affix the top to the bottom sheet, creating a long loop.

Go get a cup of coffee."

You forgot to change your own fax settings to "Fax Directly" instead of "Fax from Memory". VERY important point.

Re:Should have stop at, Aren't FAXes the weirdest

[torkus]

Actually you're not correct there. Digitally scanned documents are legal substitutes for the original.

Don't believe me? Check with your bank. Checks are not physically distributed to other banks for payment/clearing (I believe) and virtually all banks use digital images for "returning" your check (I know for a fact). Print out that digital image and it's perfectly valid in court.

The law this is based off is the one that says 'a copy of a document is legally equivilant to the original'. Heck, you realize most modern photocopy machines are actually a fancy scanner and laser printer with a computer inbetween right?

Re:Actually, I LOVE the CC sig.

[kailoran]

The signatures do NOT have to match..

This is WRONG.

The "rules for visa merchants" official pdf someone posted above confirm that, but they do say that the signature doesn't have to match the name printed on the card. Maybe that was where GP got the idea.

Re:telephone number

[Alpha830RulZ]

Yeah, but that sender phone number is programmed into the machine, and can be set to -any- phone number. To check what number the fax really came from, you;d need to check the ANI information on the call (caller ID). That information often doesn't correspond to the actual number of the fax, if the fax is routed through a PBX.

Re:Actually, I LOVE the CC sig.

[MightyYar]

which is a measly two days

That's not quite true. There is a second fall-back of a $500 limit if you, for some reason, do not report the theft after you've learned about it. You get 60 days to report something appearing on your statement - the 2 days is just for physical loss or theft. And EVEN THEN, you are only responsible for further losses after the initial 60 days.

And, as you say, I've never heard of a financial institution enforcing even the $50 liability - let alone the $500. And to be fair, I've never heard of a check card company holding you liable either.

BUT, there's a big difference. If your credit card is charged to it's limit, you call the company, they cancel the number. No big deal. They go sort it out and you loose a credit line for a while... chances are you have more than one anyway.

With a check card, chances are you'll start to notice the fraud when your rent check bounces, or you go to get money at an ATM and there isn't any. Call the bank, they cancel the card, and then you WAIT, with no money. Any checks you wrote bounce, and you pile up $30 fees. You can't pay any bills.

You shouldn't be keeping tons of cash in checking anyway.

Not everyone HAS tons of cash. Many people don't even have a savings account, let alone "tons of cash" in their checking account. Even then, the definition of "tons of cash" is certainly different for everyone. I knew a guy that kept about $100,000 in there, just in case his airplane needed repairs and he needed to write a check. I, on the other hand, would rarely let it float about $10,000 - preferring to keep any extra in my brokerage account.

In any event, unless you have a check card, why in the world shouldn't you keep money in your checking account? Interest rate? I'm sorry, but the couple dollars in interest you get from that big 2% rate on savings isn't exactly going to sway me - and many banks will give you almost the same rate on your checking if you agree to keep a certain balance or do direct deposit.

screw you forever if you're 0.0001 seconds late when paying.

They indeed are bastards with the late fees. However, on the few occasions that I was late paying, I've had luck calling the credit card company and asking if they could please refund the late fee. Of course, we're talking once or twice in three years... but if you aren't that organized, they will be happy to auto-deduct the minimum payment from your checking account so you don't get a late fee.

Re:Actually, I LOVE the CC sig.

[Chyeld]

And if you read the PDF the GP linked to, you would realize that the merchants that allowed you to get away with that are just as screwed as the ones that don't check at all.

The purpose of signing the card is to show that you have agreed to the card holder's agreement with the CC company. Allowing you to rack up charges with an unsigned card makes their transaction just as 'fradulent' as allowing you to rack up charges on Jane Smith's card while signing your name as "Sebastian Bach".

CID is the same deal, if it isn't your signature on the card, they aren't suppose to accept it regardless of whether you have the Pope and President swearing it's you or a napkin with a polaroid stapled to it.

Re:It's an "older" technology

[Herkum01]

Try to have a copy of a legal document, like your driver's license, and show it in court.

You cannot use a duplicate of a legal document in place of a legal document, it is considered hearsay and would get thrown out.

You may get away with a fax for a quick approval, but you need to have an original legal document( for example, by mail) or you run the hazard of it not being valid.

Re:It's an "older" technology

[kilgortrout]

That is incorrect on so many levels, I don't know where to start. First, there is no overarching "US law" regulating the admissibility in evidence of fax signed documents. That would be a matter for the rules of evidence in each of the fifty States. In general, a fax would have the same legal status as any other copy and the admissibility of any copy would be determined by whether or not you could authenticate the copy as an accurate copy of the original. When you have only a copy, there is always the potential of a dispute about authenticity, i.e. whether or not the copy is accurate. When you have an originally signed document, the only thing that can usually be disputed is the authenticity of the signature which is generally easier to resolve. The fax enjoys no special legal status in any jurisdiction that I'm aware of.

Re:Should have stop at, Aren't FAXes the weirdest

[Wrath0fb0b]

The reason your bank can use a digital image for your check is because Congress created a legally binding document called a "substitute check" (this was in the wake of 911 when paper checks were stuck on the ground for 3 days). See http://en.wikipedia.org/wiki/Check_21_Act [wikipedia.org]. Before that act, the original dead-tree check had to be sent to the account bearer's bank for actual processing.

I would be wary of stretching that logic to apply to any legal document -- if scanned documents were valid, banks could have been doing this with checks before the intervention of Congress. Then again, I don't know why faxed documents are presumed any better.

Re:Should have stop at, Aren't FAXes the weirdest

[Anonymous Coward]

Check 21 didnt "allow" banks to accpet an electronic replacement, it forced them to do so.

Re:It's an "older" technology

[rewinn]

Yes, but the "Electronic Signatures in Global National Commerce Act" [loc.gov] was not intended to refer to scanned images of a physical signature, but rather more like a personal key that the owner controls by password, physical token, or some such McGuffin. You could, I suppose, write out your e-signature with a pen and fax it, or scan it and mail it; or you could generate an e-signature from your scanned physical signature (hey why not?) but it wouldn't be what was intended. See: "Electronic Signatures in Global National Commerce Act" [ftc.gov]

Re:Older generation

[iocat]

Great points. In practice, we usually fax contracts so we can start working, then send (via FedEx) paper copies for 'real' execution. I can't think of an example in 15+ years in the working world where a fax signature wasn't used in a positive manner -- to seal the deal on something everyone already agreed on, like an NDA or a writing assignment or a negotiated development contract.

On the other hand, we also switched to the e-signing service DocuSign [docusign.com] for our internal contracts and approvals, because using a fax machine is such a massive pain in the ass and no one in our company likes dealing with paper. A few of our clients use it too, it's pretty wonderful. As secure as you want it to be, and also quick and easy.

Not really confusing at all.

[zippthorne]

A signature is not an identification tool. It is a deliberate act signifying agreement. Since you have to put some effort into signing a document, it means you agree to the terms.

Some documents are so important that you must write the whole thing out by hand before signing. This is to make sure you've agree to terms with full knowledge of them. There will *not* be teams of handwriting analysts pouring over it and everything else you've written to make sure it's really you.

Presumably identification is done through more secure means. The signature is just a symbol of acquiescence.

They were protecting themselves

[snowwrestler]

If they accept a credit card that is not signed (even if it says See ID and they check the ID), they have violated the rules of the credit card company. Should there be a problem with that purchase, they will have to eat the chargeback.

I managed a retail shop for several years and the credit card companies are dead serious about their rules. The card MUST be signed with a personal signature--"See ID" or "CID" does not satisfy that. The shop must keep the original of the signed copy of the credit charge slip (if they accidentally keep the carbon, the purchase is not covered). The shop is not allowed to require ID for the purchase. In addition there are a variety of rules about data storage and security.

On the other hand, merchants are also forbidden from setting a minimum credit card purchase...if you ever get told "there is a $5 minimum to use a card," that shop is violating the rules and you can report them to your credit card company. But only do that if you're really pissed, because they might lose their account and that can literally kill a small business.

Re:Should have stop at, Aren't FAXes the weirdest

[Pendersempai]

That's ridiculous. Far more contracts occur online than in writing. Every single purchase from Amazon.com, every single bid on an auction at eBay, and every sale that occurs over craigslist happens without a physical pen-and-paper signature. There is no doubt that these are valid orders.

And it's not all small transactions, either. Amateur and professional traders alike make trades worth vast sums of money online. Even wire transfers, which can be billions of dollars, happen over the phone and online within hours.

The idea that emailed contracts aren't enforceable -- or even that there's reasonable fear of them not being enforceable -- is just plain wrong.

Re:Should have stop at, Aren't FAXes the weirdest

[Kadin2048]

I am in agreement with you and wanted to point out something that I think furthers your point.

The Uniform Commercial Code (UCC), which has been adopted by all 50 states, discusses what is a valid signature in Article 1, Section 1-201(39) [cornell.edu]:

"Signed" includes using any symbol executed or adopted with present intention to adopt or accept a writing.

(Writing is defined as "printing, typewriting, or any other intentional reduction to tangible form.")

While that doesn't rule out the possibility of states having other requirements for signatures, the "least common denominator" between all states -- the UCC -- is pretty format-agnostic.

I think it's also worth pointing out that some 48 states, according to one source [findlaw.com], have put digital-signature laws in place that allow some form of non-physical, electronic signature. Some of them are pretty specific to PK crypto, while others are technology-agnostic. I find it a little hard to believe that any state that's gone to the trouble of crafting and passing a digital-signature law would still require faxed signatures.

What seems more likely to me is that private agreements between parties are the major driver for faxed signatures, because there are contracts forming standing arrangements between businesses that weren't written to take advantage of anything besides the dominant technology (POTS fax) at the time they were written. Therefore, you end up with change orders, POs, and other authorizations having to go by fax, because of some hoary old contract, even though some other form of signature would be theoretically acceptable.

Re:Actually, I LOVE the CC sig.

[Valar]

As someone who works for a bank and has some familiarity with merchant service programs and debit/credit card revenue, I can testify to the fact that the industry standard is a flat charge per transaction, plus a percentage of dollar volume.