Schneier Asks Why We Accept Fax Signatures
Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.
Actually, I LOVE the CC sig. (Score:3, Interesting)
Animaether Asks Why We Accept Signatures (Score:5, Interesting)
Between people being quite apt at duplicating another's signature good enough for 'at a glance' acceptance
and
people's signatures changing over time (my bank just informed me that the last signature I gave them deviated too much from the one they had on file since 10 years ago, and so as to please put my signature on their form five times to get them a new basis. Guess what, the five looked alike, sure enough, but they could just as well have been forgery attempts from 5 different people...)
I'd say that signatures in general are relatively unacceptable. Except that they're usually 'good enough' for what we need them for. That's why we accept them in 'analog' writing, faxes and even e-mails. In the few cases where it was indeed forged, it's usually found out pretty easily.
Oh, but wait, Bruce already said as much; not included in the summary, of course. So go RTFA, then come back here to complain about Slashdot's shoddy headline/summary policy.. it's too much like an actual newspaper.
Now... where's the discussion of alternatives? One of those one-time 2D barcodes that uniquely identifies -moi- when used with the recipient's public key.. or something.
Lame (Score:3, Interesting)
Re:Actually, I LOVE the CC sig. (Score:4, Interesting)
Re:It's an "older" technology (Score:5, Interesting)
It wasn't that hard to xerox 2 copies of your driver's license and then cut out the numbers with scissors on one and then tape them on the other and then xerox a 3rd copy and you really couldn't tell the difference. *coughs* Not that I knew anything about it.
So back then even with fax machines, it's simply not that hard to find a document of someone's signature, cut it out and then tape it and then xerox it and then fax the xerox and no one would be wiser.
These days it's simply a cut and paste in photoshop and then printing to a fax printer if you happen to have one.
Re:It's an "older" technology (Score:5, Interesting)
Re:It's an "older" technology (Score:5, Interesting)
Re:It's an "older" technology (Score:3, Interesting)
However, when was there widespread use? I seem to recall that in 1992, the fax was in use, and friends of the family had one and used it. The first interweb came into existence in September 1993 (hint: ha-ha-only-serious). It has taken people some time getting used to it; some mothers more than others.
I think that's ultimately more relevant.
(mod parent informative)
Re:Actually, I LOVE the CC sig. (Score:2, Interesting)
Additionally, cashiers are NOT required by law in most cases (even when you write "see ID" on the back) to check for proper identification. Writing CID or see ID or anything else is *technically* illegal, as it is not your signature, and as a cashier, I would be correct to deny your purchase. However, pretty much nobody would actually do this and CC companies would likely look the other way, as they just want you to spend as much as you can on their card.
audit trail and legal (Score:2, Interesting)
Additionally a fax normally has an independent audit trail via 3rd party phone records (at least in theory).
So if you sign a contract and fax it through then later claim it wasn't you that sent it, I'd ask for a verified copy of your or the sender's phone bill to start with.
Re:Older generation (Score:5, Interesting)
Re:Actually, I LOVE the CC sig. (Score:4, Interesting)
IOW, is reporting violators of 2) in the above post actually worthwhile?
We haven't had faxes for 20 years (Score:5, Interesting)
Me, and most people I know, have almost never used a fax machine, and we don't understand why people around the world ever use them, at all.
This issue is very local and applies only to countries still using fax machines. Perhaps the issue isn't really about if fax machines are secure, but more general; why use them at all? They are stone age, insecure, crap quality, slow, consume an entire phone line, etc. Much like checks. I don't think I know any Swedish person who has ever used a check in his/her whole life, and that includes parents and grandparents.
So what's wrong? Fax being insecure? No, keeping bad and obsolete deprecated technology. Fax machines, checks, inch, feet, Fahrenheit, etc...
Come on, the entire world is laughing at you. I'm not trying to troll, but rather to enlighten. We do laugh; "Well, you know Yanks" and so on. Please give us a reason to stop that.
Re:Actually, I LOVE the CC sig. (Score:3, Interesting)
Re:Actually, I LOVE the CC sig. (Score:2, Interesting)
Mastercard definitely do, although I can't find the PDF with their merchant guidelines in that I used to refer to. I've worked at a UK based retailer in the past, serving a customer with 'See ID' on the back of her Mastercard. She looked at me incredulously when I refused to accept her ID as proof of signature on the basis that I have no idea what a valid State of Connecticut driver's license looks like (and as parent said, it invalidates the card). She told me that "a policeman told me to do it for security".
Also, when it comes to checking for signatures on Chip & Pin based cards, generally no signature just means a lazy customer. The words "VOIDVOIDVOIDVOID" where the signature strip should be (which is what happens when you try and remove it) is a much more obvious sign that something's odd.
Another customer told me he refused to sign his cards "because then a thief could then learn my signature and use my credit card with it", "But surely leaving the space blank just means that the card thief would just write their signature in the space and save themselves the effort", "...Could I borrow a pen?".
Re:They do accept scanned signatures (Score:4, Interesting)
A friend of mine didn't have enough signatures to pass the class at the end of the semester, so we collected sheets from a few people, and scanned quite a few of the teacher's signatures. We then got rid of all the extra stuff, and copied and pasted the signatures onto a blank 8.5" x 11" document, and made some test prints to get the exact placement right. When the time came, we ran his original form sheet through the printer, and printed the new signatures where they would have appeared on the document. It was extremely difficult to tell which signatures were real, and which were printed on, on the final document, even knowing that some were forgeries. The results were essentially perfect, the teacher never noticed, and we never got caught.
This occurred over 10 years ago now, and I haven't helped anybody cheat on anything since. Perhaps relying on signatures to authenticate documents isn't such a good idea anymore, now that they can be so easily duplicated.
Re:Older generation (Score:3, Interesting)
We solved this in 1993 (Score:3, Interesting)
Re:Should have stop at, Aren't FAXes the weirdest (Score:1, Interesting)
I suspect that your confusion stems from the fact that if you print two copies of a document from e.g. MS-Word, neither is considered a copy of the other. If the law requires you to provide someone with a "copy", you need to print one copy then photocopy it (scanning and printing counts). IOW, the copy must be made from a physical document, not from the data which was used to generate it.
Years ago in the Mortgage Industry... (Score:3, Interesting)
Years later, I worked as an Account Executive for a subprime lender, we accepted EVERYTHING by fax. They're out of business now and the industry as a whole is reeling from rampant fraud.
Re:Should have stop at, Aren't FAXes the weirdest (Score:2, Interesting)
I was doing document presentation at a trial where someone had to pay mid 7 figures because they made an oral agreement to sell stock and bonds and then didn't produce. The brokerage doing the purchase then sold them the same day (orally). When the original seller (who himself had made the purchase on a non-recorded phone conversation, and didn't understand what he was purchasing, which is where the benefit of writing comes in, since it became he said/he said) didn't come through the brokerage still had to cover their oral agreements (by purchasing over market price).
These few brokers had done deals worth more than I am likely to spend my entire life (mid 8 figures, the 7 figures was the amount they spent over market price to sell it at such) with purely oral agreements in a span of time under 48 hours. Big money can move without a scrap of paper (and in the case of the people working in France, there was not even a phone recording).
Re:Should have stop at, Aren't FAXes the weirdest (Score:4, Interesting)
My wife is a real-estate agent. Has to deal with passing a lot of signatures around. It was only a couple of years ago that North Carolina passed a law to make faxed signatures legally binding.
Lot of Fedexing going on up till then.
Re:Should have stop at, Aren't FAXes the weirdest (Score:3, Interesting)
This may be off-topic, but it reminds me of how my mother-in-law gave me money for a down payment on a house. Because the money was in cash, the bank required us to go to a bank, and have her get the money changed over to a cashier's check, which I then had to photocopy, deposit into my account, and keep in that account, until the day of the closing (when it had to be transferred to another cashier's check). All this to prove that the cash was given by her (which it didn't), and to create a paper trail (which was created in a process that could probably be described as "money laundering").
But they DID accept high-res scans in lieu of photocopies or faxes.
Re:Should have stop at, Aren't FAXes the weirdest (Score:4, Interesting)
While I was looking for a new job, one prospective employer wanted to verify my employment history, and called her.
She refused to verify my history over the phone - claiming privacy issues.
Fortunately the company hired to do my background check called me about this problem (apparently it's rather common.) They had me digitally sign a request for the stupid HR officer to verify my employment history with the background checking company.
She refused - claiming that digitally signed documents are not legally binding.
Instead, I had to fax a signed request to her - and then call my former boss to politely ask "WTF?!?"
FORTUNATELY the background check company was willing to work with me on this and I got the job.
However, I still have to wonder how many other job offers I may have missed due to this b*tch's refusal to do her job. Now that I think about it, I did have a few job prospects abruptly dry up even though I knew the hiring manager and engineers were impressed with me, only to be told by their HR department "we've decided on someone else." without so much as an explanation as to why I was not being considered any further.
Missing the whole point? (Score:3, Interesting)
Re:Should have stop at, Aren't FAXes the weirdest (Score:3, Interesting)