Schneier on Security
A blog covering security and security technology.
« The War on T-Shirts |
| Filming in DC's Union Station »
June 3, 2008
Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them.
Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure agreements and all sorts of financial documents -- all by fax. I even have a scanned file of my signature on my computer, so I can virtually cut and paste it into documents and fax them directly from my computer without ever having to print them out. What in the world is going on here?
And, more importantly, why are fax signatures still being used after years of experience? Why aren't there many stories of signatures forged through the use of fax machines?
The answer comes from looking at fax signatures not as an isolated security measure, but in the context of the larger system. Fax signatures work because signed faxes exist within a broader communications context.
In a 2003 paper, "Economics, Psychology, and Sociology of Security," Professor Andrew Odlyzko looks at fax signatures and concludes:
Although fax signatures have become widespread, their usage is restricted. They are not used for final contracts of substantial value, such as home purchases. That means that the insecurity of fax communications is not easy to exploit for large gain. Additional protection against abuse of fax insecurity is provided by the context in which faxes are used. There are records of phone calls that carry the faxes, paper trails inside enterprises and so on. Furthermore, unexpected large financial transfers trigger scrutiny. As a result, successful frauds are not easy to carry out by purely technical means.
He's right. Thinking back, there really aren't ways in which a criminal could use a forged document sent by fax to defraud me. I suppose an unscrupulous consulting client could forge my signature on an non-disclosure agreement and then sue me, but that hardly seems worth the effort. And if my broker received a fax document from me authorizing a money transfer to a Nigerian bank account, he would certainly call me before completing it.
Credit card signatures aren't verified in person, either -- and I can already buy things over the phone with a credit card -- so there are no new risks there, and Visa knows how to monitor transactions for fraud. Lots of companies accept purchase orders via fax, even for large amounts of stuff, but there's a physical audit trail, and the goods are shipped to a physical address -- probably one the seller has shipped to before. Signatures are kind of a business lubricant: mostly, they help move things along smoothly.
Except when they don't.
On October 30, 2004, Tristian Wilson was released from a Memphis jail on the authority of a forged fax message. It wasn't even a particularly good forgery. It wasn't on the standard letterhead of the West Memphis Police Department. The name of the policeman who signed the fax was misspelled. And the time stamp on the top of the fax clearly showed that it was sent from a local McDonald's.
The success of this hack has nothing to do with the fact that it was sent over by fax. It worked because the jail had lousy verification procedures. They didn't notice any discrepancies in the fax. They didn't notice the phone number from which the fax was sent. They didn't call and verify that it was official. The jail was accustomed to getting release orders via fax, and just acted on this one without thinking. Would it have been any different had the forged release form been sent by mail or courier?
Yes, fax signatures always exist in context, but sometimes they are the linchpin within that context. If you can mimic enough of the context, or if those on the receiving end become complacent, you can get away with mischief.
Arguably, this is part of the security process. Signatures themselves are poorly defined. Sometimes a document is valid even if not signed: A person with both hands in a cast can still buy a house. Sometimes a document is invalid even if signed: The signer might be drunk, or have a gun pointed at his head. Or he might be a minor. Sometimes a valid signature isn't enough; in the United States there is an entire infrastructure of "notary publics" who officially witness signed documents. When I started filing my tax returns electronically, I had to sign a document stating that I wouldn't be signing my income tax documents. And banks don't even bother verifying signatures on checks less than $30,000; it's cheaper to deal with fraud after the fact than prevent it.
Over the course of centuries, business and legal systems have slowly sorted out what types of additional controls are required around signatures, and in which circumstances.
Those same systems will be able to sort out fax signatures, too, but it'll be slow. And that's where there will be potential problems. Already fax is a declining technology. In a few years it'll be largely obsolete, replaced by PDFs sent over e-mail and other forms of electronic documentation. In the past, we've had time to figure out how to deal with new technologies. Now, by the time we institutionalize these measures, the technologies are likely to be obsolete.
What that means is people are likely to treat fax signatures -- or whatever replaces them -- exactly the same way as paper signatures. And sometimes that assumption will get them into trouble.
But it won't cause social havoc. Wilson's story is remarkable mostly because it's so exceptional. And even he was rearrested at his home less than a week later. Fax signatures may be new, but fake signatures have always been a possibility. Our legal and business systems need to deal with the underlying problem -- false authentication -- rather than focus on the technology of the moment. Systems need to defend themselves against the possibility of fake signatures, regardless of how they arrive.
This essay previously appeared on Wired.com.
EDITED TO ADD (6/3): 2005 story, "Federal Jury Convicts N.Y. Attorney of Faking Judge's Order."
Posted on June 3, 2008 at 7:01 AM
• 58 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
It used to be said that,
"There's no con like an old one"
Then the Internet came along and all the old cons where given a new lease of life.
I gues this only proves how short term the collective human experiance can be.
On that assumption, all those security processess the banks used to have in the old ledger days that got swept away by the bold brush of new technology might just be worth dusting off again now that the technology is now going on line almost entirely...
The problem is that signatures have limited value as a security item, anyway. It is my understanding that in most legal contexts a signature is used as verification only inasmuch as you can be later compelled by a court to answer the question "is this your signature?" Whether you choose to perjure yourself or not is up to you.
That is, even though many places make a big show of comparing the signature when you pay for something with a credit card, this is only a cursory check with limited value. The real legally binding part comes if some party challenges the "contract" you have signed. This is a subtle difference, but it makes a big difference. Signatures are intended to be more about being able to resolve legal disputes at a later time rather than an immediate verification at the time of signing.
(It is up to the vendor, of course, if they wish to accept your verification that the name on the credit card is you, but this is always the case, regardless of whether you sign the back of the credit slip with as "X" or "Dr. Feelgood" or your "real" signature.)
This reliance of the signature as a primary or secondary verification procedure may be why we see some of these sorts of the stories. We are relying on signatures for things where they are often weakest.
Signatures just aren't very good immediate verification objects. They change over the years, and are easy to forge and (as we see here) can even be copied in different ways in order to get away with a crime. Their real strength is that they can be used in dispute arbitration to determine of a particular agreement is legally binding or not.
As Bruce mentions here, signatures received over fax are not legally binding in some contexts. That is, it is (or should be) accepted as verification only for certain convenient uses. As soon as the risk of being able to challenge that verification in court goes up, you have to provide more assurance.
What about the signatures on the electronic signature pads at retail places like Lowes? In my experience, the things usually are horribly calibrated - placing the pen to the pad results in a mark as much as 1/2 inch away from the point of contact - resulting in a signature that looks *nothing* like one I would do on paper. Lowes prints me out a copy, which is cool, and when I look at it I am forced to the conclusion that my signature is meaningless.
Fax signatures are easy to forge, but /s/ signatures are even easier. A string of characters like "/s/ John Q. Public" put in an electronic document where a signature should go is accepted as a signature. I've seen lawyers sign their electronically submitted documents like that quite a few times.
I always thought this was funny. I literally copy and paste my signature onto faxed documents all the time. I don't have a fax machine, but I do have computers with fax modems. I have an image file I keep on my computer with my signature, and another one with my wife's. When I need to return a signed document, I open it in an editor, paste my signature in, and send it back. The funny thing is that it has to be really obvious to the receiver that the document never touched paper on my end, because the quality will be as perfect as their fax machine allows.
Even worse, I've done this with e-mailed documents. Someone will send me a PDF and indicate that I can return it by e-mail. They get back a PDF which is identical in every way except for my signature pasted onto the bottom. It's clearly not scanned, and my signature is clearly pasted on (since it is obvious scanned), but nobody ever cares.
I am a lawyer and a notary and (generally) have no problem at all relying on faxed signatures. In fact, I have to disagree with Professor Andrew Odlyzko's quote "Although fax signatures have become widespread, their usage is restricted. They are not used for final contracts of substantial value, such as home purchases." Its not the value of the transaction that's at issue, its the surrounding circumstances.
I'd be less willing to accept a faxed signature from someone unknown and who we won't have an ongoing relationship, regardless of the value. The risk that it is a scam is too high. However, in a situation where there are two companies, with an existing relationship, who have to deal with each other going forward, the faxed signature is basically riskless.
Most people don't understand that signatures don't generally perform a security function, they perform a solemnization function. At least that was the case before the mathematicians got involved and tried to convince folks of the value of digitial signatures . . .. :-)
Crazy, nobody checks the signature and it seems the credit companies, for the most part, don't care either. Unless you're trying to buy HDTVs...
There's a simple, though not fool-proof, extra check you can use--make the person not only sign their name, but also write out some pre-determined string in their own handwriting. The SAT, for example, requires an entire paragraph of the test agreement to be written out in script, before the tester signs. This won't help in situations where the person whose signature is being forged is complicit, since he can then just write the text out himself, but it will help in cases where the forger does not have access to the signer himself.
I'm from Canada and know 2 personal instances where final agreements when buying a house were done by fax, in fact the entire transactions were done over the phone and by fax.
In the cases it was done, besides using a courier, it was the only way to do it. The people selling their house had already moved far from where their house was.
If/when we get around to actually having digital signatures, then at least they'll be a verification capability to them. As the people who read this site well know, you can indeed digitally sign something in a verifiable way.
Though I have no doubt that if it ever gets popular/commonplace, it will still have a thing that "looks" sorta like your actual signature. Maybe we can have people sign their names as a source of randomness in the key generation process... ;)
Faxes are astonishingly insecure, yet using encrypted and/or digitally signed email meets stubborn resistance. Go figure.
An important question is, "Who carries the risk of fraud?"
If your bank will accept faxed instructions only on condition that you are bound by any fax it believed came from you, whether you sent it or not, you could be in big trouble. But if people are willing to rely on your faxed signature, and take the loss if they are defrauded by an impersonator, then you have nothing to worry about.
Just remember to check carefully who carries the risk.
When my mother in law moved we discovered that some of the papers for her home sale were signed exactly this way. The signature was cut out of another document and pasted in. Even the notary's seal and signature were cut from another document. No harm no foul, I guess, but it did seem dishonest.
In Spain, banks do check signatures on checks, regardless the amount (except for really trivial amounts ;-). But only if you wish to cash the check. If you want to deposit the check in your banking account, they don't really care about the signature (except for really large amounts ;-), because of the trail that such an action leaves.
Worse than fax signatures are signatures in PDF files: people routinely email PDF forms for me to sign, expecting me to print and mail them back. Instead, I import the PDF into Illustrator, drop in an image of my signature, and email the doctored PDF file back. This had been accepted by a wide variety of institutions. This is crazy. The only real security in the system is that there's and end-to-end check (the statements sent to me from banks an financial institutions).
My 'nickname' slowly replaced my 'legal' name and I had to do some research into the UCC (Uniform Commercial Code) because my name, signature and ID got out of sync. (Nobody knows the law like a minimum wage clerk at a chain store, or so they think.) Writing your name in cursive is a convention, nothing more.
In a nutshell, a 'signature' is nothing more than a tangible mark to indicate assent. Everything else comes down to the question of how easily you can refudiate it. Unsigned checks have been held to be legally signed when written by hand -- the rest of the check was interpreted as a tangible mark indicating the intention to pay the check. 'X' has long been held as a signature, albeit one that's usually countersigned by somebody else vouching for that person's identity.
That's why the story of the guy attempting to buy three big screen tvs with "this is unauthorized" (or something like that) cracks me up. If the manager wanted to give him grief back, he could have correctly pointed out that, legally, he had signed the charge slip and he would be held to his word. The fact that it said "unauthorized" is irrelevant since people accept illegible signatures all of the time. It's putting the pen to paper (or to touchscreen) that matters, not what comes out.
Would he have actually followed through with the sale. Probably not, to the nth degree. But I'm sure the prankster would have backed down quickly once he realized he had pulled the pin on a live $12k grenade. :-)
Back when I worked for an energy trading firm, our software would automatically generate a contract based on the deal information entered, sign it with the appropriate person's signature and fax it without human intervention. (This was mostly to confirm that we had done the deal, and what the particulars were. Most of the deals were done over the phone.)
The real problem with faxes - even more than with photocopiers - is that people can forge the contents of the page. Forget the signature. random lines and odd pixel alignments are more tolerated on faxes, and so they can build a page with paper and scissors and then fax it.
I've seen exactly this happen in a medical context.
Walmart might be just starting to do IT right, had a unit screw up signature while using pen, closed out the process, and had the old style paper signature. Good, Smart.
Security is moving from apparent to real these days.
I think people rely on fax signatures more for non-repudiation than for authentication.
When we applied for our home mortgage, the lender allowed us to pick the date on which to lock-in the interest rate. To bind the lock-in, we had to send the lender a check for 1 point (1% of the loan amount)
We executed the lock-in by telephone. Then the lender had us write out the check, fax them an image of it, and mail it to them.They got the check a few days later, but they committed to the interest rate on the day that we called and faxed the image.
They (probably) can't cash a faxed check, but just having the image helps protect them against us trying to repudiate the lock-in.
"A person with both hands in a cast can still buy a house."
both hands in *one* cast? That, I'd like to see.
A signature on a document is a little bit like a lock on a door--nobody thinks it can't be broken, but it serves to put people on notice of where the line of honesty lies. If you pick somebody else's lock, or forge somebody else's signature, it's clear to everyone--including you and the jury--that your actions aren't innocent.
On the subject fax subterfuge, I thought you might be interested in a case that happened near my home town a few years ago. It involves an attorney faking an order from a Federal Magistrate via fax in order to embarrass the opposing legal team.
Its one thing to write yourself out of a poorly run prison, its another thing entirely to try a stunt like this.
Legally, a contract is formed when the parties to the contract have a present intention to enter into the contract. Signatures are merely evidence of that present intention. Thus, a simple "X" suffices if it can be proven in court that the person making the "X" had the present intention at the time to enter into a contract.
The benefit of fax signatures is not in security or even their own integrity, but that they require someone to lie. "Did you sign that application?"
That goes to intent and other legal issues--but not really any security issues.
Just a few observations.
How many secretaries have their bosses' signatures on a rubber stamp?
Sometimes I forget to sign a check before handing it to my wife to deposit. She's never had any problem depositing it, even when it's been only in my name. My name is on the check, it's being deposited into my checking account -- how much opportunity for fraud is there?
I've been told that my signature is not actually required to complete a credit card transaction. And even if it were, just how many handwriting experts are working as retail clerks anyway? If you want security on your credit card, switch to a PIN system like debit cards have. The signature is meaningless for security.
I've heard of a story from the early days of fax where a faxed signature was not considered legal but a photocopy was, but the party in question was not available for signing in person. He faxed the document, and his counsel then photocopied the fax. The photocopy of the fax was accepted. How's that for silly?
I'm an IT transactions attorney and I have seen this discussion with each successive wave of document exchange technology.
There's a legacy issue here with corporate contracts management and contract drafting practices.
It is very common for contracts to specify fax as an approved form of written notice and for exchanging binding signature documents. (I have worked at Fortune 500 companies with IT contracts written in the 70's and 80's -- many of these contracts are still active. Most of these early contracts specified fax or facsimile as an approved method of written notice or signature.) Contracts between private parties may restrict or specify any form of notice or signature. Today it's common for commercial contracts to contain terms approving email as a form of notice for some purposes and fax for other purposes.
The federal E-SIGN Act of 2000 sets a default rule for US interstate commerce -- digital and digitized forms of signature are officially valid and acceptable under federal law. This law keeps the flexibility to allow private parties to opt out of this in a contract and specify any signature method they want, and they frequently opt out.
My favorite form of authentication technology comes from the last millenium. The block of contract text was copied by a single scribe on different sections of a huge sheet of paper, with the block of text running in different directions. Each block of text was signed by all parties and then the sheet of paper was cut apart with a wavy or jigsaw type border or ripped in a distinctive way. Signature 'authentication' included fitting all the copies together to determine whether one was a forgery, comparing the scribe's handwriting in each block of text, and examining the paper to determine whether the rag, weight, and paper components were the same and whether the ink was of the same age, color and type. (Not that I'm advocating going back to this!)
Carol Shepherd, Attorney
Reminds me of the movie "Spy Game", where Robert Redford's character faxes an authorization to a battle group to conduct a CIA raid in China. The signature was simply the CIA director's taken from a plaque cut and pasted onto the fax.
Here in Singapore there was a case a couple of years ago where a company concluded a contract (via email) to take up a lease and when sued for failing to do so attempted to use the electronic means of the communication as a defence.
The court did not see a difference between a handwritten and typed signature here - indeed in this case the senders name in the 'from' field sufficed. (Afaik the authenticity of the mail was never disputed by either party).
Article on it here:
Back in High School I had my father's signature scanned into my computer, and once every few weeks I would print out a note to the attendance office asking them to excuse all of my absences. I ditched every single Wednesday during my senior year, until there were ~ 6 weeks left of school and they told me I couldn't miss any more or I wouldn't graduate. They never figured out those notes were forgeries, though.
When I finally showed up on a Wednesday, all my friends and teachers kept asking me what I was doing at school on a Wednesday. It was an unbelievably depressing day.
I had power of attorney for my parents, and was closing some of their bank accounts. In one case, I mailed a photocopy of the POA to the bank, which they rejected since it didn't have a raised seal. As I only had one original with a raised seal, I didn't want to give that to them. Their answer: "no problem - just FAX the original to us"! I tried to ask how a FAXed copy of a raised seal was any better than a photocopy of said document, but it was a pointless discussion...
I concluded that FAXes must be treated with magic security dust, because that's the only explanation that makes sense.
The datacenter where my company keeps all of their stuff wanted a letter faxed on company letterhead to change the primary contact on our account from our former CTO to me who has taken over his position. We don't even have company letterhead. Who has letterhead anymore? So I just fired up OpenOffice, dumper a copy of the company logo taken from our website right at the top of the document and told them to change the contact. It worked. Meaning anyone can change our contact to anyone they want. Scary. Biometrics, key cards, man traps, and all kinds of physical security to impress potential clients but they use something as trivial as a fax to change primary contact which is the person who defines all others access for our company. Scary.
I ran into this the other day. I moved my auto insurance to another company and dutifully went through the steps on my old company's website to remove the policy which correctly would cancel the policy. I received an email notifying me that cancelling my policy required that I speak to someone at an 800 number. I called the number and found out that I needed to fax a signed notice stating I was cancelling the policy.
I was floored that there are certain industries in which faxing is still so common. Hopefully we will begin to see this change in the near future.
'...there is an entire infrastructure of "notary publics"...'
You mean notaries public.
about banks not check'n sigs on money under 30K is not true....at least not with my bank. They called me about a check for $400 (or maybe it was $500) -- but nevertheless, it was around 500 -- my sig was "not normal" and the handwriting was weird to them.
They were right -- I was drunk, the night of my wedding and I was pissed off when I signed that check. It was still a legit transaction...but at least they checked!
The bank called me to verify the charges.
Not only do banks not check signatures, they don't even check the "Pay to:" lines. A couple of times I have accidentally switched checks/envelopes. Both times, both checks went through just fine into the respective wrong accounts. It was up to me to sort it out later, but it was tough since the checks both came through as "cleared" from my bank.
What an amazing response rate! This was posted today, and there are already over 50 comments.
People accept fax signatures because they need to close a transaction faster than waiting for a paper delivery mechanism and they are *willing to take the risk* that there will be a problem. I am personally amazed at the fax-of-a-fx-of-a-fax being used to close a $500,000 real estate transaction. The lesson? We'd rather be FAST than CERTAIN.
Because I know how easy it is to scan your signature, then paste it into a document and send you a fax that 'you signed', I realize how non-binding a faxed signature document would really be if it ever went to court. It would just not stand up in many different circumstances.
I won't tout my product here in this blog, but I will say that there are solutions in the market that allow a secure way to 'sign online' and it does assure that you know who signed, what they signed, and that it was their signature.
The use of online signature tools like WWW.DOCUSIGN.COM is growing like mad for many of the reasons posted in this blog - giving users the ability to have signatures that are both FAST and CERTAIN.
An Australian superannuation/pension fund containing the retirement savings of over 50,000 government employees was almost defrauded of US$112m a few years ago via a falsified fax signature fraud.
Fraudsters managed to get the money transferred out of the pension fund's account, ...and "the monies were starting to move through their international correspondent banks' process, and monies were at various stages. But the monies were frozen before the fraudsters had any ability to move those monies out."
See http://sunday.ninemsn.com.au/sunday/... for some more details about the story.
One thing I find funny though, I always thought the purpose of notaries public, in addition to administering an oath, is to identify the individual as the correct one signing the document.
Hypothetically this occurs by the notary public already knowing the individual. However, these days, that function was lost and now they just check ID, which seems to be very lame to me, as well as not as secure as requiring the notary know the individual before hand.
Heh, I had a friend so paranoid that he always signed public and exposed documents with an X and only used his "real" signature on documents secured to his satisfaction.
The downside, of course, was that anyone could then sign with an X and claim to be him -- nobody but he could tell when X would not be a valid signature.
I guess you could say his statement just made a huge exclamation point rather than raising question marks about the security of written signatures. Funny how solutions sometimes just end up making the problem worse.
"How many secretaries have their bosses' signatures on a rubber stamp?"
In some cultures a stamp IS a person's signature.
"Aren't fax signatures the weirdest thing?"
If I had to store or enter my private key into a fax machine in order to receive a fax from someone who was sending it with my public key and signed by their private key...THAT would be weird.
Getting a barely legible black and white scribble that looks nothing like a real stroke of hand and calling it a signature...well, that's normal.
I work in the legal "industry" and I'm stunned as well, particularly by what the *banks* will accept.
I believe this comes down to some basic, somewhat silly perceptions of liability. Fax machines are supposed to be self-identifying and, technically, failing this is a violation of the Telecommunications Act. Faxing (in ordinary circumstances) produces a single physical image on paper that can easily be squinted at later by "experts" in court, even if much authenticating visual information is lost in the scanning (or can be forged with a computer).
Then, for businesses relying on certain things -- like the POA mentioned above -- a fax offers plausible deniability; if a paper is provided without a seal (or original ink signature) they could be liable for accepting it, but if a fax is requested, the *sender* is arguably making a representation that they are faxing the original document and... well, it's still retarded, but the company is a little less liable.
Beyond that, also as noted above, the E-SIGN act makes some very ridiculous things "legal tender," and paved the way for "check images" and so on (which are actually not a horrible idea, if you accept that putting the trust on the sender is acceptable to save the need to truck checks back and forth... checks are also horribly flawed, of course).
I think it's mostly that the federal act imposed 'trust by default, verify later,' and the benefits (fast processing for everyone, convenience/ability to process a higher transaction load for banks) are decoupled from the costs of fraud, which are largely borne by individual victims as described in any writeup of identity theft.
Although this is irrelevant to fax signatures, there is a interesting article on digital signatures that I came across as a student.
The surrounding circumstances of the fax signature stand to support the non-repudiation of the document signature in a dispute. In the Wilson case, it's fairer to apportion blame on the verification process. Our paper signature system has always been about the human verification process and not just the signature alone.
I've wondered about the Chinese rubber stamp process for authentication: http://wtanaka.com/node/7769
Perhaps it's exactly the same as described here with faxes.
Title Companies are where you sign the docs for your home purchase in the USA. We close huge transactions on a faxed sig. Being the tech guy I hate it but "it's the way it is done in this industry" the CEO says oh well we will get burned and maybe someone will listen
Some software based computer fax systems can log the calling line identification (CLID) of the person sending the fax so you can check the authenticity of the sender.
I've concluded any number of business contracts & real estates deals that included faxed signed docs. Every one then required me to send the physical copy. Using the fax allowed us to proceed faster, but behind that was the long string of communications and sometimes legal intermediaries that made the fax-followed-by-paper a reasonable method.
What I don't understand are documents that require both witnesses *and* notaries. What is the point of having someone who doesn't know you witness your notarized document?
When I got married the other day, I didn't sign anything... I guess signatures really aren't that important.
I happen to know of two other occurrences where jail prisoners have been released by fax document. The law enforcement community is good at keeping these mistakes quiet.
Electronic Signatures indeed provide additional layers of security. I'm not referring to the pin pad at retail points of sale.
I'm referring to signature requests sent via email, INSTEAD of fax. This method requires 2 layers of authentication, email address and password to login to the email account, and a PIN to access the document required by Federal ESIGN.
This method enables Final versions of contracts to be executed electronically, and the contract is never printed to be funneled through a fax machine.
This technology has been legal for almost a decade, yet I dont understand why the legal community has been slow to embrace it.
"on October 30, 2004, Tristian Wilson was released from a Memphis jail on the authority of a forged fax message"
Another example in France, with the misspelled name of a judge on sick leave (they sent it from a hotel but faked the sender phone number):
Anyway, a faxed signature is not worse than an emailed card number (I always wondered why you could pay with only a card number, without signature, while checks need a signature: you cannot replace a check with its number).
I think a lot of the issue with fax signatures arises from viewing the
purpose of the signature as security. While it's no doubt treated
that way sometimes, in most/all of the cases in which I have been
involved, including buying a house, it has absolutely nothing to do
with security, it has to do with ensuring that, barring deliberate
fraud of some kind, my intention is registered properly. These are
situations in which the base rate of fraud is ridiculously low, almost
zero. What the faxed signature does establish is that, outside the
near-zero chance of fraud, my response wasn't by accident. You can
easily be misheard over a phone call, and if someone makes a mistake
on that basis, there's going to be an argument over whose fault it is.
But if you sign a document and fax it, there won't be.
It's worth noting that digital signatures are in this respect
sometimes worse than faxed signatures. Nobody signs something and
faxes it by accident (at least nobody without a secretary), but we've
all blindly clicked through many series of dialog boxes.
So while I hate faxes, and I don't think they have any particular use
for security, I think faxed signatures serve some useful purpose. I'd
personally prefer faxing my name printed, it's much easier to read.
I haven't really understood the point of faxes for many, many years. The thing that bothers me about this, since faxing a document is, first and foremost, a completely insecure method of sending sensitive information is the fact that there are many businesses out there that will *only* accept documents via fax. I've always asked why I can't simply just email it? That is at least just as secure, perhaps even more so.
I have my own mail server with TLS enabled so if the receiving end can also use TLS, at least the transport is encrypted. The paper fax at the receiving end is just as likely, if not more so, to be read by someone else in the office walking by the fax machine as it is for the email admin to take a look at it.
Taking the email branch one step further, why is it that there isn't the option of using digital signatures? Why can't we just sign the document/email with our public GPG key. Let's take that to another level and move the notaries into the 21st century and have them sign our public keys with their keys and do it in person. This would allow for a fairly reasonable identity verification process if I were to sign/encrypt the email/document with my GPG key (as much as a notarized document); a whole lot more so than a cut and paste handwritten signature.
Obviously, this would take some training and perhaps the development of some more user-friendly tools since most of the tools that exist now are definitely geared towards the geeks. However, it can be done and it seems like getting people used to this direction would make for a bit more secure future.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.