Security by Letterhead

This otherwise amusing story has some serious lessons:

John: Yes, I'm calling to find out why request number 48931258 to transfer somedomain.com was rejected.

ISP: Oh, it was rejected because the request wasn't submitted on company letterhead.

John: Oh... sure... but... uh, just so we're on the same page, can you define exactly what you mean by 'company letterhead?'

ISP: Well, you know, it has the company's logo, maybe a phone number and web site address... that sort of thing. I mean, your fax looks like it could've been typed by anyone!

John: So you know what my company letterhead looks like?

ISP: Ye... no. Not specifically. But, like, we'd know it if we saw it.

John: And what if we don't have letterhead? What if we're a startup? What if we're redesigning our logo?

ISP: Well, you'd have to speak to customer--

John (clicking and typing): I could probably just pick out a semi-professional-looking MS Word template and paste my request in that and resubmit it, right?

ISP: Look, our policy--

John: Oh, it's ok, I just sent the request back in on letterhead.

Ha ha. The idiot ISP guy doesn't realize how easy it for anyone with a word processor and a laser printer to fake a letterhead. But what this story really shows is how hard it is for people to change their security intuition. Security-by-letterhead was fairly robust when printing was hard, and faking a letterhead was real work. Today it's easy, but people -- especially people who grew up under the older paradigm -- don't act as if it is. They would if they thought about it, but most of the time our security runs on intuition and not on explicit thought.

This kind of thing bites us all the time. Mother's maiden name is no longer a good password. An impressive-looking storefront on the Internet is not the same as an impressive-looking storefront in the real world. The headers on an e-mail are not a good authenticator of its origin. It's an effect of technology moving faster than our ability to develop a good intuition about that technology.

And, as technology changes ever increasingly faster, this will only get worse.

Posted on October 30, 2007 at 6:33 AM • 73 Comments

Comments

JamesOctober 30, 2007 7:01 AM

I've had that before - a company wouldn't accept a scanned document by e-mail for security reasons, wanted it by fax instead. Printed out the scanned document and faxed it to them - no problems :-)

alabamatoyOctober 30, 2007 7:09 AM

"Mother's maiden name is no longer a good password."

Especially if its Jones, Smith, Chang or something else that's statistically common.....

How about the US Government thift savings plan. They wont email a new password or account number, but they are happy to let it sit on a piece of paper in that little unlocked tin box down at the street.

Maybe this thread should become the "Stoopid Security Dichotomies" listing.

Ian EiloartOctober 30, 2007 7:24 AM

"The idiot ISP guy"? That's not fair. It's his company policy that's at fault, and he probably didn't write it.

Dread Pirate ErnieOctober 30, 2007 7:27 AM

In the US it is still common to receive salary as a physical check, usually with a statement attached showing gross, taxes, net, etc. My previous employer provided that statement on a separate sheet printed on a laser printer; plain paper, no letterhead. When trying to get a loan, the bank wanted to see a year's worth of statements, but wouldn't accept the ones I had because they looked too plain. My employer offerred to emboss them with the "corporate seal", and this made the statements OK in the bank's eyes. The "corporate seal" is simply a mechanical hand-oerated device that embosses the company name (NOT logo) in the paper when squeezed; they can be purchased for less than $50, no questions asked.

not-bobOctober 30, 2007 7:48 AM

@alabamatoy

There's a federal law about tampering with the little tin box, and you have to be present to do so. While that doesn't stop Mallory from looking at your secrets, it does allow you to prosecute her. Arguably there's more risk in tampering with the snail mail than tampering with email, both in risk of being caught and chances of conviction if caught.

It's not about your security or the sanctity of your account, it's about making that an externality and blaming the bad guy.

Letterhead, mail box, corporate seal, maiden name - anyone who misuses these is making an effort to decieve or otherwise break the law. That makes them a party in the liability and lessens the company's responsibility for what happens to you. Doesn't help your risk, but it's a notch off _their_ risk assessment.

EdOctober 30, 2007 7:58 AM

I have a similar experience from a popular 5-letter US company that sells network equipment. Because I am purchasing from an Asian country I had to sign some documents promising not to use it along nuclear warfare.

Before they can approve my purchase I have to show them a webpage with a company profile. Since we are a startup we didn't have a website. They insisted, so I said I'll just post a dummy website. They stopped bugging after that.

NostromoOctober 30, 2007 8:04 AM

"Security-by-letterhead was fairly robust when printing was hard"

It was never hard. In the days before laser printers, most stationery stores would take orders for letterhead (and let you pick it up in person and pay with cash).

StephaneOctober 30, 2007 8:14 AM

"The headers on an e-mail are not a good authenticator of its origin."

Well, mine are: I'm using domain keys :P

JonOctober 30, 2007 8:17 AM

Just four days ago I purchased an SSL cert from Verisign and they requested the exact same thing...an authorization on company letterhead. If companies responsible for security products don't get it, I'm left worried.

Robert AccetturaOctober 30, 2007 8:22 AM

For most of the internet's existence, this was the only real verification for moving domains if Network Solutions email reply method didn't work (which had a 99.9997% failure rate). I remember thinking it was moronic in high school opening Word and creating a letterhead to fax to them so I can "verify" I want to move the domain.

They also wanted me to fax a copy of my passport. Obviously a copy of a passport is nearly impossible to read... faxing it really "enhances" the quality.

So they had a sloppy letterhead I hacked in about 30 seconds, and a smudge of ink faxed to them to verify a domain change.

These days they have a pretty decent domain management system. It's actually one of the nicer ones.

For something important like domains, I wonder why they don't support keyfob's for extra security. Domain hijacking can be a real mess.

TimOctober 30, 2007 8:31 AM

It's all client-side authentication. "Trust me, I'm a nice cat.". Learn to find this intuitive wherever it's seen and a lot of these issues disappear.

Anyone remember Blair before invading Iraq? Fair paraphrase: "You don't need to see the evidence of WMD. I've seen it. Trust me". I could almost imagine the Jedi hand-wave, whilst listening on the radio.

Bruce SchneierOctober 30, 2007 8:38 AM

Hi, I'm Bruce Schneier, and this is my blog. You know it's me because the "Posted by" has my name on it.

(Please see next post by Nyhm.)

Dave WalkerOctober 30, 2007 8:38 AM

It gets worse. Some years back, when leaving my company's car scheme, I needed evidence of my no-claim history in order to get a half-decent discount when taking out private car insurance. The first time I received and forwarded a letterheaded note from my company's insurer to my would-be private insurer, they rejected it on the grounds that it was handwritten rather than typed.

Go figure.

NyhmOctober 30, 2007 8:40 AM

*NOTICE* The above post by "Bruce Schneier" was by me (not Bruce Schneier), demonstrating another form of Security by Letterhead.

Mike SchiraldiOctober 30, 2007 8:48 AM

Basically every country in the free world has very strict mail fraud laws. Now, a fake letter on regular paper might leave some wiggle room -- you could debate the meaning of the wording in court, and claim you had no intent to deceive, etc.

However, if it's printed on fake letterhead, that's an open-and-shut mail fraud conviction.

I think that's where policies like this come from.

Ed T.October 30, 2007 8:55 AM

"...a company wouldn't accept a scanned document by e-mail for security reasons, wanted it by fax instead."

Actually, my understanding (and remember that IANAL,NDIPOOTV) is that a fax can be admitted as evidence in a contractual dispute (it is considered a "legal" document, is my guess), whereas an email doesn't carry the same weight. (Probably something having to do with non-repudiation, though a lawyer may be able to provide more info.)

~EdT.

Mike SchiraldiOctober 30, 2007 9:13 AM

To rephrase my comment (a page or so back), it's not the companies that need to adapt -- it's the law that needs to adapt.

The companies' behavior is perfectly rational, given the law as it stands.

TSOctober 30, 2007 9:15 AM

Difficult? It was never difficult. You could write a complaint to some company, and voila, you have the company letterhead. Cut and paste onto a blank sheet and photocopy. You could easily make your own using a nice graphic from some magazine and using press on stencils. If you wanted your address in big bold type, just place a want-ad in the paper and a week later you've had your address typeset for you.

jananthaOctober 30, 2007 9:30 AM

May be the letter head could consist of an invincible hash of some sort which can be seen using UV rays :D .Just an idea! if it is used in e-mail why not use it for real! probably consist of a barcode type stamp/

Carlo GrazianiOctober 30, 2007 9:34 AM

This is not really much different from requiring people's handwritten signatures on documents, checks, credit card receipts, etc. In transactions between strangers, vacuously ritualistic authentication measures are the rule, not the exception. Evidently the alternatives are considered more expensive than dealing with the attendant background level of fraud.

JosephOctober 30, 2007 9:49 AM

""...a company wouldn't accept a scanned document by e-mail for security reasons, wanted it by fax instead."

Actually, my understanding (and remember that IANAL,NDIPOOTV) is that a fax can be admitted as evidence in a contractual dispute (it is considered a "legal" document, is my guess), whereas an email doesn't carry the same weight. (Probably something having to do with non-repudiation, though a lawyer may be able to provide more info.)
"


EXACTLY. This isn't about security. It's about legality. And those are very different things.

KeesOctober 30, 2007 10:15 AM

The reason a fax is 'legal' is because the sender's telephone number is printed on the fax automatically. This is proof that the fax was sent from that specific phone (which can be traced back to the real owner) and not from an impersonater's phone.

I don't know how easy it is to spoof a phone number on a fax with today's technology.

BTW, @ Nyhm: I knew the Bruce entry was spoofed since Bruce always includes the link to his blog in the name field...

Anon Y. MouseOctober 30, 2007 10:17 AM

I saw this just last year. I paid off a traffic ticket
by doing volunteer service to the non-profit organization
of my choice. I had to submit a signed letter -- on
"letterhead" -- to the traffic court to verify I had worked
the requisite number of hours. At first they didn't want
to accept the letter, because it had been printed on a
laser printer, not offset printed. Surprise, surprise --
many small non-profits print all their own stationary
directly on laser printers to save costs. They eventually
accepted the letter when I pointed this out. Of course,
they don't have logos or signatures of local non-profits
on file -- I could have faked the whole thing.

Terry ClothOctober 30, 2007 10:18 AM

@Bruce: ``Mother's maiden name is no longer a good password.''

It all depends on what you tell them your mother's maiden name is. I've had customer-service types say ``huh?'', but no one has ever given me hassle when Dear Old Mom is Fred Astaire.

GraminaOctober 30, 2007 10:20 AM

Y'know, people's idea of "never" (as in "it was never difficult") seem a little, um, brief to me.

Once upon a time you couldn't fake letterhead by cutting off existing letterhead and pasting it onto blank paper and photocopying it because there were no photocopiers.

Once upon a time you couldn't just trot down to the local stationers and order letterhead for not-much, because having something printed meant having it *set in type* and printed by a *printer* and getting that first typeset for something involving more than a standard typeface (which most letterhead did) was *expensive.* A con artist could do it, but it wouldn't be done casually.

Computers are not the first technological innovation involved here, folks -- some of our assumptions and some of our laws descend from the dark ages before photocopiers, when dinosaurs roamed the earth.

Oh -- and the reason some places require faxes rather than e-mail may be because faxes are explicitly permissible legal documents for some things; there was a time when they were not (remember thermal paper, anyone?), and when that was changed it was changed explicitly in law, whereas I'm not aware of any ruling one way or another on the legal status of scanned images sent by e-mail. Rationally they're the same thing, but law and reason are not necessarily the same.

SteveJOctober 30, 2007 10:26 AM

@Bruce: "It's an effect of technology moving faster than our ability to develop a good intuition about that technology."

This example suggests that technology is moving faster than our ability to draw up formal company security procedures. It doesn't even prove that, since it's not necessarily the case that the letterhead is intended to provide identification.

The reason the article is funny is precisely because our intuition immediately tells us (at least, once confronted with a simple example exploit) that the policy provides little to no security.

What should be just as funny, of course, is the equally foolish use of signatures as identification. It has *never* been difficult to fake a signature, or to invent a plausible-looking one. So "identification" fallacy identical to security-by-letterhead is nothing to do with changing technology. But fewer people would laugh at an equivalent company policy which said that change instructions have to be signed.

I think I've had about one serious change in my security intuition in the last 10 years - I once had a naive idea that untrusted "plain data" files were pretty much safe to handle. Then it became clear that pretty much any application buffer overflow allows control of that application (and ditto the OS), and my intuition had to change.

I don't think that's too fast to deal with.

The fundamentals here haven't changed - don't use something for identification if it can be easily forged. Unfounded ideas like "company letterheads provide security" aren't really intuition, they're just rules of thumb. As long as people can develop their intuition from reasonable fundamentals, they can deal with changes in the details.

So, the problem isn't evolving intuition to keep up with progress, it's developing intuition from sound principles in the first place.

IanOctober 30, 2007 10:30 AM

Reminds me of when I was in high school and I was asked to see if I could fix a printer for the principal... There was a blank sheet of letterhead in there, which I scanned in to make duplicates of for some nefarious purpose in the indeterminate future.

Sadly, I never did come up with a good use for it. :/ I've still got it somewhere on my computer, I think, though the principal's probably changed by now.

markmOctober 30, 2007 10:34 AM

"The headers on an e-mail are not a good authenticator of its origin." Was the envelope of a snail mail ever an authenticator of it's origin? IIRC, back when the post offices slapped a cancellation stamp over the postage, it was a rather-easily-forged authenticator of the date and place the letter was mailed, but not of sender's name and return address. And nowadays, most snail mail isn't even cancelled.

BrianOctober 30, 2007 10:55 AM

This is how I got my SSL and other certificates from a well known CA. I could have given them any name, any street address... virtually anything.

partdavidOctober 30, 2007 10:57 AM

This discussion reminds me of two things. First were the cons of Frank Abagnale, Jr., who in his day was really good at document fraud. In order to carry out his document forgeries, he often had to steal or buy real imprinting or pressing machinery, even to the extent of getting an offset printing press by the time he was caught.

The second thing this reminds me of is the changing definition of "the public record" in our society. When we developed our notions of what should be "public record" we had in mind a certain model of access: you have to physically go to some records repository, have people notice you there, and you could look for records only by the way in which they were indexed (for example, knowing the parcel you could find the deed to a piece of property, but it was usually impractical or suspicious to search all deeds for someone's name).

AaronOctober 30, 2007 11:12 AM

I've got an even better one for you:

I couldn't get a China Business Visa without supplying a business card with name and address. I didn't have a current one, so I went home and printed one up.

MikeAOctober 30, 2007 11:26 AM

Yet another such story: I had corporate refuse to accept a handwritten receipt from an expensive restaurant, saying they needed a cash-register receipt. So I draged an old dot-matrix printer off the shelf and made myself a "cash-register receipt". Problem solved. Muppets.

NyhmOctober 30, 2007 11:34 AM

Kees said: "I knew the Bruce entry was spoofed since Bruce always includes the link to his blog in the name field..."

Good call. I didn't really want to trick anyone (and I didn't put anything meaningful in the text). Your observation seems to be analogous to spotting counterfeit money - every aspect must be a perfect match.

I guess we'll all have to start digitally signing our posts so this doesn't happen again.

JohnOctober 30, 2007 11:46 AM

@kees:

"The reason a fax is 'legal' is because the sender's telephone number is printed on the fax automatically. This is proof that the fax was sent from that specific phone (which can be traced back to the real owner) and not from an impersonater's phone."

Actually, no. You specify the station id when you configure the fax machine, and you can set it to anything you'd like.

David WallOctober 30, 2007 11:56 AM

This sort of spoofing is so easy and common that it's worrisome indeed.

There are the odd ones like the Verisign, or BBBOnline or Trust-E "seals" that are easily added to any web page, whether the site owner is really certified by any of them. Few ever really check...

We are in the electronic signature business, and it's unfortunate, but so many products use "eye candy" so users can print and the document "looks signed." No matter what you tell customers, they all want the eye candy, even though a paper copy with eye candy is easily produced using many tools unrelated to electronic signatures.

Furthermore, many software solutions for electronic signatures put such eye candy in and tell their customers that they can look at it to determine that it's been signed, even though the eye candy is so easily forged and thus makes it easy to trick users of these systems simply by producing a document with eye candy added. Many of these companies do not even use technologies like digital signatures to lock down the documents and better ensure an original versus a fraud.

Electronic signatures generally require the document to be electronic, typically require a digital signature to detect tampering, and the more eye candy added, the easier it is to trick users who rely on their eyes instead of software re-validating the digital signatures, etc.

So even software companies that ought to know better sell their customers on solutions that are so easily exploited with social engineering attacks. Oh well...

IainOctober 30, 2007 12:09 PM

I have encountered similar check when setting up a domain for the organisation I work for. As has been suggested I think it is about having a paper trail in case of future investigation. Annoying and stupid from a customer pint of view but understandable from the supplier side.

We also had a problem with changing an existing domain with register.com. They would only accept emails form the address registered at the time the domain was set up. The person in question had left and his account been deleted. Took a bit of persuasion for them to accept a different admin contact.

Tim O'BrienOctober 30, 2007 12:35 PM

When I tried to sign up for a Code Signing Certificate from *VERISIGN*, they told me that I had to fax them a letter on company letterhead.

I run a company that doesn't have letterhead, I did exactly what this guy did, and it felt absolutely ridiculous.

Mind you, this was Verisign.

ArtOctober 30, 2007 12:37 PM

I was hit with this mentality a few days ago. I've been elected President of a local water utility non-profit corporation and I serve in my off hours. We only serve our neighborhood through a community-owned well and have never needed letterhead until a few days ago. The local post office would only accept a request to change access to the post office box if it was submitted with a company letterhead. It took me longer to keyboard the letter than create the letterhead for the letter. My request was accepted. I honestly managed to avoid laughing until I left the parking lot. The shivers still haven't left me for what I could do if I were a not nice person.

ReubenOctober 30, 2007 12:53 PM

I had the same experience asking a well known international shipping company to change a delivery location. The best part was the look on my office manager's face when I asked if we had letterhead (and I work for a fortune 10 company)

shoobe01October 30, 2007 12:57 PM

Difficulty: Yes, it was. Think back to the pre-photocopy days. Printing was a reasonably non-trivial expense, and getting someone to draw and lay out a convincing letterhead w/o computers was not easy, and not for the layman. Now, just find an unscrupulous print shop. Yeah...

Some places are catching up. ATF has, since the 30s, required copies of this form with an original signature. Just recently caught up with fax, then realized that email, etc. is the same thing. Why? Because the form is only authentication for part of the transfer. The dealers have to see driver's licenses, there is a call-in system for handguns which confirms the info live, and records are (generally) reconciled later, so the fraud will be discovered, even if not prevented.

skrikeOctober 30, 2007 12:58 PM

This is very similary to a policy that Walmart is currently enforcing. I do photography for a living, and the closest photo lab is a local walmart, so many times when I need proof prints Ill upload my images there and then go pick them up an hour later. Problem is Walmart's policy is that if an image "looks too proffesional" they ask for a copyright release.

Well #1, the whole "looks" proffesional is very subjective. Sometimes my outdoor portraits dont get flagged, but my indoor ones do especially if Ive touched them up, seems like anything posed or with props in it gets flagged, but its mostly up to the discression of the person printing it. Ive had this happen at a number of different walmarts a number of different times. And they actually do word it "your images look too proffesional, we will not give them to you unless you provide a copyright release"

Which brings us to #2. What the hell does a copyright release look like? And how do you prove that the DIGITAL files youre uploading to be printed match the same copyright release you submit? I make my own copyright releases that I give to clients in case someone asks for them, but it doesnt stop anyone from making their own semi-official looking release. Even the language on it isnt standard from what I can tell. Its especially frustrating when I send my wife in to pick up pictures and they demand a release and she has to argue with them, "my husband took the pictures, heres his card, hes a photographer etc..." the last few times she just tells them the release is on file and they are too lazy to look for it and that works.

Its especially stupid when most photo labs dont enforce this, so what entices me to continue printing at Walmart after a new lab goes in locally? Way to protect your customers!

Using Public MedicineOctober 30, 2007 1:00 PM

I'm reminded of an experience I had recently with trying to sign up for public health care; they insisted on my Birth Certificate. I asked them about this when I got into the place to sign up, as I had several other forms of identification to offer to them that were significantly more reliable, but they didn't care. Only the Birth Certificate mattered.

She even had this clever printout of several forms of "known bad" B.C. types, but couldn't understand how someone could just scan in an existing "good" one and change the name/etc.

I supposes I shouldn't trust many of the other forms of ID either, as they tend to form a chain-of-trust back to the B.C. as well, but at least those have your picture on them...

antibozoOctober 30, 2007 1:20 PM

Bruce> Mother's maiden name is no longer a good password.

It never was. Common name patterns for women:

1. Jane $Maiden $Spouse
2. Maria ... $Spouse-$Maiden
3. Jane $PaternalGrandmotherMaiden $Father

Maiden names are all over the place in extant names anyway, and always have been.

PaulOctober 30, 2007 1:32 PM

I ran into security-by-letterhead too at the post office by the upper west side of New York City. The clerk made me come back the next day with a letterhead for my startup, and then just smiled at the printout trying to delay a few more moments. It was inevitable though, he had to accept it.

DaveOctober 30, 2007 1:35 PM

The scariest thing for me was when I was applying for my visa to stay in the country and they wanted references from every company I had worked for in the last four years... and required every one of them to be on letterhead.

Only one of the companies in question actually had letterhead because most of them had no need for it. Some of them doctored up a letterhead for me and one gave me permission to do it myself. I emailed him back the result so next time somebody asks, he will actually have a company letterhead.

What concerned me was that this was the Home Office. This is what is supposed to stop terrorists getting into the country. (This is also what is supposed to stop Australians staying in the country once their visas have expired :) This should have been the height of good security practices.

TristanOctober 30, 2007 1:45 PM

It's just policy. They likely don't get paid enough to care. They aren't idiots, they're just generally apathetic.

Hank MillerOctober 30, 2007 1:50 PM

David Wall: One presumes the E-trust and the like have some form a spider (much like google uses for indexing the web), that checks every website it can find to make sure the e-trust sign isn't used incorrectly. While image recognition isn't perfect, a few false positives are okay as someone needs to verify things anyway. (In particular is is probably ok to use a e-trust look alike, but with different colors and called "un-trust" on a satire site, but e-trust in the wrong colors on a scam site is not okaym so judgement is required)

Of course I have no clue what they really do.

Todd KnarrOctober 30, 2007 2:03 PM

Most of that "security by letterhead" isn't about security at all. It's about due diligence and legal CYA. It's so that, if problems come up later, they can produce a paper trail that a reasonable person could look at and not immediately think "That's bogus.". If they can produce that paper trail, they've a much easier time saying in court "It's not our fault someone lied to us convincingly.".

TamzenOctober 30, 2007 2:13 PM

Heh. I couldn't even cancel my Verizon internet service. We had a business level service to get the number of static IP addresses we needed but it was just for home use. They refused to cancel unless it was on company letterhead. They couldn't fathom why two people needed business service. Took like 4 weeks to get the cancelation thru. At that point I hated them so much I'd do without internet service if they were my only choice.

MaexOctober 30, 2007 3:22 PM

I don't think this procedure is mainly for security reasons.
IANAL, but what kind of crime is it, if I call someone/send them some otherwise blank paper demanding a domain transfer as opposed to someone faking an official document of a company to initiate a domain transfer?

So,
1) the ISP has something written
and in case it was faked and if they get the scammer
2) the victim (still) has a a better standing in court, as the judges have something they know how to handle for decades: a written piece of paper that is faked and has been used to betray other people.

Nomen PublicusOctober 30, 2007 4:07 PM

Jim Rockford seemed to need only a small hand printer to create a suitable business card to establish any necessary identity.

It seems that The Rockford Files was based on reality :-)

BrianOctober 30, 2007 4:33 PM

I was recently a juror of lawsuit case and even if a document was official or legal, it didn't hold much weight unless it was verified by a witness.

Even then, it may not be considered valid evidence by the jurors.

jOctober 30, 2007 4:42 PM

@alabamatoy:

"How about the US Government thift savings plan. They wont email a new password or account number, but they are happy to let it sit on a piece of paper in that little unlocked tin box down at the street."

I only work part time for the USPS, so I don't know anything about the TSP, but when I needed to set up my paycheck for direct deposit, I requested my password over the internet (using my employee ID number), and they mailed me a copy of my password--without the ID number. If the letter containing the password had been stolen, the thief wouldn't be able to do anything with it.

CJOctober 31, 2007 1:15 AM

Re the paper trail concept... my insurance company refuses to answer questions, much less do policy changes, via email, fax, or post. They'll only do this via the phone.

The reason? They record all phone conversations. I'd prefer to do it via email, since then we *both* have a record of the conversation... I guess they prefer to have the only record.

Frank BitterlichOctober 31, 2007 4:34 AM

I see this kind of "security measures" all the time in my job. Like people emailing confidential data in a "password-protected" zip file. When I try to explain it to them, I usually hear "I know it's not perfect, but it's better than nothing." WRONG ANSWER. This is _worse_ than nothing, because a) it creates a wrong feeling of security, and b) it creates a standardized and published attack vector. Sigh...

alforaOctober 31, 2007 10:00 AM

Some years ago I wanted to update my copy of Bryce 3 to Bryce 5. I had to proof that I still own the CD of Bryce 3. They asked me to scan it or put it on a copy machine and fax it to them.

A black CD with dark blue letters. Scanned. Faxed...

;-)

DeputyclericOctober 31, 2007 11:16 AM

For business visas, the US Embassy in Mexico City will not accept a signed, original letter on company letterhead, even if delivered to them directly via FedEx.

They will, however, accept a scanned copy of the very same letter, in PDF format, emailed to them.

In fact, they insist on that and will accept nothing else.

There are a number of other comical aspects of how they handle business visas, but I will leave those for another post.

RobOctober 31, 2007 7:28 PM

It's certainly true that for many small companies the letterhead probably doesn't count for much. As mentioned above security companies like VeriSign do request letterhead as part of their validation requirements for SSL certificates. There are a few reasons.

Company letterheads of larger, more established firms will contain information that can be verified by other means such as names and contact details of people working at the firm, addresses and company logo. If you were requesting an SSL cert for a big company, say Wal Mart, and you claimed your company didn't have a letterhead, this would obviously be picked up pretty quickly. Even an amateur forgery would probably be picked up. Of course it's not as hard as forging currency, but it's an extra hoop to jump through and it's mainly to protect the big end of town rather than your small operators who don't have letterhead or whose letterhead is not as readily verifiable.

Checking letterhead makes sense as part of a layered security approach. I'm not sure what the equivalent is in the US, but in Australia the ABN (Australian Business Number) is also a prime piece in of information which must be provided during validation. I know for a fact that VeriSign also require this number when performing validation checks for SSL certificates here in Australia. The ABN is then used to look up official contact details for the company from a public register provided by the government. The company is contacted using the details from the public register and additional independent verification checks are carried out.

If letterhead is the only means of authentication it shouldn't hold much weight, but I think it does make sense as a part of a more extensive validation check.

In the particular example it might be worth looking at who gets hurt if something goes wrong. If someone tries to rip off John by pretending to be from his company then the fact that John has never sent anything to the ISP before on his company letterhead means that nothing is on file for him for the ISP to check against. They perform the action based on a Word template that the fake John put together. The result is that the real John gets hurt. As one of the little guys he probably doesn't have much of a chance in any sort of legal case against the ISP. So as a small operator it is probably in your interests to come up with a company letterhead which you use consistently. If they already have copies of your letterhead on file, then they may actually use this as part of their check, and it might give you more of a legal leg to stand on if something goes wrong.

Of course if someone successfully impersonates a large company the ISP could get taken to the cleaners. So in this case the requirement for letterhead is probably to at least show some sort "due care" in the case of any legal challenge. The quality of the authentication should have some relation to the potential damage.

Rob


SamOctober 31, 2007 9:29 PM

We used to play a game where you asked someone what their porn star name was, this is the name of your first pet and your mother's maiden name.

Nice piece of social engineering.

Nowdays I do not give legit answers to any of the password recovery hints, I think the fellow I spoke to at the bank could see my hints when I spoke to him judging by his tone of voice.

windscarNovember 1, 2007 6:32 AM

There are many sites which require you to give truthful answers as part of their terms-of-service. They should, as standard practice, allow users to create their own questions and answers.

They should also allow people to opt-out of password reset schemes, but I guess this would overload customer service from people who don't have a reset option and forget their passwords.

kayNovember 1, 2007 9:24 AM

Am I the only one here old enough to remember "hot press" printing?

It's not that long ago that the print quality of something that came off a "proper" press was definitely recognizable, bot because of quality, and because you could actually FEEL the type if you were careful and applied just the right amount of pressure (not too light,but don't squeeze) Today that's a "special effect", but once upon a a time ago, it was just the way it was.

There are still specialty "letterpress printing" shops that do this kind of wok, where you can see this.

The reason I'm so confident is because we had a similar conversation with a staff person at a government agency who was explaining to us the reason for such a rule in a slightly different context. My boss printed out a copy of our letterhead from the laser printer behind him and handed it to her. She was a smart lady. She didn't say much, but she must have showed it to someone higher up in the food chain, because the requirement disappeared in a relatively short time.

MartinBearNovember 3, 2007 1:26 PM

Such is the faith in official-looking paper that people will accept it even when (with a minute's reflection) they know it's not appropriate for the situation at hand.

Here's what I mean. We live in the Netherlands. My wife is traveling in the US this week, caught a cold, and bought some "serious" cough medicine at a US drug store -- the kind where you have to provide ID in case you're going to cook it down into some illegal drug.

She had a US passport in her purse, but she decided to hand over her Dutch drivers license instead. The druggist proceeded to check out whether she was a known drug offender in whatever database this pharmacy chain uses. Here's my wife's story:

1. He decided that since I'm from Holland my "State" code should be HO. I suggested NL might be a better choice. He then came up with Netherlands Antilles (in the Caribbean) but I steered him to plain old Netherlands (in cold and rainy Europe).

2. For some reason he confused my last name with my place of birth (since the field captions on the license are in Dutch, this is understandable). So I went into the search as "Judy Cleveland".

3. I was born on September 5th, but on a European license that's rendered as 5/9/xxxx, so he entered May 9th.

4. Well it turns out there's no rap sheet for Judy Cleveland born on 9 May, so I got my cold pills and went on my way.

And the moral of the story: if you have legitimate-looking, even genuine, ID that's irrelevant to the situation, the average guy behind the counter will accept it anyway and force it into whatever system he's using, because he's got no idea what he's really doing, only that his boss requires him to do it.

antibozoNovember 3, 2007 7:11 PM

MartinBear> We live in the Netherlands. My wife is traveling in the US this week, caught a cold, and bought some "serious" cough medicine at a US drug store -- the kind where you have to provide ID in case you're going to cook it down into some illegal drug.
MartinBear> 4. Well it turns out there's no rap sheet for Judy Cleveland born on 9 May, so I got my cold pills and went on my way.

Understandably, you misunderstand the situation.

The pharmacy counter worker is required to record pertinent ID information for anyone who purchases a product that contains pseudoephedrine. It is not that important, for the intended purpose, that the information be 100% accurate, or that it be particularly official in nature. This is because the intended purpose is for law enforcement to be able to detect, by correlating the logs from the various drugstores, when an individual is purchasing an unreasonably large quantity of pseudoephedrine. The pharmacy counter worker is not charged with verifying the customer's identity against any database to prevent this; it's entirely up to law enforcement to detect it through correlation. Indeed, many pharmacies use a paper log for the pseudoephedrine purchase record.

In a case such as your wife's, the record is merely a formality, since she was purchasing a tiny quantity of a cocktail preparation.

So, while your thesis may be valid, it is not a reasonable conclusion from the anecdote presented. As for the misreading of the date, if both Europeans and Americans would use the only logically *correct* date format, YYYY-MM-DD, this sort of thing wouldn't happen. (C.f. RFC3339, ISO8601.)

MartinBearNovember 3, 2007 7:29 PM

Antibozo> Thanks for the clarification, but I have a follow-up from my wife that makes it clear no one is remotely taking this seriously.

She's feeling pretty ill and decided to stock up on cold meds at another drug store. (One great thing about America is the wide availability of fantastic cold meds -- something very hard to get in Europe, even with a prescription).

Again she showed her Dutch drivers license. This pharmacy insisted on something issued by an American government, so she showed her US passport. ... At which point the pharmacist misread her name and listed her as FirstName MiddleName rather than FirstName LastName. So that's two purchases in the same day, neither of them in her right name even though she showed legit ID both times.

Which I think proves my point: no one is remotely interested in keeping accurate records and, as has been remarked so many times before, if you give a human a boring and repetitive task they will quickly do it very, very badly.

Regards,
MartinBear

SkippernNovember 4, 2007 6:37 PM

The Norwegian Police have found the best security system for handing out information from criminal records. The person in question have to meet personally on the police station and apply for the information, and hand in documentation of what the copy will be used for. This makes it very difficoult for me to apply for visas to many of the countries I am working in, as many of them demand some sort of documentation that I have no criminal record, and I do not live in Norway any more.
The solution for us Norwegians who doesn't live in Norway anymore is: fax in the application with attached documentation of purpose and copies of passports, with relay address to where the documents are to be sent. Secure, huh?

PaeniteoNovember 5, 2007 5:21 AM

@Kees: "I don't know how easy it is to spoof a phone number on a fax with today's technology."

Not much more difficult than "spoofing" a sender's email address.

Rich WilsonNovember 5, 2007 9:43 AM

@MartinBear

Could have been worse. I had friends from Saskatoon Saskatchewan who spent the better part of a night being 'interviewed' by a cop in a southern US state who was furious that they would try to make fun of him, because there's no such place as "Saskatoon Saskatchewan"

Rich WilsonNovember 5, 2007 9:45 AM

How is this any different than security by printed receipt? Granted, the stakes aren't generally as high, really, I've been tempted to photo copy a blank taxi cab receipt for the next time I forget to ask for one.

Bilim HaberleriMarch 28, 2008 7:53 AM

The reason a fax is 'legal' is because the sender's telephone number is printed on the fax automatically. This is proof that the fax was sent from that specific phone (which can be traced back to the real owner) and not from an impersonater's phone.

BrianJune 20, 2011 10:23 AM

The Donside Paper Company's lying contest is a hilarious example of this, wherein one of the submitted entries was sent on the Contest Sponsor's letterhead saying that the contest was canceled. It was believed. A similar entry was offered a second time telling people to resubmit the entries, also successfully.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..