Vulnerabilities When Old Meets New

It’s trivial to falsify a signed document when FAXed.


Transcript

This is Leo Notenboom for askleo.info.

I love my bank.

Some years ago I moved from one of the uncaring mega-banks to a smaller,
local bank. Not only do they know me by name when I walk in or call, but
they’re also slightly ahead of average on technology and being able or even
willing to talk to me about technology related issues.

For the past year or so I’ve been sending them signed documents which don’t,
technically, have my signature.

The documents I send are FAXed to my bank and are never actually printed on
paper until they reach the bank’s FAX machine. To sign my document, I have a
scanned image of my signature that I copy/paste into the right spot on that
document. The FAXed result is nearly indistinguishable from a real
signature.

And it’s good enough.

So why is this all an issue? It certainly seems convenient, and it is. It’s
much like rubber stamps often created for signatures. I mean, just keep the
original signature file secure, and there shouldn’t be a problem, right?

Wrong.

Ever sign anything? Ever sign maybe a check or a credit card receipt and
then give it to someone else?

You just gave a random person a scan-able copy of your signature. They could
scan your signature and use that just like I’ve used mine to “sign” documents
that can then be FAXed and considered official. Hopefully there’s a second
level of verification such as the confirming phone call my bank requires. If
not you could appear to have signed something that you’ve actually never
seen.

Many industries are struggling with the technology of secure identification,
and certainly the banking industry is one of them. Originally, FAXes were
difficult to manipulate, as you actually had to scan a physical piece of
paper. But these days a FAX is nothing more than a picture of a document, and
as we’ve come to know, pictures, particularly digital pictures, are trivial to
manipulate.

The solution? Long term I’d love to see true digital signatures become the
norm. Using public key encryption I can digitally sign an electronic document
which can then be verified to have come only from me, and it can be further
verified not to have been altered after signing.

But we’ve got a long way to go before anything like that becomes
commonplace. Until then your best recourse is awareness and caution. Treat your
signature like the important asset it is, and make sure that the institutions
you deal with won’t act on any FAXed or emailed information without some kind
of independent personal verification.

I’d love to hear what you think. Visit askleo.info and enter 11317 in the go
to article number box to access the show notes and to leave me a comment. While
you’re there, browse over 1,100 technical questions and answers on the
site.

Till next time, I’m Leo Notenboom, for askleo.info.
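
The contrast the transcript draws between a pasted signature image and a true digital signature, shown as an added example that is not part of the original transcript. The Ed25519 key pair, the document texts and the function names are constructed for illustration; only Node.js's built-in `crypto` module is used.

```javascript
// Added illustration: pasted signature image vs. Ed25519 digital signature.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed sample data (not from the transcript).
const SIGNATURE_IMAGE = Buffer.from('scanned-signature-pixels'); // stand-in for a scan
const genuineDoc = Buffer.from('Transfer $100 to account 1111 (constructed sample)');
const alteredDoc = Buffer.from('Transfer $9,000 to account 2222 (constructed sample)');

// A pasted image is just bytes placed on a page; nothing ties it to the text.
function pasteSignature(doc, image) {
  return { doc, image };
}

// All a recipient can check is whether the image matches the one on file.
function imageLooksRight(page, imageOnFile) {
  return page.image.equals(imageOnFile);
}

// A digital signature is computed over the document bytes with the private key.
function signDocument(doc, privateKey) {
  return sign(null, doc, privateKey); // Ed25519 takes no separate digest name
}

// Verification needs only the public key and fails if the document,
// the signature or the key differs from what was used at signing time.
function verifyDocument(doc, signature, publicKey) {
  return verify(null, doc, publicKey, signature);
}

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const copiedImage = Buffer.from(SIGNATURE_IMAGE); // same pixels, different document
  const signature = signDocument(genuineDoc, privateKey);
  return {
    imageOnGenuine: imageLooksRight(pasteSignature(genuineDoc, SIGNATURE_IMAGE), SIGNATURE_IMAGE),
    imageOnAltered: imageLooksRight(pasteSignature(alteredDoc, copiedImage), SIGNATURE_IMAGE),
    digitalOnGenuine: verifyDocument(genuineDoc, signature, publicKey),
    digitalOnAltered: verifyDocument(alteredDoc, signature, publicKey),
  };
}

console.log(demo());
```

The image check passes on both documents, while the digital signature verifies only against the exact bytes that were signed.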
