
Vulnerabilities When Old Meets New

It’s trivial to falsify a signed document when FAXed.



Transcript

This is Leo Notenboom for askleo.info.

I love my bank.

Some years ago I moved from one of the uncaring mega-banks to a smaller, local bank. Not only do they know me by name when I walk in or call, but they’re also slightly ahead of average on technology and being able or even willing to talk to me about technology-related issues.

For the past year or so I’ve been sending them signed documents which don’t, technically, have my signature.

The documents I send FAXed to my bank are never actually printed on paper until they reach the bank’s FAX machine. To sign my document, I have a scanned image of my signature that I copy/paste into the right spot on that document. The FAXed result is nearly indistinguishable from a real signature.

And it’s good enough.

So why is this all an issue? It certainly seems convenient, and it is. It’s much like rubber stamps often created for signatures. I mean, just keep the original signature file secure, and there shouldn’t be a problem, right?

Wrong.

Ever sign anything? Ever sign maybe a check or a credit card receipt and then give it to someone else?

You just gave a random person a scannable copy of your signature. They could scan your signature and use that just like I’ve used mine to “sign” documents that can then be FAXed and considered official. Hopefully, there’s a second level of verification such as the confirming phone call my bank requires. If not, you could appear to have signed something that you’ve actually never seen.

Many industries are struggling with the technology of secure identification, and certainly the banking industry is one of them. Originally, FAXes were difficult to manipulate, as you actually had to scan a physical piece of paper. But these days a FAX is nothing more than a picture of a document, and as we’ve come to know, pictures, particularly digital pictures, are trivial to manipulate.

The solution? Long term, I’d love to see true digital signatures become the norm. Using public key encryption, I can digitally sign an electronic document which can then be verified to have come only from me, and it can be further verified not to have been altered after signing.

But we’ve got a long way to go before anything like that becomes commonplace. Until then, your best recourse is awareness and caution. Treat your signature like the important asset it is, and make sure that the institutions you deal with won’t act on any FAXed or emailed information without some kind of independent personal verification.

I’d love to hear what you think. Visit askleo.info and enter 11317 in the go to article number box to access the show notes and to leave me a comment. While you’re there, browse over 1,100 technical questions and answers on the site.

Till next time, I’m Leo Notenboom, for askleo.info.
