Helping people with computers... one answer at a time.

It's trivial to falsify a signed document when FAXed.

Listen:
Download the mp3

Transcript

This is Leo Notenboom for askleo.info.

I love my bank.

Some years ago I moved from one of the uncaring mega-banks to a smaller, local bank. Not only do they know me by name when I walk in or call, but they're also slightly ahead of average on technology and being able or even willing to talk to me about technology related issues.

For the past year or so I've been sending them signed documents which don't, technically, have my signature.

The documents I send FAXed to my bank and are never actually printed on paper until they reach the bank's FAX machine. To sign my document, I have a scanned image of my signature that I copy/paste into the right spot on that document. The FAXed result is nearly indistinguishable from a real signature.

And it's good enough.

So why is this all an issue? It certainly seems convenient, and it is. It's much like rubber stamps often created for signatures. I mean, just keep the original signature file secure, and there shouldn't be a problem, right?

Wrong.

Ever sign anything? Ever sign maybe a check or a credit card receipt and then give it to someone else?

You just gave a random person a scan-able copy of your signature. They could scan your signature and use that just like I've used mine to "sign" documents that can then be FAXed and considered official. Hopefully there's a second level of verification such as the confirming phone call my bank requires. If not you could appear to have signed something that you've actually never seen.

Many industries are struggling with the technology of secure identification, and certainly the banking industry is one of them. Originally, FAXes were difficult to manipulate, as you actually had to scan an physical piece of paper. But these days a FAX is nothing more than a picture of a document, and as we've come to know pictures, particularly digital pictures, are trivial to manipulate.

The solution? Long term I'd love to see true digital signatures become the norm. Using public key encryption I can digitally sign a electronic document which can then be verified to have come only from me, and it can be further verified not to have been altered after signing.

But we've got a long way to go before anything like that becomes common place. Until then your best recourse is awareness and caution. Treat your signature like the important asset it is, and make sure that the institutions you deal with won't act on any FAXed or emailed information without some kind of independent personal verification.

I'd love to hear what you think. Visit askleo.info and enter 11317 in the go to article number box to access the show notes and to leave me a comment. While you're there, browse over 1,100 technical questions and answers on the site.

Till next time, I'm Leo Notenboom, for askleo.info.

Article C2980 - March 31, 2007 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.