Is there a reason that a fax is required, instead of a scan/email?

http://dilbert.com/strips/comic/2005-05-18/

(where?) I am not a networking expert but the way the Internet works is that your email is broken down into little bits called packets that get handed off from computer to computer until they get to their destination and are reassembled. It is not likely that someone will bother to sniff enough packets to be able to see your email specifically, but it’s not all that hard (it’s a lot easier than phone tapping; packet sniffer) and you would never be able to tell if someone did.

I recently did a real estate transaction, where the vast majority of documents were transferred by email, but in two instances (to two recipients), we had to fax. And for BOTH of those recipients (a bank and a law firm), the person cheerfully said something along the lines of “as soon as we get it, it pops up on my computer, so I’ll know!” So basically it’s ending up in the same place as an email anyway.

It is FAR more common to have a security breach along the lines of a trojan on someone’s PC than to have a packet sniffer in line grabbing emails. And in this case, even if they did have a packet sniffer, if it was in the right place (in between the recipient’s computer and the server), they’d get it anyway. In most practical senses, this is not more secure than email.

Topologist provided us with the original link in post #5, therefore this is a copy link and we can’t accept it. :smiley:

Explain how a fax is more secure than an encrypted email with a digital signature attached, please.

Most fraud and most security breaches do not come from clever technical schemes involving intercepting electronic communications using technological means. The breaches come from simple human stuff.

It is harder for average Joe Fraudster to make an email appear to come from John.Doe@bigcompanytopleveldomain.com when actually it comes from somewhere else, than it is for Joe to send a fax that appears to come from John but doesn’t.

As to stealing personal information, it does seem to me that your information is more at risk if you send it by email than by fax. However, this has nothing at all to do with dastardly schemes to intercept emails as they pass through servers. Again, most fraud does not come from that, it comes from abuse of personal information by the person or company to which you send it.

An email may be more likely to attract that sort of fraud simply because it is easier to search across emails stored unsecurely, or to re-transmit emails. Faxes, particularly if they arrive on paper, or as an image file rather than as text, are less likely to be passed on or found by a search. On the other hand, if a criminally minded employee walks out of the office with a paper fax, how is that traced? There may not even be a record of the fax ever having been received, on an old style fax machine. If such an employee forwards an email to themselves, at least that leaves a trail.

This.

Also, this.

I can think of several scams, malware, etc. that target email and anything associated with such. How many people do you think are trying to intercept faxes either over a phone line, or physically at the receiving machine?

I sent a joke email to a pilot friend of mine that seemed to be from the official FAA.gov domain, it’s not that hard to do.

I access full credit card numbers and expiration dates on a daily basis. If a merchant just needs a few, I’ll read them over the phone, if they have hundreds, I have to ask for a fax. I can’t email that sort of thing.

Perhaps encoding has more to do with this than encryption? I could be wrong.

Any way you slice it, emails are far more subject to compromise than faxes are, based on both technology and the value of a potential target for fraud. That’s my 2 cents.

It isn’t, but does your grandmother know how to send an encrypted email with a digital signature? Does her bank know how to receive it?

I agree with your overall point that information is compromised more from abuse and invasion than by interception. But on this one point I disagree. It is quite trivial to spoof email addresses, and if the recipient has caller ID it is hard to spoof a phone number (although it is trivial to make the *contents* of a fax look like it’s from whomever you want).

There are so many misconceptions in this thread I don’t know what to think. How can so many people on the SDMB be so wrong?

  1. Caller ID is trivial to spoof. It’s done all the time. All those calls from “Carol in card services”? They use a fake number. Caller ID proves squat.

  2. At the receiving end of a fax, there is most likely a fax-modem. The fax doesn’t get printed out and it’s saved as a file. No more secure at that end than any other file, like an email.

  3. While email headers can be faked, if you use encryption and public key signatures, an email can be established as coming from the sender to such a strong extent that any legal eagle would be satisfied. And the encryption ensures no one in between can see it. Something that a fax cannot do. (There are fax encryption devices, but they are rarely used.)

  4. Tastes of Chocolate: It’s the receiver’s error in believing it’s somehow magically more secure. There is no security to bypass. You are just doing what is most convenient for you. This is Pointy Haired Boss thinking. “It’s secure, therefore anyone bypassing it is a fool.” No, the fool is the PHB. Once you realize there is no security, the rest of the statement makes no sense.

Somebody upthread mentioned inertia. This can be a very important reason, and not necessarily an irrational one.

Imagine you work for a trading organisation. One of your processes (involving trades valued in the millions and tens of millions) requires bids to be submitted by fax, in a prescribed format, from pre-agreed numbers, to a designated and secured fax machine, within a prescribed window of time. (Other, very similar, processes are done on screen-based interfaces, so it’s not that your organisation is simply living in the past.)

Why don’t you just change the process and receive bids by e-mail? Even if you could convince people that e-mail could be made just as secure as faxes (big if!), such a change could not be made instantly on a whim. A change process would need to identify all risks introduced by the change, and demonstrate that any increased risk was justified and had been mitigated. All system and resource implications would have to be quantified and funded. Legal advice would be sought and legal documents redrafted.

Numerous stakeholders (including regulatory stakeholders) would have to be consulted and advised on the implications of the change for their processes.

New controls would have to be designed and implemented, new supporting documents would have to be prepared and disseminated.

The change would have to be approved at the appropriate level by people whose job it is to ask tough questions and not to be easily convinced.

Given all of the above, any cost-benefit analysis would be likely to conclude “if it ain’t broke, don’t fix it”.

Who’s talking about “at that end”? Once the fax is received all bets are off.

What we’re talking about, primarily, is risk that the transmission is intercepted. An e-mail is easier to intercept than a fax, which is a factual claim for several reasons.

An encrypted, digitally signed email cannot be intercepted. A fax sent using one of the Internet services mentioned above can be.

In addition, the biggest security holes are at the ends, sending and receiving. A malware infected machine at either end is what people realistically need to be concerned about.

You apparently have a very different concept of “factual claim” than I do.

People who go along with “fax is more secure than email” are engaged in what is called security theater by experts.

Caller ID spoofing is not that hard but requires special equipment, a third-party service, or software applications in conjunction with VOIP, and probably some cost. OTOH, email spoofing can be done with any email client, which exist on virtually every computer, not to mention phones.

Absolutely true, but nobody said anything contrary to this, and encryption and public key signatures are not understood by the average person who uses email. So it can’t really be seen as the obvious solution to this whole issue. Let me give you a simple example. We had a word document that needed a signature, and we had a PM who referred to using her “digital signature.” I was impressed until I found out she meant an image of her signature that she had scanned in.

Traditional fax machines cannot be infected by malware. If infected computers are what people realistically need to be concerned about, then faxes remain the best choice for security.

Shoot, lately, I’ve signed things like NDAs and other contracts, just took a pic of it with my iPhone and emailed it.

In this day and age, anything can be forged very easily; be it a fax (especially faxes, since the reproduction on the other end is usually very low fidelity), emailed scans, digital encrypted sigs in a PDF, a photo (of which I just shot a pic on my phone of my driver’s license last week and emailed it from the phone to the dealership to get my new lease rolling), etc.

So, it’s mostly just an archaic status quo thing that no one’s bothered to take another look at, depending on policy.

Why do people hate change? Especially very convenient change.

How do you know a fax came from a traditional fax machine?

Did you read my post? For large organisations, legitimately concerned about security, change is never “very convenient”.

I am currently trying to file a claim with my pet insurance company which allows e-mail submission. But what I have to do is to print a claim form (with prefilled information), then complete the form and sign it. Then I have to scan it, scan the vet bills and then e-mail it to the company.

It would be much faster to just mail it in.

Bob

Not in the short run, but it’s imperative for the long run. When businesses only care to look at how to make gains by not taking the trouble to keep pace with technology and especially when the world at large adopts new standards and technologies (i.e. their customers), their shortsightedness will only come back to bite them in the ass, after it’s too late.

The world is digital now. To resist only for the short term bottom line and PITA factor, well, that mentality dooms your business. Look at the RIAA, Blockbuster Video, Microsoft, and probably a billion other companies that resisted the change in catering to their customers, then tried to copy the competition that was current, innovative and willing to go to lengths to make whatever it is they’re selling, easy, convenient or even cool for their consumers, a day too late and a dollar short. Ouch.

And it seems like a petty thing, right? They require a fax… no big deal. That is until their competitor employs more modern and convenient policies and technology for their customers, and they start stealing their business.

Yes, a seemingly minor oversight like that can doom your company before you even know what happened.

Tsk, Tsk.

Maybe they put all received faxes on the dashboard of the company van for a week before they file them, so if you give them trouble, they can just point to a scroll of dark brown paper and say this is all they got :wink: