Why Faxing is Less Secure Than Email

scottalanmiller

Similar goes for home users... if someone hands over an email address we normally check it to see if we can read it. It is super simple for humans to remember the basics of an email address. Not so with phone numbers. In "one off" scenarios, emails get some verification 99% of the time, fax numbers less than 1% of the time.

Dashrender

You're example works when you are sending emails to the same person or group of people. But if that's not normal, i.e. you send to random people all the time, which we would be doing when sending data to patients, then the email address becomes as meaningless as the fax number does - in fact it could be worse because if you are sending to someone locally with fax, you would think someone would know the local available area code numbers.

scottalanmiller

@Dashrender said in Why Faxing is Less Secure Than Email:

You're example works when you are sending emails to the same person or group of people. But if that's not normal, i.e. you send to random people all the time, which we would be doing when sending data to patients, then the email address becomes as meaningless as the fax number does - in fact it could be worse because if you are sending to someone locally with fax, you would think someone would know the local available area code numbers.

You were too slow, I mentioned that in the second update. Even the local part because I've had so many places refuse to send me things over the years because they can't tell what local phones are and now as phones don't have locality any longer, it's so much worse. NTG HQ's numbers are all from a different LATA than they are in (about two cities to the east of them) and my home number is in a different country than me physically and uses a local code that even the locals think is somewhere far away. Even pizza people used to refuse to deliver to me within walking distance. Numbers even two decades ago were useless for security as locality is not actually as meaningful as it seems.

Dashrender

I think we are both saying that neither email address nor phone numbers are good indicators of identity. If not, you still haven't sold me on why email addresses are better in that regard - but again, really doesn't help solve the problem at hand.

scottalanmiller

@Dashrender said in Why Faxing is Less Secure Than Email:

I think we are both saying that neither email address nor phone numbers are good indicators of identity. If not, you still haven't sold me on why email addresses are better in that regard - but again, really doesn't help solve the problem at hand.

It's that they almost always offer some verification instead of never offering any. Neither are good, but one is better. In essentially all cases, you get some security.

momurda

https://en.wikipedia.org/wiki/Fax

Fax machines are archaic; first one patented 150 years ago. 'New' ones from ATT designed in the mid 1920s. I try to avoid them, though i imagine they will never go away.

tonyshowoff

@Dashrender said in Why Faxing is Less Secure Than Email:

@scottalanmiller said in Why Faxing is Less Secure Than Email:

Faxing is totally open an unsecured from the device through the network to the other device. It is analogue and well defined standard that any old fashioned modem, fax machine or similar can reproduce.

Tapping fax lines is the easiest method of accessing them. Faxes go our over lines that cannot be secured and can be tapped without physical access. PHI in transit is essentially, exclusively a "local" activity either to the recipient or to the sender, and both sides of a fax transaction have to be completely exposed. Even if the building is secured, the external phone lines are not and those are where the biggest vulnerabilities are.

Fax lines are also vulnerable to a man in the middle attack due to the lack of authentication. If someone is being targeted, the opportunity to intercept a fax and repeat it on is trivial, unlike phone calls where you have to speak "live" to the person on the other end.

Tapping a phone line once it reaches a neighborhood hub is anything is trival I'm guessing. But the main point that I want to point out here is that tapping a phoneline requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.

How can you say this but then also talk about FreePBX and other things which can intercept and redirect fax calls? Clearly if they can detect them by tone, they can record them. Root a FreePBX box and you're on your way, that doesn't work for already-encrypted email traffic though.

Lest we forget about things like Switch Access Service for digitally tapping phone lines that AT&T still has that has been used by criminals in the past, unencrypted VoIP, etc. By default it's just security through obscurity, because you don't consider actually how easy it is compared to breaking SSL and/or PGP.

scottalanmiller

@Dashrender said in Why Faxing is Less Secure Than Email:

I think we are both saying that neither email address nor phone numbers are good indicators of identity. If not, you still haven't sold me on why email addresses are better in that regard - but again, really doesn't help solve the problem at hand.

No, but email is better. Neither is good, but one is 100% useless, the other is 50% useful. That's a huge increase.

scottalanmiller

https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

dafyre

All that being said... both my Pops and I heard a fax machine go off in the reception area while we were having our ears reprogrammed yesterday.

Dashrender

@scottalanmiller said in Why Faxing is Less Secure Than Email:

https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

When I learned that a caller could spoof their number without any help from the phone system provider, it was a WTF day for me.

travisdh1

@Dashrender said in Why Faxing is Less Secure Than Email:

@scottalanmiller said in Why Faxing is Less Secure Than Email:

https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

When I learned that a caller could spoof their number without any help from the phone system provider, it was a WTF day for me.

It makes social engineering all that much easier if people don't know about that.

coliver

Number spoofing has been around for quite a long time. You can do it with just about any SIP trunk or POTS hand-off with the right knowledge.

Dashrender

@travisdh1 said in Why Faxing is Less Secure Than Email:

@Dashrender said in Why Faxing is Less Secure Than Email:

@scottalanmiller said in Why Faxing is Less Secure Than Email:

https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

When I learned that a caller could spoof their number without any help from the phone system provider, it was a WTF day for me.

It makes social engineering all that much easier if people don't know about that.

Exactly - what an absolutely horrible setup! Many people believe the number showing on caller ID is the number in question - what about 911? I know from setting up a PBX now that you can spoof to them too.

Why would the public at large believe that literally anyone can just send out any CID info? just DAMN!!!!!

travisdh1

@coliver said in Why Faxing is Less Secure Than Email:

Number spoofing has been around for quite a long time. You can do it with just about any SIP trunk or POTS hand-off with the right knowledge.

You can do it with a touch-tone phone for crying out loud. Security? What security?

scottalanmiller

@travisdh1 said in Why Faxing is Less Secure Than Email:

@Dashrender said in Why Faxing is Less Secure Than Email:

@scottalanmiller said in Why Faxing is Less Secure Than Email:

https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

When I learned that a caller could spoof their number without any help from the phone system provider, it was a WTF day for me.

It makes social engineering all that much easier if people don't know about that.

Makes it trivial. When you assume something is secure when it is not at all, it's almost not even social engineering. Like thinking that you are safe from bombs because you think that planes don't exist.

scottalanmiller

@Dashrender said in Why Faxing is Less Secure Than Email:

Why would the public at large believe that literally anyone can just send out any CID info? just DAMN!!!!!

Well, far more importantly, why would they assume that people can't?

Dashrender

@scottalanmiller said in Why Faxing is Less Secure Than Email:

@Dashrender said in Why Faxing is Less Secure Than Email:

Why would the public at large believe that literally anyone can just send out any CID info? just DAMN!!!!!

Well, far more importantly, why would they assume that people can't?

I understand your question and don't have an answer, but let me ask you the opposite, why would you assume they can?

Is it better to live with trust or no trust? Most people I believe live with trust, and expectation that things around them are setup to not be able to hurt them. So I believe that people look at the phone system and believe that it should be setup in a manner that protects them - sadly it clearly does not.

coliver

@Dashrender said in Why Faxing is Less Secure Than Email:

@scottalanmiller said in Why Faxing is Less Secure Than Email:

@Dashrender said in Why Faxing is Less Secure Than Email:

Why would the public at large believe that literally anyone can just send out any CID info? just DAMN!!!!!

Well, far more importantly, why would they assume that people can't?

I understand your question and don't have an answer, but let me ask you the opposite, why would you assume they can?

Is it better to live with trust or no trust? Most people I believe live with trust, and expectation that things around them are setup to not be able to hurt them. So I believe that people look at the phone system and believe that it should be setup in a manner that protects them - sadly it clearly does not.

And most of those people are idiots. We know that most things are designed to be the least costly and sold for the most money. It is common knowledge that people aren't educated consumers so businesses can take advantage of them left and right. Why would you assume a technology developed in the mid to late 1800s would have any semblance of security?

scottalanmiller

@Dashrender said in Why Faxing is Less Secure Than Email:

@scottalanmiller said in Why Faxing is Less Secure Than Email:

@Dashrender said in Why Faxing is Less Secure Than Email:

Why would the public at large believe that literally anyone can just send out any CID info? just DAMN!!!!!

Well, far more importantly, why would they assume that people can't?

I understand your question and don't have an answer, but let me ask you the opposite, why would you assume they can?

You don't need to. Just don't make any assumption and you are all set. It is the assumption alone that makes people vulnerable.