
    Why Faxing is Less Secure Than Email

    IT Discussion
    Tags: security, fax, email
    68 Posts 10 Posters 26.0k Views
    • scottalanmillerS
      scottalanmiller
      last edited by

      This comes up a lot, especially with HIPAA discussions. Faxing is generally accepted to be the least secure form of modern communications, but in the medical space is often defended because HIPAA authorities often give it a reckless, free pass for use. We need a real discussion and a single place to show why faxing is less secure than the alternatives.

      • scottalanmillerS
        scottalanmiller
        last edited by

        I think that we can assume that S/MIME, GPG, PGP and similar email encryption schemes are extremely secure and go way beyond the discussion into a "clear win" category.

        • scottalanmillerS
          scottalanmiller
          last edited by

          Also, enforced TLS would do the same. So far and away more secure than faxing, not really any possible discussion.

          • scottalanmillerS
            scottalanmiller
            last edited by

            So really, this is about open, unencrypted SMTP from one MTA to another. Go....

            • scottalanmillerS
              scottalanmiller
              last edited by

              Faxing is totally open and unsecured from the device through the network to the other device. It is analogue and a well-defined standard that any old-fashioned modem, fax machine or similar can reproduce.

              Tapping fax lines is the easiest method of accessing them. Faxes go out over lines that cannot be secured and can be tapped without physical access. PHI in transit is essentially, exclusively a "local" activity either to the recipient or to the sender, and both sides of a fax transaction have to be completely exposed. Even if the building is secured, the external phone lines are not and those are where the biggest vulnerabilities are.

              Fax lines are also vulnerable to a man in the middle attack due to the lack of authentication. If someone is being targeted, the opportunity to intercept a fax and repeat it on is trivial, unlike phone calls where you have to speak "live" to the person on the other end.

              • scottalanmillerS
                scottalanmiller
                last edited by

                Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.

                MTAs typically sit in datacenters of some sort and connect directly to ISP connections inside of a secure facility and have no real risk of exposure at that stage. Even without encryption, the SMTP data is onto the ISP's internal network immediately or very rapidly in a way that makes tapping unreasonable at best.

                This process is repeated on the receiving side. In some rare cases people may run in house MTAs that are not using TLS and accept email locally but this is rare, non-standard, totally optional and still harder to tap than a fax line if locality is the concern.

                • scottalanmillerS
                  scottalanmiller
                  last edited by

                  Some people mention concerns around the security of email in transit with the ISP. But this is moot as faxes have to transit the same ISPs and if the ISP themselves are the threat, both cases leave us totally exposed to that threat. So while this is a valid concern, it is not "more" of a concern with one approach or the other.

                  • scottalanmillerS
                    scottalanmiller
                    last edited by

                    Faxes are circuit based, so tapping physically is much easier because the connection is stable. Email is packet based so is far less reliable of a target for tapping to occur.

                    • BRRABillB
                      BRRABill
                      last edited by BRRABill

                      @scottalanmiller

                      Security of faxing and its place in a HIPAA discussion, as you have said many times, are not related.

                      Mailing a letter via USPS is super not secure, but considered acceptable for HIPAA.

                      • scottalanmillerS
                        scottalanmiller @BRRABill
                        last edited by

                        @BRRABill said in Why Faxing is Less Secure Than Email:

                        @scottalanmiller

                        Security of faxing and its place in a HIPAA discussion, as you have said many times, are not related.

                        Mailing a letter via USPS is super not secure, but considered acceptable for HIPAA.

                        Right, faxing is totally allowed under HIPAA, but not when someone is trying to be secure. That it is allowed is one thing, but email would be allowed as well given that it is an improvement over faxing. HIPAA doesn't make real specific requirements, only levels of effort and the effort demanded is far below business standards.

                        • scottalanmillerS
                          scottalanmiller
                          last edited by

                          A lot of people mention the total lack of authentication with faxing as a means of breaching security, but this is normally mentioned in the context of mistakes and is countered with the fact that obscurity makes that a non-issue. And that is basically true, the same goes for email, the chances that you would type in a keying error and get a real email address and one that would exploit the contents of the email are super low. So that's negligible in both cases.

                          However, what is often ignored, is that the real risk is in tricking people into using the wrong phone number. We are talking about focused security attacks here, in both cases. This is not someone trying to access stored data, this is about data in transit. If you want to get a fax sent to the wrong number, you use social engineering to get people to send to the wrong number. Same can happen with email, but it is likely harder. Fax numbers are totally anonymous, have zero authentication and involve "tossing the critical security data over the wall" and hoping for the best. It's blind, and no secure process can be blind.

                          • DashrenderD
                            Dashrender @scottalanmiller
                            last edited by

                            @scottalanmiller said in Why Faxing is Less Secure Than Email:

                            Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.

                            No, it doesn't. If you are targeting someone, you send them an ebomb and infect their computer, because, well, everyone loves cat videos. Now you're watching everything they do on their computer, not just email.

                            • BRRABillB
                              BRRABill @scottalanmiller
                              last edited by

                              @scottalanmiller said

                              but email would be allowed as well given that it is an improvement over faxing.

                              Good luck documenting and proving that as reasoning for use.

                              • DashrenderD
                                Dashrender @scottalanmiller
                                last edited by

                                @scottalanmiller said in Why Faxing is Less Secure Than Email:

                                Faxing is totally open and unsecured from the device through the network to the other device. It is analogue and a well-defined standard that any old-fashioned modem, fax machine or similar can reproduce.

                                Tapping fax lines is the easiest method of accessing them. Faxes go out over lines that cannot be secured and can be tapped without physical access. PHI in transit is essentially, exclusively a "local" activity either to the recipient or to the sender, and both sides of a fax transaction have to be completely exposed. Even if the building is secured, the external phone lines are not and those are where the biggest vulnerabilities are.

                                Fax lines are also vulnerable to a man in the middle attack due to the lack of authentication. If someone is being targeted, the opportunity to intercept a fax and repeat it on is trivial, unlike phone calls where you have to speak "live" to the person on the other end.

                                Tapping a phone line once it reaches a neighborhood hub is anything is trivial I'm guessing. But the main point that I want to point out here is that tapping a phone line requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.

                                • DashrenderD
                                  Dashrender @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in Why Faxing is Less Secure Than Email:

                                  Some people mention concerns around the security of email in transit with the ISP. But this is moot as faxes have to transit the same ISPs and if the ISP themselves are the threat, both cases leave us totally exposed to that threat. So while this is a valid concern, it is not "more" of a concern with one approach or the other.

                                  I agree, this is not part of the concern.

                                  • BRRABillB
                                    BRRABill @Dashrender
                                    last edited by

                                    @Dashrender said

                                    Tapping a phone line once it reaches a neighborhood hub is anything is trivial I'm guessing. But the main point that I want to point out here is that tapping a phone line requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.

                                    Pretty easy to get access to phone lines if you are in any sort of business complex.

                                    • scottalanmillerS
                                      scottalanmiller
                                      last edited by

                                      Another massive factor is that email is sent to a person, faxes are sent to a machine. The machine might be shared, might be insecure, might be unmonitored, might be in a public space, etc. Mailboxes can be as well, in theory, but the idea is that a person is supposed to hand over a mailbox for a person or a role. Faxing does not work this way. People do not have their own lines, faxes, etc. They never have and faxes were never expected to work like that.

                                      This makes for a fundamental difference in security. One goes to whom you intended it to go to, one goes to the machine you intended it to go to... and immediately gets automatically translated into paper and left there for anyone to find.

                                      • DashrenderD
                                        Dashrender @scottalanmiller
                                        last edited by

                                        @scottalanmiller said in Why Faxing is Less Secure Than Email:

                                        A lot of people mention the total lack of authentication with faxing as a means of breaching security, but this is normally mentioned in the context of mistakes and is countered with the fact that obscurity makes that a non-issue. And that is basically true, the same goes for email, the chances that you would type in a keying error and get a real email address and one that would exploit the contents of the email are super low. So that's negligible in both cases.

                                        However, what is often ignored, is that the real risk is in tricking people into using the wrong phone number. We are talking about focused security attacks here, in both cases. This is not someone trying to access stored data, this is about data in transit. If you want to get a fax sent to the wrong number, you use social engineering to get people to send to the wrong number. Same can happen with email, but it is likely harder. Fax numbers are totally anonymous, have zero authentication and involve "tossing the critical security data over the wall" and hoping for the best. It's blind, and no secure process can be blind.

                                        Email is no different in this regard.

                                        • scottalanmillerS
                                          scottalanmiller @Dashrender
                                          last edited by

                                          @Dashrender said in Why Faxing is Less Secure Than Email:

                                          @scottalanmiller said in Why Faxing is Less Secure Than Email:

                                          Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.

                                          No, it doesn't. If you are targeting someone, you send them an ebomb and infect their computer, because, well, everyone loves cat videos. Now you're watching everything they do on their computer, not just email.

                                          I don't even know what you are disputing here. If you are saying that email gets spam, so do fax machines. I've gotten plenty of fax spam over the years.

                                          You say that it does not eliminate location based attacks but mention cat videos from a non-location attack. What is that comment in reference to?

                                          • scottalanmillerS
                                            scottalanmiller @BRRABill
                                            last edited by

                                            @BRRABill said in Why Faxing is Less Secure Than Email:

                                            @Dashrender said

                                            Tapping a phone line once it reaches a neighborhood hub is anything is trivial I'm guessing. But the main point that I want to point out here is that tapping a phone line requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.

                                            Pretty easy to get access to phone lines if you are in any sort of business complex.

                                            Even if you are not. In rural areas it is especially easy to tap lines. There is even equipment that allows you to tap the lines without climbing the poles, you can do it, touchless, from the ground!
