This course teaches how to install and configure Windows Server 2012 R2. It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).
Scanned copy of signatures included in email.
I have been wondering about scanned copies of physical signatures. My financial institution sent me a document with a scanned copy of my signature on it. I know that these signatures can be found in the county under public records, but I am wondering if it is a good idea security wise, to have these signatures flying around the internet with the inherent insecure nature of unencrypted email. They pointed out to me that they did not share anything that they are disallowed by law. Unlike a physical letter that you sign to a friend, it is out there for others to see and one less piece of information for a scammer to steal an identity.
Am I just overthinking this or is this a real issue?
Thanks for your thoughts.
Am I just overthinking this or is this a real issue?
Thanks for your thoughts.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Most email transmissions are encrypted nowadays, so the issue is who has access to signatures. As long as parties ate bound by normal confidentiality, there should not be an issue. Little different to signatures using faxes and that method was used for decades. It is not new.
I use and send scanned documents a lot.
I use and send scanned documents a lot.
Hi Barry,
Many (maybe most) of us probably have scanned copies of our signatures publicly available due to official documents that have to be signed and become part of the public record.
Governments and the law will lag behind technology - they are essentially reactive, especially in countries that try to keep the government out of as much as possible.
It seems to me that handwritten signatures are almost as much a problem as biometrics and need to be consigned to history as a means of authentication. Some people say that handwritten signatures aren't as bad, because you can change your signature if you want or need to, but reality is that it doesn't work - if someone accepts your signature from last year as authentication, you are still left having to prove it false, since it is usually taken as prima facie proof.
Soon (in fact already, but few people know how) we will move to electronic signatures and periods of validity, so that a signature and the time it is used are absolutely tied together, meaning we will be able to withdraw those signatures anytime we want, publish such withdrawals, and everyone will know (or will be deemed to know) that it is invalid from there on.
Consider that back in the late 90s we were printing, signing, scanning, and emailing documents all the time, but nowadays that has become rare for anything significant or high value - many (maybe all?) of the banks etc no longer allow that type of exchange due to the potential for signatures to be easily lifted from online sources.
Its no different really to how we all used to have magnetic strips on our cards, and they were phased out fifteen years ago - times move on, and some stragglers hold out, but eventually the world wins and they are forced to catch up or die.
Alan.
Many (maybe most) of us probably have scanned copies of our signatures publicly available due to official documents that have to be signed and become part of the public record.
Governments and the law will lag behind technology - they are essentially reactive, especially in countries that try to keep the government out of as much as possible.
It seems to me that handwritten signatures are almost as much a problem as biometrics and need to be consigned to history as a means of authentication. Some people say that handwritten signatures aren't as bad, because you can change your signature if you want or need to, but reality is that it doesn't work - if someone accepts your signature from last year as authentication, you are still left having to prove it false, since it is usually taken as prima facie proof.
Soon (in fact already, but few people know how) we will move to electronic signatures and periods of validity, so that a signature and the time it is used are absolutely tied together, meaning we will be able to withdraw those signatures anytime we want, publish such withdrawals, and everyone will know (or will be deemed to know) that it is invalid from there on.
Consider that back in the late 90s we were printing, signing, scanning, and emailing documents all the time, but nowadays that has become rare for anything significant or high value - many (maybe all?) of the banks etc no longer allow that type of exchange due to the potential for signatures to be easily lifted from online sources.
Its no different really to how we all used to have magnetic strips on our cards, and they were phased out fifteen years ago - times move on, and some stragglers hold out, but eventually the world wins and they are forced to catch up or die.
Alan.
It seems the technology has moved on significantly since I was learning about smtp and pop3. I did not know the current state of email that most messages are encrypted in transit these days. I wonder how the big hacks we hear about are occurring then. Is it that the whole network or mail server has been compromised? Wondering with the frequency of attacks if it is a good idea to rely solely on the in transit encryption to protect our inboxes.
Maybe I'm overthinking this? Wonder how many criminals have used public records access to signatures combined with other info to steal identities?
Maybe I'm overthinking this? Wonder how many criminals have used public records access to signatures combined with other info to steal identities?
Public records have real signatures, scanned signatures and faxed signatures so the risks (low) at similar
Hi Barry,
It is a very real concern - hence as I mentioned, the banks no longer accepting faxed / emailed scanned documents like they were twenty years ago.
However, I do not know of any specific cases myself of where it has happened (to me or anyone I know such as accounting or business consulting clients), so the overall risk might be low today, or I might just have been lucky as have the people I know.
Alan.
It is a very real concern - hence as I mentioned, the banks no longer accepting faxed / emailed scanned documents like they were twenty years ago.
However, I do not know of any specific cases myself of where it has happened (to me or anyone I know such as accounting or business consulting clients), so the overall risk might be low today, or I might just have been lucky as have the people I know.
Alan.
That depends on the bank . One of the big Five banks here accept scanned signed documents. So the method goes on and may change for some other method in future
Hi John,
I guess different countries will have different systems - not all countries have the same level of regulations for banks too.
I was working with a client last week, and they had made a payment from their bank overseas to another bank (same country and not third world) and it took two days for it to show in the recipient's account - haven't seen that in a long time either.
Alan.
I guess different countries will have different systems - not all countries have the same level of regulations for banks too.
I was working with a client last week, and they had made a payment from their bank overseas to another bank (same country and not third world) and it took two days for it to show in the recipient's account - haven't seen that in a long time either.
Alan.
It depends on institutions and practices. The risk in a secured business environment (which i think was the subject) is not high.
Hi John,
I agree - it is probably a low risk of the email being intercepted, but very easy for scanned copies of signatures to be lifted from public records.
Also, I would always *assume* all email to be sent in the clear. Much (probably most) is not nowadays, but always best to assume the worst case, and handle accordingly if you are concerned about security.
Alan.
I agree - it is probably a low risk of the email being intercepted, but very easy for scanned copies of signatures to be lifted from public records.
Also, I would always *assume* all email to be sent in the clear. Much (probably most) is not nowadays, but always best to assume the worst case, and handle accordingly if you are concerned about security.
Alan.
We may be getting into differing grounds here. Public records are just that and signatures (real, signed signatures) exist there.
That is different from non-public records (which I was speaking to above). So we agree on some ground here, but public records are subject to risk on any kind of signature.
That is different from non-public records (which I was speaking to above). So we agree on some ground here, but public records are subject to risk on any kind of signature.
If it's just a physical signature that's scanned, those are not legal enough for some of the things you're worried about. You frequently need an original signature, not a copy for things to be accepted. Some documents need a notary. Some documents need a digital signature, such as those from Docusign.com, docmagic.com, or the Adobe Digital signatures.
The actual signature is not sufficient in all cases. It's an artifact of a previous era, and not entirely sufficient on its own as a verification. It's basically a rubber stamp.
The actual signature is not sufficient in all cases. It's an artifact of a previous era, and not entirely sufficient on its own as a verification. It's basically a rubber stamp.
Barry - some of the comments about the deficiencies of real signatures and public documents may be true to some lesser or greater extent.
But your question was about sending signatures by email. As noted, if the sender and receiver are both secure (normal business practice) then there is no substantially greater risk this way than sending a real signature by mail or courier.
But your question was about sending signatures by email. As noted, if the sender and receiver are both secure (normal business practice) then there is no substantially greater risk this way than sending a real signature by mail or courier.
Wow. Thanks some really great input. John, my question has actually morphed into 3 areas from this discussion and I think the discussion has answered much of them. 1. Public record access to signed signatures and whether or not those documents leave us vulnerable to attack. 2. access to emailed document signature scans in email systems and in transit. 3. Would it be considered a best practice to keep scanned signatures out of emails, due to reducing your overall exposure to theft, i.e. Does increasing the number of access points to this kind of info increase the chance that it can be used for fraud? As someone pointed out the signature itself is not enough to lift an identity, but from my understanding of how identity thieves work the more information they can get on you, the easier it becomes for them to steal an identity.
thanks again.
thanks again.
On 2 and 3, Most email in transit is encrypted and you can use such an email system, so not much vulnerability to attack.
Increasing the number of access points could increase the risk, but if access points are secured in a normal business way, then again not much increase in risk.
Increasing the number of access points could increase the risk, but if access points are secured in a normal business way, then again not much increase in risk.
Also remember, relatively new, is that you can now deposit cheques in your bank account by taking a photo of it on your smart phone. This is a growing practice.
1. Public records are meant to be public. They've always been available to anyone that searches. There's a reason many documents require an original signature. A copy is insufficient.
2. Email is only encrypted in transit from your endpoint to the service provider server that you access. However, email between service providers and between servers, as they are routed or relayed around the internet, are still in plain text. This is a much reduced overall attack surface than it was previously. At least now, someone can't just hop on your network and read your transactions directly. They have to at least be somewhere along the more major pathways between service providers. The practice of encrypting email is still too ponderous for the average user. Yes, there are people that use PGP or GPG to encrypt the actual content of email, but that's still a very small segment of the population.
3. Fraud due to a copied signature is actually much less of an issue than you think. A lot of transactions do not rely on email at all. They just require a portion of your other pieces of data, which unfortunately, is being leaked all the time by various data brokers on the internet. The signature is a smaller issue than the other data they can gather about you.
2. Email is only encrypted in transit from your endpoint to the service provider server that you access. However, email between service providers and between servers, as they are routed or relayed around the internet, are still in plain text. This is a much reduced overall attack surface than it was previously. At least now, someone can't just hop on your network and read your transactions directly. They have to at least be somewhere along the more major pathways between service providers. The practice of encrypting email is still too ponderous for the average user. Yes, there are people that use PGP or GPG to encrypt the actual content of email, but that's still a very small segment of the population.
3. Fraud due to a copied signature is actually much less of an issue than you think. A lot of transactions do not rely on email at all. They just require a portion of your other pieces of data, which unfortunately, is being leaked all the time by various data brokers on the internet. The signature is a smaller issue than the other data they can gather about you.
Thanks everyone. I wish I could vote several answers. I think this question was really answered by a team and not just one individual.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial