this post was submitted on 29 May 2024
41 points (97.7% liked)
Asklemmy
43916 readers
1482 users here now
A loosely moderated place to ask open-ended questions
Search asklemmy π
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- !lemmy411@lemmy.ca: a community for finding communities
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I mean itβs as secure as standard phone call, which most people are comfortable giving things like SSN over, no?
Great question. There is an important difference:
A standard phone call places a burden on malicious listening software to decode raw audio into computer parseable text, before it's useful to an attacker. Computers are getting to be pretty good at this, but it's still kinda expensive, relative to the massive amounts of hours of calls that one might need to snoop and parse to get a good tidbit worth stealing.
Fax, being already raw image data, incurs a much lower cost of doing ocular character recognition (OCR).
So an attacker can pay a lot for expensive voice recognition to pull an SSN off a voice call, or pay far less to pull an SSN out of a fax using OCR.
Attackers like both, if they're motivated and well financed. But an underfunded or lazy attacker is going to prefer to listen in on the fax line.
Note that this is a reversal of previous security preferences, when the snooping would have usually been done by a bored human. Bored humans are great at parsing audio calls, and have no idea what they've overheard in a (bleep boop beepity boop) fax call.
This has been: "Cybersecurity insights that make us all sleep a bit more poorly."
This is a really good point, but Iβm still curious how bad actors are doing the actual wiretapping on any more than a targeted scale.
Great point. As far as I'm aware, for the most part, they're not. Lazy bad actors can just buy a bulk set of fresh SSNs and credit card numbers off of the dark web for cheap.
Fax is still a terrible solution, overall. But it's not usually a huge risk - other than as a warning sign that one might be working with an incompetent or malicious organization.
Probably nothing bad happens with those faxes. A malicous actor would still need access to the physical analogue line or to the network to sniff the RTP packets (depending on how the fax is transmitted) on one of the two sides. In theory all providers involved could also sniff the traffic since calls/faxes are never end to end encrypted. But something could happen, and I dislike it very much that they demand their users to take this risk.