this post was submitted on 29 May 2024
41 points (97.7% liked)

Asklemmy

43916 readers
1482 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
 

I put in a credit card application for Bilt and they want address and id verification via fax. They really want me to send a fax apparently

Most of my documents are virtual now, and I don't have a fax machine. I see that on Google play there are a variety of apps for sending faxes. Is this a good option to go through? Or should I print stuff and find a library with a fax machine

you are viewing a single comment's thread
view the rest of the comments
[–] explore_broaden@midwest.social 16 points 5 months ago (1 children)

I mean it’s as secure as standard phone call, which most people are comfortable giving things like SSN over, no?

[–] MajorHavoc@programming.dev 12 points 5 months ago* (last edited 5 months ago) (1 children)

Great question. There is an important difference:

A standard phone call places a burden on malicious listening software to decode raw audio into computer parseable text, before it's useful to an attacker. Computers are getting to be pretty good at this, but it's still kinda expensive, relative to the massive amounts of hours of calls that one might need to snoop and parse to get a good tidbit worth stealing.

Fax, being already raw image data, incurs a much lower cost of doing ocular character recognition (OCR).

So an attacker can pay a lot for expensive voice recognition to pull an SSN off a voice call, or pay far less to pull an SSN out of a fax using OCR.

Attackers like both, if they're motivated and well financed. But an underfunded or lazy attacker is going to prefer to listen in on the fax line.

Note that this is a reversal of previous security preferences, when the snooping would have usually been done by a bored human. Bored humans are great at parsing audio calls, and have no idea what they've overheard in a (bleep boop beepity boop) fax call.

This has been: "Cybersecurity insights that make us all sleep a bit more poorly."

[–] explore_broaden@midwest.social 4 points 5 months ago (2 children)

This is a really good point, but I’m still curious how bad actors are doing the actual wiretapping on any more than a targeted scale.

[–] MajorHavoc@programming.dev 5 points 5 months ago

Great point. As far as I'm aware, for the most part, they're not. Lazy bad actors can just buy a bulk set of fresh SSNs and credit card numbers off of the dark web for cheap.

Fax is still a terrible solution, overall. But it's not usually a huge risk - other than as a warning sign that one might be working with an incompetent or malicious organization.

[–] cereals@lemmy.ml 3 points 5 months ago

Probably nothing bad happens with those faxes. A malicous actor would still need access to the physical analogue line or to the network to sniff the RTP packets (depending on how the fax is transmitted) on one of the two sides. In theory all providers involved could also sniff the traffic since calls/faxes are never end to end encrypted. But something could happen, and I dislike it very much that they demand their users to take this risk.