I put in a credit card application for Bilt and they want address and id verification via fax. They really want me to send a fax apparently
Most of my documents are virtual now, and I don’t have a fax machine. I see that on Google play there are a variety of apps for sending faxes. Is this a good option to go through? Or should I print stuff and find a library with a fax machine
Do they want you to fax them your Id?
Whatever this company is doing, stay away from it. This is ridiculous. Fax isn’t encrypted at all. Anyone asking you to do this has no idea about security and shouldn’t handle your data.
Also please don’t use some random fax app from the play store. They all seem sketchy as hell.
I mean it’s as secure as standard phone call, which most people are comfortable giving things like SSN over, no?
Great question. There is an important difference:
A standard phone call places a burden on malicious listening software to decode raw audio into computer parseable text, before it’s useful to an attacker. Computers are getting to be pretty good at this, but it’s still kinda expensive, relative to the massive amounts of hours of calls that one might need to snoop and parse to get a good tidbit worth stealing.
Fax, being already raw image data, incurs a much lower cost of doing ocular character recognition (OCR).
So an attacker can pay a lot for expensive voice recognition to pull an SSN off a voice call, or pay far less to pull an SSN out of a fax using OCR.
Attackers like both, if they’re motivated and well financed. But an underfunded or lazy attacker is going to prefer to listen in on the fax line.
Note that this is a reversal of previous security preferences, when the snooping would have usually been done by a bored human. Bored humans are great at parsing audio calls, and have no idea what they’ve overheard in a (bleep boop beepity boop) fax call.
This has been: “Cybersecurity insights that make us all sleep a bit more poorly.”
This is a really good point, but I’m still curious how bad actors are doing the actual wiretapping on any more than a targeted scale.
Probably nothing bad happens with those faxes. A malicous actor would still need access to the physical analogue line or to the network to sniff the RTP packets (depending on how the fax is transmitted) on one of the two sides. In theory all providers involved could also sniff the traffic since calls/faxes are never end to end encrypted. But something could happen, and I dislike it very much that they demand their users to take this risk.
Great point. As far as I’m aware, for the most part, they’re not. Lazy bad actors can just buy a bulk set of fresh SSNs and credit card numbers off of the dark web for cheap.
Fax is still a terrible solution, overall. But it’s not usually a huge risk - other than as a warning sign that one might be working with an incompetent or malicious organization.