Why Faxing is Less Secure Than Email
-
This comes up a lot, especially with HIPAA discussions. Faxing is generally accepted to be the least secure form of modern communications, but in the medical space is often defended because HIPAA authorities often give it a reckless, free pass for use. We need a real discussion and a single place to show why faxing is less secure than the alternatives.
-
I think that we can assume that S/MIME, GPG, PGP and similar email encryption schemes are extremely secure and go way beyond the discussion into a "clear win" category.
-
Also, enforced TLS would do the same. So far and away more secure than faxing, not really any possible discussion.
-
So really, this is about open, unencrypted SMTP from one MTA to another. Go....
-
Faxing is totally open an unsecured from the device through the network to the other device. It is analogue and well defined standard that any old fashioned modem, fax machine or similar can reproduce.
Tapping fax lines is the easiest method of accessing them. Faxes go our over lines that cannot be secured and can be tapped without physical access. PHI in transit is essentially, exclusively a "local" activity either to the recipient or to the sender, and both sides of a fax transaction have to be completely exposed. Even if the building is secured, the external phone lines are not and those are where the biggest vulnerabilities are.
Fax lines are also vulnerable to a man in the middle attack due to the lack of authentication. If someone is being targeted, the opportunity to intercept a fax and repeat it on is trivial, unlike phone calls where you have to speak "live" to the person on the other end.
-
Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.
MTAs typically sit in datacenters of some sort and connect directly to ISP connections inside of a secure facility and have no real risk of exposure at that stage. Even without encryption, the SMTP data is onto the ISP's internal network immediately or very rapidly in a way that makes tapping unreasonable at best.
This process is repeated on the receiving side. In some rare cases people may run in house MTAs that are not using TLS and accept email locally but this is rare, non-standard, totally optional and still harder to tap than a fax line if locality is the concern.
-
Some people mention concerns around the security of email in transit with the ISP. But this is moot as faxes have to transit the same ISPs and if the ISP themselves are the thread, both cases leave us totally exposed to that threat. So while this is a valid concern, it is not "more" of a concern with one approach or the other.
-
Faxes are circuit based, so tapping physically is much easier because the connection is stable. Email is packet based so is far less reliable of a target for tapping to occur.
-
Security of faxing and its place in a HIPAA discussion, as you have said many times, are not related.
Mailing a letter via USPS is super not secure, but considered acceptable for HIPAA.
-
@BRRABill said in Why Faxing is Less Secure Than Email:
Security of faxing and its place in a HIPAA discussion, as you have said many times, are not related.
Mailing a letter via USPS is super not secure, but considered acceptable for HIPAA.
Right, faxing is totally allowed under HIPAA, but not when someone is trying to be secure. That it is allowed is one thing, but email would be allowed as well given that it is an improvement over faxing. HIPAA doesn't make real specific requirements, only levels of effort and the effort demanded is far below business standards.
-
A lot of people mention the total lack of authentication with faxing as a means of breaching security, but this is normally mentioned in the context of mistakes and is countered with the fact that obscurity makes that a non-issue. And that is basically true, the same goes for email, the chances that you would type in a keying error and get a real email address and one that would exploit the contents of the email are super low. So that's negligible in both cases.
However, what is often ignored, is that the real risk is in tricking people into using the wrong phone number. We are talking about focused security attacks here, in both cases. This is not someone trying to access stored data, this is about data in transit. If you want to get a fax sent to the wrong number, you use social engineering to get people to send to the wrong number. Same can happen with email, but it is likely harder. Fax numbers are totally anonymous, have zero authentication and involve "tossing the critical security data over the wall" and hoping for the best. It's blind, and no secure process can be blind.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.
No it doesn't. If you are targeting someone, you send them an ebomb and infect their computer, because, well everyone loves cat videos, now you're watching everything they do their computer, not just email.
-
@scottalanmiller said
but email would be allowed as well given that it is an improvement over faxing.
Good luck documenting and proving that as reasoning for use.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Faxing is totally open an unsecured from the device through the network to the other device. It is analogue and well defined standard that any old fashioned modem, fax machine or similar can reproduce.
Tapping fax lines is the easiest method of accessing them. Faxes go our over lines that cannot be secured and can be tapped without physical access. PHI in transit is essentially, exclusively a "local" activity either to the recipient or to the sender, and both sides of a fax transaction have to be completely exposed. Even if the building is secured, the external phone lines are not and those are where the biggest vulnerabilities are.
Fax lines are also vulnerable to a man in the middle attack due to the lack of authentication. If someone is being targeted, the opportunity to intercept a fax and repeat it on is trivial, unlike phone calls where you have to speak "live" to the person on the other end.
Tapping a phone line once it reaches a neighborhood hub is anything is trival I'm guessing. But the main point that I want to point out here is that tapping a phoneline requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Some people mention concerns around the security of email in transit with the ISP. But this is moot as faxes have to transit the same ISPs and if the ISP themselves are the thread, both cases leave us totally exposed to that threat. So while this is a valid concern, it is not "more" of a concern with one approach or the other.
I agree, this is not part of the concern.
-
@Dashrender said
Tapping a phone line once it reaches a neighborhood hub is anything is trival I'm guessing. But the main point that I want to point out here is that tapping a phoneline requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.
Pretty easy to get access to phone lines if you are in any sort of business complex.
-
Another massive factor is that email is sent to a person, faxes are sent to a machine. The machine might be shared, might be insecure, might be unmonitored, might be in a public space, etc. Mailboxes can be as well, in theory, but the idea is that a person is supposed to hand over a mailbox for a person or a role. Faxing do not work this way. People do not have their own lines, faxes, etc. They never have and faxes were never expected to work like that.
This makes for a fundamental difference in security. One goes to whom you intended it to go to, one goes to the machine you intended it to go to... and immediately gets automatically translated into paper and left there for anyone to find.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
A lot of people mention the total lack of authentication with faxing as a means of breaching security, but this is normally mentioned in the context of mistakes and is countered with the fact that obscurity makes that a non-issue. And that is basically true, the same goes for email, the chances that you would type in a keying error and get a real email address and one that would exploit the contents of the email are super low. So that's negligible in both cases.
However, what is often ignored, is that the real risk is in tricking people into using the wrong phone number. We are talking about focused security attacks here, in both cases. This is not someone trying to access stored data, this is about data in transit. If you want to get a fax sent to the wrong number, you use social engineering to get people to send to the wrong number. Same can happen with email, but it is likely harder. Fax numbers are totally anonymous, have zero authentication and involve "tossing the critical security data over the wall" and hoping for the best. It's blind, and no secure process can be blind.
Email is no different in this regard.
-
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.
No it doesn't. If you are targeting someone, you send them an ebomb and infect their computer, because, well everyone loves cat videos, now you're watching everything they do their computer, not just email.
I don't even know what you are disputing here. If you are saying that email gets spam, so do fax machines. I've gotten plenty of fax spam over the years.
You say that it does not eliminate location based attacks but mention cat videos from a non-location attack. What is that comment in reference to?
-
@BRRABill said in Why Faxing is Less Secure Than Email:
@Dashrender said
Tapping a phone line once it reaches a neighborhood hub is anything is trival I'm guessing. But the main point that I want to point out here is that tapping a phoneline requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.
Pretty easy to get access to phone lines if you are in any sort of business complex.
Even if you are not. In rural areas it is especially easy to tap lines. There is even equipment that allows you to tap the lines without climbing the poles, you can do it, touchless, from the ground!
