I put in a credit card application for Bilt and they want address and id verification via fax. They really want me to send a fax apparently

Most of my documents are virtual now, and I don’t have a fax machine. I see that on Google play there are a variety of apps for sending faxes. Is this a good option to go through? Or should I print stuff and find a library with a fax machine

  • cereals@lemmy.ml
    link
    fedilink
    arrow-up
    40
    ·
    5 months ago

    Do they want you to fax them your Id?

    Whatever this company is doing, stay away from it. This is ridiculous. Fax isn’t encrypted at all. Anyone asking you to do this has no idea about security and shouldn’t handle your data.

    Also please don’t use some random fax app from the play store. They all seem sketchy as hell.

      • MajorHavoc@programming.dev
        link
        fedilink
        arrow-up
        12
        ·
        edit-2
        5 months ago

        Great question. There is an important difference:

        A standard phone call places a burden on malicious listening software to decode raw audio into computer parseable text, before it’s useful to an attacker. Computers are getting to be pretty good at this, but it’s still kinda expensive, relative to the massive amounts of hours of calls that one might need to snoop and parse to get a good tidbit worth stealing.

        Fax, being already raw image data, incurs a much lower cost of doing ocular character recognition (OCR).

        So an attacker can pay a lot for expensive voice recognition to pull an SSN off a voice call, or pay far less to pull an SSN out of a fax using OCR.

        Attackers like both, if they’re motivated and well financed. But an underfunded or lazy attacker is going to prefer to listen in on the fax line.

        Note that this is a reversal of previous security preferences, when the snooping would have usually been done by a bored human. Bored humans are great at parsing audio calls, and have no idea what they’ve overheard in a (bleep boop beepity boop) fax call.

        This has been: “Cybersecurity insights that make us all sleep a bit more poorly.”

        • explore_broaden@midwest.social
          link
          fedilink
          arrow-up
          4
          ·
          5 months ago

          This is a really good point, but I’m still curious how bad actors are doing the actual wiretapping on any more than a targeted scale.

          • MajorHavoc@programming.dev
            link
            fedilink
            arrow-up
            5
            ·
            5 months ago

            Great point. As far as I’m aware, for the most part, they’re not. Lazy bad actors can just buy a bulk set of fresh SSNs and credit card numbers off of the dark web for cheap.

            Fax is still a terrible solution, overall. But it’s not usually a huge risk - other than as a warning sign that one might be working with an incompetent or malicious organization.

          • cereals@lemmy.ml
            link
            fedilink
            arrow-up
            3
            ·
            5 months ago

            Probably nothing bad happens with those faxes. A malicous actor would still need access to the physical analogue line or to the network to sniff the RTP packets (depending on how the fax is transmitted) on one of the two sides. In theory all providers involved could also sniff the traffic since calls/faxes are never end to end encrypted. But something could happen, and I dislike it very much that they demand their users to take this risk.

    • stoy@lemmy.zip
      link
      fedilink
      arrow-up
      3
      ·
      5 months ago

      The financial, legal and medical sectors are built on fax, I know that companies often use efax services.

      This means that you email the efax provider, they turn the attached document into a fax and send it, then if the recipient uses an efax service the fax gets turned back into an attachment and emailed to the recipient.