Is Internet Faxing Secure?

Bob, I need you to "connect the dots" for me. We know not to put private information such as credit card numbers in e-mail messages, because those messages are no more secure than post cards sent through the U.S. Postal Service.

I receive all my incoming faxes as unencrypted PDF documents attached to e-mail messages, from my fax provider. Are those unencrypted PDF attachments any more secure that the e-mail messages they are attached to?

EDITOR'S NOTE: If they are not encrypted, then no.

If you send a fax over the Internet to someone's computer, why not just email it to them? Encrypted of course.

Just used FaxZero about a week ago. I have all-in-one printer but it doesn't do faxing. So I scanned in a couple of signed documents and used FaxZero to fax them to their destinations. I asked on of the places I faxed to if the cover sheet advertisement was annoying and they assured me it wasn't. They thought it was kind of neat, actually.

The cheap scanner software that came with the printer only scans in JPG, GIF or PNG formats (or coverts to text via OCR) so I used Bullzip PDF printer to convert the scan to a PDF (Fax zero doesn't accept image files). Altogether, an easy and effective service.

Sfax (http://www.sfaxme.com) is another service that ensures your document is completely secure by encrypting it throughout its entire journey. It was originally designed for the healthcare industry and only uses email for notifications, and therefore provides the highest levels of document security – all with a complete audit trail.

After being made aware of security issues with unencrypted fax documents attached to e-mail messages, I checked with my provider, FreedomVoice Systems (www.freedomvoice.com). They provide entire virtual office services, including incoming 800-numbers, voice mail boxes, inbound and outbound fax, and more, starting at $10 per month for the basic setup.

I learned that I have three options:

1. Receive unencrypted faxes attached to notification e-mail messages as PDF files. (This is what I've been doing for years, unwittingly inviting security breaches).

2. Instruct the system to ZIP the faxes and password-protect them before attaching them to the e-mail. I specify a password one time, and the same password is used to open all ZIPped faxes going forward, until I change passwords. I understand ZIPped files are not 100% impervious to hacking, but they're sufficient for my purposes, so this is what I'm now doing.

3. Receive notification-only messages from FreedomVoice (on both my cell phone and via e-mail), which allow me to log in to the FreedomVoice web site and download the PDF file directly to my computer. I suppose this provides the highest security, but it interjects the extra step of having to log in to retrieve my incoming faxes.

I've been a delighted FreedomVoice customer for perhaps 10 years (perhaps I sound like a paid spokesperson, but I definitely am not), and I would recommend it to anyone looking for a secure inbound/outbound virtual fax system, with or without voice messaging, virtual office, etc.

FaxitFast.com is also a reliable Internet Fax service.

All of their inbound / outbound faxes sent from the account dashboard are transmitted securely via SSL connection. In addition, they offer a risk-free 30 day trial so that you can try the service before you actually buy. Unfortunately as Lee mentioned, receiving / sending faxes directly from your email account can be difficult to ensure the same level of security compared to viewing faxes from your account dashboard at FaxitFast.com

While encryption during transmission is important, I gotta say this article misses another point, which is actually more important: storage.

Let's put it this way: if I'm using an online fax service, do I know if my documentation stored on a server somewhere? Is any such server encrypted? Is any such server protected in other ways? As a security professional, that's the first thing on my mind.

If I were an unscrupulous person w/ sufficient technical skills, an online faxing service that stores faxes somewhere would be an unbelievably tempting target - especially if they process a lot of faxes in one day.

I am just about to fax some tax paperwork, for instance. This has my name, SSN, address, and primary email. That's a gold mine for an identity thief, and I can't be the only one needing to fax info like this.

So, if people are using that service to fax sensitive information (and they will be), then, as an attacker, I wouldn't give a darn about whether it's encrypted during transmission - I'd be going after the servers. It's easier to hack an insecure server than tap a phone line, and it'll yield much better results (more documents from more sources = more sensitive information).

So, in short: SSL encryption is nice, but unless there's secure storage (or no storage at all), then you're better off using an old-school fax machine.

Security is a state of mind.

Without encryption and/or password protection for attachments, online faxes are certainly vulnerable to security breaches on the receiving side.

Many organizations routinely "trap" all inbound messages, then route and save copies of them internally per their own protocols. Once a file is decrypted, what happen after that is anyone's guess.

The one real advantage of a using old-school dedicated fax phone lines is that it almost eliminates the chance for the message to be copied, diverted, or intercepted during transmission - unless the lines are bugged.

Faxzero used to provide a decent service. But, for the last several months, faxes to congress are not going through. When I reported the problem to Faxzero, their incompetent, rude "support" person (who goes by the name of Connie), kept insisting the fault lies with my computer (singular) --- even though I provided documentation that it occurs with six different computers, five different browsers, five different operating systems, different routers and different ISPs. I've switched to another service permanently. I suggest you do the same.