I don't know directly, but I've heard that there are special laws regarding fraud via fax. Even though fax has no technical protection, it may have legal ones, that might give the counterparty some recourse if things went bad.
In Germany, a fax is legally considered an original copy, a scan/print is not, despite a fax often being a scan that’s then transmitted via fax protocols. Law hasn’t caught up with technology yet in that area.
You also get a confirmation from the recipient when using fax.
All the while we actually have a pretty good law about digital signatures since basically forever, but ~nobody supports those. (and they missed the chance of using the new ID cards to establish them more widely, which was really stupid)
Dialup modems speak the protocol, or at least they used to, so it was possible to send or receive a fax without a physical copy of the document. Just by "printing" from word to the modem and entering a phone number. I remember writing an excel macro to iterate over a list of customers and send a personalized word document to them. (This was 20 years ago I think and not all of our customers had an email)
Sure, but that's still "a scanner attached to a modem." Nothing about a scanner implies that it must buffer the input, just like nothing about a printer implies that it buffers the output.
There are/were "line printers" doing "latch a character from the input line, print the character, unlatch" serial output (which were so common that Unix pipes are designed around the foibles of outputting to such devices.) Most POS thermal receipt printers are still line printers!
I don't know as much about scanners, but I can't imagine that the original (digital, attached to a computer) scanners weren't also "serial scanners"—i.e., rather than a 1D scan head with a long CCD strip that could latch an entire line at a time into a shift register, they would have had 2D scan-heads that would scan one pixel at a time, in a "read brightness, signal ready, wait for return line to unlatch" serial loop. No memory required, just terribly slow.
When the relevant laws were made, fax machines were purely analog devices, not a scanner attached to a modem. And once fax was legally privileged, it stuck around exactly because it was legally privileged - despite the change in technology.
Sounds like their document management system was tied to a fax line and they didn't want to bother upgrading. IT departments at banks have like, zero budget.
I read on HN yesterday (or perhaps the day before) that in the USA HIPAA (Health Insurance Portability & Accountability Act 1996) carves out a special exemption to consider faxes ‘secure’.
If you pass a law stating you are a Triceratops, it would become 'true' in the legal sense... and since we are dealing with legality, it being declared 'secure' does matter
It depends on the threat model. If I need to prove to a court in the US, then I'm signing paper and faxing it. To do it differently would be more expensive to prove.
I'm talking about the technical sense. Where there is no encryption at all, anyone with a phone line splitter can listen in, and the machines are usually not in a secured area so anyone could just pick up the fax and walk away. Not secure at all.
I don’t think you need to argue that fax is not technically secure on HN. Pretty sure we are all on the same page there. What matters is legal precedent and existing policy in various countries.
It depends on what your threat model is. The attacks you're talking about are real, absolutely.
For the threat model of a physically local attacker with either the right timing (for grabbing an incoming fax) or the right knowledge (for the phone system equivalent of tcpdump), you're quite right that fax is insecure. Likewise for state-sponsored adversaries or certain organized crime groups.
But if you just want to make it hard for people scanning the internet to see what juicy corporate espionage they can find and resell, without specifically targeting you, fax is probably less vulnerable to that threat model than, for example, an undermaintained email server. Likewise if you piss off script kiddies somewhere on the internet with botnets and exploit kits, your website is probably a bigger risk than your fax machine.
They're secure in the sense of being low-risk for active content shenanigans and a small surface area for vulnerabilities. Attacking a network through a .tiff of a fax is a lot harder than attacking it through an email, pdf, word doc, http session, etc.