  • Siax (unregistered)

    That's the frist time I've heard of this!

  • Sir Wibble St Murphington (unregistered)

    LaserJet will be more than good enough if it's going to be faxed!

    My frist comment was rejected because my identity couldn't be verified so I submitted this one on letterhead.

  • Kev (unregistered)

    My UK mobile phone company does this too. Any time I upgrade my handset I have to include a request on company letterhead paper. The staff I deal with generally recognise it's pretty ludicrous, but they need to include it with their paperwork. I keep a suitable copy in Dropbox, and they're normally happy for me to print it out from that in the shop. Insane.

  • Little Bobby Tables (unregistered) in reply to Sir Wibble St Murphington

    Sounds English to me. Sure we can trust him enough?

  • Dave (unregistered)

    When I was a teenager (20+ years ago) we had a laser printer at home before they were common in most offices. In those days a good-looking letterhead was enough to make anything look official, because everyone was still ordering headed paper rather than printing their own. I had all kinds of fake IDs, days off school to go to special courses, later parking permits and things.

    These days you don't get away with stuff like that very often anymore. But 'proof of address' is rarely a higher bar to get over.

  • David (unregistered)

    I suffered at the hands of this.

    A company I hosted the website of had an internal dispute amongst the partners and one of them decided to poach all of the employees, clients and cash in the bank from the other partner.

    When it came to doing likewise with the domain all they had to do was send a request to the registrar on letterheaded paper. No amount of time with customer support from me with silly things like incorporation documents for the original company (you know, solid evidence and all that jazz), was enough to halt the process.

  • (nodebb)

    The joy of unwise policies. The German post office offers a service where they'll confirm your identity for registering bank accounts and other services where that's important. They'll copy your ID and fill out a form that you were the one who sent that letter and so on.

    But as an added verification step they'll also "expertly" compare the signature on your ID to your signature on the form and if the worker at the counter isn't convinced that they match sufficiently they'll refuse to confirm that you are the sender of the letter. The problem here is that government ID in Germany is valid for a long time and you sign the thing with a marker instead of a pen when you fill out the forms to get it.

    So your signature already looks different when you sign with a pen and after 10 years it'll have drifted a bit. Not to mention that a random worker at a post office counter is probably not the most qualified for this.

    Long story short, when I went to open a bank account at an online bank I got to try out faking my own signature from 15 years ago about 15 times right in front of the clerk, who had just insisted that presenting my ID card, driver's license, passport and my father (who had tagged along to mail a package) presenting his ID and vouching for me was not enough ID. I had to also produce a signature that matched my 15-year-old ID.

    Nowadays online banks are offering webcam interactions for this instead because the post office is such a bad user experience.

  • Decius (unregistered)

    The policy of "company letterhead" isn't to make anything more secure, the purpose is to make it so that a fraudster is actively defrauding both parties and to mobilize the legal department of the company whose letterhead was forged in an attempt to obligate them against the attacker.

    If they just had a written request on paper, the company would say "we never approved that, we won't pay it"; with the request on 'their letterhead', or on a letterhead that looks like it might be theirs, it becomes "someone impersonated us!".

    Back in the days when printing was done with presses, letterhead was nontrivial to duplicate and actually provided a tiny bit of security.

  • (nodebb)

    The real WTF is printing the request on paper to fax it. Printing to a fax modem has been around as long as MS Word.

  • WTFGuy (unregistered)

    OTOH, it's been years since I had a modem in one of my PCs, fax-capable or otherwise.

    Funny enough, demanding letterhead would have been good enough to stop almost all of your garden variety conmen back in the 1970s. We're growing more capable and smarter bad guys all the time.

  • Chris (unregistered)

    I once had a delivery sent to my work. It arrived when I wasn't in the office, so I had to go to the post office with the card left behind (it needed my signature). I showed the guy at the post office my driver's license to prove my identity, but he insisted I needed a business card, since the address on the delivery was to my work. I don't have business cards printed out, but I've got business card paper at home. I could go and print any business card "proving" that I work at anywhere I want. At least he relented and gave me my package, but warned me to bring business cards next time. No-one else at any post office has ever required this.

  • staticsan (unregistered)

    I remember dealing with a domain registrar that wanted things by fax. I remember working hard to get our clients' domains off them largely because of that reason.

  • aaron (unregistered)

    It was to change the punishment.

    Lying to a registrar is one thing; sending a fake letterhead fell into some kind of fraud law that made the punishment much higher.

  • (nodebb) in reply to BitDreamer

    Printing to a fax modem has been around as long as MS Word.

    I don't remember there being fax modems as common items in 1989, which is when I first used MS Word.

  • Dave (unregistered) in reply to Steve_The_Cynic

    I remember doing it from Wordstar in the eighties. Digital fax modems came out around the time of 14400 baud - early to mid eighties.

  • Dlareg (unregistered)

    Well to prove I was starting a company I had to send my logo to the tax people.

  • Remco (unregistered) in reply to aaron

    It wasn't fake, it was letterhead v0.1, problem solved!

  • Naveed (unregistered)

    I remember this nonsense, and this is exactly the way I dealt with it too.

  • Franq again (unregistered)

    OTOH it's been years since I had a modem in one of my PCs, fax-capable or otherwise.

    You don't hook a fax line up to your PC, you hook it up to any photocopier made in the last 15 years, and you enable that photocopier's fax print queue.

  • SD (unregistered)

    I ran into this once when I applied for a (no documentation) mortgage. Because I was an independent contractor at the time, they wanted a copy of my business card. I argued that I didn't have one, as I only had one client. No dice, the rules were firm. A couple of minutes in PowerPoint and I had my mortgage.

  • netmunky (unregistered)

    Sounds like all Network Solutions domain registrations back in the day. You had to fax or mail in registration/renewal/change requests based on some .txt template. If you were a poor college student in 1999 registering your first domain, it could take a couple weeks to find out if you got your domain registered.

  • nasch (unregistered)

    Do tech startups have photocopiers?

  • robby the robot (unregistered)

    This type of thing is because misusing company letterheads falls into a different criminal category. It's like doing something which is legal, but if you're asked and you deny it then that denial becomes a criminal matter.

  • BobbyTables (unregistered)

    My wife tried to move our Cable TV account to a new address. This from the company advertising how easy it is.

    Problem is, she isn't officially on the account. They demand that only I can make the changes. She has all my info, but they still want to speak to me, to make sure I'm ok with it.

    So... they ask if they can call me at home. She's calling from the home #. So they ask for my cell number. She gives them my #.

    They call me, ask me if I'm BobbyTables, I say I am, they ask if I will allow my wife to change the account. I agree.

    Now she has full access.

    I nearly questioned them when they called me, on how they were sure it was really me, but my wife would have killed me.

  • Spoad (unregistered)

    I have had something similar happen to me. I rent an apartment through a letting agency who (it turns out really did) change their bank, as a result my rent payments would need to go into a new bank account.

    I come home one day to find a letter on the doormat which tells me "Stop paying large amounts of money into this bank account, pay it into this other one instead!" which obviously, I looked upon suspiciously as not only could this be a scam but one that could have me threatened with eviction.

    Naturally I get in touch with the letting agency and the conversation went something like this:

    Spoad: "Hello I've received a letter claiming to be from you stating that you have changed your bank account for rent payments, is this correct?"

    Estate monkey: "Well what are you calling me for?"

    Spoad: "Well I just wanted to check that it was indeed the case."

    Estate monkey: "Duh, of course it is, that is why we sent you a letter!"

    Spoad: "Okay then I will redirect my payments immediately, I just wanted to check the letter was actually from you."

    Estate monkey: "Well of course it was, it was on our letterhead wasn't it?"

    So yeah, it seems in the world of the bureaucratic dullard, letterheads really are considered totally secure.

    What worries me more (although I should have lower hopes for humanity after working in IT for so long) is that the agent's tone and response, implying that I was the idiot for phoning, imply that no-one else did... So presumably if I sent a similar letter to all my neighbours with my bank details on, they would just give me their rent money without so much as raising an eyebrow... because you know, letterheads are secure!

  • jgh (unregistered)

    One year at university the annual student ID card was on laminated white card. I had access to an early laser printer. He he. I made a valid ID card for my neighbour's baby, complete with photo and checksum-correct ID number (the result of the previous year's CompSci project). I also had a laminator. :D :D :D

  • I dunno LOL ¯\(°_o)/¯ (unregistered) in reply to Dave

    You're off by a decade. 2400 baud was still hot shit in 1989.

  • eric bloedow (unregistered)

    Reminds me of several "not always working" stories where someone walked into an office and wanted to make an appointment. The idiot receptionist said, "appointments can ONLY be made by phone." So he pulled out a cell phone...

  • TCCPhreak (unregistered)

    On the topic of German post offices and fetching packages: Friend of mine wasn't at home when his delivery arrived so he got a card to visit the post office. He went there but couldn't present enough ID for the post office worker (longer story). He could, however, join up with the random guy behind him, putting his name on the "authenticated for fetching package"-card, sign the card and hand it over. Random guy demands the package from the postal worker, shows authentication and ID.

    Post office worker has "slight" complaints - but everything is according to post office rulebook. Random guy gets package, hands it over to the friend of mine.

Leave a comment on “Classic WTF: Security By Letterhead”
