The number of transactions using electronic signatures is growing as more and more companies see the benefits of going digital. A recent report released by Forrester Research estimates that the market is seeing an average annual growth rate of 53 per cent, with transactions estimated to grow from 210 million in 2014 to 700 million in 2017.
Whilst common drivers behind this significant growth include reducing costs, increasing efficiency, and improving user experience within businesses, the primary decision to adopt e-signatures is often for compliance and regulation requirements. But would all e-signature solutions stand up under court scrutiny?
There are six common threat scenarios that may implicate the validity of an e-signature that every company should be aware of.
A signature could be repudiated
A signature can be easily replicated in the digital world which can lead to identity fraud or repudiating of signatures. At a basic level this can be countered by providing server logs that include information on how the user was authenticated as well as their IP address and geo-location. Even with these measures, the only true way to prove that a document was signed by a specific person, is by using a public key infrastructure (PKI) based digital signature. It uses cryptographic algorithms to issue a unique digital identity, which is embedded when signing and the document is locked from change.
The document was altered after it was signed
An individual could assert that a document was changed after it had been signed. This can be prevented by ensuring the used e-signature solution has strong and standard cryptographic algorithms that detect any changes made to a document.
It is important that these are standard ISO/ETSI PDF/XML signatures, so that documents can be verified in court and are not reliant on a single vendor’s solution, which may be considered faulty or affected by a malicious external influence.
That was not the original document signed
Whilst a cryptographic signature proves who signed a document, this is still not enough if it can be proven that the content of the document is different to what the user saw when it was originally signed. This argument can be difficult to counter. Presenting documents in an advanced PDF (PDF/A) format ensures the document shown to the user at the time of signing was secure. This format is flattened and contains various safeguards.
It is also recommended that the service provider signs the document before sending to a user. This proves the document’s authenticity and shows no changes have been made by Man-In-The-Middle (MITM) or Man-In-The-Browser (MITB) circumstances. Saving a local copy before and after signing for personal records also provides additional proof.
The user’s signing key has been accessed elsewhere
A fraudster could claim that the digital ID used was compromised by a hacker or that the service provider gained a copy of the user’s key if it is held centrally on the server. To counter this claim, the provider would have to prove that best industry practices were used to protect user signing keys and that no one else could have had reasonable access to the key other than its owner. Industry best practice requires that user keys are stored in tamper-resistant hardware security modules (HSMs).
The user’s digital ID had been revoked
If a signature was made after a user’s digital ID was revoked, it can be assumed that someone else must have signed the document. This threat can be countered by creating a long-term e-signature solution that embeds a timestamp clarifying when the document was signed according to a trusted time stamp authority (TSA).
It can also be prevented by embedding the status of the signer’s digital ID, proving validity of the signer’s key at the time of signing. Long-term signatures ensure that even if a key is compromised, revoked or expires after a document is signed, it is considered legally valid.
Not being aware that a signature was being actioned or of legal implications
Online solutions have made it very easy to sign a document, causing many users to click on a button or link to sign. This can lead to claims that they were unaware that their action had any legal significance.
This scenario can be prevented by:
- Including initialling of important paragraphs in the document to prevent claims that sections were missed by the user
- Displaying a legal notice to make the signer aware of the legal implications and preventing them from proceeding until they have approved
- Clearly showing 'Sign' or 'Decline' options to allow the user to have the opportunity to give their consent or cancel the operation even after initiating the process
Implementing a legally binding signature requires businesses to consider every potential threat scenario. Extra trust comes when an independent adjudicator can judge without reasonable doubt as to who signed the document and whether they knew the implications of their actions at the time of signing.
Liaquat Khan, Ascertia
Image Credit: Shutterstock/iCreative3D