In a high-tech world where incidents of ultramodern cybercrime are rapidly becoming the norm, it seems that something as straightforward and arcane as a person’s signature — even an electronic one — would be a simple and effortless target for criminals.
But behind every electronic signature used in banking and tax transactions is a multipronged, and strong, network of security provisions keeping the signers — and their data — secure.
Tom Gonser is the founder and chief strategy officer of DocuSign, which provides e-signature solutions to more than 30,000 clients, including companies like John Hancock and Fidelity Investments.
The tiers of authentication and data storage in DocuSign’s comprehensive platform are designed to give people peace of mind that their digital signatures are safer than the real thing.
"E-signatures give the user the ability to prove that a transaction has occurred that’s way beyond what you can do with paper," Gonser told SecurityNewsDaily.
Gonser explained that when clients upload a document and the e-signature attached to it to the company’s firewall-protected server, DocuSign encrypts it and then "hashes" it — essentially creating a mathematical algorithm of the file that can be examined to determine if it’s been tampered with.
When it’s time for the e-signature, there are several levels of authentication in place to keep hackers at bay.
One security measure calls for biometric phone authentication — the customer calls a designated number and DocuSign sends a code to the user’s phone, which the customer then types into the phone. A recording of the customer’s voice finishes the process, tying the company’s phone, the user’s phone and his voice to the e-signature. DocuSign also uses one-time passwords and knowledge-based authentication methods to back up the e-signatures.
"It’s technically possible, I suppose, to break into a server, but it would take a supercomputer about 1,000 years," Gonser told SecurityNewsDaily. "It could be hacked … but it hasn’t happened and it’s not going to happen."
Gonser said e-signatures have followed the same path toward social acceptance as online shopping, in that purchasing items online was at one point viewed as a risk, but now it’s accepted practice.
"I don’t see the e-signature platform as a cybercrime target," he said.
Cybersecurity experts are inclined to agree with Gonser.
Joe Stewart, director of malware research at SecureWorks, told SecurityNewsDaily that there are few risks in using e-signatures, especially since the signatures themselves are backed by a web of safety measures.
"If e-signatures became the primary method of authentication, they would certainly be targeted," Stewart said. "A better e-signature system would rely on trusted external cryptographic hardware devices using biometrics to sign the data instead."
Which is exactly what DocuSign and many other e-signature companies do.
Roel Schouwenberg, senior malware researcher at the security firm Kaspersky Lab, said e-signature platforms will likely stay off cybercriminals’ radar screens. Unfortunately, hackers don’t need them because there are so many easier security loopholes to exploit available.
"So far, cybercriminals have been successful without having to abuse e-signatures," Schouwenberg told SecurityNewsDaily. "That’s likely not going to change for mass attack."