Dynamic Biometric Signature In Common User’s Eyes
Have you ever been asked to sign some kind of a box rather than a paper? If not, you are likely to experience it soon. If you already have this experience you may have felt somewhat uncertain at that moment, or you even had some concerns about this process. If that is the case you should read on.
Today, more and more companies are getting rid of the dependency on paper documentation in favour of electronic ones. This also concerns concluding contracts and other documents, which until now used to be signed by traditional means. How should we tackle the issue of document signing in this digital world? Electronic signature based on qualified certificate issued by an accredited certification authority was established in Czech law system already almost 15 years ago. Therefore both legal and technical frameworks for electronic signing have existed for quite a while, but the truth is that it has not been adopted in practice. Getting, renewing and maintaining a personal qualified certificate is for an average citizen an insurmountable obstacle.
As a result in the last 2-3 years, the Czech Republic has been experiencing a boom of another electronic signature technology called Dynamic Biometric Signature. A number of banks, lenders, Telco companies, insurance companies and other entities have recently deployed or have got involved in deploying dynamic biometric signature at their branches and for their agents "in the field". The main advantage of this approach is that it is based on centuries of the ‘old’ handwritten signature that is known to the public, i.e. everyone ‘has it on them’ without being inconvenienced in any way.
There have been written many articles (one of which is in our blog) targeted primarily at companies that could or should want to introduce biometric signatures. Today we shall look at the topic from the perspective of a common user to answer some questions such a user may pose, especially regarding security.
How does it work?
A detailed explanation would go beyond the scope of this article. Yet it can be simply described as follows, one signs with the means of a specialized equipment (i.e. Signature pad), optionally with the means of a tablet supporting biometrics (currently only certain models sufficiently support this). The device records the signature and the data obtained is then inserted into the electronic document in a fashion, which ensures that
- Neither the document nor the signature data can be altered (any amendment is technically detectable)
- The signature data cannot be transferred from the document or used in other document
- The signature data cannot be read by unauthorized persons
The whole magic is based on asymmetric cryptography and a number of principles and mechanisms loaned from the world of traditional electronic signatures based on certificates.
Why would someone want me to sign some kind of a box and rather than a paper? What is s/he after?
Companies use this technology to simplify, speed up and reduce the price of their internal processes. The reasons for this is that documents are usually sent in mail, delivered by courier, or otherwise transported in person. Subsequently, hard copies of such documents are archived. Such paper processing is laborious, expensive and slow. Electronically circulating documents allow speeding up a number of processes or even automatizing them. Consequently, this means cheaper and faster services for the client.
Do I need to be afraid when someone produces a box to sign?
Most importantly, that depends on who presents you the box. If you sign something presented by a swindler aiming to trick you it does not really matter whether it is a hard copy or an electronic document.
Technology can ensure many things; the bottom line is that at the end of the day you will have to trust someone. In principle, no one can be prevented from presenting you a box that is not working as described above. Yet this is not an attribute of biometrics signatures only. It is also a characteristic of classic electronic signatures - you have to trust the certification authority, you have to trust that the hardware and software performing the signing act using your private key will not use the key for something else. This aspect applies to any operation performed using computers - only the software producer knows all the features. You simply have to believe that Microsoft (or its wicked employee) will not include a reader of your e-banking password into your Windows. In reality it is an aspect of any operation involving more than one party. Even money has some value only because you believe that your government will not introduce a monetary reform tomorrow. Nothing can exist without trust. Completely bulletproof security or provable exploitability of anything is not possible, in principle, as much as perpetuum mobile is neither. There is no 100% guarantee of anything in real world. There are only means how increase trust (security).
If you have confidence in your bank to entrust your money to it (and have them keep a hard copy of your specimen signature), despite the fact that you have no means of verifying nothing fishy is being done with your signature, why would you not trust it enough when signing biometrically? We regularly entrust our credit card details and other personal data to possibly less trustworthy entities; we even let them have our ID card to make a copy of it!
The possible risk you take when biometrically signing is no higher than the risks you take in many other situations.
What if I come across such a fraud?
Some might think that the difference is that in the case of a hard copy signature fraud the hustler attains only one genuine hard copy signature/one document, which you did not actually mean to sign. (Let’s disregard that s/he can also fake signatures and signature experts are not 100% flawless in their determination of genuineness), while electronic signature could be stolen and freely copied and pasted into any document.
Yes, if CIA (NSA, Mosad, FSB,..) decided at any cost (regardless of the resources that would be needed for it) somehow to get your biometric signature and use it to forge a document that you have in fact never signed, they could certainly do it.
So why is there no reason to worry? First of all you are not rich enough so that it would be worthwhile investing the necessary resources to get what you have. And if you happen to be a billionaire and a promissory note for all your assets mysteriously turns up it would be highly suspicious regardless what the signature on it looks like. Not to mention that the crook has much easier ways to rob someone ... Secondly, only in fairy tales once the devil has you sign the contract you go to hell and there is nothing you can do about it, even if the signature was obtained in a scam. In the real world you always have lots of ways to prove that you did not sign something. Moreover, no signature is an absolutely valid and unquestionable act of agreeing to a document even if the authenticity cannot be refuted by an analysis of the document and the signature. If it were otherwise, there would be no need for sophisticated crimes, let alone such complicated things as counterfeiting biometrically signed documents. Pointing a gun to someone’s head and getting him/her sign anything would be much easier ... Anyway in the Czech Republic today you can even avoid, with the blessing of the court (which is in my opinion sad), fulfilment of rightful contracts, which you consciously signed and do not dispute neither your signature nor the content. But that is another story.
To sum up, everywhere is possible risk, including hard copy signatures. However, stealing and successfully misusing your biometric signature (so that it would not be easy to detect) is extremely difficult, on the assumption that it was a credible organization you provided the signature with; this entity was not deliberately trying to deceive you from the very start and had no pre-prepared special trickster HW and SW. To shed more light on the risks, it is incomparably more difficult to steal your biometric signature than to successfully forge your handwritten signature (so that the expert witness does not describe it as an unmistakable fake), or to complement your handwritten signature with a clipped text not belonging to it, as much as to steel your ID card and misuse it.
I would always wonder where this box I am signing comes from. And yes, once we start in the course of time biometrically signing all over the place there might turn up targeted scams. Though there already are scams with hard copy signatures and stolen or otherwise counterfeit identification documents. As well as the risk of you dying in a car does not mean that people will or should stop driving cars. Neither it means that it should be outlawed (for their own good). By the same token the risks associated with biometric signature should not be a reason not to use it, for the risk of misuse is very low. And even if it occurred, the impacts would not be major – it is only about money and we can fight back as no genuinely looking signature is not indisputable. Let’s compare this with the car accidents above. There are more car accidents than signature frauds despite the fact that they are about health and life and that they are irreversible...