Electronic Signature for Finance Department

By | Electronic Signature

The COVID-19 pandemic has fundamentally changed the way we live and conduct business. We have to adjust to the “New Normal” environment in order to minimize the risk of social contact and ultimately stop the spread of COVID-19. Today most companies are encouraged to allow or mandate working from home, and business owners have probably already felt the pressure to move their organizations towards paperless solutions. When a company practises a work-from-home policy, the business process that causes the most disruption and inefficiency is the paper-based process that needs a physical ink signature from multiple parties.
Take the finance department as an example: every day it deals with countless paperwork and tedious documentation. How to replace this error-prone and time-consuming paper-based document signing process is a pressing issue right now.

The key ways an eSignature solution can help finance departments improve efficiency are as follows.

Ensure compliance in digital workspace

Finance documents are often sensitive by nature. An eSignature solution can offer better security features such as tamper-proof documents and a detailed audit trail recording who signed the document, when they signed it and where they signed it.

Speed up processes

• Instead of wasting time getting documents signed manually, electronic signatures offer a much faster turnaround: the document is sent digitally and everyone can sign off within minutes.

Paperless productivity

• Paper-based processes are usually time-consuming and can take days or weeks to get things done, which hurts productivity and operations.
o Eliminating outdated paper processes lets finance executives run all operations online and complete tasks on time.

Improving employee experience

• Efficiency is everything in the finance department. Finance executives equipped with modern tools can get the job done quickly. With the help of eSignature software, stakeholders can keep track of all signed documents and their audit trail. Such efficiency and transparency lead to greater employee satisfaction.

Compare this to the old document management life cycle: printing the document, finding it, passing signed documents back and forth, not to mention the cost of filing the document away in a physical filing cabinet. Business owners can implement a paperless office and reap the benefits after digitizing the entire office business process.
ThrivoSign is an innovative e-Signature platform that allows organizations to create, share and securely approve their business documents.

Finance departments can use an electronic signature solution to manage the following documents:

Budget approval

• Automate the budget approval process by streamlining the creation, approval and review of related documents

Compliance processes forms

• Avoid manual work and track the progress of documents in real time
• Create a digital audit trail to prove that a proper process was followed according to the company's ISO standard

Invoices, Delivery Order & Quotation

• Streamline critical invoicing processes with ease and security
• Considerably minimize costs, accelerate billing and reduce errors. Sometimes this acceleration means that deals are sealed faster.

Audit sign off

NDA Disclosures

Expenses, claim and payment voucher approval

• Facilitate automation of the internal business approval process with a modern tool

ThrivoSign eSignature comes with a digital workflow solution that allows finance officers to easily create, upload, send and sign any type of document and collect signatures on time. All documents are stored digitally, which saves tremendous cost.
You can contact sales@idthrivo.com to arrange a demo on how our product ThrivoSign can help your organization transform into a paperless office.

Electronic Signature & Digital Signature

By | Uncategorized

Electronic signatures and digital signatures are not the same. From my perspective, a digital signature is a subset of electronic signatures that uses a certificate-based digital ID to link the signer to the document. Since a digital signature requires users to enrol for a certificate from a licensed CA, the secure user enrolment and information verification process means it offers higher security and protection than a plain eSignature.

What is Electronic Signature?

An electronic signature is broadly defined under the ECA as “any letter, character, number, sound or any other symbol or any combination thereof created in an electronic form adopted by a person as a signature”.
An electronic signature is legally binding in most countries (subject to in-country laws) as long as it meets the following requirements:
• It is uniquely linked to the signatory and under the control of the signer only;
• It is capable of identifying the signatory and/or is logically associated with the document;
• It is created using means that are under the signatory's sole control;
• It is linked to other electronic data in such a way that any alteration to that data can be detected;
• Any change to the e-signature after signing is detectable.

Electronic signatures are popular because they are easy to use. People have several ways to indicate their eSignature:

• Clicking a website button to accept, sign, initial or confirm (e.g. “I Agree”, “I Accept”)
• Tracing a handwritten signature with the mouse
• Typing the signatory's name
• Pasting a scanned image of the signatory's signature

What is Digital Signature?

The Digital Signatures Act 1997 (“DSA”) defines a “digital signature” as “a transformation of a message using an asymmetric cryptosystem (“an algorithm or series of algorithms which provide a secure key pair”) such that a person having the initial message and the signer’s public key can accurately determine (a) whether the transformation was created using the private key that corresponds to the signer’s public key and (b) whether the message has been altered since the transformation was made.”
• In Malaysia, government-authorized CAs are allowed to issue digital certificates to users as a digital identity for performing electronic transactions. The use of a recognized digital signature can fulfil the requirements of confidentiality, identity authentication, non-repudiation and integrity of information. Compared to an electronic signature, a “Digital Signature” differs as follows:
• The user's signature is created using the private key that corresponds to the signer's public key. To support non-repudiation, the private key is always generated and stored in a secure element such as a smart card or hardware security module.
• It can detect whether the message has been altered, for each signatory.
• The user can embed their own “unique fingerprint” into the document.
• The private key is unique to each user.
• The signature information is permanently embedded into the document.
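Worked example of the DSA definition above, added here and not part of the original post or of any IdThrivo product: an Ed25519 key pair from the Go standard library stands in for the signer's certificate-bound key, and the verifier, holding only the public key, answers the two questions (a) and (b). The document text, the record type and the function names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// SignedDocument is a constructed record carrying the document together with
// the signature information, the "permanently embedded" part of the text.
type SignedDocument struct {
	Content   []byte
	Digest    string            // SHA-256 "fingerprint" of Content, hex encoded
	Signature []byte            // Ed25519 signature over Content
	Signer    ed25519.PublicKey // public key the verifier checks against
}

// Fingerprint returns the SHA-256 digest of content as a hex string.
func Fingerprint(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// SignDocument is the DSA's "transformation of a message using an asymmetric
// cryptosystem": only the holder of priv can produce this signature.
func SignDocument(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{
		Content:   content,
		Digest:    Fingerprint(content),
		Signature: ed25519.Sign(priv, content),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// VerifyDocument answers the DSA's two questions using only the public key:
// (a) was the signature created with the private key matching doc.Signer, and
// (b) has the content been altered since signing. Either failure gives false.
func VerifyDocument(doc SignedDocument) bool {
	// The fingerprint check is cheap but does not replace the signature check:
	// whoever edits the content can recompute the digest as well.
	if doc.Digest != Fingerprint(doc.Content) {
		return false
	}
	return ed25519.Verify(doc.Signer, doc.Content, doc.Signature)
}

func main() {
	// Constructed scenario: a finance officer signs a budget approval.
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	doc := SignDocument(priv, []byte("Budget approval FY2021: RM 250,000"))
	fmt.Println("original verifies:", VerifyDocument(doc)) // true

	// Alteration after signing: even with a recomputed digest, the signature
	// no longer matches the content.
	altered := doc
	altered.Content = []byte("Budget approval FY2021: RM 950,000")
	altered.Digest = Fingerprint(altered.Content)
	fmt.Println("altered verifies:", VerifyDocument(altered)) // false

	// Wrong signer: another person's public key cannot validate it, which is
	// what ties the signature to the holder of that one private key.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	impostor := doc
	impostor.Signer = otherPub
	fmt.Println("other key verifies:", VerifyDocument(impostor)) // false
}
```

In a real deployment the public key arrives inside an X.509 certificate issued by the CA, and the verifier additionally checks the certificate chain and revocation status before trusting it.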

National Digital Identity (PKI-Based)

By | Uncategorized

Referring to https://en.wikipedia.org/wiki/Smart_Nation, Singapore's Smart Nation initiative was launched by Prime Minister Lee Hsien Loong on 24 November 2014. The initiative aims to benefit the nation in terms of jobs, quality of life and social improvement. This article mainly delves into the technology aspect of digital identity, with the newly embedded PKI (Public Key Infrastructure) features that enhance security and encryption. We will look from different angles at how this enhanced Digital ID can help achieve nationwide objectives such as cashless, paperless and presenceless transactions.
We first look at the evolution of digital identity. By definition, a digital identity consists of various pieces of information, or data attributes, that are technologically linked to a real entity in the physical world. Data attributes commonly used today include usernames and passwords, date of birth, ID numbers, mobile number, bank details, biometric data, device information, certificates and so on. Malaysia introduced the digital certificate business in 2000. In short, certificate-based digital identity is not new to the market; however, in the past its use was focused on specific applications, for example e-procurement, e-Court, e-tax and so on.
We have also noticed that ASEAN governments have started to introduce or explore a new version of national digital identity (version 2.0 or higher), and the key element added is PKI technology as the security foundation. With a PKI-based digital identity, the government issues a digital certificate to every citizen. This provides users with a single identity to transact with the government securely and conveniently.
In a nutshell, in order to become a fully digital government, regulatory and governance frameworks, digital technology and PKI are key elements to ensure collaboration in a secure ecosystem.

Objective of National Digital ID Infrastructure

• A secure digital infrastructure to support the Digital Economy, Digital Government and Digital Society
• A unified, verifiable identity platform
• A strong security foundation for online services and transactions
• Digitized contract signing and paperless productivity

Why Government go for PKI?

Compared to other options like username and password or SMS OTP authentication, PKI technology offers the following additional advantages:
Confidentiality: Assurance that only the intended recipient can see the data
Authenticity: Assurance that the sender or recipient is who he/she claims to be
Integrity: Assurance that the data has not been altered
Non-Repudiation: Assurance that the sender cannot refute that he/she had sent the data
You can refer to this link for more information: https://en.wikipedia.org/wiki/Public_key_infrastructure. Basically, PKI offers an asymmetric-key implementation based on a public/private key pair, as opposed to shared-key or shared-secret methods. With the private key stored in the user's secure environment (mobile secure storage or smart card), this offers a higher level of trust.

Benefit of PKI-Based National Digital ID

From a wider perspective, implementing PKI in national identity management systems can bring the following benefits:
• PKI technology creates a high-trust environment that provides non-repudiable online transactions
• Effectively resolves online fraud problems, as service providers can offer more security services based on the National Digital ID
• Assemble services more quickly and at lower cost (paperless and presenceless transactions)
• Establish trust and make services available over digital networks
• By harnessing digital to build and deliver services, the government can transform the relationship between citizen and state and the communication between agencies
• Centralized identity provider with various service-provider deployment modes
• Ensure online transaction security (transaction signing and verification)
• Empower civil servants to deliver differentiated services
• Transform paper-based processes into real-time transactions that increase paperless productivity
• Conduct more transactions remotely without in-person presence

What are the current challenges?

In fact, we are not new to Digital ID, as we already access many systems online, for example:
• Accessing bank services via OTP authentication
• Accessing an eWallet app via PIN with OTP
• Accessing government services with username and password

From the above, we can see that we hold different user credentials and use the mobile phone as an additional channel to protect our accounts. From my personal point of view, OTP-level protection is not a future-proof option as we move into the new digital economy era of digital banks and ecosystems that require much more collaboration. Without assurance of the real digital identity (who we are dealing with) in an online transaction, it is hard to build trust within the digital ecosystem.

High-level view of the current Digital ID challenges:

• No standardization of digital identity security protection
• Fragmented, siloed implementations that cause duplicated setup and maintenance cost
• Interoperability problems
• High investment cost for service providers to offer a secure digital identity

In conclusion, a National Digital ID can bring the following benefits to the nation.

Secure Cyber Security Foundation

• Secure foundation for the digital identity ecosystem
• Seamless user experience when accessing government services (user authentication and authorization)
• Transaction verification and secure exchange of data
• Business value-added services, for example digital agreement signing, which facilitates end-to-end digitalisation of business
• Secure access to online financial services
• Secure identification and authentication can effectively prevent online financial crime
• Lack of interoperable standards
• The ability to check and validate any identity
• Protect high-value transactions, and also support the use of biometrics for added identity assurance of customers
• Paperless productivity

Paperless Government

Government can transform a paper-intensive organisation by cutting out expensive and inefficient paper-based processes. This improves organizational efficiency and provides strong audit trails, decision traceability and control. In addition, under the e-Gov initiative, government can offer more services to citizens and businesses, for example authenticating digital identities and retaining long-term evidence proving who submitted e-documents.

New Secure Application

• Agreement & Form Signing
• National Digital Transaction Platform
• Mobile PKI ID
• PEPPOL eInvoice
• Trust Verifier Platform
• Secure Paperless Solution
• National Data Exchange Platform
• Trust Service Foundation

You can contact sales@idthrivo.com to arrange a demo on how our product ThrivoSign can help government in building secure PKI-based applications.

Mobile Authentication in FinTech

By | Uncategorized

We first start with the definition of authentication. Referring to https://en.wikipedia.org/wiki/Authentication, authentication (from Greek: αὐθεντικός authentikos, “real, genuine”, from αὐθέντης authentes, “author”) is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. From my perspective, an entity can be a real user, a device or an application that has to “show” the “server” “something they have” before system access is allowed.
In short, users must securely protect the authentication data or attribute; otherwise, when someone steals the data or reproduces the same credential, they can easily access the system with the same piece of data. This is especially important when the system only enforces password authentication (single-layer security). In general, a complex password rule is not a good choice for a consumer-facing application: users will easily forget the password if the application is not used daily. This is why most mobile apps only go for the minimum password rule in order to maintain a good user experience.
This short article mainly explains, from a product design perspective, what mobile application security design means in terms of authentication. We will try to understand the context of “Mobile Authentication” and what exactly it should look like:
• Does it mean securely authenticating the user/identity from the application to the authentication server only?
• Does it mean authenticating the mobile app/device to the authentication server, while identity verification remains the same?
• Or combining both methods to achieve multi-layer security from mobile to server?

The main difference between a web-based application and a mobile app is that the mobile app is natively designed as a rich client (it can access device info, geo-location and so on), while the web browser is unable to access local resources because of the operating system's security design. Some argue that the same is possible with a “web browser plug-in” or “endpoint client software”; however, from my perspective, this is not natively available, as you need to maintain tasks like OS updates, Java component updates and so on.
With this, a mobile app offers more “authentication options” such as:
• Live gesture biometrics, for example “shaking” the handphone in a pattern that the system matches against your registration profile
• Face/iris recognition
• Fingerprint authentication, as most smartphones come with this feature
The high-level authentication options available are as follows:
• Password with well-defined rules
• Digital certificates that bind an identity to a public/private key pair
• Hardware tokens / soft tokens / SMS tokens
• Biometrics: fingerprints, voiceprints, iris scans, handwritten signatures
• Proximity-based authentication
• Key-based authentication
Before going further, we also take a quick look at the technology buzzwords available today.

Adaptive authentication

– Depending on the defined risk profile, users are required to authenticate based on the access environment and all contextual attributes collected (geo-location, browser information, device information and so on)

Seamless authentication

– a method where the user is authenticated to an entity without the burden of credential requests

Behavioral Authentication

– continuous monitoring and scoring of the authenticated user's access; for example, typing speed, application time usage, mouse movement and transaction information

The concepts covered above generally share the same objective: “Minimize user intervention (offer the best user experience) while providing the highest security whenever needed”.

Many times customers want to deploy a one-size-fits-all authentication solution, but the reality is that the more security you add, the higher the investment cost. Since FinTech apps do not have strict regulated policies and procedures to comply with, like PCI DSS (to the best of my knowledge), they go with the minimum requirements that fit their business needs.
I tested a few eWallet mobile apps in Malaysia; my quick fact-finding is below.

1. Some eWallet apps enforce that the user MUST complete authentication successfully before proceeding to the service page, while others do not.

From my point of view, this is for the product manager to design. For example, if you offer a wealth management app, do you require the user to complete sign-up and log in again before showing your offer?
If I were the user of a food delivery app, I would expect the app to quickly show me the food delivery services before I did my registration.

2. Does the mobile application log out the user if the user logs in from another device?

This is a minimum control that I think should be deployed, especially for eWallets that deal with monetary transactions. It can immediately notify the “owner” if someone takes over the account remotely. The TNG eWallet, which notifies users via the app when you pass through a toll, is a good example: real time with almost zero cost.

3. Users can log in with Mobile No/Email and PIN

When you access the app with either a password or a PIN, the strength of the authentication is almost the same, though a shorter PIN is weaker if the app does not apply any “key-based authentication” or “device binding” mechanism. Attacks like phishing, fake-app downloads and others can easily capture the PIN.
According to the Verizon Data Breach Investigations Report, 30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link.
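Added example (not from the original post and not describing any named app) of the “device binding” plus PIN design mentioned above, in Go: the server stores only a PIN digest and each enrolled device's public key, issues a single-use challenge, and accepts the login only when the PIN matches and the challenge is signed by an enrolled device, so a PIN captured by phishing is useless on an unenrolled phone. The account type, device IDs and sample PIN are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrBadNonce      = errors.New("unknown or already used challenge")
	ErrBadPIN        = errors.New("wrong PIN")
	ErrUnknownDevice = errors.New("device not enrolled for this account")
	ErrBadSignature  = errors.New("challenge signature invalid")
)

// Account is the server-side record for one wallet user: a PIN digest plus the
// public keys of enrolled devices; private keys stay on the phone. Plain SHA-256
// of the PIN is a constructed simplification; a real service uses a slow KDF
// and attempt throttling, because a 6-digit PIN space is tiny.
type Account struct {
	pinHash [32]byte
	devices map[string]ed25519.PublicKey // device ID -> enrolled public key
	nonces  map[string]bool              // outstanding single-use challenges
}

func NewAccount(pin string) *Account {
	return &Account{pinHash: sha256.Sum256([]byte(pin)),
		devices: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// EnrollDevice binds a device key to the account: the "new device" step that
// the text says should be gated by SMS/email OTP verification.
func (a *Account) EnrollDevice(id string, pub ed25519.PublicKey) { a.devices[id] = pub }

// Challenge issues a fresh random nonce that the device must sign.
func (a *Account) Challenge() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b[:])
	a.nonces[nonce] = true
	return nonce, nil
}

// Authenticate needs something the user knows (PIN) and something the user has
// (an enrolled device key). The nonce is consumed first, so a captured (nonce,
// signature) pair cannot be replayed. Distinct errors are for illustration only.
func (a *Account) Authenticate(pin, deviceID, nonce string, sig []byte) error {
	if !a.nonces[nonce] {
		return ErrBadNonce
	}
	delete(a.nonces, nonce)
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], a.pinHash[:]) != 1 {
		return ErrBadPIN
	}
	pub, ok := a.devices[deviceID]
	if !ok {
		return ErrUnknownDevice // a phished PIN alone gets no further
	}
	if !ed25519.Verify(pub, []byte(nonce), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	acct := NewAccount("482913") // constructed sample PIN
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	acct.EnrollDevice("phone-A", pub)
	nonce, _ := acct.Challenge()
	sig := ed25519.Sign(priv, []byte(nonce)) // computed on the phone
	fmt.Println("enrolled device:", acct.Authenticate("482913", "phone-A", nonce, sig))
	fmt.Println("replayed challenge:", acct.Authenticate("482913", "phone-A", nonce, sig))
}
```

On a real phone the device private key would be generated inside the keystore or secure element, so it cannot be copied to a second device even by a fake app running on the same handset.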

4. What is the best way to implement “forgot password”?

eWallet apps differ in their design when it comes to user account binding. How does the user identification flow work, and how does the system know that each user is “unique”? Common options are as follows:
• Mobile No
• Email
• User Name
• Social Identity (Facebook/ Google)
• Combination of above

For example, in Lazada Wallet the wallet account is built on the unique combination of an email address and phone number, as described here:

https://www.lazada.com.my/helpcenter/miscellaneous-my.html?spm=a2o4k.helpcenter-topic.articles-list.5.46c34bd6OR8CeS

Some mobile apps do not function as an eWallet from day one. Mobile number and social identity seem to be the first choice to complete registration as fast as possible. We must consider cases such as: if users top up money into the wallet, how do they reclaim ownership if their mobile number changes?
For instance, I remember an eWallet player in Indonesia set up a service counter in a shopping mall where, besides resetting the password, they change the mobile number and top up the wallet credit as well. This effectively performs face-to-face verification of personal details.
The minimum control that I think should be applied is that the OTP for password reset MUST be sent to the user's email or via SMS. A wallet that implements both to ensure user account security is worth highlighting from a security point of view. When you use a social identity like LinkedIn, Google or Facebook, it has good built-in user verification capability by default.

I also tested logging in to the app from different devices with the same credentials (Mobile No + PIN/Password), and was surprised that some of the apps did not require 2-factor SMS session verification for a new device that had never been used before.

eWallet is a TRUST business, NO SECURITY = NO TRUST = NO USERS.

I suggest FinTech apps should put more effort and consideration into the “Security vs User Experience” design.

“Trust takes years to build, seconds to break, and forever to repair” (Unknown)

Challenges of Enterprise Encryption

By | Uncategorized

Facebook Private Social Platform (The future is Private)

Referring to Mark Zuckerberg's keynote speech at the Facebook Developer F8 Conference, CEO Mark Zuckerberg stressed his vision of building a new “privacy-focused” platform covering the following priorities:
• Private Interactions
• Encryption
• Reducing the permanence of posts
• Safety
• Interoperability
• Secure data Storage
Zuckerberg said that a huge effort is needed to build the infrastructure to support this “privacy” vision. From a product manager's perspective, we will try to explore the top challenges for any other enterprise that wants to implement encryption technology.

Security vs Convenience and Cost

Security and convenience have always worked in opposition, and security experts find it hard to strike the right balance between them. Although encryption can be used to protect sensitive data and systems, it increases the cost in terms of technology investment and hiring, and at the same time lowers convenience because of the newly added security control.
Referring to https://enterprise.verizon.com/resources/reports/dbir/, in 2018 53,000+ incidents and 2,200-odd breaches happened globally. At a high level this shows that the need to get more stakeholder buy-in for data security or information security investment remains high.
You need to find the right “adoption driver” or “motivation” to justify the investment.

People

In short, you need someone who understands encryption technology well and, more importantly, knows how to apply it to fit your organization's needs. An “applied cryptography” expert or practitioner is important in defining the problems and project scope, the cryptography strategy and the implementation strategy.

For example, the security controls below are not sufficient on their own to protect end-to-end data security:
• A “proprietary” way to secure the data …
• “We already deploy SSL for our mobile application” …
• An application that enforces strong password rules …

Technology (Standards & Tools)

Rather than defining your own standards, you can start by looking into two widely accepted cryptography industry standards:
• https://www.nist.gov/topics/cryptography
• OASIS Key Management Interoperability Protocol (KMIP) TC (https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)

In common, both standards introduce the concepts and provide cryptographic key management guidance, best practices, key management specification requirements and so on.

Depending on scope and team ability, you can choose the right tools from a few options:
• Open source software – https://www.ibm.com/developerworks/library/se-kmip4j/
• https://www.bouncycastle.org/
• Enterprise key management software or appliance
• Build your own KMS based on Java Cryptography or .NET Framework cryptography

More information is explained at this link: https://en.wikipedia.org/wiki/Key_management#cite_note-14
We will share more detail about “What is a Key Management System?” in our next blog.

Unified Signing Server & Solution (USSS)

By | Uncategorized

Unified Signing Server & Solution (USSS) is a complete digital signature solution capable of creating and verifying advanced long-term digital signatures.
• Offers the most feature-rich signing capabilities, with an advanced cryptographic key management module, remote signing and mobile signing
• Flexible integration interface, easily complying with different types of PAdES signature
• Plug-and-play document signing solution to manage your workflow
• Verification services support certificate validation and digital signature verification based on trusted CAs and key usage policy

WHY IdThrivo USSS SERVER?

• Provides non-repudiation of documents or transactions: digitally signed documents and transactions are sealed electronically
• Improves the efficiency of the organization's data workflow
• Increases document security and privacy for the organization and its consumers
• Apply digital signatures to documents within minutes
• Integrated with secure signature cryptographic devices
• Built-in timestamping server module provides an accurate record of when data existed
• Assurance of data integrity, and thus resistance to fraud and tampering
• Utilizes standards-based digital signatures and X.509 certificates
• Complete signing options: remote signing, local signing or mobile signing (upcoming release)
• Provides complete out-of-the-box PKI infrastructure, including real-time Validation Authority (VA) and Time Stamp Authority (TSA) servers
• Strong security based on PKI technology to guarantee signer identity and intent, data integrity and the non-repudiation of signed documents

BENEFITS OF USSS SERVER

• One-stop solution to enable CA business expansion, government document security and an enterprise paperless working environment
• Complete signing mechanisms: remote signing, local signing and mobile signing
• Flexible integration via web services
• Faster time to market
• Integrated “entities” life cycle management
• Central management system and system logging
• Signing profile definition and policy setting
• Loosely coupled or tight integration with third-party CAs