Digital Signatures: The hidden vulnerabilities in the new normal

Dan May, Commercial Director at ramsac, takes a fresh look at how digital signatures work, their security value and their relationship to encryption, along with best practice advice on how to ensure that they are deployed securely in your company.

When we started working from home in March 2020, businesses across the UK had to adapt to a new way of working, and that included how contracts, business documents and more were signed.

Much like the Zoom data leak of April 2020 showed for video calls, attackers have found ways to undermine the security of digitally signed documents, and with it the confidentiality and integrity of the agreements those documents are meant to protect.

How does digital signing work?

Digital signature services such as DocuSign and Adobe Sign rely on Public Key Infrastructure (PKI). Each signer holds a private key, used to sign a hash of the document, and a public key, distributed in a certificate issued by a certificate authority. Anyone who receives the document can use the public key to check that the signature was produced with the matching private key and that the document has not changed since it was signed. It is this pairing of the signer's private key with the public key in their certificate, rather than a secret shared between signer and recipient, that establishes authenticity.

Laws governing the legal standing of electronic signatures go back to the EU's Electronic Signatures Directive of 1999. Its successor, the Electronic Identification and Trust Services regulation (eIDAS), was adopted in 2014 and has applied across the European Union since 2016. Because of the sensitivity of the documents involved, this legislation also governs who may operate as a trust service provider, issuing the certificates behind qualified signatures, and how they must operate.

Methods of hacking

Security researchers at Ruhr University Bochum publicly described three attacks on signed PDFs in July 2020: hide, replace, and hide and replace. Together they are known as the shadow attacks. None of them forges a signature. Instead, the attacker prepares the PDF before the victim signs it and then alters what a viewer displays after signing, by appending an update rather than editing the signed bytes, so the signer sees a correct document while a later reader sees something different under a signature that still validates.

Hide attack

In a hide attack, the attacker prepares the document so that the content they really want signed is concealed behind harmless-looking content, such as an image or a form field overlay. The victim sees only the overlay, signs the document and sends it back. The attacker then appends a small update that hides the overlay, revealing the content underneath. Because the update is added after the signed bytes rather than changing them, the signature still validates, and the victim has effectively signed content they never saw.

Replace attack

A replace attack changes small, seemingly harmless parts of a legitimate form, typically by appending an update that redefines objects the viewer treats as cosmetic, such as fonts. Swapping a font for a lookalike changes nothing in the signed text itself; it changes how that text is rendered.

“For instance, the (re)definition of fonts does not change the content directly. However, it influences the view of the displayed content and makes number or character swapping possible,” the researchers explained.

This is highly deceptive: the document looks exactly as it should, and on an important form such as a mortgage application the signer can end up bound to figures or terms they never agreed to.

Hide and replace attack

This is considered the most advanced of the shadow attacks because it lets the attacker replace the entire content of the PDF. The attacker embeds a second, complete document inside the file as an object that nothing references, so no viewer displays it; the signer sees the legitimate content and signs. An appended update then re-points the page at the hidden document, so a later reader sees entirely different content under a signature that still checks out.

Because the hide and replace attack alters nothing inside the signed byte range, signature validation in most viewers reports the document as valid and unmodified, and conventional security scanners have no reason to flag it either.
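To make the mechanism behind the PKI description above and the shadow attacks concrete, the following is an added example written for this article; it is not code from the researchers, from DocuSign or Adobe, or from any PDF viewer. A toy textbook RSA signature over a SHA-256 hash stands in for a real PKI key pair (constructed keys, no padding, not for real use), and the PDF is a constructed, deliberately minimal one: no cross-reference table, approximate stream lengths, and hypothetical payment text. The attacker has parked a second content stream, object 5, that nothing references, so the signer's viewer shows object 4. The signature covers every byte of the file at signing time, as a real /ByteRange would. The attacker then appends an incremental update that redefines object 3, the page, to point at object 5: the signed bytes are untouched, so the signature still verifies, yet a viewer that honours the update renders the shadow content. The last function is the check a careful validator adds: any object that existed in the signed range and is redefined in unsigned trailing data.

```python
import hashlib
import re

# Toy textbook RSA (constructed keys, no padding) standing in for the signer's PKI key pair.
# Illustration only: real signatures use padded RSA/ECDSA keys bound to a CA-issued certificate.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

def sign(data: bytes) -> int:
    """Sign SHA-256(data) with the private key."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
    return pow(h, D, N)

def verify(data: bytes, sig: int) -> bool:
    """Check a signature with the public key (N, E): anyone holding the certificate can do this."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
    return pow(sig, E, N) == h

# Constructed minimal PDF: no xref table, approximate /Length values; the parser below ignores both.
# Object 5 is the shadow content. It is in the file before signing, but nothing references it.
ORIGINAL_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 56 >> stream
BT /F1 12 Tf 72 700 Td (Transfer GBP 100 to ACME) Tj ET
endstream endobj
5 0 obj << /Length 59 >> stream
BT /F1 12 Tf 72 700 Td (Transfer GBP 100000 to ACME) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Attacker's post-signature incremental update: redefines the page so it now shows object 5.
SHADOW_UPDATE = b"""3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.S)

def objects(pdf: bytes, end=None) -> dict:
    """Object table as a viewer builds it: a later definition (incremental update) wins."""
    table = {}
    for m in OBJ_RE.finditer(pdf[:end]):
        table[int(m.group(1))] = m.group(2)
    return table

def rendered_text(pdf: bytes) -> str:
    """Follow Catalog -> Pages -> first Page -> Contents and pull out the Tj strings."""
    objs = objects(pdf)
    def ref(body, key):
        return int(re.search(key + rb"\s*\[?\s*(\d+) 0 R", body).group(1))
    catalog = next(b for b in objs.values() if b"/Catalog" in b)
    page = objs[ref(objs[ref(catalog, b"/Pages")], b"/Kids")]
    content = objs[ref(page, b"/Contents")]
    return b" ".join(re.findall(rb"\((.*?)\) Tj", content)).decode()

def sign_pdf(pdf: bytes) -> tuple:
    """Signer: the signature covers every byte present at signing time.
    A real PDF records that span as /ByteRange and stores the signature inside it."""
    return pdf, len(pdf), sign(pdf)

def signature_valid(pdf: bytes, byte_range_end: int, sig: int) -> bool:
    """What a naive viewer checks: only the bytes inside the signed range."""
    return verify(pdf[:byte_range_end], sig)

def redefined_after_signature(pdf: bytes, byte_range_end: int) -> list:
    """Extra check: objects that existed in the signed range but are redefined in the unsigned tail.
    A page or content object redefined there is the hallmark of a shadow attack."""
    signed = objects(pdf, byte_range_end)
    tail = {int(m.group(1)) for m in OBJ_RE.finditer(pdf[byte_range_end:])}
    return sorted(tail & set(signed))

def demo() -> dict:
    pdf, end, sig = sign_pdf(ORIGINAL_PDF)             # victim signs what their viewer showed
    attacked = pdf + SHADOW_UPDATE                      # attacker appends, never edits signed bytes
    edited = pdf.replace(b"GBP 100 ", b"GBP 999 ", 1)   # contrast: editing inside the signed range
    return {
        "signer_saw": rendered_text(pdf),
        "reader_sees": rendered_text(attacked),
        "signature_still_valid": signature_valid(attacked, end, sig),
        "redefined_objects": redefined_after_signature(attacked, end),
        "direct_edit_valid": signature_valid(edited, end, sig),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the signer saw "Transfer GBP 100 to ACME", a reader of the updated file sees "Transfer GBP 100000 to ACME", the signature over the original byte range still verifies, and a direct edit inside that range does not. The difficulty for real validators is that incremental updates are also how a second signature or a filled form field is legitimately added, which is why viewers have to judge which post-signature changes to allow; treating any redefinition of page or content objects after the last signature as a hard failure is the conservative rule.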

Prevention is better than cure

One of the weakest links in cybersecurity is the human. Give your team cybersecurity training that teaches them to recognise the signs of a scam or fraud and to question unexpected emails. GDPR expects staff who handle personal data, directors and board members included, to receive appropriate awareness training; Article 39 lists awareness-raising and training of staff among the data protection officer's duties.

As attacks become more sophisticated, regular and updated training and awareness among staff is key. Keeping all computers up to date with the current security patches is imperative: research published in January 2021 found that 26 of the 28 main PDF viewers were susceptible to at least one of the commonly known attacks, and viewer updates are how the fixes reach users. Choosing a document signing system that is considered secure, and a viewer that validates signatures strictly, is also key.

Alongside the human aspect, password hygiene is key: use strong, unique passwords, and where a password must be shared, share it through a password manager rather than over an unsecured messaging service. Apps such as Password Boss or LastPass store passwords in an encrypted vault and support controlled sharing between team members. Forcing password changes every six months is no longer considered best practice: both the UK NCSC and NIST advise against routine expiry, which pushes people toward weak, predictable variations, and recommend instead long unique passwords, multi-factor authentication, and a change whenever a compromise is suspected.

Public Wi-Fi is a significant security risk, and the safest policy is not to use it for work at all; caution and a VPN reduce the risk but do not remove it. A classic scam involves an attacker sitting in the corner of a coffee shop broadcasting a "free" wireless access point that impersonates the shop's own. Anything that then crosses the connection unencrypted can be copied, and the attacker can redirect your browser to fake login pages or push malicious downloads at you.


Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech
