(Click here to view the video here
The problem with email is that it is easy to intercept, and it is easy to be manipulated. Unprotected documents attached to the emails can then be edited without detection.
There are two ways to overcome this problem, one is email encryption and the other is to encrypt or digitally sign the document. In this article I will focus on digitally signing the document and in another I will talk about email encryption.
The native encryption in your standard Adobe Acrobat Reader is very easy to break, since there are many websites that offer password removal as a free service. A user simply has to upload the password protected document to the website, the protection will be removed and the fraudster is again able to change the detail and continue preying on innocent victims.
Digital signatures on the other hand are not as easy to break. This case study will look into the use of digital signatures in the South African context as a means of preventing email fraud.
In non-technical terms, a digital signature is a digital certificate that is embedded in the document, which prevents tampering with it. In a physical world, think of it as a fingerprint. Each fingerprint is unique and can belong only to one person. A digital signature can be seen as a digital fingerprint belonging only to a specific person that only that person can use to sign documents digitally.
So, what is the nature of this digital signature? In South Africa this type of certificate-based digital signature is referred to as an Advanced Electronic Signature (Aes) in the Electronic Communications and Transactions Act of 2002. In terms of the Act, an Aes must possess the following characteristics.
• It must be uniquely linked to the user (in other words it can only be used by one person, such as the fingerprint example)
• It must be capable of identifying the user (the nature of the Aes must be such that the digital certificate contains information identifying the user such as name, surname and other additional information)
• It must be created using means that can be maintained under the sole control of the user (the person using the Aes to sign the document must be the only one able to control how and when it is used.)
• It must be linked to the data message in such a way that any subsequent change of the data message is detectable (in this context, see the data message as the PDF invoice. As explained above, the certificate cannot be removed from the document and it will indicate if the document was changed in any way after it was signed)
• Is based on the face-to-face identification of the user (this one is probably the most important requirement of the lot. With all the other security features above, how do you know that the person who uses the Aes is in fact the person whose name appears on the certificate? I will elaborate on this separately below).
The entire process of obtaining an Aes certificate, requires that it can only be issued by an organization accredited by the South African Accreditation Authority, a division of the Department of Telecommunications and Postal Services. Such an organisation has to demonstrate that it has the technological and security mechanisms in place to ensure that strictest confidentiality and security is maintained when issuing Aes, before it will be accredited. It is also subject to an extensive annual audit to ensure that these standards are maintained.
Once such an organisation has been accredited, they are allowed to issue Aes-certificates. The issuing process involves a face-to-face identity verification process whereby the person’s identity if verified against an identity document or passport. The person’s details are then captured in the Aes digital certificate. Only after this process has been completed, will the Aes certificate be issued to the person. As it stands, in South Africa, only two organisations are accredited to issue Aes certificates, the South African Post Office and LAWtrust.
So, what does this all mean in the case of email fraud? The Aes digital signature goes a long way in preventing email fraud. As stated above, standard encryption can easily be broken but a document signed with a digital certificate is protected by very strong cryptographic techniques that are not easily broken. Should someone tamper with a signed document, Adobe Reader will raise an alert that will show the reader that the document cannot be trusted.
Below are two screenshots showing a PDF document signed with an Aes digital certificate. The first one is the validly signed document. Note, in the upper left-hand corner, the green tick and confirmation that states “Signed and all signatures are valid”
In this second image below, you cannot even see the change made to the document, but note the red tick and notice that at least one signature is invalid. Because I was not able to make any changes to the document, I clicked on the properties tab and tried to change the name of the author. Even that showed that the document had been tampered with and that it cannot be trusted.
In email interception scenario, where the email is intercepted by fraudsters, they will find that the intercepted document is locked and cannot be edited. Even if they try to edit it, the document will show that it has been tampered with and that it cannot be trusted. This means that by the time the ‘doctored’ document arrives at the intended recipient, they will be warned not to trust this document, which in turn will save them from paying out thousands or even millions of Rands to the wrong recipients.
With the rapid increase in email fraud and other similar crimes, companies have a duty to protect themselves and their customers from the onslaught of cyber criminals. Simple to implement technologies such as digital signatures make it easy to do this and with fast and efficient onboarding processes available, you have to ask yourself if you can really afford not to take the steps to protect yourself and your customers from digital fraud.
is Head of Legal and Compliance at LAWtrust
and passionate about security and privacy in an online world. LAWtrust provides a number of information security tools protecting South Africa’s most important information infrastructure and online transactions.