Digital Signatures: The hidden vulnerabilities in the new normal

Dan May, Commercial Director at ramsac, takes a fresh look at how digital signatures work, their security value and their relationship to encryption, along with best practice advice on how to ensure that they are deployed securely in your company.

When we started working from home in March 2020, businesses had to adapt to the new way of working across the UK, which included signing contracts, business documents, and more.

Much like the Zoom database leak of April 2020, hackers have found ways to bypass security and gain access to confidential documents through a variety of methods in digital signature documents.

How does digital signing work?

Digital signature companies, such as DocuSign and Adobe Sign, use Public Key Infrastructure (PKI). PKI uses a public and private key to ensure that the signature provided is authentic. To verify the authenticity, PKI requires key matches between the signer and the signee.

Numerous laws are surrounding digital signatures and their legality and have been since 1999. Regulations such as the Electronic Identification and Trust Services (eIDAS) regulation, was recently adopted in the European Union. Because of the nature of documents involved in digital signing, many legislation protects who can create digital signature companies and how they must work.

Methods of hacking

There are three main ways to hack a PDF. Hide, replace and hide and replace. Together they form the shadow attacks group, and research publicly identified them in July 2020. All three attacks manipulate the PDF between the creator and the signer, so both see a document that is correct.

Hide attack

A hide attack involves concealing the malicious content behind other non-malicious content. This could be an image or box. Once the victim has signed the document and sent it back to the attacker, the attacker reveals the hidden content and can access the information.

Replace attack

A replacement attack can occur by changing or replacing certain minor aspects of a legitimate form. This could be changing fonts to lookalike ones but importing malicious code.

“For instance, the (re)definition of fonts does not change the content directly. However, it influences the view of the displayed content and makes number or character swapping possible,” the researchers explained.

This can be incredibly deceptive as it will look exactly as it should, and for important forms, can steal essential information such as a mortgage application. 

Hide and replace attack

This is considered the most advanced shadow attack as it enables hackers to replace the entire contents of a PDF. The signee sees a correct document and signs. Still, by hiding malicious content behind legitimate content and replacing elements with less than legitimate code, the hacker has multiple ways to access the document.  

Because of the nature of the hide and replace, they can go undetected by security scanners.

Prevention is better than cure

One of the weakest links in cybersecurity is the human. Providing your team with cybersecurity training to know the signs of a scam or fraud and how to question emails. Under GDPR, all staff, including directors and board members, of your company must receive some form of cybersecurity training.

As attacks get more sophisticated, regular and updated training and awareness among staff is key. Ensuring all computers are up to date, with the correct security patches is imperative. Research from January 2021 shows that 26 of the 28 main PDF viewers are susceptible to some or all commonly known attacks. Therefore, choosing a document signing system that is considered secure is also key.

As well as the human aspect, having secured passwords is key, rather than sharing them on unsecure messaging services. Apps such as Password Boss or LastPass can help to encrypt and store passwords safely but ensure collaborative working through team member sharing. Requiring password changes every six months, or a similar time frame is best practice to ensure no repeated or outdated passwords.  

READ MORE: 

Public Wi-Fi is a huge security risk, and it is recommended not to connect in any circumstance for work, even when using it with extreme caution and a VPN. A classic scam involves hackers sitting in the corner of places like coffee shops broadcasting a “free” wireless access point, pretending to be the coffee shop. They can then drop files onto your computer or make a copy of all the internet activity you do. 

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech

Choose an AI solution to transform beyond technology

Kit Cox • 09th December 2024

The first step is knowing exactly what your business wants to achieve with AI; think faster, smarter and more efficient. Once you know what you are working towards, you can start looking for a solution that can help you make it a reality. AI integration can feel like a daunting task at the beginning, so...

A Roadmap to Security and Privacy Compliance

John Lynch Director of Kiteworks • 04th December 2024

Only by understanding the current regulatory environment and implementing robust data protection measures, can organisations enhance their security posture, ensure compliance, and build resilience against the latest cyber threats. This article provides a comprehensive roadmap of how to do it.

Data-Sharing Done Right: Finding the Best Business Approach

Bart Koek • 20th November 2024

To ensure data is not only available, but also accessible to those that need it, businesses recognise that it is vital to focus on collecting, sorting and governing all the data in their organisation. But what happens when data also needs to be accessed and shared across the business? That is where organisations discover a...

Nova: The Ultimate AI-Powered Martech Solution for Boosting Sales, Marketing...

Erin Lanahan • 19th November 2024

Discover how Nova, the AI-powered engine behind Launched, revolutionises Martech by automating sales and marketing tasks, enhancing personalisation, and delivering unmatched ROI. With advanced intent data integration, revenue attribution, and real-time insights, Nova empowers businesses to scale, streamline operations, and outperform competitors like 6Sense and 11x.ai. Experience the future of Martech with Nova’s transformative AI...

How E-commerce Marketers Can Win Black Friday

Sue Azari • 11th November 2024

As new global eCommerce players expand their influence across both European and US markets, traditional brands are navigating a rapidly shifting landscape. These fast-growing Asian platforms have gained traction by offering ultra-low prices, rapid product turnarounds, heavy investment in paid user acquisition, and leveraging viral social media trends to create demand almost in real-time. This...

Why microgrids are big news

Craig Tropea • 31st October 2024

As the world continues its march towards a greener future, businesses, communities, and individuals alike are all increasingly turning towards renewable energy sources to power their operations. What is most interesting, though, is how many of them are taking the pro-active position of researching, selecting, and implementing their preferred solutions without the assistance of traditional...

Is automation the silver bullet for customer retention?

Carter Busse • 22nd October 2024

CX innovation has accelerated rapidly since 2020, as business and consumer expectations evolved dramatically during the Covid-19 pandemic. Now, finding the best way to engage and respond to customers has become a top business priority and a key business challenge. Not only do customers expect the highest standard, but companies are prioritising superb CX to...