Securing Financial Transactions Through Digital Signatures

Electronic documents have become an essential component of a company’s business. Many important commercial and contractual documents are often stored and exchanged in electronic form. Generally, the authenticity of such documents is not questioned, despite the fact that electronic documents can be easily changed without detection. Occasionally, however, disputes do occur and electronic documents that form the basis of business agreements may be called upon as evidence in court. Without some protective measures in place to prohibit the falsifying of electronic documents, important evidence can be rejected. While the occurrence of such a scenario may be small, the financial impact can be very significant.

Digital signatures, such as those that conform to the X.509 standard, are part of the answer to preventing fraud against electronic documents, as they are recognised across Europe as having legal validity and are an important tool for protecting the authenticity of documents. They provide ‘non-repudiable’ evidence of the document source and any tampering with the document is immediately obvious. This and other forms of data used to authenticate digital evidence are referred to legally as an electronic signature.

Electronic Signatures in Banking

Businesses worldwide that send and receive automated payments rely on digital signature validation to prove the identity of all users and for protection from fraudulent transactions. With the European banking landscape increasingly operating at an international level, it is vital that the financial community works together to develop agreed security protocols that enable businesses to make and receive payments and transactions securely in the cross-border environment.

Legal Implications of Digital Signatures

The requirements for electronic signatures in the legal arena are complicated by the differences between countries’ legal systems and by the differing forms of electronic signature accepted in each country. Some countries, such as the UK, are based on common law, where previous judicial decisions play an important role in defining legal requirements. Other countries, including much of central Europe, are based on civil law, where there is greater emphasis on defining specific technical regulations. In addition, pan-European legislation identifies different legal forms of signature with differing technical requirements.

In 1999, the European Parliament and Council agreed a Directive [1999/94/EC], which provides a framework for legislation on the use of electronic signatures. The Directive identifies three forms of electronic signature with increasingly stringent requirements: electronic signature, advanced electronic signature and qualified electronic signature.

The Directive requirements for electronic signature include the need for authentication but have no requirements that can be related to the degree of assurance of security. The requirements for advanced electronic signatures add functional requirements for integrity and sole control, but do not add any assurance-related requirements. For qualified electronic signatures, the Directive adds requirements on signing keys and their certification that give assurance about the security of the signature.

The application of the Directive varies significantly across Europe. Although British evidential standards recognise an electronic signature using digital signature technology, the UK has adopted a lightweight approach where any form of ‘electronic signature’ is acceptable for many situations. On the other hand, in countries such as Germany and Italy, qualified electronic signatures are required for a range of governmental and commercial applications, including electronic invoicing. Also, in such countries, the requirements of the Directive are further refined, identifying specific technical measures that must be employed. Advanced electronic signatures, however, are generally accepted for pan-European commerce. The same basic technical solution, based around digital signatures, is recognised across Europe and in most parts of the world.

Digital Signature Validation in Practice: VocaLink

An example of using digital signature validation in finance is VocaLink’s payments network. VocaLink, the UK’s automated clearing house, is employed by the Bankers Automated Clearing System (BACS) Payment Schemes Limited to process its direct debit and direct credit payments in the UK. In an average year, BACS processes more than 5 billion direct debit and direct credit payments on behalf of over 100,000 UK businesses. In order to process automated payments, VocaLink has to receive payment files from businesses. This transmission used to take place over dedicated communications channels or modems until VocaLink developed BACSTEL-IP a few years ago on behalf of BACS. BACSTEL-IP facilitates secure payment transmissions over Internet Protocol. The system uses digital signature validation to prove the identity of all users and to protect all payment transactions from corruption or tampering.

UK businesses that have migrated to BACSTEL-IP are issued with cryptographic smart cards by their bank. These cards contain digital certificates and keys, issued under a public key infrastructure (PKI), which are used to digitally sign all payment instructions, tying them to the signer and ensuring that they cannot be accidentally or deliberately altered.

Compatibility with all relevant PKI standards is ensured by verifying each transaction against the set of rules defined by the bank that issued the smart card being used to sign the transaction. The smart card holder is authenticated by challenge-response: the system generates a random number as a log-on challenge, and the cardholder responds by signing it using the smart card together with his secret PIN – so-called two-factor authentication. The identity is then cryptographically confirmed against the cardholder’s public key certificate and is validated in real-time with the issuing bank. Similarly, all payment requests and other transactions submitted to BACS are digitally signed by the user with the smart card and PIN and verified in real-time. The system also digitally signs the reports sent by BACS to users, so that the user knows he or she can rely on the contents of the report.

Since all digital certificates used are verified in real-time against the issuing bank, lost or stolen cards cannot be used to sign transactions, and changes in employee status are reflected in the system as soon as the bank is made aware of them. This substantially reduces the risk of fraud. Various levels of security access are supported for different personnel working in the banks or businesses using the system.
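The flow described in the two paragraphs above (challenge signed with card plus PIN, payment instructions signed with the same key, and real-time verification that rejects lost, stolen or withdrawn cards) is illustrated below in an added example that is not VocaLink’s or BACSTEL-IP’s code. It assumes ECDSA over P-256 with SHA-256, which the article does not specify, and models the card’s PIN gate and the bank’s card register in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Card stands in for the smart card: a private key that signs only with the
// right PIN. Bank stands in for the issuing bank's real-time validation service,
// mapping card IDs to registered public keys; revoking a card removes its entry.
// Both are constructed models for illustration, not the BACSTEL-IP components.
type Card struct {
	pin  string
	priv *ecdsa.PrivateKey
}
type Bank map[string]*ecdsa.PublicKey

// Issue generates the cardholder's key pair and registers its public key.
func (b Bank) Issue(id, pin string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	b[id] = &priv.PublicKey
	return &Card{pin: pin, priv: priv}, nil
}

// Revoke disables a card (lost or stolen card, or a change in employee status).
func (b Bank) Revoke(id string) { delete(b, id) }
// Challenge returns the random log-on nonce the cardholder must sign.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}
// Sign returns an ECDSA signature over SHA-256(msg); a wrong PIN signs nothing.
func (c *Card) Sign(pin string, msg []byte) ([]byte, bool) {
	if pin != c.pin {
		return nil, false
	}
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, h[:])
	return sig, err == nil
}
// Verify is the real-time check: card still registered, signature matches msg.
func (b Bank) Verify(id string, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return b[id] != nil && ecdsa.VerifyASN1(b[id], h[:], sig)
}
```

A single altered character in a payment instruction changes its SHA-256 digest, so the stored signature no longer verifies; revoking the card makes every signature from it fail from that moment on.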

Case Study: BankID in Sweden

Another example of a successful digital signature validation scheme is BankID in Sweden. With government services increasingly moving online, the Swedish government wanted to provide a secure online payment service for citizens that was available 24 hours a day. It soon became apparent, however, that identifying every single citizen online was impossible. Discussions with the banking community led to the creation of BankID, which allows members of the public to identify themselves to government authorities, companies and organisations through the use of a digital signature for online transactions.

The banks verify the user’s identity in person through a passport or a driver’s licence. This then allows the user to request a so-called ‘e-identity’, which the bank provides in the form of a cryptographic key and a digital certificate. This is subsequently used as electronic proof of identity for Internet-based transactions. Users can access more than 20 government services free of charge, ranging from tax declaration to social security services. The infrastructure also allows the banking community to mitigate its risk. Under the scheme, participating banks are able to charge government departments for services that use bank-issued identities.

Will SEPA Drive Digital Signature Validation Across Europe?

The lessons learnt from recent digital signature validation projects across Europe will prove particularly valuable in the current run-up to the single euro payments area (SEPA). VocaLink’s BACSTEL-IP migration in the UK has a number of parallels to the eurozone payments landscape that is emerging as a result of SEPA. Consequently, experiences such as VocaLink’s with digital signature validation could act as a valuable best-practice example of how European banks can also exploit this technology to meet their needs. It is therefore likely that digital signature validation of payment transactions will become increasingly widespread across Europe in the coming years post-SEPA.
