Best Practices of Electronic Signature Security

Electronic signature security is one of the top concerns of digital transactions as more and more businesses empower customers to make secure and faster transactions on the web. When you collaborate with an eSignature vendor, don’t look for an eSignature service that is ESIGN compliant or has a particular security specification. We recommend you to take a broader view of the e-signature security that also addresses:

  • Selecting appropriate authentication levels
  • Making esigned documents tamper-proof
  • Easier verification of esigned documents
  • Reliability of records independent of the vendor
  • Verifying vendor’s track record of protecting customer’s data
  • Creating trusted experience through white labeling

Such a focused multi-directional strategy protects the organization’s reputation, reinstates customer confidence, and reduces the risk of non-compliance fines in electronic signature security.

To identify the esignature security requirements against which you should evaluate solutions, you should proactively check these security best practices before finalizing and working with an esignature vendor.

Best practices for implementing Electronic Signature Security

Identification, Authentication, and Attribution

Identification: The identification process identifies first-time applicants using two types of information:

  • Personally Identifiable Information(PII) like Driving license, Aadhaar Card, Passport number
  • Nonpublic Personal Information(NPI) like credit score, income, social security number

You get Verified PII or NPI information through third-party identification services. In this case, look for an e-signature solution provider that smoothly integrates with third-party identity verification services to establish genuine esignature users’ identities.

Authentication: Once a signer’s identity is verified, organizations issue electronic credentials to the users to facilitate secure digital transactions. The organization dealing with high-value, high-risk business transactions use robust multi-factor authentication services to ensure a safe environment and protect identities, data, and digital lives.

In this case, look for an e-signature solution that easily integrates with authentication services and offers a wide range of authentication options for a smoother user experience like:

  • User authentication through user id and password
  • User authentication using secret Questions & Answer (Q&A)
  • Using e-Sign sessions for verification of email address
  • Uploading identification images for e-sign transaction

Attribution: Use the attribution process to prove the identity of the person who clicked to apply an esignature.

One of the quickest and cost-effective ways to establish attribution is to use affidavits.

Take a case where the signer has to click a button to e-sign a document on the agent’s device. Just before handing over the device’s control to the signer, the device handling agent or representative gets an affidavit text confirming that the signer has received the esignature device. The affidavit text successfully captures the transfer of control as a part of the audit trail.

Another easier way is to send a one-time passcode (OTP) via SMS text to the signer’s Smartphone for gaining access to the e-sign session.

Document and electronic signature security

The security of electronic signature and the esigned documents are equally crucial for a signed contract.

There are several points for consideration:

  • Electronic signature and the esigned documents must be secured using the digital signature security technology that creates a digital fingerprint of the signed document ( called a hash) used for verifying the integrity of the signed records. If there is an attempt to tamper with the documents, the electronic signature is visibly invalidated.
  • If signers esign a document on different days, then a comprehensive audit trail should include each signature’s date and time.
  • All electronic signatures, timestamps, and audit trails should be embedded directly within the document rather than stored separately in the cloud.
  • It must be easy to verify that there are no changes in the signed record, independent of the vendor.
  • One should avoid e signature solutions that require you to access servers to verify the signature or documents. It can pose significant problems for you if the subscription services stop or the e signature vendor goes out of business.

LunarPen uses audit trails to store and track every change in the document starting from tracking the date of signing a document to change signs in the document and retrieve data anytime for legal purposes.

Cloud Security

eSignature solutions are available both on-premises and in the cloud.

The on-premises esignature solution runs entirely within the company’s network without the need for any external connection to keep the data on-site. On the other hand, a growing number of companies are adopting cloud storage to access documents for esignature transactions as it is speedy and cost-effective. However, it comes with several security risks like data privacy, shared servers, data leakage, and lack of data backups.

It would be best to look after esignature vendors that provide tailor-made secure storage solutions as per the organization’s need.

LunarPen understands these security risks very well and has partnered with leading cloud infrastructure service providers like Onedrive, Google Drive, and Dropbox to access documents securely and send them for e signature to respective signers and signees in a few seconds.

These cloud solutions follow world-class SSL and Perfect Forward Secrecy (PFS) encryption systems. With PFS, a user can’t reuse a private SSL key for sessions that have occurred in the past. Even if an unauthorized person gets access to the SSL key, it isn’t easy to decrypt older traffic, making cloud solutions highly safe for day-to-day business transactions.

Use white labeling to safeguard signing service & customers against phishing attacks

Enhancing customer experience is the prime focus area of digital transformation. Organizations often depend on third-party solutions to support their day-to-day business process. A slight mistake ruins customer experience, leaks confidential information, and endangers the company’s finances that can tarnish its image.

So, a company must safeguard itself, its clients, and the brand name by ensuring a safe and transparent online transaction process.

The best practice is to white label the entire e-signing experience so that only your brand is visible across the transaction and not the vendor’s brand. White labeling prevents fraudsters from attacking your valuable customers through phishing emails.

Organizations should look for esignature service providers that enable the use of white labeling in esign process.

As a responsible esignature company, LunarPen recommends white labeling in every aspect of the esign process.

The best esignature solution service provider should allow you to

  • Use the company’s email servers to send direct emails and not through third-party service providers.
  • Customize the brand’s logo, theme color & visibility of header, footer, navigation bar,
  • Personalize the content, look & sound of email notifications
  • Customize dialog boxes and error messages

Case Study: How Hackers used fake DocuSign email for phishing

Hackers used DocuSign documents to steal user credentials from all the major email providers.

The attack began when a user received an unknown email that appeared to be from DocuSign as it included its original company logo and the email content seemed like real emails sent from the company.

The email’s first line didn’t have any recipient’s name and only mentioned “Good day.”

Cofence, phishing detection, and response platform analyzed the email header. They realized that the threat source originated from an unknown domain narndeo-tech.com owned by Hetzner, a well-known web hosting service provider and data center operator in Germany.

Its researchers found an embedded hyperlink pointing towards six different options for users to enter their credentials and access DocuSign documents. Fake login pages were recreated for Ms. Outlook, Office 365, Gmail, and Apple iCloud so that users enter and reveal their original login credentials.

It is the best example of a phishing case where cybercriminals used a well-known company’s brand name to steal customer information using emails.

LunarPen strongly advises its users to be extremely cautious when using an external link on an email that asks them to share their user credentials.

If you are keen on learning more about the electronic signature security checklist, click here.

Conclusion

When businesses implement an e-signature solution, It is always advisable to take a broad view of the electronic signature security, starting from identification, authentication and ending with the solution provider’s ability to build trust and a smooth user experience.

Trusted service means stringent security measures. But at the same time, the security level of an esignature solution should not conflict with the customer experience. It is important to balance security concerns with the solution usability as over-engineering can negatively affect solution adoption and usability.

Frequently Asked Questions

What is an eSign document?

eSign document means an electronically signed document in PDF, Doc, Xls formats. Such documents are signed using an ePen, mouse, or finger movement on any smartphone, laptop & Tablet securely using an e signature app protected by 256-bit HTTPS advanced encryption.

What is the purpose of esigning a document?

Its purpose is to authenticate and quickly identify the person who has initiated the written communication and ensure a secure exchange of information between different parties. The esignature made by an individual on the document signifies knowledge, approval, acceptance, or obligation.

What are the benefits of an electronic signature?

These are the significant benefits of using electronic signature:

1) Save Costs: Save time in doing paperwork, printing, scanning, mailing, delivering, and storing the document
2) Save Time: Saves you from age-old rituals of paperwork. Going digital saves a lot of time, allowing you to focus on other essential tasks.
3) Legal Compliance: Electronic signatures are legally binded and acceptable all over the world.
4) Mobility: A significant advantage of eSignatures is helping businesses function irrespective of location & time.

How can I eSign documents for free?

Follow these simple steps to eSign a document for free:

Step 1: Click LunarPen to open a free account
Step 2: Create or upload a document using templates, Google Drive & Dropbox
Step 3: Use the signed document sharing feature
Step 5: Send the document for signature
Step 6: Use the LunarPen interface to esign your documents for free
Step 7: Receive signed documents by email

Posted by Lunar Pen

Leave a Reply