David Baker
www.davidbakeronline.com


Signing by numbers will bar casual snoopers

Digital signatures will allay fears of anonymous hackers getting bank customer details
Financial Times, September 30, 2000

A cartoon in the New Yorker a few years ago showed a dog sitting at a PC. Resting his paw lightly on the keyboard, he turned to his (canine) friend and said: "On the internet no one knows you're a dog."

The punchline has crept into IT parlance to represent the difficulty of identifying who is talking to whom on the internet. Anyone can create an e-mail address that has little or no relation to their actual identity. Men talking to "Gorgeous blonde" on web-based dating services can find the reality is somewhat different. As long as the name is available (it was at the time of writing) I could style myself "FTEditor" on one of the free e-mail services such as Hotmail or Bigfoot, even though I am not.

Casual dating and unfeasible delusions are one thing. Money is something else and there are currently only two secure ways a business or financial institution can verify that their customer is who they say they are: credit cards and digital certificates.

When you make a transaction using your credit card, your card number and other details are compared with the issuing company's database. If everything matches, the transaction is authorised and the flowers, books, CDs or whatever are sent on their way.

Digital certificates work in a similar way but provide a much higher degree of security. Like a credit card, a digital certificate is simply a number, but unlike a credit card, the number is very long and is produced by a complicated mathematical procedure that makes it hard for casual snoopers to copy and use. When you register to use a banking or stockbroking site, for example, a long, unique number is stored in your web browser as a certificate and, at the same time, an equally long number, again unique to you, is stored in the site owner's database. Each time you log on, your ID and password tell the site who you claim to be and another mathematical algorithm, involving both numbers, is used to confirm your identity. Your certificate number can also be attached to an e-mail and however it is transmitted it is encrypted before sending to prevent eavesdropping.

There are two downsides to this approach: The first is that you have to use the same PC each time you access your account or send an e-mail (as your identification number is stored on your hard disk) or use less secure, password-only access from another. The second is that you have to apply for, and be issued with, a new certificate by each institution you want to do business with. This may be fine when you are dealing with one bank, one stockbroker and an online bookseller, but imagine having to fill in an application form for every shop you might visit on the high street. This is where digital signatures come in.

Digital signatures are in effect portable certificates. Rather than each institution maintaining its own database, banks can use a third-party digital-signature issuer to verify the identity of their customers. At the same time, customers only have to register once - with the third-party provider.
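The scheme sketched in the two paragraphs above, as an added toy example that is not from the article: the customer keeps a private number, the third-party issuer signs the customer's public number once (the "portable certificate"), and a bank that stores only the issuer's public number checks a fresh login challenge. It uses textbook RSA over small constructed primes and Python 3.8+ `pow` for the modular inverse; the key sizes, the names and the challenge format are assumptions for illustration, not anything the article specifies.

```python
import hashlib
import secrets

# Toy RSA built from fixed, constructed primes. The numbers are far too small
# for real use; they only show the shape of the scheme described above.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)              # (public number, private number)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data, n), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)

def _cert_body(name, pub):
    return f"{name}:{pub[0]}:{pub[1]}".encode()

def issue_certificate(issuer_priv, holder_name, holder_pub):
    # The "portable certificate": holder's name and public number, signed once
    # by the third-party issuer. The holder's private number never leaves them.
    return {"name": holder_name, "pub": holder_pub,
            "issuer_sig": sign(issuer_priv, _cert_body(holder_name, holder_pub))}

def bank_verifies_login(issuer_pub, cert, challenge, response):
    # The bank keeps only the issuer's public number, not a record per customer.
    # 1. Was this certificate really issued by the trusted third party?
    if not verify(issuer_pub, _cert_body(cert["name"], cert["pub"]), cert["issuer_sig"]):
        return False
    # 2. Does whoever is logging in hold the private number the certificate names?
    return verify(cert["pub"], challenge, response)

def demo():
    issuer_pub, issuer_priv = make_keypair(1000000007, 998244353)
    customer_pub, customer_priv = make_keypair(2147483647, 1000000009)
    cert = issue_certificate(issuer_priv, "alice", customer_pub)  # registered once
    challenge = secrets.token_bytes(16)  # fresh per login, so a captured reply cannot be replayed
    response = sign(customer_priv, challenge)
    genuine = bank_verifies_login(issuer_pub, cert, challenge, response)
    # An eavesdropper without the private number cannot produce a valid response.
    forged = bank_verifies_login(issuer_pub, cert, challenge, (response + 1) % customer_pub[0])
    return genuine, forged

if __name__ == "__main__":
    print(demo())  # (True, False)
```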

"Digital signatures are the online equivalent of having a passport," says Paola Bassanese, consultant at Ovum, the telecommunications consultancy. "They are issued by a security provider, who can be the same or different from the bank or stockbroker, but can be used for transactions at a number of different institutions."

In the UK, two companies, BT Trustwise (www.trustwise.com) and ViaCode (www.viacode.co.uk), run by Royal Mail, are already marketing themselves as third-party digital-signature providers and there are many more in the US and the rest of Europe. (The cost is between $1 and $50 a signature, depending on volume.)

However, the onus is now on the financial services industry and government to make them commonplace.

"I'd love to have digital signatures today," says Phillip Bungey, e-commerce director of Barclays Stockbrokers. "There are, however, a number of hurdles to go through first."

The first of these is legislative. The government's electronic communications bill, which received Royal Assent on May 25 this year, essentially paves the way for digital signatures to be legally binding in a wide range of areas.

However, old legislation covering areas such as conveyancing, company reporting, court documents, social security applications and financial transactions, where ink signatures are the only recognised proof of agreement, still needs to be amended.

The Financial Services Authority, for example, requires institutions to show that customers have understood the risks involved in a particular transaction and, at the moment, that means the banks have to be able to produce an ink-signed document.

The government has delegated responsibility for coming up with a code of practice to the financial services industry itself, which will develop guidelines on how digital signatures are issued and where they will be recognised.

Although, in theory, each financial institution could choose to implement digital signatures in a different way and refuse to recognise those issued by its competitors, this would almost certainly be counterproductive. "There is enormous pressure on banks to be part of the scheme," says Ms Bassanese, "and move towards full inter-operability of signatures."

Forrester, the telecommunications consultancy, has warned that digital signatures could further widen the so-called "e-divide" with banks charging higher fees to customers who insist on using ink. But benefits in terms of speed and cost-savings mean that the advent of digital signatures is likely to be irresistible.

"Already countries such as Finland are piloting use of digital signatures on smartcards as an alternative to passports," says Ms Bassanese. "Once technical and inter-operability issues are sorted out, the only obstacle will be educating the market to accept them."
