Digital Signatures are the legally recognized means of authenticating electronic documents in India. Although a password is not a legally acceptable form of authentication, many companies, including Banks, ignore this and use passwords widely for many purposes, including financial transactions. While some Banks have started offering digital signing options for Banking transactions, most of them are banking only on the OTP system to secure the authentication.
The e-KYC system used by Banks also depends entirely on the security of the OTP system, and even though e-KYC can be used for e-Signing, which is legally equivalent to a digital signature, it is still no more secure than the OTP on which it rests.
Most Banks deliver the OTP only to a mobile phone, and the OTP is sent as an unencrypted SMS message. In such cases, if the mobile is compromised by an SMS-reading app, or the customer is subjected to voice-based phishing, the OTP will be compromised and could lead to fraud.
Banks need to anticipate such risks of compromise at the user-device level and either adopt security measures that withstand an OTP compromise or bear the responsibility for the resulting fraud losses. Independently of that, we can look at one measure which the Controller of Certifying Authorities (CCA) can initiate to improve the reliability of the Digital Signature system.
The CCA should take a leaf out of UIDAI's book in this regard, where some measures have been initiated which appear to be good for the CCA to introduce as well.
Firstly, just as UIDAI offers a biometric lock, the CCA can, through the Certifying Authorities, give the digital signature user an option to lock and unlock his digital signature through the repository maintained by the parent Certifying Authority (CA).
Secondly, every digital signing event in which a verification call is made to the repository could be logged with useful metadata and made available to the digital certificate subscriber. UIDAI already does this too, though the information it logs is sketchy and could be improved.
If such a facility is available, application developers may also make a "Verification Call" a mandatory step before a digital signature is applied in any usage scenario.
Offline digital signing could pose a problem here, but such situations can still be logged through a post-signing verification whenever the signatory next connects to the internet.
When such verification calls are made, there could be practical issues, including privacy concerns, to be considered, but these can be handled, since the verification takes place over a secure connection between the digital signer and the CA.
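The scheme described above, as an added illustration that is not part of the original post and not any CA's actual interface: a CA-side repository holding the subscriber's lock state and a usage log, and a client-side signer that refuses to sign while the certificate is locked, queues offline signatures for post-signing verification, and flushes them on reconnection. The repository API, field names and the HMAC stand-in for the subscriber's private-key signature are all assumptions.

```python
"""Model of the proposed lock/unlock and verification-call facility.
All class and field names are assumptions for illustration only."""
from dataclasses import dataclass, field
import hashlib
import hmac
import time

@dataclass
class CaRepository:
    """Repository kept by the parent CA: lock state plus per-subscriber usage log."""
    locked: dict = field(default_factory=dict)     # cert serial -> bool
    usage_log: dict = field(default_factory=dict)  # cert serial -> list of call records

    def set_lock(self, serial, locked):
        """Subscriber locks or unlocks his certificate (UIDAI-style biometric lock)."""
        self.locked[serial] = locked

    def verification_call(self, serial, relying_app, doc_digest, mode="online", ts=None):
        """Made over the secure channel before (or, offline, after) signing.
        Records metadata the subscriber can later review and says whether signing may go ahead."""
        allowed = not self.locked.get(serial, False)
        record = {"ts": ts or time.time(), "app": relying_app, "digest": doc_digest,
                  "mode": mode, "allowed": allowed}
        self.usage_log.setdefault(serial, []).append(record)
        return allowed

def toy_sign(key, digest):
    # Stand-in for the real private-key signature on the DSC token (assumption, not a DSC).
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

class Signer:
    """Client-side wrapper that will not sign without an allowing verification call."""
    def __init__(self, repo, serial, key):
        self.repo, self.serial, self.key = repo, serial, key
        self.pending = []  # offline usages awaiting post-signing verification

    def sign(self, document, app, online=True):
        digest = hashlib.sha256(document).hexdigest()
        if online:
            if not self.repo.verification_call(self.serial, app, digest):
                raise PermissionError("certificate is locked by the subscriber")
        else:
            self.pending.append((app, digest))  # log it once connectivity returns
        return toy_sign(self.key, digest)

    def reconnect(self):
        """Flush offline usages to the CA as post-signing verification records."""
        for app, digest in self.pending:
            self.repo.verification_call(self.serial, app, digest, mode="offline-post")
        flushed, self.pending = len(self.pending), []
        return flushed
```

A denied call is still written to the usage log, so the subscriber can see attempts made while the certificate was locked.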
I hope the CCA would consider some of these measures as a part of its rule making power until such time that the ITA 2008 itself can incorporate such measures as part of the law.
I look forward to suggestions from security experts in this regard. The request has already been made to the CCA and I am awaiting the response.
P.S.: This suggestion arose from a query by Mr Uday Gupta, one of the readers of an article on this site on digital signatures, and I thank him for raising this issue.