The signatory's problem with the onus of proof

Digital signatures allow relying parties to take the validity of an e-Signature for granted. Unfortunately, many attacks against the signatory are possible, such as untrusted client devices (What You Sign Is Not What You See), keyboard loggers, or even corrupted card terminals with dedicated keyboards.
If such an abuse occurs, a problem arises when the signatory repudiates the signature. Under current legislation the onus of proof lies with the signatory, and it is very difficult for a plain consumer to prove that a signature was abused, e.g. by malware on the user's device.

A solution that provides the signatory with a feedback loop, in analogy to bank account statements, would be the following model:

  • Each signature must be validated by a trusted third-party validation service.

  • Each transaction validation includes a reference in clear text.

  • All transactions are submitted to the signatory over another channel (like billing from telcos or bank account statements).

  • The signatory may cancel signed transactions without bearing the onus of proof within some period (e.g. 60 days).
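The four steps of the model above, as an added worked example (not code from the original post): a validation service that verifies each signature, records a clear-text reference, produces a periodic statement for delivery over a second channel, and lets the signatory cancel a transaction within a 60-day window without proving abuse. The `toy_sign`/`toy_verify` pair, the `ValidationService` class and the sample transactions are all constructed for illustration; a real service would replace the toy verifier with PKI certificate-chain and signature validation.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List

# Cancellation window taken from the post's example (60 days); assumed default.
DISPUTE_WINDOW_DAYS = 60

# Assumed verifier type: (signer_id, document, signature) -> bool.
# A real service would check a certificate chain here; any callable fits.
Verifier = Callable[[str, bytes, bytes], bool]


def toy_sign(document: bytes) -> bytes:
    """Constructed stand-in for a smart-card signature (NOT a real scheme)."""
    return hashlib.sha256(b"toy-key|" + document).digest()


def toy_verify(signer_id: str, document: bytes, signature: bytes) -> bool:
    """Constructed verifier matching toy_sign; replace with real PKI validation."""
    return signature == toy_sign(document)


@dataclass
class Transaction:
    tx_id: int
    signer_id: str
    doc_hash: str      # hex SHA-256 of the signed bytes
    reference: str     # clear-text reference later shown to the signatory
    signed_on: date
    cancelled: bool = False


class ValidationService:
    """Trusted third-party validation service keeping a per-signatory ledger."""

    def __init__(self, verify: Verifier, window_days: int = DISPUTE_WINDOW_DAYS):
        self._verify = verify
        self._window = timedelta(days=window_days)
        self._ledger: List[Transaction] = []

    def validate(self, signer_id: str, document: bytes, signature: bytes,
                 reference: str, today: date) -> Transaction:
        # Step 1: every signature passes through the service before it counts.
        if not self._verify(signer_id, document, signature):
            raise ValueError("invalid signature: transaction rejected")
        # Step 2: the ledger entry carries a clear-text reference, not just a hash.
        tx = Transaction(
            tx_id=len(self._ledger) + 1,
            signer_id=signer_id,
            doc_hash=hashlib.sha256(document).hexdigest(),
            reference=reference,
            signed_on=today,
        )
        self._ledger.append(tx)
        return tx

    def statement(self, signer_id: str, start: date, end: date) -> List[str]:
        # Step 3: periodic statement lines, to be delivered over a second channel
        # (e.g. with the telco bill) so device-resident malware cannot hide them.
        return [
            f"#{t.tx_id} {t.signed_on.isoformat()} {t.reference}"
            + (" [CANCELLED]" if t.cancelled else "")
            for t in self._ledger
            if t.signer_id == signer_id and start <= t.signed_on <= end
        ]

    def cancel(self, signer_id: str, tx_id: int, today: date) -> bool:
        # Step 4: inside the window the signatory cancels without proving abuse;
        # only the signatory of record may cancel, and only once.
        for t in self._ledger:
            if t.tx_id == tx_id and t.signer_id == signer_id:
                if not t.cancelled and today - t.signed_on <= self._window:
                    t.cancelled = True
                    return True
                return False
        return False


def demo():
    """Constructed walk-through: one genuine, one forged, one cancelled transaction."""
    svc = ValidationService(toy_verify)
    doc = b"Transfer 250 EUR to ACME Ltd, account 123"
    good = svc.validate("alice", doc, toy_sign(doc),
                        "Transfer 250 EUR to ACME", date(2024, 1, 10))
    try:  # a forged signature never reaches the ledger
        svc.validate("alice", doc, b"\x00" * 32, "forged", date(2024, 1, 11))
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    in_window = svc.cancel("alice", good.tx_id, date(2024, 2, 20))  # 41 days later
    lines = svc.statement("alice", date(2024, 1, 1), date(2024, 1, 31))
    return forged_rejected, in_window, lines


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the statement is built from the service's ledger, never from the (possibly compromised) signing device, and that `cancel` requires no evidence of abuse inside the window; after the window the transaction stands, which is the liability split the post argues for.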


As the usage of eSignatures outside legally and technically closed communities is almost non-existent, there is no threat so far. If that changes, the well-developed cybercrime economy will find ways to exploit known and unknown security issues. There is no technical prevention for this problem: the solution must focus on safeguards at the business level and liability restrictions at the legal level.