UBS lays groundwork for e-signatures to protect digital payments

Switzerland's UBS is adopting an advanced type of digital signature technology, with a range of uses that include the capability to secure high-risk digital payments.

UBS is embedding digital signature technology developed by Cryptomathic and SwissSign into its e-banking system to augment its existing authentication system. UBS is starting with wealth management and e-banking, which usually require customers to sign about a half dozen documents per year, but the bank expects the same technology can improve payment security by serving as an authentication factor.

"We want to remove steps and simplify processes for a number of our activities," said Philipp Kuhn, a project manager at UBS who is helping lead the e-signature initiative.

Matthew Lloyd/Bloomberg

The underlying technology can be used to support payments use cases by adding an advanced form of digital signatures called XAdES signatures to an XML file that is ISO 20022 compliant, according to Cryptomathic and SwissSign.

There are also use cases for treasury management, invoicing and other processes related to payments."There are a lot of areas where we would need a signature equivalent, such as for fulfillment, where this would help us," Kuhn said.

"An e-signature can be good at establishing non-repudiation," said Matt Landrock, an executive vice president at.Cryptomathic. "We can say for certain that the user intended to make this transaction."

Writing for PaymentsSource, James Gagliardi, a vice president at Digital River, argues digital signatures may be necessary to protect 'Internet of Things' transactions such as using remote buy buttons such as Amazon Dash that order household items such as toilet paper or soap; or to help secure payments for ride-sharing apps, where there is no exchange of a physical card or overt use of a mobile wallet. Gagliardi argues a digital signature can add an extra layer with an extra step, though it's a small one for the consumer.

Naveen Jakhar, a government official in India who helps oversee the country's telecom industry, also argues that e-commerce can benefit from e-signatures, which provide a private key for the signer and a verification algorithm on the receiving end. Jakhar's presentation notes e-signatures are transportable, cannot be imitated and are time-stamped. For e-commerce, a digital signature can verify the payment's sender because the digital signature key is bound to a specific user, according to Jakhar.

In this way, e-signatures can complement the use of EMV cards at the point of sale. EMV is an anti-counterfeiting measure, designed to assure that the person making the transaction is the only one who can use that payment instrument at that time. With e-signatures, "the idea is to emulate what happens on a chip card," Landrock said.

In an oped for PaymentsSource, Guillaume Forget, director of product management for Cryptomathic, wrote the regulatory environment for digital signatures is improving, as new rules allow consumers and businesses to add e-signatures to document images, giving these the same legal status as paper-based documents.

"Electronic signatures, when properly implemented, can be very helpful in combating online payments fraud," said Avivah Litan, a vice president at Gartner, and a security specialist, who notes there is some friction to the strategy.

First, the technology itself is complex. "There's a need to assign keys to senders and receivers, and both senders and receivers need to participate in the application for it to work properly," Litan said.

Also, enrollment can be complicated, according to Litan.

"This is always the weakest link in any online security system," Litan said. "Fraudsters can impersonate others or use stolen identities, at which point it doesn't matter if the payment transaction is carried out securely because at that point a fraudster is receiving the 'secure payment.'"