Digital signatures may be prone to scams

Security firm says BT's Trustwise digital signature technology can be tricked

The document digitally signed by the Secretary for the Department of Trade and Industry Wednesday can be easily fooled, or "spoofed", according to British security and software development firm Skygate.

BT responds, however, that the trick is of limited application and points out that it doesn't really affect Trustwise's security.

On Thursday Skygate posted a Web page claiming to show how the verification of a signature can be forged using simple HTML and JavaScript. On the page, Skygate argued that a user who is not overly cautious can be fooled into thinking that any signature has been authenticated by BT's Trustwise service. In actual fact the spoofing method transports them to a different BT Trustwise page that did originally authenticate a signature.

Skygate says a simple way to avoid this sting is to disable JavaScript in a browsers preferences.

As of Thursday afternoon, however, the page had been taken down, leaving only a note with the explanation that "this page has been withdrawn following discussions with BT."

Skygate Director Pete Chown sees the spoofing method as a potentially serious flaw in BT's security plans. He says, "There is the possibility that someone could set up a fake site for, say, paying your phone bills, and capture people's credit card details. This could be particularly serious if this becomes a public service. BT should make sure that their pages really authenticate a signature instead of just throwing HTML back at you."

Neil Barrett, security specialist at Information Risk Management, believes however that for the security-conscious user this shouldn't be a particular threat. "It's like a spoofed email. If you look at the guts of the page and really test it, you will see that it's fake. If you actually go to the Trustwise site and ask whether the page is recognised it won't verify it."

Barrett sees this example as further evidence of the need to make people aware of the security risks that do exist online. He adds, "It's a flaw in the degree of trust you put in it. If there is one thing wrong with e-commerce it is that the public is being swayed into thinking that everything is secure."

According to Barrett, there is another very simple way in which the Trustwise verification system could be unscrupulously exploited. "Another way is to register another very similar name. The system is obviously not clever enough to do name mapping." This means that by misspelling or adding an initial to a name it might be possible to fool someone into thinking the digital signature belongs to an entirely different individual or organisation.

Skygate's Trustwise criticism comes just a day after the technology's public endorsement by DTI secretary Stephen Byers.

A BT spokesman plays down the significance of the stunt saying, "It's not a breach of security, they haven't got into the Trustwise site. Also, with the real system you can verify a whole site and you can't do that with this. We are in discussions with the people who have done this and are working on ways to stop it happening anymore. It's an inconvenience rather than anything else."

What do you think? Tell the Mailroom. And read what others have said.