Hello, I've heard that some courier services use signature pads for handwritten signatures instead of paper? Is that true? I was wondering about their safety: if you enter your signature in digital form once, then it's in the system, and due to its digital nature it can be copied easily. So what stops someone from taking advantage of it, e.g. using a copy of that signature in your name on the next delivery while never actually giving you the package (stealing it, etc.)?
Are there any differences in security when comparing signature pads used in banks vs. courier services?
Since signature pads are common in banks (which seem to be quite trustworthy institutions), the safety is probably there, but still: can someone explain to me how it is possible that at some point in time the full unencrypted digital representation of your signature must be in the device, and yet it is somehow assured that the bank cannot use the same signature (by copying the digital data in it) to sign other documents in your name without your knowledge? Does the signature process require a hash of the document being signed as input to the signature pad, and then encrypt the hash together with your signature data? Does each signature pad use device-unique encryption keys that are "hardwired" into the device? Or how else does it work?
And what if an attacker had physical access to the device: wouldn't it be possible for him to reverse engineer whatever the signature pad is doing (all the keys used for encryption, etc.) and thus make it appear as if you have signed a document which you have actually never even seen? In other words, could it be that the crucial part of the security lies in the fact that signature pads are "black boxes" where you do not see what exactly is going on inside (and that maybe they are specially designed to be difficult to reverse engineer)?