On January 16, Sign.Me founder and CEO Alexander Kofanov told Izvestia about the types of hacker attacks on electronic signatures (ES) and methods of protection.
According to the expert, fraud involving electronic signatures falls into three categories. The first is attacks on software: the signing software and its security measures are analyzed for vulnerabilities, and attackers try to get the user's signature applied to the documents they need.
“The success of an attack on software in the case of an electronic signature tends to zero. But we will still focus on the rare case when this is theoretically possible – if a simple electronic signature is used (for example, a login and password, or a code from an SMS). This type of electronic signature does not have such serious protection as an enhanced electronic signature, which is created using a cryptographic system. A hacker attack on a simple electronic signature can be a brute-force attack. Possible consequences of the attack: compromise of the signature and signing of documents without the user’s knowledge,” Kofanov said.
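The brute-force case described above is easy to model. The following is an added example and is not code from Sign.Me or from the original article: a constructed, toy verifier for a "simple electronic signature" that approves a document with a short numeric code (the kind sent by SMS), with the code, the digit count and the attempt limit chosen here for illustration. It shows why a short code without an attempt limit is enumerated in at most 10^digits tries, and why an attempt limit (lockout) stops the same enumeration.

```python
import hmac
import secrets
from typing import Optional, Tuple


class SimpleSignatureVerifier:
    """Toy model of a 'simple electronic signature': a document is approved
    when the caller presents the short one-time code the user received.
    Constructed for illustration only; not a real signing service."""

    def __init__(self, code_digits: int = 4, max_attempts: Optional[int] = None,
                 code: Optional[str] = None):
        self.code_digits = code_digits
        self.max_attempts = max_attempts   # None means no lockout at all
        self.attempts = 0
        self.locked = False
        # The code the legitimate user would receive by SMS. A fixed code can
        # be supplied to make a demonstration reproducible (hypothetical).
        if code is None:
            code = f"{secrets.randbelow(10 ** code_digits):0{code_digits}d}"
        self.code = code

    def verify(self, candidate: str) -> bool:
        """Return True if the candidate code is accepted. After max_attempts
        failures the verifier locks and refuses everything."""
        if self.locked:
            return False
        self.attempts += 1
        # Constant-time comparison so timing does not leak matching digits.
        ok = hmac.compare_digest(candidate, self.code)
        if not ok and self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True
        return ok


def brute_force(verifier: SimpleSignatureVerifier) -> Tuple[bool, int]:
    """Enumerate every possible code in ascending order until the verifier
    accepts one or locks out. Returns (success, attempts_used)."""
    digits = verifier.code_digits
    for n in range(10 ** digits):
        if verifier.verify(f"{n:0{digits}d}"):
            return True, verifier.attempts
        if verifier.locked:
            return False, verifier.attempts
    return False, verifier.attempts


if __name__ == "__main__":
    # No attempt limit: a 4-digit code always falls within 10,000 tries.
    ok, used = brute_force(SimpleSignatureVerifier(code_digits=4, code="7391"))
    print(f"no lockout: success={ok} after {used} attempts")
    # Five-attempt lockout: the same enumeration is stopped almost at once.
    ok, used = brute_force(SimpleSignatureVerifier(code_digits=4, max_attempts=5, code="7391"))
    print(f"5-attempt lockout: success={ok} after {used} attempts")
```

The lockout is the only thing separating the two runs; an enhanced electronic signature does not depend on such a limit at all, because the signature cannot be produced without the private key.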
The second type of fraud is attacks on infrastructure (the network environment, the operating system). According to the expert, the most common attack is DDoS (Distributed Denial of Service: a server is overloaded with traffic from a network of many devices so that ordinary users have difficulty reaching it).
“In our company’s 12 years of experience, there have been several attempts to DDoS the Sign.Me infrastructure, the websites of various certification authorities and infrastructure nodes in the Russian Federation, but all of them were largely unsuccessful. Russian specialists have learned to handle them as a matter of routine,” said Kofanov.
The third type is social engineering (deceiving people). Izvestia’s interlocutor noted that 99% of criminal schemes involving electronic signatures are fraud of this kind rather than hacker attacks.
“For example, forging a passport and issuing an electronic signature certificate on it, deceiving an employee or a user, a stolen PIN code for a token, and so on. Such cases have nothing to do with the reliability of the technology – this is purely a human factor resulting from a violation of security rules. If your electronic signature is stolen, criminals can sign any document. In practice, fraudsters using social engineering methods can be exposed, since an electronic signature forces them to leave behind many digital traces and much evidence,” he said.
Kofanov gave a number of recommendations for avoiding hacker attacks and fraudulent schemes involving electronic signatures. First, use reliable, certified electronic signature services that rely on cryptography, have a good reputation, and keep signing keys non-extractable (the private key cannot be copied out of the token or key store).
“Do not hand over digital storage media, mobile phones or PCs to other people. Regularly check the “Electronic Signature Certificates” section of State Services; all electronic signature certificates issued to you are displayed there. You can also check the e-mail linked to your State Services account: when an electronic signature certificate is issued in your name, a notification is sent there. Keep your passport and other documents in a safe place. Update applications and programs as soon as new versions are released. Use antivirus software,” he said.
The specialist also advises carefully checking any source that requests your data, using different passwords for different accounts together with two-factor authentication, and using an MCD (a machine-readable power of attorney that designates a person other than the certificate holder who is authorized to sign on the holder’s behalf) so that you do not have to hand over your personal token, for example the general director’s ES to an accountant for signing reports.
At the end of December, the head of the legal department of Sign.Me, Vadim Deryuzhinsky, told Izvestia in what situations you can use an electronic signature.