Editor’s note: This is the second in a four-part series about security issues and paperless transaction management platforms. See part one.
Did you know that some agents actually log in to their clients’ accounts and sign digital documents on their clients’ behalf?
As the use of digitally signed documents becomes more widespread, the question for you and your clients is, “What degree of risk are you willing to tolerate in your digital documents and what can you do to protect yourself against fraudulent signatures?”
When I first started in the business, my broker listed two four-unit buildings on adjoining lots. He sold one building to his buyer, and I sold the other. The termite report on his sale came back clear. The building I sold required $2,500 of work.
No problem — he just cut and pasted the two reports together, ran it through the copier, and gave what appeared to be a clear termite report to my buyer. I caught the fraud, advised the buyer to see an attorney, and immediately left the brokerage.
Fast forward to 2013. Unfortunately, as we have moved from paper to electronic signatures, many of the unethical behaviors that took place in the paper world have migrated into the digital world.
Not only are some agents signing digital documents on their clients’ behalf, the documents themselves can be altered electronically, even after they have been signed.
The good news is that digital documents provide better tracking and considerably more security than faxing and copying. Nevertheless, there are vulnerabilities that can put you at risk. In order to minimize this risk, it’s important to understand three key issues:
1. The difference between e-signatures and digital signatures.
2. Knowledge-based authentication (KBA).
3. PDF vs. smart form technology.
E-signatures vs. digital signatures
Mangesh Bhandarkar of Adobe EchoSign described the difference between e-signatures and digital signatures in the following way:
“EchoSign was designed to fill the gap between a ‘hard signed document’ and a digitally signed document. EchoSign uses ‘e-signatures,’ which have a lower security threshold than digitally signed documents.”
“Digital signatures require what is known as a ‘tamper-evident’ seal on the document. Each party signing the document must also have a ‘digital certificate.’ Then, using a process called mechanics cryptography, the algorithm compares the documents to locate if and where any changes have been made.”
In paper transactions, notaries verify the identity of those signing documents. Some digital transactions use a process called knowledge-based authentication (KBA). If you have ever visited a website that asked, “Which of these addresses did you live at in 1998,” that site was probably using knowledge-based authentication.
According to Bhandarkar, while digital signatures require a certificate, the problem is that “you can issue yourself a certificate. Consequently, you should seek certificates issued from authorities such as Verisign, the U.S. government,” or a common access card (CAC).
To obtain a certificate, the person signing the document is required to supply at least two of the three following authentication factors:
- A knowledge factor (something the user knows such as a password, PIN or pattern).
- A possession factor (a physical object the user has in his possession, such as an ATM card, smart card, or mobile phone).
- An inherence factor (something unique about the user, including biometric characteristics such as fingerprints).
Knowledge-based authentication and real estate
Different digital platforms offer different types of verification. According to Austin Allison, the CEO of dotloop, its verification system works by authenticating each signature by coupling a user’s email address with his password. There is no knowledge-based authentication.
The challenge with this approach is that if I use an email address such as Coach@RealEstateCoach.com and create a password tied to that, do you really know who I am?
EchoSign uses Verisign for its KBA process. DocuSign, EchoSign, Instanet and zipLogix Digital Ink provide knowledge-based authentication for a small fee.
What’s disturbing is that because of this fee, very few agents are currently using this service on any platform.
Whether you are an agent, broker, mortgage, title or escrow professional, it would seem that everyone benefits from working with multiple-factor authentication.
Smart forms vs. PDF forms
When you choose an e-signature provider, you must decide whether you want to use standard PDF form-based technology, or “smart form” technology, which is also PDF-based but employs tamper-proof digital seals embedded in the documents.
Dotloop and HelloSign currently use standard PDF forms, while DocuSign, Instanet and zipLogix Digital Ink use smart forms.
Smart forms provide the greatest degree of security available today. They protect the security of both the signatures and the documents by:
1. Using a legally valid consumer consent process.
2. Creating an audit trail and certificate showing the IP address, email address, date/time stamp, and authentication measures used to sign.
3. Providing proof of being “tamper-evident.” In other words, they can’t be changed once they are signed, or if they are changed, the document points to where the changes are made independently of a digital paper trail maintained by the e-signature provider.
4. Using digital signature technology rather than e-signature technology.
In January 2013, Bank of America recognized the necessity for raising the bar on the digital documents used within its system and set forth requirements similar to the ones above.
Dotloop and HelloSign use standard PDF technology that lacks tamper-evident seals embedded in the document itself, although HelloSign is in the process of adding this functionality. Both companies currently require the user to view the digital paper trail on their servers.
In contrast, EchoSign, DocuSign, Instanet and zipLogix Digital Ink use smart form technology that utilizes tamper-evident seals embedded within the document. When the document is changed, a viewer can immediately tell since the document tracks these changes independently of the e-signature provider’s site.
In other words, you don’t have to visit their sites to see the digital paper trail — it exists within the document.
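As an added illustration (not code from any of the products named here), the sketch below shows how a seal embedded in the document lets anyone holding the signer's public key detect and locate an edit made after signing, without consulting the provider's server. The field names, sample values and the insecure toy RSA key are assumptions made for the example; real seals rely on certificate-backed keys.

```python
import hashlib, json

# Toy signing key: textbook RSA over two publicly known Mersenne primes.
# INSECURE, used only so the example runs on the standard library; a real
# seal uses a certificate-backed key and a padded signature scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                  # public modulus (published with E)
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, signer only

def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def _manifest_int(manifest):
    # Canonical JSON so signer and verifier hash identical bytes.
    return int(_digest(json.dumps(manifest, sort_keys=True)), 16)

def seal(fields):
    """Return the document with a seal embedded: per-field hashes + signature."""
    manifest = {name: _digest(value) for name, value in fields.items()}
    signature = pow(_manifest_int(manifest), D, N)
    return {"fields": dict(fields), "seal": {"manifest": manifest, "sig": signature}}

def verify(doc):
    """Check with the public key (N, E) only. Returns (seal_ok, changed):
    seal_ok is False if the manifest was rewritten; changed lists fields
    altered, added or removed after signing."""
    manifest, sig = doc["seal"]["manifest"], doc["seal"]["sig"]
    seal_ok = pow(sig, E, N) == _manifest_int(manifest)
    current = {name: _digest(value) for name, value in doc["fields"].items()}
    changed = sorted(k for k in manifest.keys() | current.keys()
                     if manifest.get(k) != current.get(k))
    return seal_ok, changed

# Constructed sample contract fields, not taken from any real transaction.
SAMPLE = {"price": "$450,000", "termite_report": "Repairs required: $2,500",
          "buyer_signature": "signed 2013-02-01 by buyer@example.com"}

def demo():
    doc = seal(SAMPLE)
    intact = verify(doc)
    doc["fields"]["termite_report"] = "Clear"          # edit made after signing
    edited = verify(doc)
    # Rewriting the stored hash hides the field, but breaks the signature.
    doc["seal"]["manifest"]["termite_report"] = _digest("Clear")
    forged = verify(doc)
    return intact, edited, forged

if __name__ == "__main__":
    print(demo())
```

The check needs only the document and the public key, which is why the identity behind that key matters: a self-issued certificate gives the same tamper evidence but no assurance about who signed.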
Editor’s note: This story has been updated to clarify that “smart forms” are a type of PDF document, and that some, but not all digital transactions use knowledge-based authentication. DocuSign Founder and Chief Strategy Officer Tom Gonser notes that “PDFs are a global document standard (used by) everyone including DocuSign.” Gonser also notes that EchoSign is not commonly used in real estate transactions “because it does not connect with forms platforms, and does not have the technology required to apply ‘sign here’ tabs and workflow automatically to new documents without the author having to go in and physically edit the underlying PDF.” Matt Cohen, chief technologist, Clareity Consulting, calls knowledge-based authentication “the weakest form” of authentication, noting that real estate professionals often have access to information used to generate KBA challenges, including banking, public records, and previous address information.
Bernice Ross, CEO of RealEstateCoach.com, is a national speaker, trainer and author of the National Association of Realtors’ No. 1 best-seller, “Real Estate Dough: Your Recipe for Real Estate Success.” Hear Bernice’s five-minute daily real estate show, just named “new and notable” by iTunes, at www.RealEstateCoachRadio.com.