Security Measures

Signing on the dotted line is the one action that makes most banking transactions official. It is a verification of identity and a confirmation of action.

Since writing a signature is one of the few things that cannot be done over the Web or via e-mail, it becomes one of the stumbling blocks to conducting complex on-line banking operations.

“Today we are limited by the requirements of a physical signature,” explains John Black, manager of electronic service development with the eCommerce Group of Royal Bank of Canada. “With a loan, for example, people still need to sign the application, so even if they start out on the Web, they have to go into a branch or we have to mail out a form for their signatures.”

In order to do away with this inefficiency and inconvenience, the bank is looking at a technology solution which will act as a substitute for physical signatures and will offer the same verification of identity and legal weight as a hand-written specimen.

“We want to offer complete, end-to-end fulfilment electronically, and the support of digital signatures will make it happen,” Black says.

Incorporating both digital signature technology and a supporting public-key infrastructure (PKI) means Royal Bank will have to reengineer many of its existing practices and applications, but it is work that Black predicts will be well worth the effort. In some circumstances it will give the bank’s corporate customers single sign-on access to an assortment of applications, and in others it will save money by enabling certain transactions to be completed in a totally electronic environment.

For starters, the bank is targeting three distinct market segments: the institutional market place, its largest customers; the commercial segment, businesses classed as slightly larger than small to medium-sized enterprises; and individual consumer professionals and owner-operated small businesses.

Among the services Royal Bank is looking to provide is a newly revamped cash management system which incorporates PKI-based digital certificates.

“Today we offer cash management services through PC software, but we are looking at the Web for the next-generation application. That removes the headache of physically distributing the software, and when you take that step, you look at other elements of the business such as a one-step authentication solution for our customers,” Black says.

“We hope that an officer, a treasurer of a large organization, will be able to use one single digital certificate to access the cash management service. As much as we try today, we are not always successful in creating a single sign-on.”

The bank is working to provide a similar arrangement for companies wanting to offer their customers electronic bill presentment and payment services. Royal Bank wants to give its customers digital certificates they can use to view their utility and credit-card bills on-line, complete with all the transaction details and charges. Using those same certificates, customers will then be able to pay those bills out of their bank accounts.

“The value comes if it becomes a well-ingrained way of doing business. Ultimately, the cost will be offset by the savings,” Black explains. On-line bills mean no charges for paper or printing or mailing.

Of course, giving customers access to new technology also means providing employees with the same tools. Ultimately, Black says, the bank wants a large number of employees to make use of PKI, but initially about 20 per cent will have access to encrypted e-mail and digital signatures and certificates.

Besides using secure e-mail for internal communications, the bank is looking at deploying this method of communications to portions of its customer base.

“The need to support e-mail as an avenue of delivery is becoming more important,” Black says. “We need to be able to send a file containing instructions or information, and our customers need a standard e-mail tool they can use to encrypt the information they send and receive.”

Jim Short, vice-president of sales for Ottawa-based Entrust Technologies Ltd., which is supplying PKI and encryption technology to Royal Bank, says secure e-mail, and in particular electronic forms (e-forms), will become one of the easiest ways for customers to do business with the bank.

“Anybody who has an e-mail account will be able to fill in a form, and get approved for credit.”

At this point, however, the logistics of who will be receiving access to the new systems and how the digital certificates will be issued are yet to be worked out. Royal Bank is only in the initial stages of its PKI project, and the earliest phases aren’t expected to be rolled out until the end of the bank’s fiscal year in October. The basic infrastructure, the core Entrust engine with the certificate authority registration capability, and the directory are scheduled to be in place by the end of summer.

Still, neither Black nor Short expects a problem putting the appropriate keys and certificates in Royal Bank customers’ hands.

“They are dealing with a community of existing customers,” Short says. He explains that all of the bank’s existing customers who do on-line business with the bank already possess digital certificates.

“When we launched our PC banking services in December 1996, we gave out home-grown versions of digital certificates that are not visible to the customers and that are compliant with industry standards,” Black says.

He adds that Royal Bank is still working to define different levels of certificates and set standards around their distribution. He says it is likely the bank will echo the policy used by the federal government which classes certificates into four levels of assurance: rudimentary, basic, medium and high.

Like any other certificate authority, Royal Bank will create a certificate policy document, which it will publish on its Web site, and a certificate practice statement, which will describe the type of certificates issued and to what extent the bank will guarantee the identity of the holder.

While working on the basics of the infrastructure is one task, Black is more concerned with making sure the security initiatives are in line with the bank’s mission to service its customers.

“We are focusing on the business that you know and the applications associated with those businesses. We just want to make the transition to working on-line a little easier.”

Carolyn Gruske is a Toronto-based freelance writer who specializes in IT reporting.


Webster’s Dictionary defines a signature as “the name of a person written with his own hand.”

OK. But how can you be sure a signature in cyberspace is the real thing?

The challenge in e-commerce is to eliminate the risk of false identity, says Paul Donfried, a vice-president at Identrus LLC in New York. Identrus was formed by 12 of the world’s largest banks to provide a global framework for trusted business-to-business e-commerce.

Right now, digital signatures hold the most promise of helping electronic businesses sort through the complex issues of identity risk and liability in cyberspace.

To legally bind a digital signature, you must draw up a contract that defines and legally assigns the roles and responsibilities of the participants. Don’t try this without the assistance of your legal counsel, Donfried says.

The basics should address:

- Who’s liable if the deal goes awry?
- What’s the certificate authority’s liability if the keys are misused or tampered with?
- What’s the end user’s liability for protecting the key?
- What’s the system itself liable for if it damages or exposes the key?
- How will the contract be enforced?
- How will disputes be resolved?

The Real Deal

Digital signatures accomplish four things, says Paul Raines, vice-president of electronic security at the Federal Reserve Bank of New York:

Data Integrity — The recipient can tell if the data’s been tampered with.

Confidentiality — The encrypted data is seen by only the sender and the receiver.

Nonrepudiation — You can’t deny receiving the message, because the public key returns a proof of receipt.

Authentication — Both the sender and receiver are identified.
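As an added illustration of the properties listed above and of the bank-as-certificate-authority arrangement described earlier in the article (this is example code written for this page, not code from the article, from Royal Bank or from Entrust), the following Go program uses only the standard library’s crypto/ed25519 and crypto/x509 packages to play both sides of the exchange. A hypothetical root CA (“Example Bank Root CA” is an assumed name) issues a certificate to a constructed customer identity; the customer signs a constructed loan-application text; the verifier then checks that the certificate chains to the trusted root (authentication) and that the signature matches the document (data integrity). It also exercises two failure modes a practitioner cares about: a document altered after signing, and a key whose certificate the bank’s CA never issued. Encryption for confidentiality is a separate step and is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed names, constructed for this example only.
const (
	caName       = "Example Bank Root CA" // hypothetical CA name
	customerName = "customer-0001"        // constructed customer identifier
)

// issueCertificate creates a certificate for pub. When issuer is nil the
// certificate is self-signed (used here for the root CA and for a rogue key);
// otherwise it is signed by issuer with issuerKey.
func issueCertificate(serial int64, subject string, isCA bool, pub ed25519.PublicKey,
	issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaf certificates are restricted to client authentication.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parent := tmpl
	if issuer != nil {
		parent = issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SignDocument produces a detached Ed25519 signature over doc.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifyDocument first validates the signer's certificate against the trusted
// roots (authentication), then checks the signature over doc (integrity).
// The returned error names which property failed.
func VerifyDocument(signer *x509.Certificate, roots *x509.CertPool, doc, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("authentication: certificate not trusted: %w", err)
	}
	pub, ok := signer.PublicKey.(ed25519.PublicKey)
	if !ok {
		return fmt.Errorf("authentication: unexpected key type %T", signer.PublicKey)
	}
	if !ed25519.Verify(pub, doc, sig) {
		return fmt.Errorf("integrity: signature does not match document")
	}
	return nil
}

// Scenario reports three outcomes: whether a genuine signed application
// verifies, whether a post-signing change is detected, and whether a
// signature from a key the CA never certified is rejected.
func Scenario() (genuineOK, tamperedDetected, untrustedDetected bool, err error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	caCert, err := issueCertificate(1, caName, true, caPub, nil, caPriv)
	if err != nil {
		return false, false, false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)

	custPub, custPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	custCert, err := issueCertificate(2, customerName, false, custPub, caCert, caPriv)
	if err != nil {
		return false, false, false, err
	}

	// Constructed document text standing in for an electronic loan application.
	doc := []byte("Loan application 0001: customer-0001 requests CAD 25,000 over 60 months")
	sig := SignDocument(custPriv, doc)
	genuineOK = VerifyDocument(custCert, roots, doc, sig) == nil

	// Same signature, document altered afterwards: integrity check must fail.
	altered := []byte("Loan application 0001: customer-0001 requests CAD 250,000 over 60 months")
	tamperedDetected = VerifyDocument(custCert, roots, altered, sig) != nil

	// A self-issued certificate for the same name, never signed by the bank's CA.
	roguePub, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	rogueCert, err := issueCertificate(3, customerName, false, roguePub, nil, roguePriv)
	if err != nil {
		return false, false, false, err
	}
	untrustedDetected = VerifyDocument(rogueCert, roots, doc, SignDocument(roguePriv, doc)) != nil
	return genuineOK, tamperedDetected, untrustedDetected, nil
}

func main() {
	g, t, u, err := Scenario()
	fmt.Println("genuine verifies:", g, "| tampering detected:", t,
		"| untrusted key rejected:", u, "| error:", err)
}
```

The verifier checks the certificate chain before looking at the signature: a valid Ed25519 signature from an uncertified key says nothing about who signed, which is why the chain check, not the signature check, is what carries the authentication property.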