paint-brush
Do Digital Services Actually Make Document Forgery Easier?by@noprofile
366 reads
366 reads

Do Digital Services Actually Make Document Forgery Easier?

by noprofileJuly 22nd, 2019
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

In reality, all protection measures in digital services can be bypassed. This false sense of security makes it easier for fraudsters to get what they want. HTTPS protects only the connection, it doesn’t protect the server or prevent it from getting hacked. One of the most successful attacks was performed in 2017 on Classic Ether Wallet, which was actually protected by SSL. The only way to protect yourself is to stay cautious and never send any sensitive information through a website. The same story is with messengers, with message encryption between parties, but it doesn't matter when it comes to end-to-end.

People Mentioned

Mention Thumbnail

Companies Mentioned

Mention Thumbnail
Mention Thumbnail

Coins Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Do Digital Services Actually Make Document Forgery Easier?
noprofile HackerNoon profile picture

As an ordinary user, should you care about your privacy when transferring data or documents from one place to another? For a long time now, privacy was never a huge concern for anyone. Large companies were harvesting personal data for advertising purposes or to sell it to third parties, but now the times have changed and people have recently started to care about their privacy more and more. Now the trend among tech companies is to give their users the tools to protect their data, documents, and digital lives. We’re seeing encrypted browser connections, private messengers, secure file-sharing services, but are they as secure as they want us to believe? 

In reality, all protection measures in digital services can be bypassed, and this false sense of security makes it even easier for fraudsters to get what they want. In this article we’re going to briefly observe all of the popular methods of digital security, including blockchain services such as Authpaper Delivery, BlockSign, OpenSign, and KeeeX, to find their weak spots and discover their advantages. 

It’s meant to be secure, but it’s not - HTTPS protocol

Let's start with the security protocol for surfing the web. HTTPS (HyperText Transfer Protocol Secure), which is an extension of the Hypertext Transfer Protocol, is the most basic protocol for exchanging information between two parties: client and server. Usually, this protocol serves to transmit hypertext pages, the usual pages that we see in our browser. The basic version of HTTP, however, has a lot of vulnerabilities. The HTTPS version is encrypted with TLS or SSL, special cryptographic protocols for communications security, so no one is able to read the sent information. At least in theory…

Source: https://www.lullabot.com/articles/https-everywhere-security-is-not-just-for-banks 

However, it’s not necessary to read it and then decrypt the messages! HTTPS protects only the connection; it’s only about preventing web traffic from being read, it doesn’t protect the server or prevent it from getting hacked. A common practice nowadays is to hack the server or to use a fake domain with a similar name. Take Binance, the most popular crypto-exchange right now, which has copies on domains like bїnance.com (as you can see, “ї” has two dots above) or with a Cyrillic “а”, which represents a different character encoding. This type of phishing attack is called typosquatting.

But one of the most successful attacks was performed in 2017 on Classic Ether Wallet, which was actually protected by SSL. The hacker persuaded the support team of the site’s hoster that he was the owner. As a result, he got the access he needed and redirected all requests to his own site, stealing all funds that belonged to users trying to use the wallet during those days. 

Even more, there is a version of SSL, that is vulnerable by itself. It’s the second oldest version of the protocol, but it can be scanned and cracked by special programs, as described here. The problem is that you don’t know the version of the protocol when you connect to a site, so the only way to protect yourself, in this case, is to stay cautious and never send any sensitive information through a website. 

Private messages and emails - impersonation without borders

Messengers and emails serve one purpose - to connect people from far off distances without them having to meet in person. Herein lies the problem, however - it's hard to understand if the message that came from some person was really sent by that person. And there are plenty of methods that frauders use to get what they want. Here is one such method of “social engineering”. 

Usually, it is supposed that the identity of the sender is confirmed by the email address itself. But it can be imitated to make the “From” field look like it was sent by someone else. It’s very easy - some mail clients allow writing any info in the field “from”. It’s possible even in Microsoft Outlook client. 

Source: https://www.mailguard.com.au/blog/netflix-phishing-180110 

The same story is with messengers. They might seem to be secure, with message end-to-end encryption between parties, but it doesn’t matter when it comes to social engineering. Many people dealing with ICOs have seen this kind of trick being used in Telegram, when fraudsters create a clone account of the admin or the founder of a channel dedicated to a particular ICO. As the only difference is one or two letters in the nickname, inside the profile details are different. Some people get fooled and send money. 

It’s easy to get fooled online - some people download false torrent files containing viruses and trojans, and then execute them without a proper scan, only because they don’t know about this type of online threat. 

Again, the only way to prevent falling into this trap is to be cautious and use dedicated software when it comes to handing over sensitive data or important documents. 

Microsoft solution and deepfakes

For a long time, Microsoft has been known as a leader in business software. No wonder they’ve tried to expand their ecosystem, and launched a service for storing, sharing, signing and encrypting documents. This product is called the Microsoft Azure Rights Management System (RMS), and it may be familiar to any Windows user, as it’s used in the family of Microsoft Office products. By its very design, users use this to keep their documents inside of cloud storage and assign rights and permissions to other people when necessary. 

The problem here is that hackers constantly try to find new ways to bypass security measures of every service and program, it’s in their very nature. That’s how they found a way to stealthily remove the write protection of a document, modify it, and still claim that the document was modified only by the victim. It's easy to imagine that this kind of vulnerability can be used for creating fake evidence, and that's leading to a much more serious problem than merely faking messenger accounts. 

Source: https://www.wired.com/story/these-new-tricks-can-outsmart-deepfake-videosfor-now/ 

This same type of data forgery can be seen in deepfake technology. This type of machine learning gets used to create videos of people doing things they didn't do, and it looks disturbingly real. In the modern era, videos are used as evidence - and the existence of deepfake technology poses the big question; should video be considered a trustworthy source of evidence from now on, and what technology should be considered reliable? An easy answer would be, you guessed it, blockchain technology. 

Blockchain registries can't be easily faked 

The blockchain is immutable, so all of its records can be considered genuine proof for a legal dispute or even simple fact checking. Every entry and change has a timestamp of creation, and it’s possible to store any necessary information there, including names, digital signatures, and email addresses.  

There are various blockchain services for storing and signing documents:

  • Authpaper Delivery can be used to deliver and sign confidential data, and create records about successful delivery. These records are stored on the blockchain, so they can’t be forged as easily.
  • OpenSign, as a blockchain-based service for electronic signatures, allows for mobile devices to sign a document with a private key, and then publish the document’s fingerprint to the Bitcoin blockchain. OpenSign doesn’t have any additional functionality, such as a network for sharing files or encryption; its main feature is the electronic sign. 
  • BlockSign is used for signing documents online and creating invoices. Of course, it’s blockchain-based. It creates the 32-digit hash for any document, writing it to its own blockchain, and it adds this hash to the transaction block every time this document is signed. So if there are four signatures on a document, the 32-digit string will show up four times in the blockchain.
  • KeeeX allows for the injection of blockchain-verified metadata into 250 types of files, and to sign for them with an electronic signature. The metadata gets backed up in the Bitcoin blockchain. At this point, this service can be used only by requesting access from the developer, as it’s not public. 

Out of all of them, Authpaper Delivery seems to be the closest solution to a functional anti-forgery system that is resistant to most types of attacks.

Authpaper Delivery’s protocol is based on the BitTorrent network. BitTorrent is a huge network accounting for nearly 3% of all traffic on the planet. It’s decentralized, it’s a peer-to-peer protocol for transferring files, but it lacks digital signatures and a blockchain to suit our needs: preventing document forgeries. Authpaper Delivery expands on this idea by adding these missing elements and giving its users true confidentiality.

What makes it the best contestant for making document forgery obsolete:

  1. First of all, it’s based on an existing protocol with millions of users, and the security of Authpaper Delivery is amplified by the security of BitTorrent.
  2. There’s no need for it to build additional infrastructure to incentivize the participation of nodes; having a node is similar to hosting a BitTorrent upload. But in addition, every node gets rewarded with the platform’s tokens, Authpaper coins (AUPC). The main function of nodes is storing the encrypted data, verification, and recording all operations on data and its delivery. All other blockchains have to build their own infrastructure for this. 
  3. Authpaper Delivery allows sending very large-sized files, including movies, software, or system images. None of the competitors can offer this option. 

Using this mix of technology there’s no more reason to worry about the protection of the sent data, as it is encrypted with two keys, and only the keyholders can decrypt it. Two parties can exchange any file, and the nodes that share it can’t see the content of those files they host. They’re just in charge of making sure that the transmission is successful, for which they are rewarded with tokens. The actual verification is handled by the anti-forgery system who prevents forging signs and stamps on the document, ensuring that once the document is signed, the receiver can’t deny the fact of the transfer. 

Source:https://xkcd.com/ 

Conclusion

As we’ve seen, the most vulnerable link in the chain of security solutions is human. Blockchain-based systems can’t be easily hacked. The blockchain isn’t a miracle solution for every problem in the world, but it sure can be of some use in those areas where it’s important to track time and participants, like document and data transmission. So next time when you need to handle important digital assets, you should consider using the proper tool for it!