With the proliferation of hand-held credit or debit card payment devices popping up in retail establishments, signing with your finger has become the new norm. But few can master a genuine signature with a fingertip on such a tiny screen. Are these squiggly, and often illegible, digital signatures really legally binding?
The answer is a resounding “yes.” A fingertip signature is just as binding as an ink one. “A signature is a mark affixed to a record showing a person’s intent,” says John Levy, executive vice president of IMM, which provides electronic signature and document solutions. “It goes back to the Civil War when soldiers would sign up and half of them couldn’t read or write. They laid down an X. That didn’t tell you who it was, but it was their mark showing their intent to sign.”
More recently, he says, governments have spoken at both the federal and state levels. The Uniform Electronic Transactions Act (UETA), adopted by nearly all states, and the federal Electronic Signatures In Global and National Commerce Act (ESIGN) both decree that a record or signature may not be denied enforceability simply because it is in digital form.
What’s more, Levy says that these laws have broadened the definition of a signature to include a process (such as clicking “I accept” on a user agreement screen) or even a sound. “Let’s say I call you on the phone and say I want to sell you this magazine and you say, ‘Yes, I’d like to purchase that,’” Levy adds. “With your permission, I’ll record you, and that .wav file can be used as your signature.”
How do they know it’s you?
They probably can’t. “These signatures can be legal by definition because of UETA and ESIGN. That doesn’t always mean if you go to court it will be enforceable,” Levy says. He adds that he’s signed with a fingertip many times himself when taking taxis or renting a surfboard. “It’s a great tool for low-ticket items. I wouldn’t want to sign that way if I were getting a $100,000 line of credit.”
How closely finger signatures resemble pen-and-ink ones is a matter for debate. “A merchant can compare the customer’s signature with the sample on the back of a credit card with the same accuracy,” according to Lindsay Wiese, spokeswoman for Square, which enables credit card swipes on iOS and Android devices. She adds that if a signature doesn’t look right, the user can shake the device and start over, much like an Etch A Sketch.
But not everyone experiences fingertip signing as comparable to signing with a pen or stylus. “A fingertip signature is worse than a handwritten signature,” says McAfee online security expert Robert Siciliano. “The first time I was asked for one, I thought, ‘Really? What am I, 3 years old? Are we fingerpainting here?’”
It may not matter, though, since pen-and-ink signatures do little to prove the identity of the signer. “The handwritten signature is, frankly, a b******* form of authentication,” Siciliano says. “It really has no security value whatsoever, and that applies to all handwritten signatures. Do you think the clerk behind the counter at Wal-Mart is skilled at handwriting analysis? You think, of the hundreds of signatures she looks at every day, she’ll notice the one that’s an imitation? It’s a completely false sense of security.”
This is one reason many credit card issuers look for behavioral cues, such as where a card is used, to help them catch fraud. “We know that signatures can vary and that it can be difficult for merchants to compare two signatures and ensure they are from the same person,” says Amelia Woltering, a spokeswoman for American Express. “Signatures are only one way that American Express and its merchants can detect fraudulent activity. We have found that the best way to approach this issue is from a holistic perspective. This means looking at physical features of the card and security information only the true card member would know.”
And, of course, she adds, “Following a long-standing practice, we will not hold our card members liable for any fraudulent charges.” This is true for most credit card issuers. So while signatures don’t do much to lower the risk of fraud, consumers are usually protected. You typically shouldn’t have to pay for anything you didn’t actually buy if someone steals your credit card, no matter what device is used to swipe it.
How secure is mobile swiping?
The security of mobile swiping systems can vary. Inputting credit card information into a smartphone or tablet can present troubling security risks, says Jerry Irvine, CIO of the IT outsourcer Prescient Solutions and a member of the National Cyber Security Partnership. “They could have a virus on their phone they’re not aware of capturing the data,” he says. Smartphones and tablets are vulnerable to viruses, he says — even those made by Apple, which once claimed its products were impervious. “The fact that these are now becoming point-of-sale devices should be concerning everyone,” he adds.
But even a device with a virus might not pose a security threat, since credit card swipe applications usually come with encryption. Square, for instance, encrypts credit card data as the card is swiped and never actually stores it on the device. So the likelihood of an identity thief obtaining your credit card information from an insecure smartphone or tablet would be very low (and no higher than if you enter your card number into the device while shopping online).
On the other hand, Irvine poses a much more troublesome question. When a waiter or clerk swipes your card into a mobile device, “How do you know that it’s the company’s tablet or smartphone taking the payment, and not that individual’s?”
Should you use them to take payments yourself?
The same rules that give you great protection as a consumer can work against you if you use a Square reader or other such device to take payments, for instance, at a yard sale or when collecting for charity. If someone who has stolen a credit card or created a fake one uses it to buy something from you, will you have to forfeit that payment?
The answer seems to be: It depends. “Merchants are governed by the parameters of their card acceptance agreement,” Woltering explains. “Certain merchants have, as a part of their setup and processing agreement, full recourse for charges disputed as fraud.” Merchants are also given clear procedures for how to authenticate a purchaser, she adds, and those who follow those procedures correctly are not held liable for fraud.
On the other hand, the Square user agreement suggests that the company might well withhold payment if you accept a fraudulently used card. A transaction may be reversed or charged back, it says, for any of a number of reasons, including if the transaction was not properly authorized, or is allegedly unlawful or suspicious. “You could be accepting a card from someone who isn’t who they say they are, and if your products or services go out the door, it could be your loss,” Siciliano says.
Thus, it’s a good idea to closely read any agreement you sign (including those that bind you when you click “I agree” on a website) before you start accepting mobile swipe payments. And depending on the transaction, you may want to take extra precautions. If you’re having a yard sale and a shopper wants to pay $3 for a spice rack that you would otherwise donate to charity, it may not be worth your while to ask for proof of identity. But for larger amounts, it’s a good idea to take a quick extra precaution. One simple step you could take is to ask to see a driver’s license and make sure that the name and the photo match both the person in front of you, and the name on the credit card.
What’s the future of these applications?
Though fingertip signatures today are no better, and maybe worse, than pen-and-paper ones, in the future that could change dramatically. That’s because these devices can offer dynamic biometrics — a method of authenticating the signer based on how he or she moves. “A dynamic biometric identifies you by, for instance, the way you type on a keyboard,” Siciliano says. “The way you sign your name using a mouse is another dynamic biometric. There are technologies out there that recognize that only you could sign your name with a mouse a certain way.” These measures are surprisingly accurate. “They have a very low false-positive rate. There’s only a minuscule chance that someone could forge this and it won’t know,” Siciliano says.
Fingertip signatures could ultimately provide biodynamic metrics for authentication. “Unlike paper signatures, we can see how a signature is made by looking at the speed and directions of the strokes,” Wiese says. “With paper receipts, all you have is the signature. With digital receipts, we can see how the signature is made and analyze it.”
Is Square doing this already? For security reasons, the company won’t say. But it’s clear that someday soon, the particular gesture with which you sign your name — along with your fingerprint, which some phones such as the iPhone 5 can now read — will likely prove who you are much better than an ink signature ever could.