Airtight security introduced for airline boarding passes


Because airline boarding passes can be issued up to 24 hours before a flight departs, and because of security gaps in existing boarding pass technology, fraudsters with even limited technical know-how could read, and tamper with, the information they contain.

The problem

While privacy and security measures in the air transport industry have remained largely unchanged over the years, fraudsters’ methods have not. Fraudsters have become more sophisticated with the shift to digital channels and the proliferation of data, putting both airlines and their passengers at greater risk today than ever.

Numerous measures have been introduced over the past decade to help authorities and airline staff identify fake boarding passes, most of them relying on advanced printing techniques.

The bar-coded boarding pass (BCBP) became widely available in 2010 and comprises a 2-dimensional (2D) bar code printed on a paper boarding pass or sent to a mobile phone for electronic boarding passes (e-boarding passes).

The BCBP standard was originally published in 2005 by the International Air Transport Association (IATA), the airline industry body that sets its technical standards. IATA updated it in 2008 to include symbologies for mobile phones, and again a year later to add a field for digital signatures in mobile bar codes.

While the move to BCBP has, in many instances, made travelling more convenient for passengers who can use mobile boarding passes, the technology behind it has not eliminated the risk of ticket fraud or identity theft, because the data in the bar code is not encrypted.

Not only does an unencrypted bar code leave the pass susceptible to tampering and unlawful use, it also leaves passengers open to identity fraud, because a boarding pass carries a great deal of personally identifiable information (PII), such as the passenger’s name and booking reference.

SigniFlow Americas CEO, Laila Robak, explains: “Besides the risks involved with ticket fraud, even companies that apply digital signatures to their boarding tickets do so only from a ticket integrity point of view. However, there is still unencrypted data within those tickets, and anyone with access to the bar code has access to the passengers’ data, creating a risk of identity fraud, which is certainly a security and compliance concern.”
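To make that exposure concrete, the following is an added example, not code from this article or from SigniFlow: a small Go parser for the 60-character mandatory section of an IATA “M1” boarding pass data string. The sample string is constructed for this example (the passenger, booking reference and flight are invented), the field offsets follow the published BCBP layout for the first flight leg, and the optional conditional section that can follow is not parsed. Reseat is a hypothetical helper that shows why a signature matters: with no integrity check on the data, an edited string parses exactly like a genuine one.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// SampleBCBP is a constructed single-leg "M1" data string in the layout of the
// IATA BCBP mandatory section (60 characters). Passenger, PNR and flight are invented.
const SampleBCBP = "M1DOE/JANE MARIE      EABC123 JNBLHRSA 0234 123Y012A00042100"

// BoardingPass holds the mandatory BCBP items for the first flight leg.
type BoardingPass struct {
	Legs          int
	PassengerName string // PII: surname/given names
	ETicket       bool
	PNR           string // PII: booking reference, usually enough to open the booking online
	From, To      string
	Carrier       string
	Flight        string
	JulianDate    int // day of year of departure
	Compartment   string
	Seat          string
	CheckInSeq    string
	Status        string
	CondSize      int // length (hex in the string) of the conditional section that follows
}

// ParseBCBP decodes the fixed-width mandatory section. Nothing here is secret:
// any scanner app can recover these fields from the bar code image.
func ParseBCBP(s string) (*BoardingPass, error) {
	if len(s) < 60 {
		return nil, fmt.Errorf("mandatory section is 60 characters, got %d", len(s))
	}
	if s[0] != 'M' {
		return nil, errors.New("unsupported format code: expected 'M'")
	}
	legs, err := strconv.Atoi(s[1:2])
	if err != nil {
		return nil, fmt.Errorf("number of legs: %w", err)
	}
	day, err := strconv.Atoi(s[44:47])
	if err != nil {
		return nil, fmt.Errorf("julian date: %w", err)
	}
	cond, err := strconv.ParseInt(s[58:60], 16, 32)
	if err != nil {
		return nil, fmt.Errorf("conditional size: %w", err)
	}
	return &BoardingPass{
		Legs:          legs,
		PassengerName: strings.TrimSpace(s[2:22]),
		ETicket:       s[22] == 'E',
		PNR:           strings.TrimSpace(s[23:30]),
		From:          s[30:33],
		To:            s[33:36],
		Carrier:       strings.TrimSpace(s[36:39]),
		Flight:        strings.TrimSpace(s[39:44]),
		JulianDate:    day,
		Compartment:   s[47:48],
		Seat:          strings.TrimSpace(s[48:52]),
		CheckInSeq:    s[52:57],
		Status:        s[57:58],
		CondSize:      int(cond),
	}, nil
}

// Reseat overwrites the 4-character seat field in place. Because the mandatory
// section carries no integrity check, the result parses exactly like a genuine pass.
func Reseat(s, seat string) string {
	if len(s) < 60 || len(seat) > 4 {
		return s
	}
	return s[:48] + fmt.Sprintf("%-4s", seat) + s[52:]
}

func main() {
	bp, err := ParseBCBP(SampleBCBP)
	if err != nil {
		panic(err)
	}
	fmt.Printf("readable PII: name=%q pnr=%q route=%s-%s flight=%s%s day=%d seat=%s\n",
		bp.PassengerName, bp.PNR, bp.From, bp.To, bp.Carrier, bp.Flight, bp.JulianDate, bp.Seat)
	forged, _ := ParseBCBP(Reseat(SampleBCBP, "1A"))
	fmt.Println("edited pass still parses, seat:", forged.Seat)
}
```

Everything the parser returns is readable by anyone who photographs the pass, which is the point Robak makes above; a signature over the string would let a reader reject the Reseat output, but it would not stop the name and booking reference from being read, which is why the article argues for encryption as well.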

The solution

With a team of cryptographic experts and experienced engineers behind it, the SigniFlow solution, which operates in a cryptographic signing environment, is a natural fit to build, develop and enhance the available technology behind boarding passes, and to irrevocably seal the data they contain.

According to IATA’s BCBP Implementation Guide, which describes the existing bar-coded boarding pass solution: “Bar Code on Printed Boarding Pass: the default bar code presented on a printed boarding pass is a 2-dimensional bar code in the PDF417 standard containing a structured data message (SDM). At the request of the airlines, version 7 extends the standard to allow Aztec, Datamatrix or QR code formats on printed boarding passes; those formats are currently used on electronic (mobile) boarding passes only.”

SigniFlow Director of Development Eugene Smit explains: “SigniFlow’s microservice architecture allows for signing, encrypting and verifying data on all boarding passes, enabling the generation of datastreams, signature streams or image-based bar codes, such as Aztec, QR, PDF417 and Datamatrix.

“The system produced by SigniFlow allows a ticket/pass generator to issue a unique private key for the signer, using our microservices, and the signer is then able to sign any datastream, and use complementary methods to produce bar codes of the data.”

SigniFlow offers two solutions, both of which extend on and secure existing boarding pass technology:

  • The Full Package solution: SigniFlow integrates with the airline’s existing system. When passenger data is entered, SigniFlow collects the data string, encrypts and signs it with an ECC (Elliptic Curve Cryptography) certificate, encodes the protected string in a 2D bar code (Aztec, PDF417, QR or Datamatrix) and returns the bar code to the airline for the boarding pass.
  • Data string encryption and signing: the airline keeps its current 2D bar code generation system, and SigniFlow integrates via API to collect the passenger data, encrypt and sign the string, and return it to the airline, which embeds it in the bar code.

Either way, explains Robak, the idea is to provide not only the required digital signature itself, but also encryption of the data, so that only provisioned electronic devices, the gate terminals and readers, can verify authenticity and decipher the embedded data.

“We also provide the instruction and processes to the certified authorities for access to the public key, through either a key distribution to their devices, in case of no network connectivity, or the public key being included in their key store system, where devices can access it and recognize/decode the data.”

The differentiator

Not only is the SigniFlow solution built on cryptography, so that any alteration of the bar code data is detected at the reader and the passenger data is unreadable to anyone without the decryption key, it also offers seamless integration into companies’ systems.

Because the solution lets companies add a security component to tickets by adding a new security module rather than replacing their existing systems, it is simple and safe to adopt, and it helps them comply with several industry, national and international standards.

“Stronger policies in national security have been enforced in many countries, and companies that issue tickets, whether for air travel, other transportation methods or entertainment, also need to comply with data privacy standards, such as the GDPR. By using our solution they can target both,” says Robak.

How it works

  • Secure cloud HSM where the keys are stored
  • SigniFlow Hybrid server deployed within the client’s control
  • Signing requests are issued to the SigniFlow Hybrid server
  • Verification requests are issued to the cloud HSM or to a centralised public key store

There are two main families of public-key algorithms: RSA (Rivest–Shamir–Adleman) and ECC (Elliptic Curve Cryptography). While SigniFlow is compatible with both, ECC certificates have been specifically identified by IATA for boarding pass signing.

ECC offers the same security as RSA with far smaller keys and signatures. Because the keys are smaller, signing and verification need less processing, and the signed data is more compact, which matters when a signature has to fit inside a bar code. For example, the most widely used RSA key size, 2048 bits, is rated as equivalent in strength to a 224-bit ECC key (roughly 112 bits of security), and an ECDSA P-256 signature is 64 bytes of signature data (the raw r and s values) against 256 bytes for RSA-2048. In practice, elliptic-curve keys are used to sign data and to agree shared keys; bulk data such as the boarding pass string is then encrypted with a symmetric cipher such as AES under a key derived from that agreement.
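The two integration options above, and the ECC discussion in this section, come down to one operation on the data string: sign it with the issuer’s key and encrypt it so that only provisioned readers can open it. The Go program below is an added example written for this page, not SigniFlow’s implementation, and it makes several assumptions the article does not state: the curve is P-256 (the article says only “ECC”); each reader is provisioned with its own ECDH private key plus the issuer’s public signing key; the token layout (ephemeral public key, nonce, AES-256-GCM ciphertext, base64) and the SHA-256 key derivation in sessionAEAD are choices made for the example, and a production system would use a proper KDF such as HKDF. sampleBCBP is a constructed string, not real passenger data. Open rejects a token with a single flipped bit, a token presented to a reader without the right device key, and a token signed by an unknown issuer, which is the check a gate scanner would perform before trusting any field.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// sampleBCBP is a constructed IATA-style data string (not real passenger data).
const sampleBCBP = "M1DOE/JANE MARIE      EABC123 JNBLHRSA 0234 123Y012A00042100"

const ephPubLen, nonceLen = 65, 12 // uncompressed P-256 point, AES-GCM nonce

// NewIssuerKey makes the issuer's ECDSA P-256 signing key. In the deployment
// described in the article this key would live in the cloud HSM.
func NewIssuerKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewReaderKey makes the ECDH P-256 key provisioned to one gate scanner (assumption).
func NewReaderKey() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// sessionAEAD agrees a shared secret and derives AES-256-GCM from it. Assumption:
// SHA-256 over a label and the secret stands in for a real KDF such as HKDF.
func sessionAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("bcbp-seal-v1:"), shared...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs data with the issuer key, then encrypts len(sig)||sig||data to the
// reader's key (ECIES-style: ephemeral ECDH + AES-256-GCM). Token layout,
// base64-encoded: ephemeralPub(65) || nonce(12) || ciphertext+tag.
func Seal(signKey *ecdsa.PrivateKey, readerPub *ecdh.PublicKey, data string) (string, error) {
	digest := sha256.Sum256([]byte(data))
	sig, err := ecdsa.SignASN1(rand.Reader, signKey, digest[:])
	if err != nil {
		return "", err
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	gcm, err := sessionAEAD(eph, readerPub)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	payload := append(append([]byte{byte(len(sig))}, sig...), data...)
	ephPub := eph.PublicKey().Bytes() // bound as associated data so it cannot be swapped undetected
	out := append(append(ephPub, nonce...), gcm.Seal(nil, nonce, payload, ephPub)...)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Open is the reader side: decrypt with the device key, then verify the issuer
// signature over the recovered data. A modified token, a reader without the
// right key, or a signature from an untrusted signer all fail before any data
// is returned.
func Open(decKey *ecdh.PrivateKey, issuerPub *ecdsa.PublicKey, token string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(raw) < ephPubLen+nonceLen+16 {
		return "", errors.New("malformed token")
	}
	ephPub, nonce, ct := raw[:ephPubLen], raw[ephPubLen:ephPubLen+nonceLen], raw[ephPubLen+nonceLen:]
	peer, err := ecdh.P256().NewPublicKey(ephPub)
	if err != nil {
		return "", err
	}
	gcm, err := sessionAEAD(decKey, peer)
	if err != nil {
		return "", err
	}
	payload, err := gcm.Open(nil, nonce, ct, ephPub)
	if err != nil {
		return "", errors.New("decryption failed: wrong device key or tampered token")
	}
	if len(payload) == 0 || len(payload) < 1+int(payload[0]) {
		return "", errors.New("malformed payload")
	}
	sig, data := payload[1:1+int(payload[0])], payload[1+int(payload[0]):]
	digest := sha256.Sum256(data)
	if !ecdsa.VerifyASN1(issuerPub, digest[:], sig) {
		return "", errors.New("signature invalid: not from a trusted issuer")
	}
	return string(data), nil
}
```

Seal returns a base64 string that can be handed to any Aztec, QR, PDF417 or Datamatrix encoder; at about 225 bytes before encoding for this sample it is well within the capacity of those symbologies. The signing key never leaves the issuer side, and a reader needs only the issuer’s public key plus its own device key, which matches the offline key-distribution option Robak describes above.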

To find out more about SigniFlow’s cryptography-based solutions, visit www.signiflow.com or contact us on the relevant number below:

International Contact Centre: 002710 300 4899

South Africa: +27(0)11-516-9403

Americas: +1-603-717-4248

United Kingdom: +44(0)208-611-2681

 


Brand new Hybrid Server range in the offing


The SigniFlow team has once again gone all out to ensure all our customers’ needs are met in every way, with our latest range of Hybrid Server licences.

Following an overwhelmingly positive response to our hybrid server solution, SigniFlow has pulled out all the stops to create a product that covers all bases, serves every one of our customers according to their specific needs and – above all – is first-class and failsafe.

A native cloud application utilising cloud computing frameworks and network-attached Hardware Security Modules (HSMs) to perform cryptographic signature operations, the SigniFlow solution was born out of the need for enterprise-level businesses to have maximum control over their data.

“For most small-to-medium businesses, accessing applications in the cloud was no problem, in fact it was in many cases preferred, but at an enterprise level, where highly sensitive documents and international legislation were involved, the need for more control was imminent,” explains Leon van der Merwe, Digital Director at SigniFlow.

In response to this need, SigniFlow launched its first open-enterprise on-premise SigniFlow Hybrid Server in 2017.

The term ‘Hybrid’, which we’ve used to name our server offering, refers to the combination of technology it employs – a dedicated hosted server, virtualisation technology and cloud-based cryptography.

Although often referred to as an on-premise solution, the SigniFlow Hybrid server is at home in a private server room or data centre, as well as in any hosted environment (private or public-cloud) and in a secure cloud services platform, like the popular Amazon Web Services (AWS) or Microsoft Azure.

The SigniFlow Hybrid brought about the ultimate in customisation, rebranding, enterprise information control, and an unrivalled bespoke integration landscape.

Highly successful among the big businesses the solution was intended for at the time, the technology drew such interest in the market at large during 2018, that suddenly businesses from across the spectrum wanted it.

“By listening to our customers, we realised that the solution, originally built for the enterprise, needed to be more flexible and scalable, to cater to medium – and even smaller – businesses,” says Van der Merwe.

“The SigniFlow team has once again gone full tilt in the idea factory, and we are very excited about our brand new Hybrid Server offerings for 2019.”

How the new licences work

The new SigniFlow Hybrid Server range consists of five new licences: the NANO-50, MEGA-250, TERA-500, PETA-1000 and the new document-based open-enterprise licence, the EXA-OPEN.

As its name suggests, the NANO-50 is a single-tenant Hybrid that caters for up to 50 users, with unlimited documents and unlimited signatures.

Similarly, the MEGA-250, TERA-500 and PETA-1000 cater for up to 250, 500 and 1 000 users respectively, all with document limits removed, and fully scalable and upgradeable licence plans.

From the MEGA-250 onwards, the servers can be duplicated to cater for more than 1 000 users and farmed for high-volume load balancing. Each comes with a second licence that can be used for disaster recovery (DR), or user acceptance testing (UAT or pre-prod). These models are also multi-tenant and can feature multiple business profiles per server.

The EXA-OPEN introduces a new approach to enterprise licensing. Documents, which may contain any number of signatories, are bought in packs, ranging from 1 000 to 400 000 documents per pack, at very low rates per document.

The real benefit of the EXA-OPEN kicks in for customers with document volumes above 400 000 per year, as the licence has a ceiling-charge equal to the 400 000 pack’s price. This means that after 400 000 documents, a flat annual rate is charged – no matter how many documents are involved or how many users are utilising the system.

The new Hybrid Server Licence Models are available in South Africa, South America, the United States, Europe, the Nordics and the United Kingdom.

 

For more information on how our Hybrid Server range can benefit your company, contact the team via support@signiflow.com  or phone:

South Africa : (+27) 10 300 4898

Americas: (+1) 603 717 4248

Europe: (+32) 494 102 095

Local digital signature company cements global alliance


Posted by IT Online on 19 November 2018.

 

South African-born digital signature and workflow solution SigniFlow, which offers a socially responsible product for business process automation, has landed on American shores.

A woman-owned small business based in New Hampshire, SigniFlow Americas is a member of the New Hampshire Tech Alliance, an affiliation committed to nurturing a technology ecosystem by building partnerships, enhancing knowledge, and shaping public policy.

The woman behind the new digital signature solution is Laila Robak, a Brazil-born entrepreneur with a passion for information technology and the power it has to transform and improve lives.

“We are very excited about the launch of SigniFlow Americas, and with Laila at the helm, this business is destined for greatness. We are proud to welcome all our Americas customers and partners to the global SigniFlow family,” says Leon van der Merwe, director of digital technologies at SigniFlow.

SigniFlow delivers enterprise-grade on-premise, private cloud and cloud solutions with a high level of integration, allowing companies to customise the solution to suit both their specific needs and their budgets. The solution provides legally valid digital signatures (cryptographic e-signing) and accepts digital certificates from almost any e-identity provider, publicly trusted certificate authorities (CAs) and privately signed public key infrastructures (PKIs).

Robak comments: “SigniFlow is a solution that can revolutionise business processes. It has various APIs that give us flexibility to create and integrate with existing systems and platforms, allowing organisations to choose from a range of options, from cloud to local deployments and hosted environments, and to use a mix of digital and electronic signatures – all while guaranteeing the legal validity of documents.”

Data protection: SA companies need to take a global stance


With the implementation of the EU’s data protection laws just around the corner, local entities need to study up on how it could affect them.

D-day for implementation of the European Union’s (EU) General Data Protection Regulation (GDPR) is just three months away – and South African organisations are by no means off the hook.

If you are a South African entity that handles individuals’ personal data, you will be acutely aware of our country’s data protection law – the Protection of Personal Information (POPI) Act – but have you considered how the looming GDPR affects the way you manage clients’ personal information?

The fact of the matter is, if you are a locally based business that offers goods or services to EU customers, you also handle personal data relating to EU citizens, and you are just as responsible for complying with the GDPR as any EU business.

Leon van der Merwe, head of digital at customer communication firm PBSA, points out that any entity controlling or processing data relating to EU citizens is affected by the GDPR. “Controlling refers to any organisation that states why and how data is processed, while a processor is any party doing the actual processing of the data, whether based in the EU, or not.”

GDPR vs POPI

Van der Merwe says it is crucially important for local companies with dealings abroad to do their homework and familiarise themselves with the GDPR’s ground rules. “Companies could be fined heavily under GDPR regulations if they fail to provide evidentiary and auditable processes, as well as adequate IT security, to protect personal data.”

The GDPR is a regulation born out of the European Parliament, Council of the European Union and European Commission’s joint intent to strengthen and unify data protection for EU citizens.

Non-compliance with the GDPR carries a fine of up to €20 million (about R290 million) or 4% of annual global turnover, whichever is higher.

Similar to SA’s POPI Act, the GDPR is all about data protection. Data includes things like a person’s name, email address and phone number, as well as information collected by website cookies like internet browsing habits.

Breaching rules laid out in the POPI Act comes with a R10 million fine and/or a jail sentence.

Van der Merwe summarises the parallels between the two data-protection directives: “POPI and GDPR are similar, in that they both aim to strengthen the protection of personal information. They differ in their approach, in that the GDPR takes a wider, more global perspective that includes anyone, anywhere either controlling or processing – or both – data relating to EU citizens.”

Auditable business processes

A big part of compliance, when it comes to both the POPI Act and the GDPR, specifically involves audit trails – something PBSA’s digital signature and workflow product, SignFlow, is heavily centred on.

For evidentiary purposes and in order for any company to assert GDPR compliance, the automated management of an audit trail is imperative.

Van der Merwe says SignFlow can assist customers in their strategy to automate and digitise processes in a responsible and compliant manner. “Business Process Automation is at the forefront of our technology development at SignFlow, including tools like DocFlow, CaseFlow and our digital customer on-boarding tools.”

At the core of SignFlow, he says, is Public Key Infrastructure (PKI). “PKI manages users’ private keys, and signs and secures documents using Public Key Cryptography. Not only does this make documents tamper-evident after they’ve been signed, but the entire operation is conducted in a secure network over encrypted secure socket layers between the public, personal devices and private servers.”

Unlike paper files and systems managing email attachments, this portal fully controls and audits the workflow and communication channels between interacting parties. “This greatly reduces the risk of data leaks,” says van der Merwe.

“The system enhances non-repudiation, creating a digital trail of undeniable events that prove intent and identity.”

With GDPR set to come into effect on 25 May 2018, and the high stakes attached to non-compliance, South African companies simply cannot afford not to take a global view on data protection. “The protection of personal information goes far beyond just the POPI Act for local companies dealing with international customers,” says van der Merwe.

 


ACS partnership bolsters digital certificate security


SignFlow has teamed up with Altech Card Solutions to offer Thales hardware security modules to its digital signature customers.

In a move that will see users’ private keys and personal digital certificates receiving a serious security boost, SignFlow has partnered with Altech Card Solutions (ACS), a division of Altron TMT, to offer Thales HSMs (hardware security modules) to digital signature customers.

Through the standard PKCS#11 cryptographic interface, SignFlow uses Thales nShield Connect HSMs to perform the cryptographic operations, and to fully manage and secure private keys and personal digital certificates.

Head of digital at SignFlow’s parent company PBSA, Leon van der Merwe, says the partnership with ACS sees SignFlow extending its integration reach to include the Thales nShield range of network-attached, FIPS 140-2 Level 3 HSMs.

“Apart from deploying the nShield devices in the highly secure SignFlow Cloud, we now also offer the nShield range to corporate customers who would like to localise and manage their SignFlow private keys in private data centres.”

The SignFlow HSMs are directly integrated with multiple local and global certificate authorities (CAs) to offer stringent, legally compliant Advanced Electronic Signatures (AdES), Qualified Electronic Signatures (QES) and Adobe Approved Trust List (AATL) certificates, which are applied to documents through its digital signature application.

A division of Altron TMT (Pty) Ltd, ACS was formed in 1993 and is today firmly established as a leading player in the secure electronic transactions market.

It is Thales’ established track record in the payments security space and global footprint in hardware and software encryption solutions that makes this partnership so advantageous, says ACS.

SignFlow, an enterprise-class digital signature and document workflow application, was born in a digital era that has seen new business opportunities emerging as paper-based systems are replaced by digital platforms.

SignFlow digital signatures are powered by robust public-key infrastructure (PKI) technology, which is recognised as best practice for ensuring digital accountability. SignFlow digital signatures offer an effective, secure and legally compliant method of providing accountability during electronic transactions.

“Our partnership with ACS will benefit customers across the spectrum – including consumers using SignFlow’s SignFREE to sign documents, businesses using the SignFlow Cloud to distribute documents and government and corporate institutions using SignFlow’s Enterprise Hybrid Servers and Private Network Servers to digitally sign and workflow documents for sign-offs,” says Van der Merwe.

Digital signature technology breakthrough for face-to-face signing

The SignFlow team has made a technological breakthrough that gives users the ability to carry out face-to-face document signing and turn a simple electronic signature into a certifiable digital signature with a full audit trail, on the fly.

Ideal for face-to-face contractual signing, the new SignFlow feature allows documents to be signed in person, with a graphical signature linked to the signer’s identity, cellphone number and email address. This gives the SignFlow user the opportunity to witness the signature, which, backed by a digital certificate, is legally valid.

While the use of electronic signatures obtained via mechanisms such as handheld signature pads is commonplace, SignFlow has taken the practice to the next level and is the only solution on the market that takes an e-signature and turns it into a digital signature, with the signer’s information embedded into a digital certificate.

SignFlow Face-to-Face is not just the scribble of a signature with a mouse – it is a fully-fledged, legally certifiable digital signature with all the security and non-repudiation benefits that come with it.

On top of this, the Face-to-Face signature from SignFlow has all the auditing advantages of a digital signature – another area in which it trumps electronic signatures. This means that, after the document has been signed and the PDF downloaded, the audit trail of the person that signed can be seen in the PDF document – allowing the user to validate the person’s signature using Adobe Acrobat.

A digital signature differs fundamentally from an electronic signature. An electronic signature has no active verification capability built into it – nor does it come with a traceable audit trail – leaving it wide open to fraud and repudiation.

A digital signature, on the other hand, is created by a cryptographic operation: the document is hashed and the hash is signed with the signer’s private key, so the signature is bound to both the signer and the content. It cannot be transplanted onto another document, and any change to the signed content invalidates it. This gives strong proof of the signer’s identity and protects the integrity of the document.

ee publishers – Digital signatures with one click

August 6th, 2014, Published in Articles: EngineerIT

by Hans van de Groenendaal, features editor, EngineerIT

New, ground-breaking technology, called “CoSign Click”, is set to revolutionise how companies “on-board” new customers: no more cumbersome and time-consuming manual process of printing out forms, signing in pen, scanning and uploading or emailing the document.

Leon van der Merwe – Business Development Manager

CoSign Click is a digital signature solution which enables a company’s customers to sign online documents and forms electronically without requiring a digital signature or any hardware signing device. “Until now, signing electronically with a digital signature was only available to licensed subscribers of digital signature applications,” said Leon van der Merwe, business development manager of Pitney Bowes, the first company to introduce CoSign Click to South Africa. “This new technology will be a boon for companies requiring customers to provide a once-off signature on a document or form.”

In South African law certain statutes require a signature before a document can be considered valid. If that signature is to be applied electronically, the Electronic Communications and Transactions (ECT) Act of 2002 refers to an “advanced” electronic signature (AeS), which is the only type of electronic signature recognised as legally acceptable for that purpose.

“We have partnered with ARX, a leading provider of digital signatures, to offer a legally compliant solution for digitally signing documents which can then be seamlessly integrated with an electronic document management system.”

There are three areas in which the technology ensures compliance, the three “I”s: intent (to sign), identity (of the signer) and integrity (of the document). After a person electronically signs a document, its content is protected: if changes are made to the signed document, the signature will no longer be valid. Digital signatures have become increasingly necessary in today’s international and local business world, as companies strive to automate and streamline their systems. CoSign Click provides a slick alternative to what has historically been a paper-intensive and inefficient process. “No printing or scanning, just a digital process,” said van der Merwe.

CoSign is said to be the most widely used digital signature solution. In 2013 it was recognised as “the strongest digital signature solution” in the Forrester Wave: E-Signatures report. Millions of people at large enterprises, SMBs, governments and cloud services around the world use CoSign every day on their computers and mobile devices to easily add secure digital signatures to documents in Word, Excel, PDF, SharePoint, OpenText, Oracle, Alfresco, Nintex, K2, and many other applications and file formats.

CoSign Click is an add-on component to collect digital signatures from partners, customers and other external parties. Documents that need to be signed are exported directly from existing workflows and securely sent to any external party from the CoSign Click interface. A web-based, mobile-ready application is used to sign the document and return it directly into the sender’s document management system.

View original article – ee publishers:

http://www.ee.co.za/article/digital-signatures-with-one-click.html
