Is it possible to fake an electronic signature?
An electronic signature is a secure carrier of key information on which the owner’s data is encrypted. Documents signed with qualified electronic signatures (CES) are recognized as fully legally significant and correspond to paper registers endorsed by an individual (Part 1 of Article 6 63-FZ of 04/06/2011).
This is the main risk of an electronic signature - the deliberate use of an electronic signature without the knowledge of the owner leads to illegal enrichment and other offenses.
In essence, the electronic signature corresponds in importance to the passport. The use of a digital signature confirms not only the identity of an individual, but also his consent to certain actions. If you signed a document or conducted a remote transaction with an electronic digital signature, these transactions are recognized as legally significant. And in fact, it doesn’t matter who performed them - the owner or another person: it is very difficult to prove in court the intentional use of an electronic digital signature by a third party .
Federal Law 63 stipulates that it is impossible to forge an electronic signature. The electronic signature is created using crypto technologies; it cannot be hacked or faked. EDS fraud involves something else—the theft of a key medium, guessing a PIN code for the private part of a digital signature.
Any electronic device consists of open and closed parts . The open part is the digital signature certificate: it is available for viewing by all recipients of the document. But only the owner knows the private part: it is stored on a key medium (token) or recorded on a PC. The closed part of the electronic signature is protected with a PIN code, which is what scammers are trying to find out.
Previously, in order to obtain fake electronic signatures, fraudsters falsified personal documents of an individual and transferred them to a certification center to obtain an electronic digital signature in the name of this person. But as of July 1, 2020, the rules have changed: in order to receive an electronic signature, the certificate holder must visit a certification center and confirm his identity .
Cases of fraud with digital signature
There are many possible cases of fraud with electronic signatures: documents are signed using another person’s digital signature, money is transferred, and even real estate transactions are concluded. As an example:
- opening a one-day company for an individual;
- closure or transfer of business according to the manager’s electronic signature;
- obtaining loans, microloans;
- withdrawal of money from the company and its liquidation;
- filing false VAT returns for tax refunds;
- bidding fraud when participating in government procurement, blocking a participant’s access to trading procedures;
- remote execution of purchase and sale agreements, donations.
In 2021, a precedent : a Muscovite’s apartment was taken away by completing a transaction using an electronic digital signature. The owner of the property found out that his property was transferred under a gift agreement in the receipt for payment of housing and communal services - the owner of the apartment had changed. Moreover, he did not have a digital signature - the scammers forged his documents and issued a digital signature in his place. Nowadays it is impossible to obtain an electronic signature without the owner. And since 2021, Rosreestr will not conduct real estate transactions for individuals without the owner’s consent to the procedure with an electronic signature.
There are also such frauds: an employee is fired and they forget to revoke his electronic signature. He takes out loans or purchases goods on behalf of the organization and then disappears. The organization pays off the resulting debt.
Since 07/01/2021, many certification centers have lost the right to issue electronic signatures to individuals - they have not been re-accredited according to the new rules . Check the accreditation of your CA: if the center has not been re-accredited, then a signature issued before 07/01/2021 is valid only until 01/01/2022 (Part 4 of Article 3 476-FZ). And from 01/01/2022 you will have to obtain a new electronic signature from an accredited certification center.
To whom is a citizen obliged to give a copy of his passport?
A copy of the passport must be submitted to:
- when participating in electronic trading (Articles 51, 61, 62, 88, etc. Federal Law No. 44-FZ dated 04/05/2019);
- when applying for an official job (Article 65 of the Labor Code of the Russian Federation);
- when opening bank accounts, applying for a loan (clause 1.8 of the Bank of Russia Instruction No. 28-I dated September 14, 2006);
- when performing registration actions with real estate (clause 4, clause 12, article 18 of the Federal Law of July 13, 2015 N 218-FZ);
- a notary when performing notarial acts (Article 15 of the Fundamentals of the Legislation of the Russian Federation on notaries);
- in other cases directly provided for by law.
The worst thing is that any person who has received a copy of a passport can use it illegally, despite the fact that Article 19 of the Federal Law “On Personal Data” No. 152-FZ of July 27, 2006 obliges to take measures to ensure the security of personal data during their processing.
There are common cases where fraud with a copy of a passport was detected even by government agencies. Any unscrupulous employee can leak information to anyone.
Be vigilant and personally supervise the actions of the person when copying your passport. This is your legal right!
What to do if your digital signature is stolen
If your electronic signature is stolen, follow the instructions:
1. Revoke the certificate from the CA. The same must be done immediately after the employee is dismissed.
The procedure is quite simple: you should write an application for revocation to the center where the electronic signature certificate was issued. If you did not issue an electronic signature, but found out that someone issued it for you, trace the digital path of the electronic signature - find the site where the certificate was used and see who issued it. Contact this certification center and revoke your digital signature.
In addition, ask the CA for copies of the documents used to draw up the electronic signature - they will be needed for the application to the police.
2. File a police report.
Indicate in it that the scammers used an electronic signature without my knowledge, provide all copies of supporting documents. If the police do not initiate a case, contact the prosecutor's office or the Ministry of Telecom and Mass Communications.
3. Go to court to annul the transaction.
If you used a stolen digital signature to perform legally significant actions (signed documents, an agreement, conducted a real estate transaction), submit an application to the judicial authority to invalidate the documents or transaction. By analogy, contact the Federal Tax Service if you filed an inaccurate declaration or other information on behalf of an organization, registered or liquidated the company.
To cancel a declaration, submit an application and an adjustment report . To invalidate registration actions, find out the address of the fictitious company from the extract from the Unified State Register of Legal Entities and send an application in any form .
There are two types of document forgery - complete and partial
Complete forgery - production of a document in its entirety with all its details or its form, seal impressions, stamps, signatures in it.
Ways to completely fake it:
· production of the entire document or its form;
· entering deliberately false data into a document (intellectual forgery);
· forgery of the signature of the person certifying the document;
· counterfeiting of seals and stamps.
Partial forgery - making changes to the content or individual details of an original document.
The main methods of partial forgery of documents:
· addition - adding new words, letters or their individual elements to the original text in empty spaces or additions in order to change the semantic content of the document;
· erasure – mechanical removal of strokes, characters, words and individual text fragments;
· reprinting – adding new characters to empty spaces (between lines, words, individual characters) in the text of a typewritten document;
· etching – discoloration of the dye when exposed to alkalis (soda, sodium hydroxide), acids (acetic, citric) or oxidizing agents (hydrogen peroxide, bleach) ;
· rinsing – chemical removal of stroke dye using alcohol mixtures or solvents.
The main signs indicating partial forgery of documents:
when adding and reprinting:
· difference in color, shade of strokes;
· differences in the placement of strokes;
· compressed or, conversely, increased spaces between characters, changes in handwriting;
· different penetration, solubility, copying ability of strokes;
· difference in absorption and reflection of ultraviolet and infrared rays.
when cleaning:
· violation of the structure of the surface layer of paper, ruffled fibers, loss of gloss;
Reducing paper thickness;
· damage to the protective mesh or graphite;
· damage to nearby strokes;
· blurs, deeper penetration of the stroke material into the thickness of the paper;
· remnants of strokes of the original text;
· traces from the object for polishing.
when etching and washing off:
· increased porosity, dullness, fragility and hygroscopicity of the paper material;
· change in paper color;
· changing the protective grid;
· changing the strokes of adjacent records;
· remnants of the strokes of the original recordings.
Basic methods for identifying changes to the original content of a document:
· microscopic examination - examination using a microscope at magnification from 16x to 100x to study the structure of strokes and the surface layer of paper;
· color discrimination - a study using light filters of the spectral composition of reflected (for an opaque object) and transmitted (for a transparent object) light in order to differentiate single-color writing materials in strokes that differ in the dye material;
· chromatography is a method of separating and analyzing the components of a mixture (for example, substances of streak materials), based on the difference in the distribution of their components between the mobile and stationary phases on a strip of chromatographic paper (paper chromatography) or on plates with a fixed or unfixed layer of sorbent (thin layer chromatography);
· electrophoresis – a method of separating test substances in a buffer solution under the influence of electric current;
· research in the invisible rays of the spectrum - the study of differences in transmitted and reflected ultraviolet and infrared rays in order to differentiate single-color writing materials in strokes that differ in the dye material;
· luminescence analysis - the study of differences in the glow of substances of individual objects under the influence of ultraviolet rays and some visible rays.
Some properties of infrared (IR) rays:
· have greater penetrating power than visible ones; a number of objects that are not transparent to visible light are transparent to IR rays (paper, thin wood, etc.);
· are reflected and absorbed by various objects differently than rays of the visible part of the spectrum; different dyes of the same color may differ in absorption and reflection of IR rays;
· in an atmosphere containing various suspended particles (dust, fog) they are scattered much less than the rays of the visible part of the spectrum.
The main areas of application of IR rays:
· reading texts drenched or smeared with ink or blood (if the text itself is written in graphite pencil, ink, or executed on a printing device with black ribbon or in a typographical manner);
· identifying traces of preparation for copying using a pencil or carbon paper when forging signatures or part of a document;
· establishing differences in writing materials (ink, ink, pencil, etc.) used to create individual fragments of the document;
· reading text closed in an envelope or sealed with paper;
· to identify traces of soot, stains and dirt on dark fabrics and clothing (fabrics are transparent to IR rays, but soot is not);
· identification of fabric defects, as well as differentiation of materials;
· study of records, notes, stamps, etc. on contaminated surfaces of leather, cardboard, wood, fabrics;
· identification of additions and corrections in paintings made with paints of the same color as the original ones;
· consideration of the subcutaneous network of blood vessels, subcutaneous hemorrhages, foreign bodies (for example, shot) stuck in the subcutaneous fat, traces of a removed tattoo.
Some properties of ultraviolet (UV) rays:
· absorption and reflection of UV rays by various objects differs from their absorption and reflection of rays of the visible spectrum;
· UV rays can excite luminescence of various substances.
Main applications of UV rays:
· detection of traces of substances invisible to the eye, for example, traces of etching;
· restoration of the contents of etched texts (in some cases);
· study of the content of texts written with sympathetic ink (a colorless or slightly colored liquid used for secret writing; the executed text is revealed under the influence of heat, developing solution and other means); many substances included in such liquids absorb UV rays;
· establishing the difference between the strokes of a graphite pencil and black copy paper;
· establishing differences between strokes made with ink or pencils of the same color, but written at different times or differing in manufacturing technology;
· identification of various stains and marks on textile fabrics and other surfaces.
How to secure electronic signature
Neither 63-FZ nor other regulations provide a direct answer to the dangers of an electronic signature, but like any document (digital instrument), an electronic signature has a high probability of being used illegally. If you have never issued an electronic signature and do not know whether it was done for you, check the current electronic signatures on the State Services portal. Go to your personal account, and then to your profile - to the “Electronic Signatures” section. If there are no issued digital signatures, then there is nothing to worry about.
From practice, it is clear why an electronic signature is dangerous for individuals - because it is used without the knowledge of the owner to sign papers, conduct transactions and register legal entities for illegal enrichment . If you are registered on public platforms (State Services, the official website of the Federal Tax Service), periodically check the section with valid digital signatures. For example, on State Services you can check the latest actions; information about filing applications, registering a company or individual entrepreneur is displayed there. And on the Federal Tax Service website, in the taxpayer’s personal account, check whether someone has sent a report or application to the Federal Tax Service Inspectorate for deductions instead of you.
Here's how to secure an electronic signature for an individual :
- Set up notifications in government resources for logging into the system via electronic signature. Notifications come via SMS and email.
- Do not transfer the electronic signature to other people (including employees); limit access to the private part of the key to third parties.
- Additionally, protect your PC with an electronic signature with a password and antivirus. Be sure to set a password on the token or other key information carrier with digital signature. Lock your computer or laptop when you leave your workplace.
- Do not transfer copies and scans of personal documents to unknown and unverified counterparties, do not leave information on suspicious sites.
- Revoke the digital signature of the dismissed employee if you provided him with a certificate from the organization.
What scammers can do with lost passports or passport data
You need to keep your passport like the apple of your eye - we already know this when we received our very first document at the age of 14. Such attention to the main document of a citizen of the Russian Federation is justified. You can often hear that scammers can use a lost passport in the most sinister way - take out a loan, register a company, register ownership of a car or worse - an apartment, buy a SIM card.
They are especially afraid of loans. Sometimes the victim may not even know about the fraudulent activities - everything is revealed only when collectors start calling, “knocking out” money, or they do not give a new loan due to a bad credit history. Is it really possible for scammers, having obtained someone’s passport, to go to the bank with it and apply for a loan?
The Ministry of Internal Affairs told Gazeta.Ru that such a scenario is still unlikely, but there are risks. “If a loan is obtained at a bank office, the procedure requires the personal participation of a citizen who signs an application, application and other documents. In this case, the citizen’s identity is verified, as a rule, by two representatives of the credit institution, the passport is scanned, and the applicant is photographed. In such cases, applying for a loan using someone else’s passport is possible only if there is an agreement with representatives of the credit institution,” the department explained.
However, in cases where a loan is provided through a remote service, it is more difficult to identify the applicant’s identity, the Ministry of Internal Affairs noted. Then there is a risk of applying for a loan by presenting someone else’s passport, passport scans or passport data.
“In other words, getting a loan using someone else’s passport is difficult, but possible,” the department said.
Fraudsters caught in such a crime are charged under Article 159.1 of the Criminal Code of the Russian Federation “Fraud in the field of lending” - this is the theft of money by providing knowingly false data to the bank. If a loan is received by an individual entrepreneur or the head of a company, having indicated in the documents false information about the financial condition of the organization, then this is 176 of the Criminal Code of the Russian Federation “Illegal receipt of a loan.”
Big trouble
The Central Bank said that the issuance of a loan by third parties using someone else’s passport is a rare case. “However, it should be remembered that a citizen’s personal data, including passport data, is recorded in a variety of places, from hotels to online ticket purchasing services. In modern conditions, it is almost impossible to completely eliminate the provision of your personal data to third parties, but it is recommended to minimize risks by not posting documents publicly on social networks, not sending copies of them by email, not leaving your passport as collateral, etc.,” they warned. at the Bank of Russia.
It is on the Internet that the greatest risks lie, experts in the field of information security confirm. According to Andrey Kostin, senior content analyst at Kaspersky Lab, the main danger is online fraud.
“For example, you supposedly won a prize, but to receive it you need to confirm your age (your identity) and send the scammers your passport details,” Kostin explained.
Pseudo-employers can also lead you into a trap. There are unscrupulous job search services where you will be asked to send a scan of your passport. After this, nothing happens, the scammers get the data, and your song is done. A passport is also asked for when registering at online casinos, as well as on some dating sites. “Such services should not be trusted, because a data leak can happen at any time,” Kostin warned.
Fraudsters have learned to hook victims using phishing. Criminals create a copy of some government service and wait for the desired foreign data to appear there. Then, together, criminals can get an INN, passport, and SNILS.
Another big danger is the black market where passport data is sold. “And at one point the victim finds out that, for example, he is the owner of a problem company or the holder of a large loan. Unscrupulous agents can also use the data to transfer the funded part of the pension to a non-state pension fund. Using passport data, fraudsters can also carry out various frauds on the Internet, produce a fake passport, and so on,” Kostin said.
Confrontation
At the same time, passport data itself, contrary to popular belief, is of less interest to criminals - it is too difficult to monetize, Dmitry Kuznetsov, director of Positive Technologies for methodology and standardization, told Gazeta.Ru. Another thing is copies of passport pages.
“During checks by regulators, the bank must somehow confirm the operation; this is why a copy of the passport is made. The bank employee creates a package of documents related to this operation, which includes a copy of the passport. That is, the copy itself, and not the data in it, confirms that the client performed the operation personally and presented his passport,” he explained.
Indeed, if the employee is an accomplice, then it won’t cost a fraudster anything to commit a crime with a scan of someone else’s passport. “The only difficulty is the client's signature, but criminologists estimate that 87% of people's signatures are too simple to detect a forgery in a document that does not contain other handwritten inscriptions. In this case, it is difficult for the injured client to challenge such an operation,” said Kuznetsov.
Without collusion, applying for a loan at a branch is a tough nut to crack for scammers.
Bad plans are most often thwarted by a thorough check of the borrower. Reliable banks do not issue loans online, even if preliminary verification and approval can take place remotely; a face-to-face meeting through a courier or in a branch cannot be avoided. “In any case, if a person is promised a solid loan online with minimal documents, he needs to be wary, since there are high risks of stumbling upon scammers,” says Sergei Nikitin, deputy head of the Group-IB computer forensics laboratory.
How to protect yourself
Kaspersky Lab warned: never store scans of your passport, driver’s license or any other identification documents on your computer. The fact is that there is virus software that “hunts” precisely for such documents. You cannot send a scan of your passport through instant messengers and social networks. You should not store photos of documents on your phone, because it can simply be stolen.
On the Internet, it is better to be tirelessly vigilant than to later become the unwitting owner of a large loan. You should not follow links in messages from strangers or click on advertising banners on dubious sites. “Do not enter your personal data anywhere except for individual services in which you are completely confident,” Kostin warned.
If the passport has already been stolen or lost not in digital, but in physical form, then you need to immediately report it to law enforcement agencies. “As practice shows, the presence of a police certificate confirming the loss of an identity card on the date of the loan is accepted by banks as evidence that the citizen did not take out a loan,” the Central Bank said.
In the worst case scenario - discovery of a debt that is not yours - you must request from the bank certified copies of documents confirming the issuance of the loan, and also find out all the circumstances (date, time, account details). With this data, go to law enforcement agencies. It is also necessary to submit an application to the bank, attaching documents received from the police.