Title: – Relevancy of ATM pins as Electronic Signatures

Abstract

A signature is a way of verification mechanism by which the presence of a person or acceptance of a person is verified. Signature can be defined as a person’s name in writing or any mark indicating or verifying the person to be present in himself. Now at present we are living in the digital era and almost everything has been digitalized. So, moving ahead we have adopted electronic signatures and digital signatures which carry the same value as of a physical signature done by any individual. Due to its adaptiveness and wide use among users electronic signatures have become valid under law and comes under the ambit of Information Technology Act of 2000.

Electronic Signature is defined under the Information Technology Act, 2000. Electronic signature as defined under IT act 2000 means authentication of any electronic record by a subscriber by means of the electronic technique specified in the second schedule and it includes digital signature.[1] Digital signature is a part of electronic signature which is issued to the applicant on request from the applicant. Several agencies work on to create digital signatures of people by charging a nominal fee. Once the process is completed by the applicant, the service provider company hand over the digital signature of the applicant to him through a medium of device and that digital signature is known as a digital signature certificate.

Apart from this method there are several other ways to verify a person electronically like the email verification, otp, pins, pictures, signing on a pad by the help of stylus, etc. Signing in through these methods also considered as a valid electronic signature.

Key words: – Electronic Signature, Digital Signature, Authentication, Digital Signature Certificate, Verification.

Introduction

Today we are living in the digital era where almost everything is done and accepted through digital means. However, being digitalized carries its own risk. There is always an increased chance of fraud or any mishappening while doing any actions on digital platform. This risk gave birth to the electronic signature and the concept of digital signature. Electronic signature concept was adopted with the evolvement of dependency on internet; however, this is also not the safest method to secure anyone’s presence or verify or authenticate the presence or validity of a person.

Electronic signatures also include OTP, Pins, Pictures, email verification, biometrics, which means these methods carry sufficient safety measures to verify a person. However, looking into the stance of the real existing world it is clearly visible that the presence or authentication of a person through these mediums are not sufficient and can be easily tampered. Among the methods of electronic signature only the method of digital signature done by the method of digital signature certificate is the safest and most reliable. It is the method which has the least chances of being tampered.

Digital signatures are put on a document by the issuance of digital signature certificates which is issued by several authorized agencies to the applicants upon payment of a nominal amount. This mechanism includes security of a private key and public key which guarantees the security as it is a technical mechanism which needs to be fulfilled in order to open or verify that document. However, every type of electronic signature is valid and carries its own security. Each type of electronic signature when put by a person verifies the identity of the person and allows the individual to enter into a contract.

Research Methodology

This paper is of descriptive nature which focuses on to put light on the legal validity of electronic signatures and digital signatures keeping in view the special focus on whether authentication methods like passwords and pins are to be considered as valid and effective electronic signatures. Secondary sources like books, journals, research websites, and opinions of people working in the field are used to conduct the research on this topic.

Types of Electronic signature:

There are several types of electronic signature but they are mainly categorized into 3 categories. They are based on the security levels they provide. They are mainly divided into class1, class2 and class3 and they provide certificates for each.

Class 1 carries the least protection mechanism with itself as it works by just an authentication or verification process by just sending an email or otp to the consumer. It is a least protected method as it does not verify the person to be true. It just sends an email or one time password to the user who verifies it and upon verification contract is made. Here the main problem lies in confirmation of the real person. As it is verified through a pre decided mechanism not only the real user but any person who will be in the current possession of the email account can accept on the user behalf and there is no chance of verifying the user’s will. For example A sends an otp on the number of B for verifying his will to enter into a contract of sale, during the time the otp was received the device containing the number of b was in possession of c and c accepted the contract without any notice of B, here although Contract was accepted from the side of B but B had no idea of that which can lead to a future dispute as for A the contract was complete but for B the contract was out of his knowledge.

Class 2 is almost similar to the class 1 verification process as here also there is no such proper verification of who accepts the contract. The only major difference here is that the identity of the person is verified by using a pre verified data base. However, the same problem lies here too. Any person can use the pre verified data base and enter into a contract with someone without actual knowledge of the real person on whose name the contract is being made.

Class 3 verification process is the most difficult and the most authentic way of electronic signature. This qualified electronic signature verifies authentication, identification and integrity of the person by providing the highest level of security. This is so much secure because this method requires a certifying authority who will validate the presence of a person either in person or through video.

Mechanism of ATM PINs to be an electronic signature

No doubt pins are considered to be electronic signature in our country as mentioned under the Information Technology Act 2000. However, they are easily vulnerable to tampering. Pins work on the mechanism of matching. i.e. the user sets a pin number for himself which the computer has to verify and once the pin entered matches with the pin given by user at beginning contract is done. The loop hole lies here that here pin does not verify the authenticity of that person, any person who enters the same combination of numbers as set by the user can form the contract even if the real user may have no idea about it.

This is an issue which is likely to happen more and more because when an user issues an debit card in his name and sets a pin to it, it forms a contract with the bank that the bank is liable to pay him the asked amount of money which is in the users account. The catch lies here that bank is liable to pay the asked sum when the given pin by the user is matched. Here, the pin acts like the signature of the user of the debit card. Once the pin entered during any transaction and pin given at beginning matches bank is bound to pay the asked sum to whoever enters the pin. Here the bank has no chance to verify that whether the person asking for the sum is the holder of the debit card or any fraud.

The pin here acts like the signature of the person holding the card by his name. Pins act like electronic signatures as during issuance of debit cards to any person the bank takes the signature of the applicant and issues a debit card on his name. Here, when the user of the card sets the pin for its use the pin automatically gets linked with the signature that he gave to the bank while applying for the card. The bank then links the pin to the signature of that person and believes that whenever the pin is used that is used by the applicant only and not by anybody else. It then works on that mechanism to supply cash to the user on demand. When the person moves to an atm puts his card and enters the pin the pin gets verified with the signature of the user that he once gave to the bank, and when that pin matches with the signature of the user the machine throws out cash.

Validity of Pins and Passwords as electronic signatures

The supreme court in the case of Tamil Nadu organic private ltd and others vs State Bank of India[2] held that Contractual liabilities could arise by way of electronic means as same manner as the contract could be enforced by law. This means that contract made by signing through electronic means will carry same validity as a contract when made physically by the presence of parties. However, the court here didn’t comment anything on the validity of pins and passwords to be considered as electronic signatures.

In another case of State of Maharashtra vs Dr. Praful B. Desai[3] the apex court was of the opinion that the use of digital signatures and electronic signatures are a valid document to verify the presence of a person or is sufficient to authenticate the presence or willingness o a person. This judgement played an important role in describing the importance of electronic signatures in facilitating electronic documents and to make the legally binding.

In the case of Trimex international Fze ltd Dubai vs Vedanta Aluminium limited[4] the apex court was of the opinion that offer and acceptance made through e mails and authentication made through pins and passwords will constitute a valid contract under the Indian Contract Act, 1872.

But there are no such cases in any of the Indian courts which puts light on the debate that whether ATM pins are electronic signatures or not. The courts in cases related to electronic signatures have only focused on the formation of contract between the parties ignoring the threat they impose to the user by means of fraud or mishap. There are judicial opinions where contract formation through electronic signatures is validated but no opinion is currently present which can clarify more on the way of authentication of the user.

However, in several foreign courts the courts have directly denied the fact that pins and passwords constitute electronic signature. The Hon’b court here was of the opinion that passwords and pins are easily vulnerable to fraud and due to its less security of verification it will not be considered as an electronic signature.

At a case in the court of first instance at the Fuenlabrada[5], the court dismissed a claim of the banking entity on the inability to prove the validity of a contract which included Pin of the ATM. In its judgement the court was of the opinion that pins and passwords are only a medium of verification and have no mechanism in them to identify the authentication of that person entering a pin. Instead, it was of the opinion that qualified certificates and electronic signatures are some of the reliable measures, which clearly indicates the court’s view on declining to recognize atm pins as valid electronic signatures. According to the court atm pins were only a medium of verification and not authentication so it cannot be considered as electronic signatures and it strongly held that atm pins in no way can be equivalent to electronic signatures.

Pros and Cons of Passwords and pins as Electronic Signatures

Pros

  • Simple verification technique to verify any transaction or document
  • Easy access
  • Effective method to verify

Cons

  • Only verifies the combination of numbers and does not authenticate the person
  • Unsecure method
  • May be easily tampered
  • Not capable of being authenticated

Issues for considering Pins and Passwords as Electronic Signatures

No doubt that pins and passwords are considered as electronic signatures and the companies forming this for the use of their business claim that this technology is a full proof tech backed by security. However, each of the password entered every time is identical as if they are a rubber stamp and any person may use it on the name of the company who has issued the stamp. Since any person who types the correct pin even if by chance or by fraud can use the services linked with it. This will leave no stones unturned for any individual or investigating agency to recognise who has been benefitted from the service in the name of another and whether that person was authorised to do so or has done the act fraudulently.

If ever the security gets breached or gets compromised every other document that the person used to access through the pin may be compromised. If ever the scenario takes place, it will become almost impossible to prove who has put the signatures and which signature is the authentic one. Systems that use passcodes as electronic signatures for authoristaion are like a rubber stamp that anyone in the possession of such stamp can give authority. They carry less weight than the photocopy signatures or signatures done digitally through pad and stylus. Passwords only work to manage access of information or services and signing electronic communications.[6] However, they are the most widely used method for verification of identity of any individual and also is involved in a large area of transactions of banking institutions including ATMs, online banking, credit card banking facilities, etc.

Conclusion

Digital signatures are a way to authenticate the presence or willingness of a person while any act is being committed on the name of that person. It is a modern way to bridge the gap between the availability of a person while attesting his willingness to enter into a contract. Digital signature provides the ease to a person to give his willingness and empowers the contract to authenticate the real owner by giving a chance to the person to put his signature anywhere anytime. Digital signatures are a way of mathematical algorithms where every step after step need to be matched in order to authenticate the willingness of a person, but in the case of electronic signature this algorithm misses out. It works on an easier procedure where the system has only to verify the person through a given code or command. It misses out the security that whether the person fulfilling the passcode is the person authorised with the passcode use or any fraud. Most of the banking and financial services use the method of electronic signature to validate a contract which results in increasing bank frauds and financial disorders.

Suggestion

ATM pins and passcodes are considered as an electronic signature at the present time in our country. However, there is no such special judgment given by any of the Indian courts which can clarify more on its use. Although there are several cases related to bank frauds in our every day journey our judiciary has not yet focused on this issue. The main purpose of signatures are to authenticate a person so as to prevent any fraud or mishap. But, if the signature itself isn’t capable to fulfill for what it was once created the what’s the purpose of this security? Considering ATM pins as electronic signatures, there is no or very negligible security present in itself. The loophole lies here that the ATM machine will encash every time the given pin by the user is entered maybe it is the user itself or any fraud. It cannot catch the fraud if anyone other than the user encash any amount fraudulently.

Considering such a situation it can be said that signature has failed in itself to fulfill its work for what it was created. The main catch is that signatures were created for security as it varies from person to person, but here in the concept of electronic signatures there is no way to authenticate whether the user is the person availing the benefit or any other person is being benefitted unethically.

Comparatively digital signature process is a more backed and successful procedure for the safety of the user. The algorithm-based plan which backs the concept of digital signature makes it a complete and absolute procedure. This method of protection shall be used in ATMs to make it more secure. Although this process is itself a complicated one of forming the digital signature certificates, technology shall evolve with time to create something more secure than the pins and passcodes which are easily tamperable.

So, in my opinion ATM pins and passcodes shall not be considered as electronic signatures rather it shall be only considered as a way of verification of transaction whose purpose should only be a medium of communication to the user that the card has been used for transaction.

Author: – Ahan Kumar Pattnaik

SOA National Institute of Law, Bhubaneswar


[1] Ins by Act 10 of 2009 s.4, effective 27 October 2009

[2] Tamil Nadu organic private ltd and others vs State Bank of India AIR 2014 103 Mad (India).

[3] State of Maharashtra vs Dr. Praful B. Desai (2003) 4 SCC 601 (India).

[4] Trimex international Fze ltd Dubai vs Vedanta Aluminium limited (2010) 3 SCC 1 (India).

[5] Signing a Contract with an OTP or PIN Invalidates the Agreement, available at: https://anf.es/en/signing-a-contract-with-an-otp-or-pin-invalidates-the-agreement/ (last visited June 13, 2024).

[6] UNCONSCIOUS MIND: AUTHENTICATING WITH SOMETHING YOU DON’T KNOW? OR JUST AN INFALLIBLE LIVENESS TEST? Available at: https://www.researchgate.net/publication/224175017_Unconcious_mind_Authenticating_with_something_you_don’t_know_Or_just_an_infallible_liveness_test (last visited June 13, 2024).