With the proliferation of hand-held credit or debit card payment
devices popping up in retail establishments, signing with your
finger has become the new norm. But few can master a genuine
signature with a fingertip on such a tiny screen. Are these
squiggly, and often illegible, digital signatures really legally
The answer is a resounding "yes." A fingertip signature is just
as binding as an ink one. "A signature is a mark affixed to a
record showing a person's intent," says John Levy, executive vice
president of IMM, which provides electronic signature and document
solutions. "It goes back to the Civil War when soldiers would sign
up and half of them couldn't read or write. They laid down an X.
That didn't tell you who it was, but it was their mark showing
their intent to sign."
More recently, he says, governments have spoken at both the
federal and state levels. The Uniform Electronic Transactions Act
(UETA), adopted by nearly all states, and the federal Electronic
Signatures In Global and National Commerce Act (ESIGN) both decree
that a record or signature may not be denied enforceability simply
because it is in digital form.
What's more, Levy says that these laws have broadened the
definition of a signature to include a process (such as clicking "I
accept" on a user agreement screen) or even a sound. "Let's say I
call you on the phone and say I want to sell you this magazine and
you say, 'Yes, I'd like to purchase that,'" Levy adds. "With your
permission, I'll record you, and that .wav file can be used as your
How do they know it's you?
They probably can't. "These signatures can be legal by definition
because of UETA and ESIGN. That doesn't always mean if you go to
court it will be enforceable," Levy says. He adds that he's signed
with a fingertip many times himself when taking taxis or renting a
surfboard. "It's a great tool for low-ticket items. I wouldn't want
to sign that way if I were getting a $100,000 line of credit."
How closely finger signatures resemble pen-and-ink ones is a
matter for debate. "A merchant can compare the customer's signature
with the sample on the back of a credit card with the same
accuracy," according to Lindsay Wiese, spokeswoman for Square,
which enables credit card swipes on iOS and Android devices. She
adds that if a signature doesn't look right, the user can shake the
device and start over, much like an Etch A Sketch.
But not everyone experiences fingertip signing as comparable to
signing with a pen or stylus. "A fingertip signature is worse than
a handwritten signature," says McAfee online security expert Robert
Siciliano. "The first time I was asked for one, I thought, 'Really?
What am I, 3 years old? Are we fingerpainting here?'"
It may not matter, though, since pen-and-ink signatures do
little to prove the identity of the signer. "The handwritten
signature is, frankly, a b******* form of authentication,"
Siciliano says. "It really has no security value whatsoever, and
that applies to all handwritten signatures. Do you think the clerk
behind the counter at Wal-Mart is skilled at handwriting analysis?
You think, of the hundreds of signatures she looks at every day,
she'll notice the one that's an imitation? It's a completely false
sense of security."
This is one reason many credit card issuers look for behavioral
cues, such as where a card is used, to help them catch fraud. "We
know that signatures can vary and that it can be difficult for
merchants to compare two signatures and ensure they are from the
same person," says Amelia Woltering, a spokeswoman for American
Express. "Signatures are only one way that
and its merchants can detect fraudulent activity. We have found
that the best way to approach this issue is from a holistic
perspective. This means looking at physical features of the card
and security information only the true card member would know."
And, of course, she adds, "Following a long-standing practice,
we will not hold our card members liable for any fraudulent
charges." This is true for most credit card issuers. So while
signatures don't do much to lower the risk of fraud, consumers are
usually protected. You typically shouldn't have to pay for anything
you didn't actually buy if someone steals your credit card, no
matter what device is used to swipe it.
How secure is mobile swiping?
The security of mobile swiping systems can vary. Inputting credit
card information into a smartphone or tablet can present troubling
security risks, says Jerry Irvine, CIO of the IT outsourcer
Prescient Solutions and a member of the National Cyber Security
Partnership. "They could have a virus on their phone they're not
aware of capturing the data," he says. Smartphones and tablets are
vulnerable to viruses, he says -- even those made by Apple, which
once claimed its products were impervious. "The fact that these are
now becoming point-of-sale devices should be concerning everyone,"
But even a device with a virus might not pose a security threat,
since credit card swipe applications usually come with encryption.
Square, for instance, encrypts credit card data as the card is
swiped and never actually stores it on the device. So the
likelihood of an identity thief obtaining your credit card
information from an insecure smartphone or tablet would be very low
(and no higher than if you enter your card number into the device
while shopping online).
On the other hand, Irvine poses a much more troublesome
question. When a waiter or clerk swipes your card into a mobile
device, "How do you know that it's the company's tablet or
smartphone taking the payment, and not that individual's?"
Should you use them to take payments yourself?
The same rules that give you great protection as a consumer can
work against you if you use a Square reader or other such device to
take payments, for instance, at a yard sale or when collecting for
charity. If someone who has stolen a credit card or created a fake
one uses it to buy something from you, will you have to forfeit
The answer seems to be: It depends. "Merchants are governed by
the parameters of their card acceptance agreement," Woltering
explains. "Certain merchants have, as a part of their setup and
processing agreement, full recourse for charges disputed as fraud."
Merchants are also given clear procedures for how to authenticate a
purchaser, she adds, and those who follow those procedures
correctly are not held liable for fraud.
On the other hand, the Square
suggests that the company might well withhold payment if you accept
a fraudulently used card. A transaction may be reversed or
, it says, for any of a number of reasons, including if the
transaction was not properly authorized, or is allegedly unlawful
or suspicious. "You could be accepting a card from someone who
isn't who they say they are, and if your products or services go
out the door, it could be your loss," Siciliano says.
Thus, it's a good idea to closely read any agreement you sign
(including those that bind you when you click "I agree" on a
website) before you start accepting mobile swipe payments. And
depending on the transaction, you may want to take extra
precautions. If you're having a yard sale and a shopper wants to
pay $3 for a spice rack that you would otherwise donate to charity,
it may not be worth your while to ask for proof of identity. But
for larger amounts, it's a good idea to take a quick extra
precaution. One simple step you could take is to ask to see a
driver's license and make sure that the name and the photo match
both the person in front of you, and the name on the credit
What's the future of these applications?
Though fingertip signatures today are no better, and maybe worse,
than pen-and-paper ones, in the future that could change
dramatically. That's because these devices can offer
-- a method of authenticating the signer based on how he or she
moves. "A dynamic biometric identifies you by, for instance, the
way you type on a keyboard," Siciliano says. "The way you sign your
name using a mouse is another dynamic biometric. There are
technologies out there that recognize that only you could sign your
name with a mouse a certain way." These measures are surprisingly
accurate. "They have a very low false-positive rate. There's only a
minuscule chance that someone could forge this and it won't know,"
Fingertip signatures could ultimately provide biodynamic metrics
for authentication. "Unlike paper signatures, we can see how a
signature is made by looking at the speed and directions of the
strokes," Wiese says. "With paper receipts, all you have is the
signature. With digital receipts, we can see how the signature is
made and analyze it."
Is Square doing this already? For security reasons, the company
won't say. But it's clear that someday soon, the particular gesture
with which you sign your name -- along with your fingerprint, which
some phones such as the iPhone 5 can now read
-- will likely prove who you are much better than an ink signature