Formatta products provide unparalleled levels of security to both the form publisher and users across the Internet. Formatta's e-forms technology incorporates unique security features for each of the potential security risks identified below:
| Security Issue | Formatta Solution |
|---|---|
| Form spoofing - What would happen if a hacker created a lookalike version of your form and then claimed it was your form? A customer might fill out the form with his/her confidential information, thinking it was your form. Just how does a user know that a particular form came from your company or agency? | Form Signing - Formatta allows the form author to digitally sign a form with a digital certificate (X.509). When users open a form, they can check the certificate and verify that the form came from your company. |
| Form tampering - How do you know that the form sent to you was, in fact, your original form? What would happen if someone copied your form and changed a few sentences: Instead of your verbiage, "...I declare under penalty of perjury...", the statement was changed to, "...I do NOT declare under penalty of perjury...". This forces the form author (business or government agency) into the unfortunate (and expensive) position of proofreading both the form data and the form itself to ensure it hasn't been changed. | Form Lock - Formatta's Form Lock allows the form author to lock a form so that no one else can edit it, even with a copy of Formatta Designer. Form Verification - Using Formatta's Form Verification feature, the form author can always determine if the form is legitimate (is your original form) or has been tampered with. This means companies or government agencies need only process authorized versions of their forms. |
| Form repudiation - What is a legally binding electronic transaction? If only data is submitted to a site (as opposed to both form and data), can the submitter be held legally responsible, or can their entire transaction be repudiated? | Form architecture - Formatta's form architecture (binding form and data together) meets case law and legislation for legal contracts. This architecture specifies: |
| Hacking - What if a hacker somehow obtained a completed form through interception or penetration? Is the form data encrypted? If so, is the encryption strong enough to withstand a brute force attack to decrypt the data in the form? | Encryption - Using encryption (either Formatta's built-in encryption or digital certificates), both the form author and the person filling out the form (Formatta Filler user) can specify their own unique passwords for encrypting data fields. This means that the form designer and form filler user never need to share passwords in order to encrypt or decrypt text fields or file attachments (passwords should never be disclosed). |
| Interception - What if an employee or customer emailed a form with financial information and it was misdirected or intercepted? Alternatively, what if your company/agency pre-filled a form with personal information and sent it to a user? Could the form then be opened and read by someone other than the intended recipient? | Secure Data Exchange - Form authors (the agency or business that created the form using Formatta Designer) will never know the passwords used to encrypt forms by Filler users; likewise, people filling out a form will never know the master password used by the form publisher. With Formatta Filler, encrypted data can be securely exchanged between form authors and form fillers. For example: There may be times when a form must be sent back to the person(s) who filled it out. The form author can re-encrypt the form using the master password and return it via email. Upon receiving the emailed form, the form filler user can decrypt it with his/her original password. Even if the form were intercepted, it could not be decrypted without the correct password. |
| ID spoofing - How do you know the identity of the person who actually completed the form? In the paper world, an inked signature (also called a wet signature) is the commonly accepted method for verifying a user's identity because wet signatures are difficult to forge. This is not usually the case in the electronic world. | Authentication - Formatta fully supports X.509 digital certificates for signing forms. Filler users can check revocation servers to ensure the signature is valid. |
| Spam - Suppose an individual or group of individuals made a concerted effort to flood your server with bogus e-forms. Would this information be written to your production database, overwriting legitimate data? | Validation - Formatta E-Forms Manager can automatically validate and authenticate incoming e-forms and reject unauthorized forms at the source, before processing by a production database. |
| Spoofing printed forms - Printed forms offer a special case of form spoofing. If someone prints a form on his/her local printer, signs it with a wet signature, and then sends the form via surface mail, how do you know this was your original form? What if someone redesigned the form using a word processing application and changed it (either on purpose or accidentally)? Would this document hold up in a court of law? | Dual Dimension Technology - Form authors can incorporate Formatta's Dual Dimension Technology into forms printed by an end-user. As the form is printed, a small two-dimensional barcode is dynamically generated that contains all of the data entered in the form, together with the appropriate XML tags. In addition, this barcode is encrypted so that only the form author can decrypt it. What was once a blank piece of paper is now a valid document which can be authenticated by the form author. |