Familiar w/ DocuSign? Secure?

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills
Post Reply
kaneohe
Posts: 4956
Joined: Mon Sep 22, 2008 12:38 pm

Familiar w/ DocuSign? Secure?

Post by kaneohe » Thu Jun 29, 2017 12:44 pm

I asked CU for a letter documenting beneficiary on account. Instead they told me I hadn't signed application card (even tho account has been open
for 6 mos.) They said they would e-mail me copy of application which had beneficiary listed and to sign it using DocuSign. Then I could keep a copy of the finalized form as documentation of beneficiary.

I was quite surprised and a bit shocked when I opened the e-mail. A simple click of a "View Document" revealed everything you don't want
in a e-mail: SSN/DOB/password to acct. I thought having such info in an e-mail (even via a attached link) was not considered good practice.
What is different about DocuSign that makes CU think things are fine this way?

2retire
Posts: 370
Joined: Wed Jun 13, 2012 9:00 am

Re: Familiar w/ DocuSign? Secure?

Post by 2retire » Thu Jun 29, 2017 1:05 pm

That was a link to a website where the document is hosted. It may be one of DocuSign's servers, or the company that uses their product may host their own internal DocuSign server. If you really wanted to prove it to yourself, you could install something like Fiddler or a packet sniffer on your PC and see that they open a HTTPS request when you click on the link.

User avatar
jhfenton
Posts: 3253
Joined: Sat Feb 07, 2015 11:17 am
Location: Ohio

Re: Familiar w/ DocuSign? Secure?

Post by jhfenton » Thu Jun 29, 2017 1:25 pm

As 2retire said, I would verify that you're on a secure connection to an actual DocuSign server, but once you are sure of that, I would readily trust DocuSign with a document containing confidential information. We use it for highly confidential and multi-million dollar contracts.

I can see your concern with a link in an open email to a document containing pre-populated confidential information. I would prefer that they leave that for me to complete.

User avatar
jharkin
Posts: 1775
Joined: Mon Mar 28, 2016 7:14 am
Location: Boston suburbs

Re: Familiar w/ DocuSign? Secure?

Post by jharkin » Thu Jun 29, 2017 1:33 pm

kaneohe wrote:I A simple click of a "View Document" revealed everything you don't want
Clicking on view document opened it up in your browser on the Docusign server. As others mentioned above it should have been over an HTTPS connection. That information was almost certainly NOT in the email itself.


Electronic verification systems like this are going to become more and more prevalent in t future. If done right they are theoretically more secure than paper docs and easily forged pen signatures.

User avatar
Kenkat
Posts: 4213
Joined: Thu Mar 01, 2007 11:18 am
Location: Cincinnati, OH

Re: Familiar w/ DocuSign? Secure?

Post by Kenkat » Thu Jun 29, 2017 1:34 pm

As others have said, Docusign itself is very secure. They way the CU is using it, not so much. Best practice is that you would be prompted for some additional information after you clicked the link - for example last 4 of SSN and your birthdate or last name. Only then would the document be shown. Docusign supports this but it is up to the CU exactly how they implement it.

kaneohe
Posts: 4956
Joined: Mon Sep 22, 2008 12:38 pm

Re: Familiar w/ DocuSign? Secure?

Post by kaneohe » Thu Jun 29, 2017 3:59 pm

Kenkat wrote:As others have said, Docusign itself is very secure. They way the CU is using it, not so much. Best practice is that you would be prompted for some additional information after you clicked the link - for example last 4 of SSN and your birthdate or last name. Only then would the document be shown. Docusign supports this but it is up to the CU exactly how they implement it.
Thanks to all for your comments. . I am thinking now that the comments above summarize things........that although the process may be very secure, the CU actual process degrades things. The sequence was I was sent e-mail w/ attached document; after I signed on DocuSign, e-mail w/ my signature went to spouse for 2nd signature. After 2nd signature, it was returned to CU, and then I was sent a copy of the finished document w/ both signatures. This final copy had 2 layers of security: the e-mail log in and then when I clicked on the link to view document, another password was required.

However, in the initial stages when I was signing and when spouse was signing, the document w/ all the sensitive info could be seen using only
the e-mail log in info.

kaneohe
Posts: 4956
Joined: Mon Sep 22, 2008 12:38 pm

Re: Familiar w/ DocuSign? Secure?

Post by kaneohe » Thu Jun 29, 2017 4:05 pm

jharkin wrote:
kaneohe wrote:I A simple click of a "View Document" revealed everything you don't want
Clicking on view document opened it up in your browser on the Docusign server. As others mentioned above it should have been over an HTTPS connection. That information was almost certainly NOT in the email itself.


Electronic verification systems like this are going to become more and more prevalent in t future. If done right they are theoretically more secure than paper docs and easily forged pen signatures.
but if someone hacked into my e-mail,wouldn't they have able to view the document just as I did?

User avatar
jharkin
Posts: 1775
Joined: Mon Mar 28, 2016 7:14 am
Location: Boston suburbs

Re: Familiar w/ DocuSign? Secure?

Post by jharkin » Thu Jun 29, 2017 4:22 pm

kaneohe wrote:
jharkin wrote:
kaneohe wrote:I A simple click of a "View Document" revealed everything you don't want
Clicking on view document opened it up in your browser on the Docusign server. As others mentioned above it should have been over an HTTPS connection. That information was almost certainly NOT in the email itself.


Electronic verification systems like this are going to become more and more prevalent in t future. If done right they are theoretically more secure than paper docs and easily forged pen signatures.
but if someone hacked into my e-mail,wouldn't they have able to view the document just as I did?
They could, but didnt the bank give you a code to enter when you clicked that view document link?

When I have had DocuSign documents, the bank emailed me the link, but provided me the code verbally over the phone. Both were needed to get in to see the sensitive information.


If there was not code or password then you are absolutely right - big vulnerability.

mega317
Posts: 2554
Joined: Tue Apr 19, 2016 10:55 am

Re: Familiar w/ DocuSign? Secure?

Post by mega317 » Thu Jun 29, 2017 5:51 pm

Yeah we used docusign for our most recent home sale and purchase. No code, just clicked the link. Not great.

User avatar
Clever_Username
Posts: 1042
Joined: Sun Jul 15, 2012 12:24 am
Location: Southern California

Re: Familiar w/ DocuSign? Secure?

Post by Clever_Username » Thu Jun 29, 2017 6:02 pm

mega317 wrote:Yeah we used docusign for our most recent home sale and purchase. No code, just clicked the link. Not great.
Same. I also used it for a lease on my previous apartment and for leasing out my previous condo.
"What was true then is true now. Have a plan. Stick to it." -- XXXX, _Layer Cake_

kaneohe
Posts: 4956
Joined: Mon Sep 22, 2008 12:38 pm

Re: Familiar w/ DocuSign? Secure?

Post by kaneohe » Thu Jun 29, 2017 6:06 pm

jharkin wrote:
kaneohe wrote:
jharkin wrote:
kaneohe wrote:I A simple click of a "View Document" revealed everything you don't want
Clicking on view document opened it up in your browser on the Docusign server. As others mentioned above it should have been over an HTTPS connection. That information was almost certainly NOT in the email itself.


Electronic verification systems like this are going to become more and more prevalent in t future. If done right they are theoretically more secure than paper docs and easily forged pen signatures.
but if someone hacked into my e-mail,wouldn't they have able to view the document just as I did?
They could, but didnt the bank give you a code to enter when you clicked that view document link?

When I have had DocuSign documents, the bank emailed me the link, but provided me the code verbally over the phone. Both were needed to get in to see the sensitive information.


If there was not code or password then you are absolutely right - big vulnerability.
Nope , no code to view document before signing In the process of signing I was asked to provide a password to be used in the future.
So once the process was complete with both signatures, I got another e-mail with a similar looking link but this time I had to provide that
password to view. So final result seemed ok but the initial interim steps didn't sound very secure.

User avatar
F150HD
Posts: 1570
Joined: Fri Sep 18, 2015 7:49 pm

Re: Familiar w/ DocuSign? Secure?

Post by F150HD » Thu Jun 29, 2017 6:28 pm

ditto. used it to sign some mortgage documents some time ago

MindBogler
Posts: 633
Joined: Wed Apr 17, 2013 12:05 pm

Re: Familiar w/ DocuSign? Secure?

Post by MindBogler » Thu Jun 29, 2017 9:03 pm

I completed every document for new construction except final closing via Docusign. I also sold my last property via Docusign (also minus closing). I believe they are trustworthy.

kaneohe
Posts: 4956
Joined: Mon Sep 22, 2008 12:38 pm

Re: Familiar w/ DocuSign? Secure?

Post by kaneohe » Fri Jun 30, 2017 7:18 am

kaneohe wrote:
jharkin wrote:
kaneohe wrote:
jharkin wrote:
kaneohe wrote:I A simple click of a "View Document" revealed everything you don't want
Clicking on view document opened it up in your browser on the Docusign server. As others mentioned above it should have been over an HTTPS connection. That information was almost certainly NOT in the email itself.


Electronic verification systems like this are going to become more and more prevalent in t future. If done right they are theoretically more secure than paper docs and easily forged pen signatures.
but if someone hacked into my e-mail,wouldn't they have able to view the document just as I did?
They could, but didnt the bank give you a code to enter when you clicked that view document link?

When I have had DocuSign documents, the bank emailed me the link, but provided me the code verbally over the phone. Both were needed to get in to see the sensitive information.


If there was not code or password then you are absolutely right - big vulnerability.
Nope , no code to view document before signing In the process of signing I was asked to provide a password to be used in the future.
So once the process was complete with both signatures, I got another e-mail with a similar looking link but this time I had to provide that
password to view. So final result seemed ok but the initial interim steps didn't sound very secure.
Perhaps this is the explanation..........I do remember the rep saying they would send something to my cellphone. Perhaps that was the code.
I told her I didn't have a cellphone so they sent the e-mail anyway with the contents easily visible w/o code. So as some said, perhaps theDocuSign
process is fine, but the CU cut corners and used a fast & cheap method .......but non-secure.........to avoid a longer & more costly process of US mail.

Post Reply