Encryption of pdf

tenifan

Hi all. Not new to boards, but new to this forum (and deleted my last account ages ago). Need some advice..

I work for a company that sends pdfs to licensees. The creation of the pdfs is automated. There are no logos, it's just tabular data in pdf format for the use of the licensees.

Everything was going fine, until one licensee edited the pdf (by right-clicking, opening in notepad, and changing the figures). They inflated their figures and used them to get funding from a bank.

Internal audit flagged the issue by saying our internal controls relating to the storage and transmission of data aren't sufficient. They believe at the least the data should be encrypted to stop people with only basic understanding of IT to be able to edit it.

I think internal audit do not understand what they are talking about! I think any fix would cost a lot of money to implement and ultimately will be ineffective if someone wants to falsify our data. And also, the control they are quoting (storage and transmission to maintain the integrity and confidentiality of the data) should not apply to whatever a licensee does with our data once they receive it.

Has anyone experienced a similar problem, and what is the quickest and cheapest fix?

FSL

Encryption is not the answer, you may as well not send it as they would have to be able to decrypt it in order to read it.

Even sending them it as read only can be got around.

The problem lies fairly and squarely with the bank. To give a loan on the basis of data not verified by the originator of that data demonstrates criminal stupidity.

tenifan

Sorry, encrpytion maybe wasn't the correct word!

If you open a regular pdf in notepad, there'll be very little clear text in there, just a jumble of random characters.

However, when you open our pdf's, you can clearly see the figures and edit them. I thought it's because our files are so simple (as they don't have graphics or formatting)

They want our files to be impossible to edit in notepad. 1. Is that possible?
And the next question (which I already know the answer to) 2. is it pointless?

I have to raise the request to "fix" the system and I'm struggling to know how to word it.

bonzodog2

Could you put the data into the PDF as a JPEG image of the text?

Morpork

What's being used to create the .pdf? I think the problem lies there. Even if you create a simple .txt file in notepad and convert it to a .pdf then re-open it with notepad, you'll see the garbage characters.

spaceHopper

http://www.adobe.com/products/acrobat/protect-pdf-security-encryption.html

tenifan

Bonzodog, the system is automated. Plus there's a lot of data.

Morpork, some IT wizardry! Not entirely sure.
The garbage characters seem to be exactly what our internal audit wants to see when opening the file in notepad. The don't want to be able to see clear, readable text in notepad.. as far as they're concerned, the file should only appear correct in a pdf reader or when printed out, and it should be impossible for the recipient to edit the file.

tenifan

spaceHopper wrote: »

www adobe com products acrobat protect-pdf-security-encryption.html

Hmm, this looks like the solution.. to take the pdf's the system produces, and run them through this before sending to the licensee. Certainly cheaper than trying to "fix" the system (even though the system isn't broken)

UDP

If someone is going to commit fraud then they are going to commit fraud. I don't see why a control needs to be in place by a provider of information to stop the person altering it to commit fraud. There are tons of ways to do this. Maybe watermarking and sending the pdf with its contents as an image would make it most difficult - but there are still ways to get around that.

28064212

If the licensees can see the data in Adobe, it's absolutely trivial to alter, regardless of what it looks like in Notepad. They can just copy the data as an image, edit the numbers, and create a new PDF using the image. Or they could just reproduce the table in their own PDF creation software, and insert their own figures.

Do you have some sort of responsibility to the bank here? I'm struggling to see how this is in any way an issue for you. If I take an e-statement from an AIB savings account, modify it to look like I have more money than I actually have, and get a loan from BOI on the basis of the falsified information, AIB have no liability. It's an issue between BOI and me.

RainyDay

tenifan wrote: »

I think internal audit do not understand what they are talking about!

Internal audit are bozos.

It doesn't matter what kind of encryption or watermark you put on the file.

The recipient can do an old-fashioned cut-and-paste (with real scissors and a Pritt stick) and produce any figures they like on your letterhead.

The only solution is for you to provide a way for somebody to verify the figures you produce. This could be a simple as a phone call to you, or as complicated as an online service.

tenifan

28064212 wrote: »

If the licensees can see the data in Adobe, it's absolutely trivial to alter, regardless of what it looks like in Notepad. They can just copy the data as an image, edit the numbers, and create a new PDF using the image. Or they could just reproduce the table in their own PDF creation software, and insert their own figures.

Do you have some sort of responsibility to the bank here?

Absolutely none!

RainyDay wrote: »

Internal audit are bozos.

Yup.

RainyDay wrote: »

The recipient can do an old-fashioned cut-and-paste (with real scissors and a Pritt stick) and produce any figures they like on your letterhead.

I've seen it been done, where a junior branch staff photocopied the top half of his statement on the bottom of someone elses, and stamped it with the bank's stamp.

I think I'll try to convince the internal auditor she's wrong.. wish me luck.

PrzemoF

I think that you're looking for some sort of electronic "stamp" that guarantees that the pdf has not been modified? Google for "digitally signing pdfs" - there are a few solutions.

By the way, gimp is really good to modify pdfs (import to high resolution -> make changes -> export) and there is no way of protecting against it.