Millions of PDF files are shared each day. Some are by private individuals, but many are by businesses and other organizations. This audience split has created a world where mainstream PDF applications are trying to appeal to two audiences – attempting to retain the convenience private individuals are used to while stopping enterprise PDFs from being tampered with.
Somewhat unsurprisingly, they don’t tend to do a good job with it. Though applications like Adobe Acrobat claim to protect PDF files from editing, in general, they lean towards the former audience. As a result, the controls available to prevent PDF editing in applications such as Adobe Acrobat are poorly implemented and easily bypassed.
Before we dive into what many applications do wrong, let’s talk a bit about why stopping the editing of PDF files may be more complicated than you think.
The challenges of PDF protection
When it comes to PDF protection, a common misconception is that disabling direct editing is enough to prevent the document from being changed and tampered with. The reality, though, is that disabling direct editing in an application is just one avenue of attack.
To prevent the editing of a PDF file, you must stop both editing in the application, and the extraction of the data. Locking your PDF file is no good if the user can just copy and paste the information to another file.
It’s not just copying and pasting that must be prevented, either. If you don’t stop printing, users can print your document to a new PDF file, bypassing any protections you put in place. Screenshots are another avenue for copying. Though you may think editing a screenshot or printed document would be incredibly time-consuming, here’s how it works in reality:
- The user opens your PDF and takes a screenshot of the page(s) they want to modify.
- They upload it to a free online tool that converts images to a PDF file.
- They open their new PDF document in Acrobat or Foxit and use OCR character recognition to edit it like a normal PDF.
- They provide you or another party with the modified file, leaving you none the wiser.
Using software that doesn’t prevent these kinds of attacks is problematic. It could lead to the modification of contracts and other sensitive documents without your knowledge. It may even be used in a sophisticated cyberattack on your business.
Increasingly, attackers are using a technique called spearphishing, a personalised phishing attack that looks to imitate employees and management. One method an attacker can use to do so is the modification of an intercepted document. They could grab one of your invoices, modify it, and send it to the client with their payment information in place of yours. These types of attacks are becoming more and more common.
Why Adobe PDF Security doesn’t cut it
Adobe PDF security is unable to stop the attacks above from happening. There are dozens of problems with its protection, but the most critical is this: having the open password makes it trivial to remove any permissions.
Let’s explain. When you encrypt a PDF file, you have the option to apply two passwords: the one users require to open the document and the one that controls the file’s editing and printing restrictions. Naturally, the user you’re sending the document to needs to know the open password or they can’t read the content. But due to inherent flaws in the Adobe Security Handler, once they’ve opened the file they can upload it to freely available tools to remove the editing restrictions.
However, malicious parties have avenues for attack even if they don’t have the open password. If the open password isn’t highly secure, they can usually crack it with a third-party tool. If it is secure, they can likely still discover it via tools developed by Russian firm Elcomsoft.
This is just one way Adobe PDF security falls short – they also fail to properly protect against printing from the browser and screenshotting. So the question is this: what should you be using instead?
PDF DRM solutions
Though they’re admittedly pricier than a standard Adobe Acrobat subscription, PDF DRM solutions are your best bet to truly protect your files from editing. After all, they’re purpose-built to keep your documents safe and un-editable.
PDF DRM solutions tend to remove the need for passwords entirely. When you encrypt your file, it’s converted into a new format that can only be opened in a secure viewer application by someone with a license to do so. The license is activated by the recipient ahead of time and can only be activated by them, ensuring attackers aren’t able to intercept the document.
Further, this new format cannot be edited by anyone – the secure viewer application doesn’t allow it. As well as this natural protection against direct editing, PDF DRM solutions include a variety of anti-printing, screenshotting, copy/pasting, and device locking controls that can’t be removed and eliminate other methods of editing.
While purchasing such a solution is another cost, it’s nearly always worth it. The damage a single attacker can do will easily outstrip any license fees you pay. To ensure the image of your business remains untainted, a PDF DRM tool is your best bet.