Wireless technology lets users roam - but also opens the door to problems. Here's how to think about balancing the rewards with the risks.
Get tips for safeguarding devices and wireless systems.
Understand how to assess risks involved with wireless technology.
Learn what questions to ask about your wireless applications.

However high their hopes for wireless commerce, organisations will have to get a grip on both wireless security and privacy issues before they can realise those hopes.
It's not that wireless is impossible to secure as it stands today. There are many organisations already doing secured wireless transactions. Nevertheless, many of those organisations found achieving that security a difficult and convoluted slog. Wireless security is tricky to implement, not least because it forces organisations to weave an intricate pattern from the threads of multiple separate and complex technologies.
"Secured access to the wireless device is a question occupying everyone's mind," says IBM communications sector general manager Khalil Barsoum. "To effect a payment or financial transaction, you need to ensure you have sturdy security within your handheld device, between the antennas that talk to each other, and on the network that eventually carries that transaction to your financial institution or to your supplier or customer.
"You also need tight security across the network and between the service providers," Barsoum says, adding that a limitation still exists because the transaction often travels between one service provider and another.
There are also more problems with wireless security than infrastructure-related concerns. Wireless is more exposed when it comes to authentication. Compared to a desk-bound PC, it's simple to steal a wireless phone and even simpler to lose one. If your digital certificate and key are embedded in the phone, whether in a smart card or chip, a thief or finder-by-chance has an opportunity to do mischief.
"Wireless security is a much talked-about area because wireless vendors are driving the hype," Anthony Lim, regional director, Check Point Software Technologies, Asia-Pacific told Singapore Computerworld recently. While Lim does foresee a pervasive wireless future, "the current implementation, and even trials of GPRS and 3G, will require colossal efforts to iron out the bugs and problems, much as the World Wide Web v1.0 did," he says.
As a result of all the complexity, wireless security must always be considered a two-tier issue and there is little point addressing one tier without also addressing the other.
The first tier involves the backbone infrastructure of both telcos and corporate gate providers, where the security concerns are similar to those pertaining to today's Internet security systems. The second tier is the user's handset, where future security will involve securing traffic and authenticating the user.
Some organisations are combining smart cards with the requirement to separately enter a PIN to mitigate threats. Because it is often cumbersome to enter data such as account names and PINs on a cell phone, some vendors are considering installing biometric identification panels on handsets as a possible way to authenticate the user (see "Totally Confident, Totally Confidential", page 32).
Add in the current and projected future growth of mobile commerce - which is putting greater pressure on businesses to secure their wireless channels - and the security situation becomes pressing.
Moves are certainly afoot to make security better. A number of consortiums are cooperatively developing security protocols. For instance, within MasterCard's Global Mobile Commerce Forum, more than 200 financial institutions are working towards developing secure mobile payments over a variety of different platforms. At the same time, the WAP Forum is continually improving its security protocols.
Meanwhile, organisations use a variety of security measures, many of them relying on an expansion of current Web technology to wireless devices to allow devices to encrypt data. For example, using encryption technology, EDS employs a "token" system that checks for a unique identifier at each stage of the transaction. Without the token or with a changed token, the transaction cannot proceed, which limits it to the designated user.
Experts say the first step in securing a wireless future is deciding whether to go wireless in the first place. CIOs have to consider whether the benefits employees or customers are going to get outweigh the risks. That means measuring all the risks, including the cost and likelihood of a proprietary process or customer list falling into the wrong hands.
CIOs and other IT experts say you should be able to answer the following three questions. Is the device right for the intended use? Will people use it? Is there a business case? If the answer to all three questions is yes, security considerations should take priority.
Analysts say that gaining an understanding of how the technology is likely to change your business is crucial to avoiding problems. Both CIOs and security experts suggest starting out slowly and learning through small-scale pilot projects. It's not that wireless technology in or of itself leaves holes that create support or security hassles, but the way you implement the technology could. "My general advice is: walk before you run," says Frank Gillett, a senior analyst with US-based Forrester Research. "Don't do big projects unless you have the time and the resources to figure it out."
In addition, take time to understand where the technology is at and how it integrates with your current infrastructure.
Before anyone can fully realise the potential of mobile commerce, WAP handsets must be properly integrated into wider security infrastructures. The PKIs that create a system with encryption, digital signatures, digital certificates, and certificate-issuing authorities must be proved to work effectively with WAP protocols. A range of industry players - from security vendors, smart card manufacturers, certification authorities and mobile device manufacturers - must work together to ensure they integrate their solutions to allow secure and trusted transactions via wireless devices. We also need uniform standards that are supported by legislation, as well as guidelines from regulators.
Security is clearly particularly important to transactions that involve financial information. Sonera SmartTrust, a key proponent of PKI in the Internet world, cites research to suggest that just 3 per cent of Visa transactions performed online generate 47 per cent of all disputes.
With payments such a significant part of an m-commerce transaction, consumers are naturally concerned about security and payment options, as well as ease-of-use and simplicity in completing a transaction, says Charles Russell, director of corporate development for m-commerce, Asia Pacific, 724 Solutions. The Toronto-based company is a provider of wireless e-commerce applications.
As a result, financial institutions and network operators already have extensive experience managing sensitive information and thus enjoy high levels of customer trust, he says. Existing electronic payment forms such as credit and debit are being leveraged online, and new electronic payment forms such as micropayments are emerging.
At Your Own Risk.
Whatever the complexity, organisations ignore the need for security at their own and others' peril. A few bouts of bad publicity regarding security breaches may scare off wireless users.
A July 2000 Millward Brown Intelliquest survey of early adopters of mobile Internet transactions found security concerns are likely to deter people from using the technology for sensitive financial and personal activities on the Internet. In fact, on the issue of rating security as important, eight out of every 10 respondents indicated they would be less likely to use Web-enhanced wireless handheld devices for financial transactions if security expectations were not met.
Meanwhile, during a recent survey carried out in the UK on behalf of the Broadband Communications Europe 2000 conference, about 65 per cent of respondents expressed concern about their personal privacy, compared to just 9 per cent who were worried that junk mail might negate the benefits of m-commerce.
For CIOs, addressing such security concerns presents a challenge. Even if there were more places to go where organisations could buy a complete security package, too many pieces of the security armoury lie in the hands of carriers and vendors of wireless devices and thus well beyond the control of the CIO.
In response, CIOs seem to have fallen into either "leading edge" or "bleeding edge" camps when it comes to m-commerce security.
Some "leading-edge" organisations are tackling the issue of m-commerce security by ignoring it. In this corner lies the "let's just go out and do it" camp. These organisations are confident technology will inevitably solve the difficulties in delivering enhanced security as m-commerce applications are implemented. They believe the best - perhaps even only - way to show security holes is to forge ahead with m-commerce. When they have learned about all the holes they can, they plan to turn to the most appropriate technology to address them, based on the actual risk assessment.
In the other corner are the "let's do nothing until we know we're secure" group - those afraid that being on the leading edge results in being on the bleeding edge. These more cautious players are so insistent a strong security infrastructure is an absolute prerequisite for m-commerce, they won't implement their full m-commerce strategies until operators and others put such an infrastructure in place.
Neither strategy has all the answers, while both carry some risks. Meanwhile, some vendors attempt to help clients tread a middle ground, where acceptable risk is a condition. For instance, 724 Solutions adopts a holistic approach to security revolving around risk management; that is, providing clients with the facilities to tailor a security solution that provides an acceptable (or tolerable) degree of risk mitigation while keeping services quick and simple to use.
If a security scare has the potential to deter users, so too do threats to their privacy. In the Internet age we've all learned the hard way just what Scott McNealy meant when he proclaimed: "Privacy is dead. Get over it".
We've all suffered the excesses of intrusive marketers just as we all know how it feels to have our mailboxes inundated with spam and other disreputable and suspect e-mails. We've become almost resigned to the notion that Web services like eBay (http://www.ebay.com) will decide on our behalf whether to sign us up for unsolicited commercial mail while the DoubleClicks (http://www.doubleclick.com) of the world track our movements online with or without our permission.
Well, phone spam is much more intrusive than normal Internet spam because it's harder to mass delete, and phones don't yet come equipped with spam filters. And with location-based services, privacy invaders can potentially do more than track your movements online - they can track your physical location in the real world too.
It's bad enough to think they might use that facility to bombard you with marketing puff whenever you walk near a Pizza Hut or your favourite music store. But how would you feel if you learned data miners were compiling a complete record of your daily movements? Do you really want, say, your health insurance company knowing every place you visit in a day? Or your boss? Pundits say it's coming, sooner or later. Service companies love two things: knowing everything about you, and selling it. But they had better be careful, or the backlash may be extreme.
"Any 'push' type marketing service risks achieving the opposite of its intended effect, as the recipient may react negatively to the intrusion," writes Chris Hayward in a recent Reuters Business Insight report, The Outlook for M-commerce. "Location-based marketing, with its overtones of 'Big Brother', is particularly likely to be perceived as intrusive."
The mobile Internet poses serious privacy headaches that simply must be resolved if the technology is ever to hope to live up to its promises.
"There's enough technology out now that we are already living in a largely transparent world," says Accenture chief scientist Glover Ferguson. "But I don't think 'Privacy is dead. Get over it.' is the right answer at all. First of all, our theory is that wherever there is a law for something this wide-scale, there will be a market for putting it back in. So there will be technologies and services that will give you back your privacy, if you want, for a price. That's a whole other industry that we have created.
"But let's talk about social policy. As a civilised society, we have decided there are certain things that are acceptable and certain things that are unacceptable in society. There are cultural laws . . . you don't hit people, you don't kill people. These are things we, as a society, have decided are no-no's and most of us want to toe the line. For those that don't, we've figured out how to punish them. Now here's the deal: we haven't even had that discourse yet on the subject of privacy and the Internet. The only privacy articles that get written are where someone has had their persona stolen or their privacy violated in some hideous way; but what's missing is a frank and open discussion about what we believe we will tolerate and what we won't."
Until we have that discussion, Ferguson says, we can't even decide where to draw the lines and what laws we might or might not want.
Devil and Saint.
Wireless e-commerce was portrayed as both a devil and a saint at a workshop held in Washington late last year by the US Federal Trade Commission (FTC).
"There are huge, looming privacy issues in the wireless space because of the collection and aggregation of new information," said Alan Davidson, staff counsel at the Centre for Democracy and Technology, a Washington-based advocacy group that focuses on privacy. Location-specific information provided over a period of time to users and then kept by wireless services could create "a very detailed and invasive dossier of a person's movements", Davidson claimed.
Such concerns have emerged as a hot-button issue in recent months. Lawrence Ponemon, a partner at New York-based consulting firm PricewaterhouseCoopers, told the workshop that service providers needed to offer users "significant personalisation to have success in the wireless environment". Without localised information, Ponemon said, a wireless device "becomes meaningless" in the hands of a mobile user.
Joel Winston, an associate director at the FTC's Bureau of Consumer Protection, later indicated the commission would like to see companies in the wireless services business take steps towards self-regulation. "We at the FTC are very big fans of self-regulation," Winston said. "It makes our lives easier."
Providers of wireless services are pushing self-regulatory efforts of their own. However, wireless trade groups - such as the Cellular Telecommunications Industry Association - appear to be advocating a more rigorous privacy standard than that deemed acceptable in the wired world. The approach would see end users required to "opt in" by agreeing to let their personal information be collected, rather than opt out by removing a default setting that would let their data be gathered.
Meanwhile, m-commerce application providers, wireless carriers and government regulators are now working to address the privacy issues around commercial use of automatic location identification (ALI) data.
In European Union countries and elsewhere, data protection laws cover the transmission of information about the location of an individual. In practice, this means that each customer would need to give explicit permission to the operator enabling it to use on its own behalf or pass on data about that customer's location. Australian users have been equally quick to recognise the potential for serious invasions of privacy accompanying location-based services.
"Privacy is an issue especially with location-based services," CSC's Seymour says, "because if the network needs to tell a vendor where you are physically at this moment, it can raise some tricky issues about [whether] I want to be found [or] my whereabouts to be known.
"The only way it will work is permission-based marketing where you say: 'I am interested in specials on health and travel and, if I'm going to be near a travel agent or a bookstore with books I am interested in, I do want to know if you're running a special'. It will only work in a very specific targeted set of circumstances. You don't want to be spammed with short messages telling you every five minutes that McDonald's is running a special."
However, there are suggestions that for now many users remain oblivious to the dangers.
A recent study by Accenture found a surprisingly small percentage of wireless device users were concerned with privacy issues when using a wireless device to connect to the Internet. In the US and Japan, only 25 per cent of respondents voiced concern about privacy when surfing the wireless Web, while fewer than 13 per cent in each of the European countries had privacy concerns.
"Clearly, privacy is not a major impediment to development of the mobile Internet," says John Beck, associate partner, Accenture's Institute for Strategic Change. "The primary concerns we hear from users have to do with the technological limitations of the devices and services now on the market."
Watching Your Back
This list will help you evaluate the quality of your wireless environment.
Do you have the skills and financial resources to support wireless applications?
Field tests help gauge your wireless strengths and flaws - before others do it for you.
What device does your company use? Is it compatible with the intended use?
How many people access corporate information through wireless devices? How does your company regulate this access?
Is there a business case for the application that you are wireless enabling?
What are the boundaries of your wireless LAN signal? Have you tested multiple configurations?
Do you know your wireless provider's gateway and fraud policies? What transmission standard does it use?
Where are you most vulnerable to an attack?
Are your wireless applications carrier-neutral?
- Ben Worthen
Totally Confident, Totally Confidential.
Encryption is one method of addressing the wireless security challenge. CSC - intent on "eating its own dog-food" - has given all executives WAP-enabled phones running WAP-enabled Lotus Notes e-mail, calendar and address book. The focus on security here is on system impact and functionality, and the implications of allowing access to corporate data. Manager proposition and partner development, telecommunications Malcolm Seymour says CSC has addressed the concerns using Baltimore Technologies' PKI security and WAP gateways so people can have encrypted sessions from the handset to the WAP gateway. "Even to crack into a GSM call is difficult; but if you add 128-bit encryption, it's pretty much watertight," Seymour says.
Generally, m-commerce users are authenticated using a basic username/password scheme. For many financial services, this scheme is perfectly adequate for those customers prepared to tolerate a degree of risk, but soon security schemes will need to evolve to support stronger mechanisms, such as digital signatures.
Charles Russell, 724 Solutions' director of corporate development for m-commerce, Asia Pacific, says whether an m-commerce solution's underlying infrastructure can deal with security and multiple payment forms will prove key to successfully driving increasing volumes of transactions online.
The recent passing of digital signature legislation in Singapore, the US and Europe is blazing the way for legally binding digital contracts and the Internet equivalent of traditional hand-written signatures, Russell says.
"As the necessity for applications that enable high-value transactions over the mobile Internet increases, any underlying m-commerce platform needs to support public key infrastructure and digital signatures in order to enable strong authentication and non-repudiation - two key elements to taking the risk out of mobile transactions," he says.
With PKI, organisations issue encrypted digital certificates to users to validate their identity. One certificate accompanies each transaction. Using the public and private key and a certificate authority to validate the certificate lets authorised parties decrypt the certificate to authenticate the user with greater assurance than can be achieved through PIN-based authentication. A third party then validates the digital certificate. A number of vendors have introduced digital certificates, including Baltimore Technologies, RSA Security, Certicom, Entrust Technologies and VeriSign.
Organisations have a range of choices for implementing the technical components of PKI to support m-commerce. They can build the necessary applications to implement the encryption algorithms into the handset, the network SIM card or a separate smart card that can plug into the handset.
They also face similar choices when it comes to where the private key is held. According to a recent Reuters Business Insight report, The Outlook for M-commerce, this is far from an academic question since it is linked to the crucial issue of who maintains the relationship with the end customer.
"In particular, the registration authority is the body which maintains the relationship of trust implicit in the whole PKI arrangement, and must therefore have a close relationship with the users," the report says. "Clearly an operator, who already enjoys that close relationship (and has probably already performed credit checks and set up financial connections) would be keen to perform the role. However, this is likely to become a key battleground where other players will seek to get in."
"For authentication and nonrepudiation, PKI, where certificates and keys are bound to the user, is the way to go. Everything is initiated through those keys," explains Paul Mansz, vice president of architecture at 724 Solutions. Several PKI products for wireless are starting to emerge, such as MobileTrust from San Jose-based Certicom Corporation.
Encryption ensures confidentiality by preventing eavesdropping, and WAP devices include their own security protocol, Wireless Transport Layer Security (WTLS). This is equivalent to Secure Sockets Layer (SSL) but uses less resource-intensive encryption algorithms, such as elliptic-curve cryptography (ECC). WTLS is fine except for one thing, says Jeffrey Robinson, manager of corporate development at RSA Security in the US: it is not compatible with SSL, which is the industry standard. So WTLS messages must be converted into SSL before an e-commerce site or corporate network can read them.
However, conversion presents its own security problem since wireless messages travel through the air to the carrier's transmitter before being received and passed to a gateway that funnels them into the conventional wired network for transmission to the destination. Because the WTLS message is converted into SSL at the gateway, there's a brief moment when the message sits unencrypted inside the gateway, creating a security vulnerability.
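The gateway exposure described above can be modelled in a few lines. This is an added example, not code from the original article or from any vendor it names: it compares protection applied leg by leg with an extra application-layer envelope that only the destination server can open. The cipher is a standard-library stand-in (HMAC-SHA256 keystream plus tag), not WTLS or SSL, and all key names and the sample message are constructed.

```python
import hashlib
import hmac
import secrets

# Stand-in authenticated cipher for illustration only (assumption: it merely
# models "a protected leg"; it is not WTLS, SSL or a production cipher).
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

class Gateway:
    """Terminates the wireless leg and re-protects data for the wired leg."""
    def __init__(self, wireless_key: bytes, wired_key: bytes):
        self.wireless_key = wireless_key
        self.wired_key = wired_key
        self.seen_in_clear = []  # everything that exists unprotected in gateway memory

    def relay(self, blob: bytes) -> bytes:
        clear = open_(self.wireless_key, blob)   # wireless-leg protection removed
        self.seen_in_clear.append(clear)         # the exposure window
        return seal(self.wired_key, clear)       # wired-leg protection applied

def send_hop_by_hop(message: bytes, gw: Gateway, wired_key: bytes) -> bytes:
    """Handset protects only the wireless leg; the gateway converts."""
    return open_(wired_key, gw.relay(seal(gw.wireless_key, message)))

def send_end_to_end(message: bytes, gw: Gateway, wired_key: bytes, app_key: bytes) -> bytes:
    """Handset first wraps the message with a key shared only with the server."""
    inner = seal(app_key, message)
    at_server = open_(wired_key, gw.relay(seal(gw.wireless_key, inner)))
    return open_(app_key, at_server)

def demo() -> dict:
    wireless_key, wired_key, app_key = (secrets.token_bytes(32) for _ in range(3))
    message = b"PAY 250.00 TO 12345678 PIN 4321"  # constructed sample transaction
    gw_hop = Gateway(wireless_key, wired_key)
    gw_e2e = Gateway(wireless_key, wired_key)
    return {
        "hop_delivered": send_hop_by_hop(message, gw_hop, wired_key) == message,
        "hop_gateway_sees_message": message in gw_hop.seen_in_clear,
        "e2e_delivered": send_end_to_end(message, gw_e2e, wired_key, app_key) == message,
        "e2e_gateway_sees_message": message in gw_e2e.seen_in_clear,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the leg-by-leg case the transaction, PIN included, is recorded in the gateway's memory; with the inner envelope the gateway handles only ciphertext, which is why the gateway operator's policies matter whenever end-to-end protection is not available.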
In contrast to desktop and laptop computers or even PDAs, WAP phones are pretty limited when it comes to security and lack the CPU power and memory necessary for RSA encryption, a key element of SSL.
On the Horizon.
A range of biometric devices, which use unique physical identifiers such as voiceprints, fingerprints or retina images to positively identify the user, is on the drawing board or in production. Biometrics is designed to ensure that even if someone steals your mobile phone, he or she can't use it.
Some forecasters predict that by 2004 biometrics will have reached the price/performance level to allow it to be integrated into PDAs and cell phones.
One US company, Keyware, already offers a system that lets users register their voiceprints for authentication purposes. The voiceprints can be stored on a central server or on a smart card within the wireless device. At least one US bank is testing Keyware's wireless voice recognition system in conjunction with a smart card.
Meanwhile, it seems likely many of the obstacles confronting wireless security will disappear with the widespread adoption of third-generation wireless technology. The third-generation phones will be IP-based and sport more processing power, memory and bandwidth, which will allow SSL security end to end.
By combining third-generation wireless with smart cards and biometrics, organisations should finally get a unified security system that works for both the wireless and wired worlds.
- S Bushell
Choose Your Channel at Will.
Some vendors are working together to deliver comprehensive wireless solutions for the future. Earlier this year, for instance, Ericsson and IBM announced plans to help financial services companies deliver mobile Internet offerings that go beyond today's business-to-consumer services, such as retrieving cheque account information.
The two companies say they will develop and implement technology that enables high-value, high-volume business-to-client services such as wealth management, account aggregation, mobile trading, and credit card and payment alerts. The aim is to give financial institutions a standard, highly-scalable and secure end-to-end infrastructure for implementing robust, high-volume services across multiple financial channels.
The joint offering will combine Ericsson mobile Internet application building blocks such as Ericsson Mobile e-Pay, Safetrader and WAP Gateway with the IBM WebSphere infrastructure family of products, including WebSphere Everyplace Suite, and the IBM eServer family of products. IBM Global Services will provide business innovation consulting and IT integration services.
"Many of the wireless projects under way at banks and financial services firms today are in pilot stage, involving only a few hundred consumers and undertaken on a one-off basis to gain first-mover advantage," says Dr Mark Greene, vice president, strategy and solutions, IBM global financial services sector.
"While many benefits have been realised, financial services companies now are faced with the challenge of delivering higher-value financial services to hundreds of thousands of customers located around the globe," Greene says, adding that the IBM and Ericsson alliance hopes to develop the necessary infrastructure for financial services companies to integrate mobile Internet into their multi-channel strategy.