M-commerce Security A Moving Target

Multiple platforms and incomplete standards pose challenges to building wireless safeguards.

Its been a struggle, but after scrambling for months to head off what seems like every virus and denial-of-service threat under the sun, youve finally managed to get a grip on your enterprises network security. Intrusion detection is in place. Encryption works. Nothings perfect, but its finally possible to turn your attention from security to something sexy like rolling out that wireless e-commerce application that marketings been screaming for. Right?

Not so fast. As IT managers rush to embrace mobile commerce, many are quickly realizing that wireless technologies such as PDAs (personal digital assistants) and WAP (Wireless Application Protocol) phones present unique and urgent security challenges, particularly as they are increasingly being used by internal employees and external customers to access critical enterprise data and systems. So, even before they squeeze off their first wireless e-commerce transactions, savvy enterprises like Edmunds.com Inc., BarPoint.com Inc., VF Corp. and Patelco Credit Union say theyre dedicating this year to getting a jump on wireless security.

For most, that means integrating wireless safeguards with security processes and technologies that are already in place to protect e-business, steps such as enforcing passwords and selectively defining user access levels.

It also means accounting for the unique security threats posed by wireless devices and access methods. In some cases, e-businesses are restricting not only what users can do but also where they can go with their wireless mobile devices. Some are outsourcing the hosting of wireless applications, largely in order to buy wireless security expertise. Others are delaying the launch of wireless e-commerce transactions until known security holes in WAP and other wireless protocols are fixed.

"Ignoring wireless security now would be a major mistake," said Bob Lonadier, an analyst at Hurwitz Group Inc., in Framingham, Mass. "Its always cheaper in the long run to build security in from the beginning. With the increasing use of wireless applications, security will really be the type of thing you wont get a second chance to do correctly."

Time to wake up

Unfortunately, security experts say, not enough IT managers have heard or heeded the wireless security wake-up call. While companies have been busy implementing wireless access to their e-commerce sites and WLANs (wireless LANs) for enterprise applications, wireless transactions continue to have a much higher rate of failure—up to three times the rate experienced by PC-based transactions, experts say. Many of those failures are due to wireless security vulnerabilities.

As the number of wireless devices and wireless enterprise applications grows, IT managers who havent developed coherent wireless security strategies could soon be inundated. According to International Data Corp., in Framingham, Mass., the number of wireless devices in the United States with two-way access to the Internet is expected to increase to 61.5 million by 2003. And by the middle of this year, IDC forecasts that all cell and Personal Communications Service phones will be Internet-enabled using WAP.

Already, the battle to protect wireless users has begun. Last June, computer security experts intercepted Timofonica, a virus similar to the Love Letter virus designed to attack cell phones with text capabilities. And in September, security experts warned of the Liberty Crack virus, a PalmPilot Trojan horse disguised as a Game Boy emulator that deleted files.

"A lot of people are trying to figure out how to make money on the wireless Web, and it all hinges on being able to secure wireless transactions," said Joe LaMuraglia, director of wireless initiatives for Edmunds.com, an online purveyor of automotive pricing information based in Santa Monica, Calif. "Security is an issue we and our partners cant afford to ignore."

So, whats so unique and scary about security issues posed by m-commerce? For one thing, whereas PC-based applications can be secured using strong authentication and encryption, developers must work with wireless devices limited memory, which makes the use of strong authentication and encryption difficult. A scaled-down form of SSL (Secure Sockets Layer) encryption is the only available option for most wireless developers.

At the same time, wireless developers must be able to support the multiple protocols used by devices such as mobile phones and handhelds. Each has its own built-in security features, some stronger than others.

Wireless developers have a unique authentication challenge. Because wireless devices such as cell phones and PDAs are small and highly mobile, they are easily and frequently stolen. That means user authentication is critical for secure m-commerce. Unfortunately, experts say, many current wireless protocols come up short on authentication.

Approach with caution

Given all those security challenges, many enterprises are approaching m-commerce slowly—and only after laying out highly restrictive security policies and procedures. Take BarPoint.com, for example. In addition to encouraging its customers to install anti-virus software that protects handhelds, the Fort Lauderdale, Fla., provider of online product pricing information insists on encrypting wireless data multiple times and treating encryption keys like crown jewels. BarPoint.coms wireless security strategy centers on three groups working on its wireless offerings: a mobile applications group, an internal development team and a database development team. Each group develops its own layer of encryption, and no one is allowed to share keys with anyone outside a group.

BarPoint.coms concern, according to Chuck Davis, chief technology and chief privacy officer, is that an employee with access to all keys could leave and use them to intercept wireless data and transactions.

To prevent such foul play, Davis has placed the information about each encryption key in its own safe. Only he knows the combinations to the three safes.

"If the security keys were ever compromised at BarPoint, all the fingers would point to me," Davis said. "But thats how important wireless security is to us. This is the only way we can continue to add security [features] to our applications without worrying about compromising security."

Why the Fort Knox-like attitude? Like many IT managers, Davis remains leery of what he sees as generally weak wireless security standards. A perfect example, he said, is WAP. Data traveling over a wireless network using the transport layer security protocol must be decrypted at a carriers WAP gateway and then re-encrypted using WTLS (Wireless Transport Layer Security) encryption for delivery to a WAP device. Those seconds between encryption and re-encryption concern Davis and are a reason his company has yet to enable wireless transactions.

Davis, who hopes to launch m-commerce applications this spring, said BarPoint.com addressed the WAP security gap by hosting an in-house wireless application gateway behind the companys enterprise firewall. The WAP Forum, of which Davis is a member, is also working on this issue. Meanwhile, BarPoint.com will continue offering product pricing, purchasing and other information to more than 255 types of wireless communications devices, something it launched in 1999.

"Were testing an m-commerce application right now, but we dont want to put out a product if we cant absolutely guarantee the security," Davis said.

Sound paranoid? Davis doesnt think so. And neither do security experts. In fact, analysts say enterprises need to make wireless security an imperative if they are to succeed in m-commerce.

"In general, security is not being particularly well-thought-out either for wired or for wireless implementations," said Lonadier of Hurwitz Group. "Taking the extra steps to secure your wireless implementation may seem extreme now, but in the long run, youll be relieved you did."

WLANs, too

Even enterprises that havent started giving outside customers wireless access to their networks are developing wireless security strategies. VF, the $6 billion manufacturer of such apparel as Lee and Wrangler jeans, isnt selling pants online, but it has rolled out a WLAN. Machine operators on VFs manufacturing floor use handheld devices from Symbol Technologies Inc. to access the companys SAP AG enterprise resource planning applications.

To keep the whole thing secure, Mel Cartwright, VFs project leader for radio frequency scanning, in Greensboro, N.C., uses a combination of tried-and-true password management techniques, and he keeps a tight lid on where and by whom wireless devices are used. The companys handhelds never leave the premises. Every operator has his or her own machine and is required to scan in a personal bar code just to get a user ID prompt. The security doesnt stop there. Each user ID associated with a password has to be changed every 30 days, and it must contain a specific number of capital letters and numbers. Then, to get into VFs SAP application, the user must enter a different user ID and password combination.

Users are reminded every 14 days to change passwords before the 30-day deadline. And, as with any password—whether its for wireless devices or not—Cartwright and VFs security managers enforce rules that prohibit users from writing down passwords. VF also conducts routine internal security audits to make sure everythings secure.

The system, of course, is a recipe for forgotten passwords. But, Cartwright said, its worth it. "The No. 1 problem our help desk deals with is forgotten passwords," he said. "But its justifiable because this ensures that proprietary information remains in-house."

Faced with the complex task of tracking rapidly changing wireless standards and providing security for a profusion of wireless devices, some enterprises are opting to hand the problem to a service provider. John Shields, vice president of wireless initiatives at Patelco, for example, recently chose to outsource his companys wireless implementation and security to MShift Inc., in San Jose, Calif. With $1.9 billion in assets, San Francisco-based Patelco is Californias fourth-largest credit union. Patelco launched its wireless banking application in November and recorded more than 1,000 log-ons that month.

While Patelco has internal expertise in HTML and online content delivery, Shields said, it lacked WAP expertise. Shields told his managers he feared that, as wireless devices proliferated, hed eventually have to support multiple protocols. He also worried that as an increasing number of applications were wireless-enabled, Patelco would run into trouble guaranteeing security on all of them. In the end, Shields persuaded his managers to buy rather than build a secure mobile infrastructure.

"WAP protocol is relatively new to us, and there are so many wireless devices you have to keep on top of," Shields said. "Partly because of security concerns, our executives understood why outsourcing was right for us."

MShifts wireless implementation for Patelco uses WTLS, SSL and digital certificates to protect sensitive data. Patelco, on its end, secures every transaction internally with 128-bit encryption behind a corporate firewall. Patelco also controls what its wireless users can and cannot do. For instance, while users can check their balances, they are not allowed to pay loans and can only transfer money between their own accounts.

Experts predict that many enterprises will choose to outsource, at least initially, to get a jump on security. "This is definitely a buy-vs.-build type of proposition," said Lonadier of Hurwitz Group. "The wireless market is fairly new, and IT managers should figure out early on if they have the expertise to secure transactions on their own."

Nor is it a mistake for e-businesses to limit m-commerce bells and whistles until they are sure they can guarantee a level of security that is acceptable to users and business managers. As many organizations learned the hard way during the first phase of e-business, it doesnt matter if the site uses the coolest technology; if its not secure, its a failure.

"It doesnt matter if an application is mobile or not," said Edmunds.coms LaMuraglia. "It has to be secure, no matter what."