
Security worries could trip up wireless e-commerce takeoff

This holiday season heralded the beginning of the e-commerce revolution, and wireless operators have the opportunity to cash in on it with the growing proliferation of Internet-enabled wireless phones and handheld computers.

Optimism among the analyst community is rampant. Most recently, Strategy Analytics predicted the mobile e-commerce industry will expand rapidly in the next five years, at which time it said 14 billion transactions will be conducted using wireless devices each year with a total market of $200 billion.

Driving this growth are the increasing popularity of the Wireless Application Protocol as an application environment, microbrowser-enabled Internet-ready phones, and easy-to-manage user interfaces, as well as the potential reward to merchants.

Before this lucrative future can be realized, however, the wireless industry has several steps to take to make sure wireless e-commerce applications are secure.

“Perhaps the major reason someone will not purchase items over the Web is security concerns,” said Alan Reiter, president of Wireless Internet and Mobile Computing. “That concern is likely to be greater in a wireless environment even though wireless may be more secure than landline because it’s a digital signal. But it can be hacked.”

There are two issues to any wireless e-commerce security discussion: the security of the actual transmission and the trust that the transaction is being made with the intended party.

Encryption technology is meant to settle the matter of secure transmissions. Wireless encryption technology exists and is being used today. But despite carrier claims, cryptology experts and analysts say it is far from secure.

“The problem with (wireless) e-commerce is that one may be able to eavesdrop on keypad entries, so if you enter a credit-card number, a criminal with special equipment can read it,” said Larry Swasey, vice president of communications research at Allied Business Intelligence.

The current problem, he said, is that the industry’s security concerns traditionally have revolved around cloning issues. Technologies like auto number identification and RF fingerprinting were created to prevent cloning, but not to prevent listening in on keypad entries.

“Years ago, keypad entries were just the phone numbers you were dialing to. Nobody cared,” Swasey said. “Now, there’s a lot more information at stake.”

Security measures in place today are sufficient for the rather basic transactions conducted at this time. While submitting a credit-card number wirelessly may always remain a concern, the fact that people give their credit-card information to perfect strangers on a daily basis keeps it from becoming a significant one.

“The problem is not only credit-card security, but account-number security as well, such as for banking and trading,” Swasey commented.

“The higher the transaction and more people engaged in it, the more need the wireless industry will have for sophisticated security,” Reiter said. “It’s crucial. Not only must wireless services be secure in fact, but consumers must be convinced of that as well.”

But critics abound. Bruce Schneier, chief technology officer of cryptography specialists Counterpane Internet Security Inc., is one.

Schneier was part of a team of cryptologists that broke the Cellular Message Encryption Algorithm, designed by the Telecommunications Industry Association and used in today’s digital cellular and personal communications services networks.

Since March of 1997, when the flaw was detected, he said nothing has been done to fix it.

“They don’t care,” Schneier said. “Basically every algorithm has been broken and they write press releases saying that they’re working on it.”

Encryption companies developing security software for the wireless industry include Certicom and Entrust Technologies Inc. Certicom created a technology called elliptical curve cryptography, used by BellSouth Wireless Data L.P., Motorola Inc., Qualcomm Inc. and others.

Prakash Panjwani, director of wireless for Certicom, said the CMEA crack involved encryption technology on the transmission layer. Certicom focuses on application-layer cryptography.

“CMEA was a transport-level encryption,” he said. “I’m not going to rely on that type anyway. I’m going to establish a WTLS (Wireless Transport Layer Security) session.”

WTLS is the WAP initiative’s encryption method that sets up a purported secure connection between the handset and the application server. Transmission-layer encryption encodes the connection between the handset and the base station.

“I would not be concerned about it almost at all,” Panjwani said. “It’s a strong encryption method.”

Third-generation networks are expected to feature an entirely new algorithm, previously open to public scrutiny, which CMEA wasn’t.

But even if the strongest encryption method were created that was impossible to scan, another level of security is necessary to truly protect the next generation of wireless e-commerce transactions: authentication.

Digital certification

While it is important to protect transmissions from third-party scanning, the vast number of wireless phone calls makes it rather difficult for a hacker to find a call transmitting sensitive material of any value. Another way to gain that information is to intercept a phone call and purport to be the intended receiver of sensitive information.

Codes called digital certificates act like a signature that authenticates the identity of the sender and receiver to avoid sending information to impostors.

For instance, when a user logs on to a brokerage’s Web site, the digital certification process assures the brokerage that the caller is indeed a customer, while assuring the caller that the data being sent is indeed going to the brokerage. Any transaction done using a digital certificate is considered as legal as signing paperwork.

Digital certificates are issued by a third party, called a Certificate Authority. Entrust is one such authority, as is Diversinet.

Digital certificates also protect e-commerce firms. Should a user make a bad decision on a stock trade, he or she might try to blame it on a faulty transmission or a hacker. The digital certificate, like a signature, renders the user responsible for whatever transaction was made under it.

“It’s not just about security. It’s about liability,” Reiter said. “It’s more than just 12-year-olds having fun. We’re talking about millions of dollars in financial transactions.”

Digital certificates are known as a public key. Working in tandem with the certificate is a private key, stored on the actual device and unknown to even the service provider. While it may be possible to intercept the digital certificate, the authentication process will not accept it unless it recognizes the private key underneath. In theory, a hacker would have to intercept your digital certificate, then somehow find and steal your device in order to make illegal e-commerce transactions.

Although digital certificates are commonplace on the Internet, they are not optimized for wireless transmission. Authentication can take quite a while and eat up bandwidth, both of which are unacceptable in a wireless environment. Therefore, initiatives are under way to create more simple, wireless-friendly digital certificates.

“Creating a smaller certificate is needed for wireless devices,” said Neil Davies, market development manager of financial transactions at BellSouth Wireless Data. “It really comes down to grading that level of trust and adopting an appropriate technology.”

In the meantime, users of more sensitive wireless e-commerce transactions must self-authenticate, entering a series of passwords and checkpoints to engage in trading stock, such as with Fidelity Investments on BSWD’s network.

“The level of security in place is sufficient,” Davies said. “A digital certificate creates more of an elegant solution for more sophisticated services.”

“You have the parts,” Reiter said. “It’s creating the end-to-end solutions that are still in the early days. Wireless e-commerce is just beginning.”

Interoperability issues

While the industry works to create a wireless-friendly digital certificate, expected this year, it simultaneously must grapple with the emerging interoperability problem. As yet, there is no standardization among certificate authorities.

“Compatibility issues have to be resolved in order for e-commerce to survive,” Reiter said.

Here’s the problem: If a phone is programmed to read the digital certificate from one certification authority, like Diversinet, it may not be able to read certificates from another. That would prevent users from accessing all Internet sites in a secure manner.

Three organizations have been formed to create a standards process. Most focused on the wireless space is Radicchio, founded by Sonera SmartTrust, Gemplus and Electronic Data Systems, and recently joined by Certicom, L.M. Ericsson and Geoworks.

Another group, the PKI Forum, was created in December by Baltimore Technologies, Entrust Technologies, IBM Corp., Microsoft Corp. and RSA Security. While the group cites the lack of interoperability as a problem, it does not seem particularly focused on wireless e-commerce. E-sign is the third organization.

BSWD’s Davies said the bulk of standardization work today has focused on WTLS. “WTLS is used to establish encryption between the device and the application server,” Davies said. “Atop that is the certificate for client authentication.”

Last month, Entrust introduced its first digital certificate based on the technology on Nokia’s WAP server. Verisign is another company working on solutions. It also introduced a WAP server digital certificate service for Motorola Inc., Nokia and Phone.com Inc. WAP servers.

However, to ensure all devices can be authenticated by all certificates, server companies today must adopt all certificates, a costly process.

“There are interoperability issues,” Davies said. “If WTLS is adopted as an open standard for wireless certificates, these interoperability issues are greatly removed.”

However, critics like Schneier continue to challenge the security chain of digital certificates. He claims the private key is not nearly as private as advertised, that certificate authorities don’t always authenticate properly and the entire process is moot if encryption is not secure.

“Everything is vulnerable to eavesdropping and alteration,” he said. “There is no security, only the illusion of it … Either redesign the system or pretend there is no problem.”

When asked if he would conduct wireless e-commerce transactions, given his knowledge of the security technologies behind it, he said he’d be willing to enter credit-card information, but wouldn’t go near banking or stock trading transactions.

“The smart thing to do is mitigate the risk,” he said.

Reiter remains cautiously optimistic on wireless e-commerce, but is waiting for the end-to-end security solutions to fall in place, which he expects this year.

“If the wireless industry doesn’t implement end-to-end security and convince consumers of that, there will be no e-commerce business.”
