
Internet opens new avenues for wireless fraud

Subscription fraud is as old as the wireless industry itself, and responsible for the creation of numerous companies and products that exist solely to develop new ways to combat this revenue-stealing problem.

While carriers continue to battle fraudsters on the voice front, a new problem could be looming as the mobile Internet and mobile commerce gain in popularity. Will beefing up mobile-phone capabilities make them more attractive to those wanting to use them without paying?

Not necessarily, according to Dan Wilinsky, spokesman for Sprint PCS, which is generally considered a leading U.S. carrier in the wireless Internet space.

“We haven’t seen a correlation,” Wilinsky said. “I would think that the intent of the people who want to do this is voice first. This (wireless phone fraud) is mostly like long distance - you are getting people who are using the phones for calls overseas and such.”

Wireless security in the new millennium will present more challenges for content providers, carriers and security software developers, however. Internet security architectures developed in the past five years cannot easily be transferred to a wireless environment, according to “The Changing Role of Wireless Security,” a report issued by The Yankee Group in Boston.

Carriers must consider wireless security solutions that take into account the limited bandwidth, memory resources and battery life of a mobile handset. Wireless Internet applications only can be successful if all players are confident that the transaction cannot be fraudulently generated or altered, that the transaction is legally binding and the confidentiality of private information is adequately protected, The Yankee Group said.

“There is a lot of opportunity and complication happening in m-commerce. It’s the ultimate faceless transaction,” said Kate Strong, product marketing manager for Lightbridge Inc.

“The only thing you can do to protect yourself is to screen information,” Strong said.

Those taking the biggest risks when it comes to fraudulent transactions over the Web are the merchants themselves. If an item is purchased over the wireless Internet using a stolen credit card, the credit-card company will charge the cost of the items back to the merchant. The carrier is exempt from financial responsibility, but can still be active in assuring customer confidence in conducting such transactions.

“This is a slimmed-down version of their Internet service,” said Sprint’s Wilinsky. “We’re sensitive to it, but it’s really their issue. By the same token, our brand is associated with it.”

Strong said the telecommunication carrier is going to be in the middle of m-commerce, and they really need to understand the upfront processes to best serve their customers.

Opportunities and partnerships also exist for carriers because they are providing another conduit, or distribution channel, from the customer to the merchant.

Whereas mobile-phone content providers must assure transaction security, the carrier’s main responsibility will continue to be securing a customer’s wireless account information, or preventing subscription fraud.

The Cellular Telecommunications and Internet Association said subscription fraud has tripled since 1997 because criminals favor subscription fraud over cloning, and carriers are vying to reach a broader, riskier market. The misconception that digital services eliminate fraud also has helped perpetuate subscription fraud. Consumers have become more complacent, said CTIA.

Strong said the big play for the carrier will continue to be the prevention of subscription fraud, and putting the proper tools and technologies in place to fight it.

The weak link

There is a very real threat to mobile Web security and it lies at the point where information from the Internet is transferred to the wireless phone and vice versa.

In a wired environment, confidentiality, authentication and non-repudiation are ensured through use of the Secure Sockets Layer (SSL) protocol, digital certificates and user name/password verification. In a wireless environment, SSL is translated to Wireless Transport Layer Security (WTLS), the wireless version of the industry-standard TLS, which is an adaptation of SSL, according to The Yankee Group report.

The translation between SSL and WTLS, which takes only milliseconds, occurs at the WAP gateway. Albeit brief, for those few moments the information being transferred from the wireless device to the server is totally unencrypted. At this point, sensitive information can be lifted and used, among other things, to commit credit-card fraud and steal passwords to bank, e-mail and other accounts.
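As an added illustration (not part of the original article or The Yankee Group report), the Python sketch below models the two-leg path described above: the gateway ends the wireless leg, holds the message in the clear, then opens a new wired leg. The cipher is a standard-library stand-in rather than WTLS or SSL, and the `Gateway` class, key names and sample order are assumptions; the end-to-end variant, where the handset and origin server share a key the gateway never sees, goes beyond the article to show what closing the gap means.

```python
import hashlib, hmac, os

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for one protected leg (illustrative, not WTLS/SSL)."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class Gateway:
    """Terminates the wireless leg and starts a separate wired leg."""
    def __init__(self, wireless_key, wired_key):
        self.wireless_key, self.wired_key = wireless_key, wired_key
        self.seen_in_memory = []   # what the gateway holds between the two legs

    def relay(self, blob):
        clear = unseal(self.wireless_key, blob)    # wireless protection ends here
        self.seen_in_memory.append(clear)
        return seal(self.wired_key, clear)         # wired protection starts here

def run(order, end_to_end):
    """Return (what the origin server receives, what the gateway held in memory)."""
    k_air, k_wire, k_e2e = os.urandom(32), os.urandom(32), os.urandom(32)
    gw = Gateway(k_air, k_wire)
    payload = seal(k_e2e, order) if end_to_end else order
    at_origin = unseal(k_wire, gw.relay(seal(k_air, payload)))
    received = unseal(k_e2e, at_origin) if end_to_end else at_origin
    return received, gw.seen_in_memory[0]

ORDER = b"card=4111111111111111&amount=25.00"   # constructed sample, test card number
```

With `end_to_end=False` the gateway's memory holds the order verbatim; with `end_to_end=True` it holds only ciphertext, while the origin server still recovers the order.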

“It is clearly one of the sophisticated places to break in,” said Peter Bianco, founder of security software company BioNetrix.

Bianco said the need to close that “WAP Gap” will increase as demand for the ability to conduct high-value, wireless transactions grows. He said passwords don’t scale very well on a mobile device and the footprints on the devices themselves are small.

“You can’t do a lot of processing on the device. You have to create compact implementations on the client-side,” said Bianco.

Other technologies are coming soon that will make wireless Internet transactions safer. Sun Microsystems Inc.’s Java 2 Micro Edition will create a new platform for downloading Internet information onto a mobile device, and the WAP Forum plans to introduce upgraded versions of WAP.

“So basically if you go to Phone.com, they will say that until WAP 2.0, the security hole will continue to exist,” said Keith Bigelow, director of product management for Open Source software and services firm Lutris Technologies Inc.

Until there is an all-encompassing solution, however, The Yankee Group said WAP gateway providers such as Phone.com, Nokia Corp. and L.M. Ericsson must rely on a relationship of trust between the carrier and the customer to ensure secure transactions and sidestep fraud.
