Secure This
By Carlo Longino, Thu Jun 07 00:00:00 GMT 2001

Transaction security isn't the sexiest topic related to the mobile Internet, but it is one of the most important.

Wireless security is a definite barrier to mobile commerce. Many common-sense mobile services such as banking and shopping are held back not only by bandwidth constraints, but also because carriers and vendors can't guarantee consumers that their credit-card numbers and PINs are safe.

Traditional Internet-based security methods, like so many other things, don't translate to the Net's wireless cousin, and most connections from a Web server to a mobile client aren't designed with end-to-end security in mind.

In a desktop environment, data is encrypted server-side and decrypted by the client, usually using the industry-standard secure sockets layer (SSL) method. SSL, however, is designed for somewhat fast network speeds and quite a bit of client-side decryption (i.e. processing), making it a non-starter in the mobile world.

But typical WAP carrier gateways can receive SSL-encrypted data, decrypt it and then re-encrypt it in the mobile-friendly wireless transport layer security (WTLS), which can then be decrypted by the handset's browser. This provides a modicum of security, but the brief instant in which the data sits decrypted on the gateway is an exposure too great for most financial institutions to take a chance on.
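As an added illustration of the gap just described (this is not code from the original article), the following Python model uses a small HMAC-based cipher, written for this example as a stand-in for both SSL and WTLS, to show what the gateway holds in the clear when it re-encrypts hop by hop, and what it holds when the handset and bank also share a key the gateway never receives:

```python
import hashlib
import hmac
import os

NONCE, TAG = 12, 32

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (illustration only).
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or altered bytes raises instead of yielding garbage."""
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def gateway_relay(wtls_key: bytes, ssl_key: bytes, from_handset: bytes):
    """Carrier gateway: terminate the WTLS hop and re-encrypt for the SSL hop.
    Returns the SSL-side blob and whatever the gateway held in the clear."""
    in_the_clear = open_(wtls_key, from_handset)  # the gap: plaintext exists here
    return seal(ssl_key, in_the_clear), in_the_clear

def hop_by_hop(secret: bytes):
    """WAP as described in the article: only the two hop keys exist."""
    wtls_key, ssl_key = os.urandom(32), os.urandom(32)
    to_bank, gateway_saw = gateway_relay(wtls_key, ssl_key, seal(wtls_key, secret))
    return open_(ssl_key, to_bank), gateway_saw

def end_to_end(secret: bytes):
    """Same gateway, but handset and bank also share a key the gateway never receives."""
    e2e_key, wtls_key, ssl_key = (os.urandom(32) for _ in range(3))
    inner = seal(e2e_key, secret)  # encrypted before it ever reaches the WTLS hop
    to_bank, gateway_saw = gateway_relay(wtls_key, ssl_key, seal(wtls_key, inner))
    return open_(e2e_key, open_(ssl_key, to_bank)), gateway_saw
```

In the first case the gateway's copy equals the PIN; in the second it is only the inner ciphertext, which the gateway's two hop keys cannot open.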

Most everyone agrees the ideal solution is a public key infrastructure (PKI), a system that enables secure transactions by using a pair of keys, one public and one private, generated by the same cryptographic algorithm. But most PKIs are based on the RSA algorithm, which is heavily taxing on mobile CPUs, and neither mobile networks nor handsets are equipped with the necessary software.

Dialin' in

A simple way to ensure secure transactions for a bank or other service is to host a WAP gateway behind a secure enterprise firewall. WAP gateways suited for corporate deployment are readily available and allow companies to offer dial-up WAP access through modems behind their firewall, bypassing the vulnerabilities of the carrier's network.

But the significant financial and technical overhead required presents yet another stumbling block. A bank, for instance, must install and support a modem bank for dial-up access, something many of them did away with for PC banking as the Internet gained in popularity. More importantly, devices must point to the right gateway - something many users will not want to deal with.

Although there are products such as Nokia's Activ solution, which pushes set-up information to a user's phone through smart SMS, there is still a measure of handset-level work that must be done. Users must also manually switch from their carrier's gateway to the enterprise's, and unless their phone is one of a handful that can accept multiple WAP gateway profiles, it's no small task.

This solution is already in use by several banks in Europe, including the region's biggest,

Carlo Longino is a freelance writer based in Austin, Texas. His previous experience includes work for The Wall Street Journal, Dow Jones Newswires, and Hoover's Online. He doesn't hold much hope for m-commerce as long as his mobile carrier can't even get voice calls right.