Wireless Security and M-Commerce
By Jeff Goldman, Thu Mar 08 00:00:00 GMT 2001

As m-commerce becomes an increasingly popular idea, wireless security is racing to catch up.

Lose your phone today, and you can pick up a new one around the corner. But just wait a few months, and a lost phone could empty your bank account, drain your credit cards, and clear your stock portfolio. The adoption of m-commerce carries with it some significant risks.

Those risks were highlighted at the end of last month, when a group of researchers at the University of California at Berkeley released a very well-publicized report announcing that it's disturbingly easy to hack into a wireless network "using only inexpensive off-the-shelf equipment."

For those promoting m-commerce in all its forms, this wasn't good news. Sure, a wireless LAN is different from a wireless phone, but the average consumer isn't aware of the details.

Fear of fraud is the biggest obstacle keeping m-commerce, the impulse-shopper's dream, from leaping into the market. The convenience of m-commerce is undeniable: imagine paying your bills on your Palm Pilot while you wait for the bus, paying for your rental at the video store by punching in a code on your phone, or trading stocks in the checkout line at the supermarket. Convenient, simple, and very attractive.

But Prakash Panjwani, Vice President of Business Development for the California-based Certicom, notes that security concerns are universal. "If you ask anybody doing an m-commerce application of any kind, security is the number one issue," he said.

Developing Security

According to Panjwani, what's currently secured in most cases is the link to the device itself. As an example, he notes that Certicom is currently providing secure solutions for the Palm VII using Wireless Transport Layer Security (WTLS), the wireless equivalent of SSL. "In that level of security, you're basically making sure all your data is encrypted," Panjwani said. But that's just the first step.

Some banks and online stock brokers are already offering wireless transactions, but they're taking a significant risk. Paul Healy, Vice President of Wireless Services at VeriSign, compares it to the early days of e-commerce. "They want to be seen to be leading the pack," he said. "Therefore, they're willing to accept the commercial risks of fraud in order to get a product out there. As we saw on the Internet, people do that initially, and then later on they want to improve security."

Unfortunately, the next step isn't easy. It's a matter of juggling a number of different technologies, most of which weren't developed to be secure (or to interoperate) in the first place. One of the risks of using WTLS is the "WAP gap": when data is translated from WTLS to SSL, there's a brief gap in security during the change. The challenge, therefore, is to create a universal end-to-end solution that sidesteps the need for such a conversion.
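To make the "WAP gap" concrete, here is a small model of the two architectures the paragraph contrasts. It is an added illustration, not code from the article or from any of the vendors it mentions. The cipher is a toy keystream built from HMAC-SHA256 that stands in for WTLS/SSL record encryption (chosen only so the script runs with the Python standard library; it is not a real TLS implementation), and the function and key names are this example's own. The point it demonstrates is where the transaction plaintext exists: in the gateway-bridged design the gateway must decrypt and re-encrypt, so it holds the plaintext; in the end-to-end design it only relays opaque bytes.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    Stand-in for a WTLS/SSL record layer so the model runs with the stdlib only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one record; the random nonce is prepended so the peer can decrypt."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, record: bytes) -> bytes:
    """Decrypt one record produced by seal() with the same key."""
    nonce, body = record[:NONCE_LEN], record[NONCE_LEN:]
    return keystream_xor(key, nonce, body)


def wap_gap_transaction(message: bytes):
    """Handset --WTLS--> gateway --SSL--> bank.
    Returns (what the bank receives, what the gateway held in memory)."""
    k_handset_gateway = os.urandom(32)  # WTLS session key: handset <-> gateway
    k_gateway_bank = os.urandom(32)     # SSL session key: gateway <-> bank
    gateway_memory = []

    wtls_record = seal(k_handset_gateway, message)      # handset sends over WTLS
    plaintext = unseal(k_handset_gateway, wtls_record)  # gateway decrypts WTLS ...
    gateway_memory.append(plaintext)                    # ... so plaintext exists here
    ssl_record = seal(k_gateway_bank, plaintext)        # ... and re-encrypts as SSL
    received = unseal(k_gateway_bank, ssl_record)       # bank decrypts
    return received, gateway_memory


def end_to_end_transaction(message: bytes):
    """Handset and bank share one key; the gateway only relays opaque bytes."""
    k_handset_bank = os.urandom(32)  # key negotiated directly between handset and bank
    gateway_memory = []

    record = seal(k_handset_bank, message)     # handset sends
    gateway_memory.append(record)              # gateway forwards the record unchanged
    received = unseal(k_handset_bank, record)  # bank decrypts
    return received, gateway_memory


def gateway_saw_plaintext(message: bytes, gateway_memory) -> bool:
    """True if the exact transaction plaintext was ever held by the gateway."""
    return any(item == message for item in gateway_memory)


if __name__ == "__main__":
    # Constructed sample transaction, not real data.
    msg = b"PAY 49.99 to VIDEO-STORE from acct 1234"
    for name, run in (("WAP gap", wap_gap_transaction), ("end-to-end", end_to_end_transaction)):
        received, mem = run(msg)
        print(f"{name:10s} bank got message: {received == msg}; "
              f"gateway saw plaintext: {gateway_saw_plaintext(msg, mem)}")
```

Both designs deliver the message intact, so the difference is invisible to the user. For the defender it matters a great deal: in the bridged design the gateway operator, and anyone who compromises the gateway, has every transaction in the clear, which is why the gateway becomes the asset to harden and monitor until an end-to-end design removes the conversion step altogether.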

Stephen Byrne, Product Manager for Ireland's Baltimore Technologies, explains that it's just not possible to please everyone. "A network operator is looking for one type of thing; a bank is looking for something separate," he said. "The bank doesn't want the network operator to control customer access to the bank, whereas the network operator would like to be able to keep as much control over the customers as they possibly can."

Wireless PKI: Batteries and Bandwidth

A number of companies, including Entrust and RSA Security, as well as Certicom, VeriSign and Baltimore, have announced solutions enabling the use of public key infrastructure (PKI) software in a wireless environment. PKI uses digital certificates to facilitate authentication, the logical next step in increased security.

Byrne explains that Baltimore Technologies' Telepathy allows companies to apply their legacy security infrastructure to the wireless world. "We didn't want to bring in a separate wireless standard for security to the one that already existed in the wired world," he said. And the same can be said of Certicom's recently-announced Trustpoint solution.

The biggest challenge in implementing a PKI solution for wireless deployment, though, lies in the devices themselves. With limited bandwidth and low power, not to mention a small screen and no keyboard, the average phone or PDA presents a number of unique problems.

Panjwani explains that Certicom's proprietary Elliptic Curve Cryptography (ECC), which reduces key size from RSA's 1024 bits to as few as 56 bits, makes handling certificates a lot easier for low-bandwidth and low-power devices. "We can do a digital signature in a second," he said. "If you use the RSA mechanism to do a signature on a Palm device, for example, it takes almost fifteen seconds. Is the user going to wait fifteen seconds to do a signature? Probably not. And the battery's draining at the same time."

Byrne also notes that the need for increased bandwidth may itself push the industry forward, if only because of the investment that operators have made in 3G licenses. "We're talking billions of pounds in government auctions in a bunch of different European countries," he said. "They have big debts that they need to make back, and in order to do that, they want to try to offer additional services that they hope people are going to pay for. That's why the m-commerce issue really comes to life."

A Better Mousetrap

In the meantime, there aren't any devices available in the US that are capable of supporting digital certificates. But as Healy explains, the rest of the world is already heading in the right direction. "Both Nokia and Ericsson have been supporting server certificates since the middle of last year," he said. "There are different availabilities, and that really depends on the supplier of the technology."

As a result, Healy notes, the US will obviously be the last to implement these solutions. "In the US, it's probably 3-6 months behind in terms of adoption and availability," he said.

According to Panjwani, there's unique potential in the Asian and European markets. "If you look at Europe and Asia, in some countries the wireless penetration far exceeds the Internet penetration in those markets," he said. "What that means is that their wireless device is their primary vehicle to browse the Internet and do transactions."

And every manufacturer has plans to embed certificate technology into their devices in the near future. At the recent 3GSM World Congress in Cannes, both VeriSign and Baltimore announced agreements with Japan's NTT DoCoMo to put their solutions in future models of NTT DoCoMo's enormously popular i-mode phones. If downloading cartoons got them 19 million users, just imagine what trading stocks could do.

Show Me Your Finger

As security fears are eased and m-commerce becomes a powerful force, another security issue will develop, one that's also unique to wireless technology. PDAs and phones are very easy to lose, and even easier to steal. And that's where your finger comes in.

In May of 1999, Motorola announced a partnership with the biometrics company Identix to jointly develop fingerprint scanning devices. Six months later, they presented the first product from the partnership, the DFR 300: a fingerprint reader that's 4.5 millimeters thick and retails for under $20.

It'll be a few years, though, before you can forget your PIN and use your finger instead, and it'll be a while before you'll have any need to. Still, security advances are ongoing, and will be effecting significant changes within the year. In a fast-moving market, the coming months will be exciting to watch.

Jeff Goldman is a freelance writer covering a wide range of topics for a number of online journals. He currently writes regular articles for Internet.com's ISP-Planet. Brought up in Belgium, Jeff spent the last decade in New York, Chicago and London; he now lives in Los Angeles.