As pressure mounts on banks to be at the cutting edge of technology
in the provision of services, the issue of security has become
paramount for potential users and, more particularly, the
City.
Britain's banks are falling over each other to roll out mobile
phone banking services. Soon, most of us will be offered the chance
to check our bank balance, pay bills and shuffle money between
accounts from our wireless application protocol (Wap) phones.
The pressure for banks not to be left behind in the Wap race is
intense. Their share prices depend on being seen to be up to speed with
the latest technology. So those that are slow off the mark risk losing
market share and the City's approval.
But as the rush to Wap intensifies, some experts are concerned
banks may not have the time, resources or technical
understanding to make mobile phone banking services as secure as
they should be.
The recent security breaches in the Internet banking services
offered by Barclays Bank and Egg show it is all too easy to
overlook programming errors. These could allow hackers or even
members of the public access.
"The UK has some way to go in securing its Web infrastructure,
never mind Wap," says Roberto Mendrano, general manager for
Internet security solutions at Hewlett-Packard. "When I ask people
how they know the security of their Wap systems will work, they
tell me their handsets are secure. But I know they are not thinking
about infrastructure," he says.
Most Wap users would probably be shocked to learn banks are
rolling out Wap services before security standards have been fully
addressed. The current generation of Wap technology contains some
potentially serious weaknesses that, unless precautions are taken,
could leave both banks and customers exposed to hackers and
criminals.
One potential weakness lies at the Wap gateway server. This acts
as a link between the Wap phone and a bank's Internet servers.
Banks use encryption technology to make sure messages are
secure, both when they arrive and leave the Wap gateway.
However, as messages travel through the gateway, they pass
through an unencrypted state known as "clear text". At this point,
bank account details and other sensitive information are vulnerable
to being read. If the gateway is hosted by an Internet service
provider (ISP), the bank is reliant on the honesty of the ISP's
employees to protect this sensitive data.
"In practice, the only sensible way forward is to bring the
gateway onto the bank's premises," says Richard Barber, security
group technical adviser at security systems integrator
Articon-Integralis. "The banks can afford to security vet their
staff. The ISPs have a lot of contractors that are not subject to
the same security vetting as permanent staff."
Even then, there is a possibility a hacker could find a way into
the gateway and read copies of clear text messages stored on the
gateway's system log.
The only way to be certain is to make sure the server never
stores clear text on its hard disk, says Barber. The difficulty is
most banks like to keep records of every stage of the
transaction.
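
One way to reconcile the two requirements above (a record of every transaction stage, but no clear text on the gateway's disk) is to scrub each log record before any handler writes it. This is an added example, not code from the article or from any bank; the key=value message format, the field names and the key are assumptions.

```python
import hashlib
import hmac
import logging
import logging.handlers
import re

# Assumption: decrypted requests are key=value pairs joined by '&'.
DROP_FIELDS = ("pin", "password")    # low-entropy secrets: never recorded
DIGEST_FIELDS = ("account",)         # recorded only as a keyed digest
AUDIT_KEY = b"constructed-demo-key"  # constructed; keep the real key off the gateway disk

_FIELD_RE = re.compile(r"\b(%s)=([^&\s]+)" % "|".join(DROP_FIELDS + DIGEST_FIELDS))


def _replace(match: re.Match) -> str:
    name, value = match.group(1), match.group(2)
    if name in DROP_FIELDS:
        return f"{name}=[REDACTED]"
    mac = hmac.new(AUDIT_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{name}=hmac:{mac[:16]}"  # auditors can correlate entries, not read them


def scrub(message: str) -> str:
    """Remove clear-text secrets from one log message."""
    return _FIELD_RE.sub(_replace, message)


class ClearTextFilter(logging.Filter):
    """Scrubs each record before any handler can write it to disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = scrub(record.getMessage()), ()
        return True


def demo() -> list:
    """Log two constructed transaction stages; return what would be stored."""
    sink = logging.handlers.BufferingHandler(capacity=100)  # in-memory stand-in for a log file
    log = logging.getLogger("wap.gateway.demo")
    log.handlers, log.filters, log.propagate = [sink], [ClearTextFilter()], False
    log.setLevel(logging.INFO)
    log.info("stage=decrypt account=12345678&pin=4321&amount=50.00")
    log.info("stage=forward account=%s&amount=%s", "12345678", "50.00")
    return [record.getMessage() for record in sink.buffer]
```

The account number is replaced by the same keyed digest at every stage, so the stages of one transaction can still be matched up in the log.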
Another potential pitfall with current Wap technology is that
the customer has no way of knowing he or she is really connecting
to the bank.
With some skillful programming, a clever hacker could redirect
customers to a spoof Wap site, designed to look similar to the
genuine bank's site. The hacker could use the site to intercept
passwords and other security codes that provide access to that
customer's bank account.
Rather disturbingly, one well-known bank's e-commerce department
told MC it had not heard of this potential risk.
Security experts believe British banks could learn something
from the Swedes and the Germans. They claim people in these
countries are ahead of the UK in Internet and Wap security.
Swedish bank SEB plans to launch a Wap service in November,
followed by the rest of Europe. They offer customers the ability to
buy and sell shares from mobile phones, up-to-the-minute share
prices and access to mobile banking services. These include bill
payment and money transfers.
"Security is crucial," says Andres Bonds, head of strategy and
competitive intelligence. "We daren't do anything that could damage
our reputation. The only asset we have is customers' confidence in
the bank," he says. "It is essential we have the best
security."
SEB has the usual firewalls, but these are not enough, Bonds
claims, to ensure it is hacker-proof. The bank opted for HP's
VirtualVault technology. Based on systems designed for the
military, VirtualVault ensures the bank's IT systems are never
directly connected to the outside world. "You can never reach the
central systems. It's what you might call a demilitarised zone," he
says.
The bank has now gone one step further than most by giving each
customer a security code generator. This credit-card-sized device
generates a one-time password every 30 seconds. It is an order of
magnitude safer than relying on a PIN number or a customer's own
password.
Bonds admits competitors might regard the code generator as
overkill. But for every organisation, security has to be a
trade-off not only against cost, but also against usability. Code
generators may be secure, but they can make the Wap service more
difficult and less convenient for customers on the move.
Janette Winter, head of e-commerce at the Woolwich, considered
issuing customers with password generators before the bank went live
with its Wap service in April. "We think it is totally impractical
for the user," she says.
Instead, the Woolwich asks its customers to type in three pieces
of personal information, including a password, to make sure they
are genuine.
Future versions of Wap technology standards will soon fill many
of the security holes found in current systems. Phone manufacturers and
IT suppliers are developing new phone handsets that will
incorporate the advanced security technology of "public key
infrastructure" (PKI). This will allow customers to send a "digital
certificate" to the bank to prove that they are legitimate.
Similarly, the bank can send the customer a digital certificate
to prove it is really the bank and not a spoof Wap site created by
a hacker.
PKI has another advantage over existing security arrangements.
It allows both customers and banks to sign transactions
electronically.
Electronic signatures will soon be recognised in law - giving
both UK banks and customers the comfort of knowing any transactions
they make will be legally binding.
"PKI is future technology," says Henry Manassian, chief
executive of security specialist Globalsign.
"An end-to-end PKI-based system gives a complete framework for
an operation to be legally covered. It is recognised in law and
will make things much easier and more straightforward than a system
that uses a password or some other security device," he points
out.
Yet there is still some way to go before PKI arrives in a usable
form for customers.
The technology will require a new generation of mobile phone
handsets equipped with an extra smartcard slot to take the PKI
card.
Banks and phone manufacturers will have to agree a system for
distributing and storing the secure keys needed. And there are question
marks over the impact it will have on the battery life of phones.
However, for banks, the greatest concern is whether PKI will be
simple enough for customers. Winter is sceptical. "Usability is
still an issue. I don't think customers find it easy to use Wap. To
consider PKI at this point when there are other usability issues
does not make sense. But over time, it might be the right way
forward," she adds.
In the meantime, security consultants advise customers to check
the small print of their bank's Internet service before signing
up.
If the bank is prepared to cover any losses caused by hackers or
fraud, all well and good. If not, they advise, think twice.
Wap security technologies
- Wireless transport layer security (WTLS) protocol - A
technology standard for encrypting communication between the
handset and Wap gateway. It performs integrity checks on the data.
Future versions of the protocol will allow the bank to authenticate
the user and the user to make sure the bank is genuine
- Wireless identity module (Wim) - A smartcard that, in future,
will contain a customer's confidential encryption keys. The Wim
will allow the bank to authenticate whether the customer is who
they claim to be. Future generations of Wap phones will contain a
Wim slot
- Wap Microbrowser - In future, the Microbrowser will run scripts
that will allow customers to sign data using encryption keys stored
in the Wim card.
What makes a banking system secure?
There are several components to security in a banking
system:
- Authenticity - Provides security against forgery of data or
forgery of identities. It allows a bank's system to know whether it
is genuinely talking to the customer or to a hacker impersonating
the customer
- Integrity - Provides protection against changes in messages. It
ensures a hacker or a criminal cannot intercept and secretly change
instructions sent to the bank by a customer
- Confidentiality - Ensures communications between banks and
customers cannot be disclosed to third parties
- Non-repudiation - Ensures the customer cannot deny being the
source of a message sent to the bank and vice versa.
Source: Dag Stroman, RSA Wireless Development Centre