Is mobile Internet really the Achilles' heel of e-business, or does
it have the power to reinforce e-business security? Alison Classe
reports.
Analysts and the press have propagated the view that m-commerce
is an inferior life form when it comes to security. The general
consensus is that mobile technologies do not yet provide secure
communications and that current security levels are inadequate for
general access into corporate IT systems.
But is m-business really less secure? In certain respects it
must be. Obviously, a mobile device is easy to steal and tampering
with mobile phones is, by IT standards, a fairly mature discipline.
Mobile networks, too, are susceptible to eavesdropping, as Robert
McCarthy, security specialist with wireless application testing
specialist Encerca (formerly AnywhereYouGo.com), points out. "The
signal from the phone can, at least in theory, be picked up by
anyone in range." This, he argues, is a vulnerability even if the
signal is encrypted.
In terms of encryption itself, the much-discussed 'WAP gap'
(wireless application protocol gap) constitutes a special challenge
to m-commerce. Because of the limitations of processing power on
mobile devices, a less powerful form of encryption than the one
used on the Internet has been designed for mobile use. In the
context of m-commerce, that means that at the point where
m-commerce traffic comes on to the Internet proper, it gets
decrypted and then re-encrypted, leading to a 'gap' or moment of
vulnerability.
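A toy model of that gap, added here and not part of the article: a keyed HMAC-SHA256 keystream stands in for the air-side and Internet-side ciphers, and the relay that terminates one layer and opens the next is shown to see the plaintext, whereas an inner end-to-end layer (the kind of end-to-end protection the article says WAP 1.3 aims for) leaves the relay only ciphertext. All keys, the nonce and the order text are constructed for the demo.

```python
"""Toy 'WAP gap' model (added example, not the article's own code).
The stream cipher is a constructed HMAC-SHA256 keystream in a CTR-like
mode; it stands in for the air-link cipher and the Internet cipher."""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from key and nonce (toy CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def gateway_relay(air_key, net_key, nonce, ciphertext):
    """Terminating gateway: strip the air-link layer, apply the Internet
    layer.  Returns (bytes visible inside the gateway, outgoing bytes)."""
    exposed = encrypt(air_key, nonce, ciphertext)
    return exposed, encrypt(net_key, nonce, exposed)


def run_gap_demo(order: bytes) -> dict:
    """Compare a terminated two-hop design with an end-to-end inner layer."""
    air_key, net_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    # Two-hop model: the gateway holds the plaintext between the two hops.
    exposed, to_server = gateway_relay(air_key, net_key, nonce,
                                       encrypt(air_key, nonce, order))
    server_sees = encrypt(net_key, nonce, to_server)
    # End-to-end model: the handset first encrypts to a key only the
    # server holds, then the air link wraps that inner ciphertext.
    e2e_key = os.urandom(32)
    inner = encrypt(e2e_key, nonce, order)
    exposed2, to_server2 = gateway_relay(air_key, net_key, nonce,
                                         encrypt(air_key, nonce, inner))
    server_sees2 = encrypt(e2e_key, nonce, encrypt(net_key, nonce, to_server2))
    return {"gap_sees_plaintext": exposed == order,
            "e2e_gap_sees_plaintext": exposed2 == order,
            "server_recovers_order": server_sees == order == server_sees2}
```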
However, some claim that m-commerce has the potential to be
safer than other e-commerce models. A mobile phone can act as a
private possession in a way that a PC often can't. PCs sit on
desktops where anyone can use them, whereas pocketable devices are
more likely to be treated as personal.
Patrick O'Callaghan, vice-president, sales and marketing with
Network365, says:
"M-commerce is inherently more secure. If merchants take an
order from a mobile device, they're able to identify the individual
from their MSISDN [Mobile Subscriber ISDN number], the
international format GSM number that's a unique identifier
worldwide. And we always couple that with a secret PIN number,
which guards against unauthorised use of the device."
Mature advantage
Many of the differences between m-commerce and other forms of
e-commerce relate to the relative maturities of the technology and
could even up over time, but others, such as 'form factor', are
more permanent. Peter Houppermans, an IT security consultant with
PA Consulting Group, points out that entering into a contractual
agreement via a mobile phone is always likely to be impractical
because the 'small print' is going to disappear to the bottom of
several screenfuls of data.
Some of the security-related objections to m-commerce are being
overcome. The 'WAP gap' problem may not be such a bugbear as it's
been portrayed. The WAP Forum (www.wapforum.org) has come up with a
solution to be included in the imminent WAP Version 1.3. This, the
Forum says, will provide end-to-end security based on the use of a
client-side proxy server. In the meantime, there are ways to secure
the data in the gap.
A bit of lateral thinking has provided ways to reduce the
sensitivity of data transmitted over mobile networks. The
'electronic wallet' idea is one example. Payment methods such as
credit card details are supplied once and securely stored on a
server, which might be the responsibility of a merchant, financial
institution or a third-party service provider. Then, rather than
each transaction involving the transmission of payment data, the
transaction is simply linked to the wallet.
Another approach is to charge the costs of transactions to the
subscriber's phone bill. Jason Bray is the general manager for
Europe for eCharge, a player in this area. eCharge is currently
focused on wired Internet but is looking at mobile, too. Bray
argues that this is a particularly secure way of doing business,
and a cost-effective one because it avoids both the cost to the
user of additional hardware (such as smart card readers) and the
cost to the merchant of credit-card transactions.
"At the simplest level, we can identify the customer based on
their phone number, but that can be enhanced by reference to
information that the 'billing partner' - the phone company - has
stored about your phone usage. You can be asked about your four
most recent calls, the last time you phoned your mum, and so on, in
order to confirm that you are who you say you are." This model
could be particularly appropriate for small transactions, such as
buying cinema tickets or paying for MP3 downloads, that may
characterise m-commerce.
Meanwhile, there are moves afoot to enhance the security
capabilities of the handheld devices themselves. One is the WAP
Identity Module (WIM), an enhancement designed to provide security
functions and to handle user identification and authentication.
Sensitive data such as digital keys can be handled inside the
tamper-proof WIM, often thought of as a separate smart card, though
according to the specification it can also be added to the SIM.
Some approaches involve the use of a second smart card in
addition to the SIM. The WIM could either be such a card or could
be implemented on the SIM itself. Some people believe that two-card
approaches to secure payments will work best if they take advantage
of existing payment mechanisms such as credit cards. While these
facilities could be built into the phone, an extra level of
security is added by keeping card and phone separate and slotting
the card in when it's needed.
Biometrics is another possible approach to authenticating the
handset user. For example, their fingerprints or voice could be
compared with a stored 'print'. Houppermans says: "If biometrics
can be made reliable it could become very useful. However, there
are always going to be drawbacks - the voice of someone with the
flu may be unrecognisable - so I think it's best regarded as an
addition to user name and password, rather than a replacement."
Sensible Implementation
Security depends just as much on sensible application design as
on clever technology. Encerca's McCarthy points out that banks are
currently using techniques that lay them open to 'spoofing' - a
form of attack where a user impersonates another by copying their
security details.
"When banks need to give someone instructions for accessing a
secure site, some do it by sending an SMS [short message service]
message. But SMS messaging is not secure - at the most basic,
someone can just read the message when they borrow your phone - and
the instructions can then easily be used to program other
phones."
Ed Wood, m-commerce manager of nCipher, urges businesses to
think about the entire picture, not get fixated on one aspect.
"It's obviously mad to spend a lot of money on cryptography and
then post out a critical bit of security information in an
envelope. It's important that architects address the end-to-end
picture. They should also think about the cost of security being
compromised.
"If the most someone stands to gain is £5 worth of service, it
may not be worth spending hundreds of thousands to secure it," says
Wood. "However, the costs in terms of loss of consumer confidence
also need to be included in calculations of this kind," he says. It
should also be remembered that the risk of financial loss isn't the
only reason for security provisions. Privacy of personal
information is another area where companies have responsibilities
to their customers and staff - responsibilities about which mobile
users may feel particularly sensitive, in as much as a mobile
device is often felt to be part of one's 'personal space' in a way
that a desktop device is not.
Future Development
Are current security concerns likely to be an insurmountable
barrier to the growth of m-commerce? According to Houppermans: "I
wouldn't put high-value transactions through a mobile device at the
moment, mainly because of the difficulty of keeping track of the
device. They are intrinsically easy to steal and there's always
going to be some bright spark who stores their password in the
phone's data bank."
In the longer run, however, the problems will be overcome
because of the incentives to do so. "We're getting more and more
mobile and that's not a trend that's going to be reversed," says
Houppermans.
Despite security concerns, many analysts agree with Houppermans
and are predicting massive volumes of m-business. For example,
Gartner Group has suggested that the worldwide value of
mobile-device-initiated consumer transactions could be as much as
$1.8 trillion by 2005.
However, it's possible that a lot of these will be low-value,
low-risk transactions.
The future success of m-commerce is likely to be conditional on
the emergence of a standard approach to security. MeT, the Mobile
Electronic Transactions initiative launched last year by Ericsson,
Motorola and Nokia (www.mobiletransaction.org), is focusing on this
area now.
With the market still in its infancy, various payment methods
are competing for supremacy:
Mobile PKI
Finnish online broker eQ Online (www.eqonline.fi/corporation)
has built what it claims is the "world's first, and to date
only, highly secure wireless brokerage service", supporting share
dealing via mobile phones.
The solution has been built with the co-operation of a group of
technology companies including Sonera SmartTrust and nCipher. It
has allowed eQ Online to extend the reach of an existing wired
Internet online dealing system. After an initial launch in Finland
early last year, the mobile service is destined for a pan-European
audience. The company says the service can be used on any GSM
network, ideally, but not necessarily, with WAP handsets.
The system uses strong 1024-bit encryption and digital
certification technology implemented by Sonera on SIM cards.
nCipher has provided both secure key storage and acceleration
technology. The latter helps to overcome one of the major obstacles
to secure m-commerce by offloading security processing from the
server to a specialist hardware module (nFast), reducing delays in
handling client requests.
Of course, this problem is not confined to m-commerce. In fact,
eQ Online has been using the nCipher technology since
encryption-related bottlenecks were discovered during the
pre-launch testing of the company's original online dealing
system.
Electronic Wallets
Esat Digifone's m-commerce facility is a component of digifone
online, launched last year as 'Ireland's first seamless fixed and
mobile ISP and portal'. With one in two Irish people using mobile
phones, the initiative was partly designed to entice new users on
to the Internet for the first time via the mobile route.
Esat Digifone, Ireland's second GSM operator, unveiled its
m-commerce mall, dot digifone on-line, in time for romantic Irish
men and women to buy their Valentine's Day 2000 chocolates and
flowers. The service incorporates Network365's mZone mobile
commerce server. This provides a Mobile Wallet facility that allows
credit card details and shipping instructions to be stored once and
then retrieved whenever a transaction is made.
Several months after its launch, the security was enhanced with
the addition of a capability for the encryption of data streams
passing from the mobile handset to the server.
Enhancing mobile security usually risks compounding performance
problems, but the use of e-wallets can have the opposite effect by
reducing the amount of data that has to be transmitted.
Credit Card Phones
Last summer France Telecom launched 'Paiement CB Sur Mobile'
(Carte Bleue payment by mobile), a service allowing mobile
customers to make credit card payments from special Motorola or
Sagem phones. These are models equipped with a slot into which the
CB credit card is temporarily inserted at the time of the
transaction.
This approach enhances security because the bank card can be
kept separate from the phone. A PIN number is also needed to
transact a payment, so there are effectively two 'somethings you
have' plus one 'something you know' securing the payment. The PIN
number itself doesn't pass across the network.
Believed to be the first of its kind, the service follows on
from an earlier trial involving France Telecom and CB, known as
ItiAchat. The live service allows users to pay for m-commerce
transactions and utility bills and to add credit to their mobile
phone account.