Banking on security to win the Wap race

As pressure mounts on banks to be at the cutting-edge of technology in provision of services, the issue of security has become...

As pressure mounts on banks to be at the cutting-edge of technology in provision of services, the issue of security has become paramount for potential users and, more particularly, the City

Britain's banks are falling over each other to roll out mobile phone banking services. Soon, most of us will be offered the chance to check our bank balance, pay bills and shuffle money between accounts from our wireless application protocol (Wap) phones.

The pressure for banks not to be left behind in the Wap race is intense. Their share prices depend on being seen up to speed with the latest technology. So those to be slow off the mark risk losing market share and the City's approval.

But as the rush to Wap intensifies, some experts are concerned banks may not have the time, resources or that technical understanding to make mobile phone banking services as secure as they should be.

The recent security breaches in the Internet banking services offered by Barclays Bank and Egg, show it is all too easy to overlook programming errors. These could allow hackers or even members of the public access.

"The UK has some way to go in securing its Web infrastructure, never mind Wap," says Roberto Mendrano, general manager for Internet security solutions at Hewlett-Packard. "When I ask people how they know the security of their Wap systems will work, they tell me their handsets are secure. But I know they are not thinking about infrastructure," he says.

Most Wap users would probably be shocked to learn banks are unfolding Wap services before security standards have been fully addressed. The current generation of Wap technology contains some potentially serious weaknesses that, unless precautions are taken, could leave both banks and customers exposed to hackers and criminals.

One potential weakness lies at the Wap gateway server. This acts as a link between the Wap phone and a bank's Internet servers.

Banks use encryption technology to make sure messages are secure, both when they arrive and leave the Wap gateway.

However, as messages travel through the gateway, they pass through an unencrypted state known as "clear text". At this point, bank account details and other sensitive information is vulnerable to being read. If the gateway is hosted by an Internet service provider (ISP), the bank is reliant on the honesty of the ISP's employees to protect this sensitive data.

"In practice, the only sensible way forward is to bring the gateway onto the bank's premises," says Richard Barber, security group technical adviser at security systems integrator Articon-Integralis. "The banks can afford to security vet their staff. The ISPs have a lot of contractors that are not subject to the same security vetting as permanent staff."

Even then, there is a possibility a hacker could find a way into the gateway and read copies of clear text messages stored on the gateway's system log.

The only way to be certain is making sure the server never stores clear text on its hard disk, says Barber. The difficulty is most banks like to keep records of every stage of the transaction.

Another potential pitfall with current Wap technology is that the customer has no way of knowing he or she is really connecting to the bank.

With some skillful programming, a clever hacker could redirect customers to a spoof Wap site, designed to look similar to the genuine bank's site. The hacker could use the site to intercept passwords and other security codes that provide access to that customer's bank account.

Rather disturbingly, one well-known bank's e-commerce department told MC it had not heard of this potential risk.

Security experts believe British banks could learn something from the Swedes and the Germans. They claim people in these countries are ahead of the UK in Internet and Wap security.

Swedish bank SEB plans to launch a Wap service in November, followed by the rest of Europe. They offer customers the ability to buy and sell shares from mobile phones, up-to-the-minute share prices and access to mobile banking services. These include bill payment and money transfers.

"Security is crucial," says Andres Bonds, head of strategy and competitive intelligence. "We daren't do anything that could damage our reputation. The only asset we have is customer's confidence in the bank," he says. "It is essential we have the best security."

SEB has the usual firewalls, but these are not enough, Bonds claims, to ensure it is hacker-proof. The bank opted for HP's VirtualVault technology. Based on systems designed for the military, VirtualVault ensures the bank's IT systems are never directly connected to the outside world. "You can never reach the central systems. It's what you might call a demilitarised zone," he says.

The bank has now gone one step further than most by giving each customer a security code generator. This credit-card-sized device generates a one-time password every 30 seconds. It is an order of magnitude, safer than relying on a pin number or a customer's own password.

Bonds admits competitors might regard the code generator as overkill. But for every organisation, security has to be a trade-off not only against cost, but also against usability. Code generators may be secure, but they can make the Wap service more difficult and less convenient for customers on the move.

JanetteWinter, headofe-commerceatthe Woolwich, considered issuing customerswith password generators before the bank went live with its Wap service in April. "We think it is totally impractical for the user," she says.

Instead, the Woolwich asks its customers to type in three pieces of personal information, including a password, to make sure they are genuine.

Future versions of Wap technology standards will soon fill many of security holes found in current systems. Phone manufacturers and IT suppliers are developing new phone handsets that will incorporate the advanced security technology of "public key infrastructure" (PKI). This will allow customers to send a "digital certificate" to the bank to prove that they are legitimate.

Similarly the bank can send the customer a digital certificate to prove it is really the bank and not a spoof Wap site created by a hacker.

PKI has another advantage over existing security arrangements. It allows both customers and banks to sign transactions electronically.

Electronic signatures will soon be recognised in law - giving both UK banks and customers the comfort of knowing any transactions they make will be legally binding.

"PKI is future technology," says Henry Manassian, chief executive of security specialist Globalsign.

"An end-to-end PKI-based system gives a complete framework for an operation to be legally covered. It is recognised in law and will make things much easier and more straightforward than a system that uses a password or some other security device," he points out.

Yet there is still some way to go before PKI arrives in a usable form for customers.

The technology will require a new generation of mobile phone handsets equipped with an extra smartcard slot to take the PKI card.

Banks and phone manufacturers will have to agree a system for distributing and storing secure keys needed. And there are question marks over the impact it will have on battery life of phones.

However, for banks, the greatest concern is whether PKI will be simple enough for customers. Winter is sceptical. "Usability is still an issue. I don't think customers find it easy to use Wap. To consider PKI at this point when there are other usability issues does not make sense. But over time, it might be the right way forward," she adds.

In the meantime, security consultants advise customers to check the small print of their bank's Internet service before signing up.

If the bank is prepared to cover any loses caused by hackers or fraud, all well and good. If not, they advise, think twice.

Wap security technologies

  • Wireless transport layer security (WTLS) protocol - A technology standard for encrypting communication between the handset and Wap gateway. It performs integrity checks on the data. Future versions of the protocol will allow the bank to authenticate the user and the user to make sure the bank is genuine

  • Wireless identity module (Wim) - A smartcard that, in future, will contain a customer's confidential encryption keys. The Wim will allow the bank to authenticate whether the customer is who they claim to be. Future generations of Wap phones will contain a Wim slot

  • Wap Microbrowser - In future, the Microbrowser will run scripts that will allow customers to sign data using encryption keys stored in the Wim card.

    What makes a banking system secure?

    There are several components to security in a banking system:

  • Authenticity - Provides security against forgery of data or forgery of identities. It allows a bank's system to know whether it is genuinely talking to the customer or to a hacker impersonating the customer

  • Integrity - Provides protection against changes in messages. It ensures a hacker or a criminal cannot intercept and secretly change instructions sent to the bank by a customer

  • Confidentiality - Ensures communications between banks and customers cannot be disclose to third parties

  • Non-repudiation - Ensures the customer cannot deny being the source of a message sent to the bank and vice versa.

    Source: Dag Stroman, RSA Wireless Development Centre

  • Read more on Wireless networking