The weakest link


Is mobile Internet really the Achilles' heel of e-business, or does it have the power to reinforce e-business security? Alison Classe reports

Analysts and the press have propagated the view that m-commerce is an inferior life form when it comes to security. The general consensus is that mobile technologies do not yet provide secure communications and that current security levels are inadequate for general access into corporate IT systems.

But is m-business really less secure? In certain respects it must be. Obviously, a mobile device is easy to steal and tampering with mobile phones is, by IT standards, a fairly mature discipline. Mobile networks, too, are susceptible to eavesdropping, as Robert McCarthy, security specialist with wireless application testing specialist Encerca (formerly, points out. "The signal from the phone can, at least in theory, be picked up by anyone in range." This, he argues, is a vulnerability even if the signal is encrypted.

In terms of encryption itself, the much-discussed 'WAP gap' (wireless application protocol gap) constitutes a special challenge to m-commerce. Because of the limitations of processing power on mobile devices, a less powerful form of encryption than the one used on the Internet has been designed for mobile use. In the context of m-commerce, that means that at the point where m-commerce traffic comes on to the Internet proper, it gets decrypted and then re-encrypted, leading to a 'gap' or moment of vulnerability.

However, some claim that m-commerce has the potential to be safer than other e-commerce models. A mobile phone can act as a private possession in a way that a PC often can't. PCs sit on desktops where anyone can use them, whereas pocketable devices are more likely to be treated as personal.

Patrick O'Callaghan, vice-president, sales and marketing with Network365, says:

"M-commerce is inherently more secure. If merchants take an order from a mobile device, they're able to identify the individual from their MSISDN [Mobile Subscriber ISDN number], the international format GSM number that's a unique identifier worldwide. And we always couple that with a secret PIN number, which guards against unauthorised use of the device."

Mature advantage

Many of the differences between m-commerce and other forms of e-commerce relate to the relative maturities of the technology and could even up over time, but others, such as 'form factor', are more permanent. Peter Houppermans, an IT security consultant with PA Consulting Group, points out that entering into a contractual agreement via a mobile phone is always likely to be impractical because the 'small print' is going to disappear to the bottom of several screenfuls of data.

Some of the security-related objections to m-commerce are being overcome. The 'WAP gap' problem may not be such a bugbear as it's been portrayed. The WAP Forum ( has come up with a solution to be included in the imminent WAP Version 1.3. This, the Forum says, will provide end-to-end security based on the use of a client-side proxy server. In the meantime, there are ways to secure the data in the gap.

A bit of lateral thinking has provided ways to reduce the sensitivity of data transmitted over mobile networks. The 'electronic wallet' idea is one example. Payment methods such as credit card details are supplied once and securely stored on a server, which might be the responsibility of a merchant, financial institution or a third-party service provider. Then, rather than each transaction involving the transmission of payment data, the transaction is simply linked to the wallet.
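The wallet model above can be shown in a few dozen lines. The following is an added illustration, not code from any of the vendors or operators named in this article: card details go to the wallet server once, at enrolment, and every later purchase request carries only an opaque wallet id, a per-wallet MAC (so a stolen or tampered request is rejected) and a nonce (so a replayed request is rejected). The server class, message layout and sample card number are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


def _mac(key, wallet_id, merchant, amount_pence, nonce):
    """MAC over the transaction fields so the server can tell the request is genuine and unaltered."""
    payload = f"{wallet_id}|{merchant}|{amount_pence}|{nonce}".encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class WalletServer:
    """Holds card details once; later transactions reference a wallet id only (constructed example)."""

    def __init__(self):
        self._vault = {}          # wallet_id -> {"pan", "expiry", "shipping", "key"}
        self._seen_nonces = set()  # nonces already accepted, to refuse replays

    def enrol(self, pan, expiry, shipping):
        """One-time enrolment, assumed to run over a protected channel.
        Returns the opaque wallet id and a per-wallet MAC key kept on the handset."""
        wallet_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._vault[wallet_id] = {"pan": pan, "expiry": expiry, "shipping": shipping, "key": key}
        return wallet_id, key

    def authorise(self, message):
        """Check the MAC, then the nonce, then charge the stored card.
        Returns (ok, masked_pan); the full card number never leaves the vault."""
        record = self._vault.get(message["wallet_id"])
        if record is None:
            return False, None
        expected = _mac(record["key"], message["wallet_id"], message["merchant"],
                        message["amount_pence"], message["nonce"])
        if not hmac.compare_digest(expected, message["mac"]):
            return False, None          # forged or altered request
        if message["nonce"] in self._seen_nonces:
            return False, None          # replayed request
        self._seen_nonces.add(message["nonce"])
        return True, "**** " + record["pan"][-4:]


def build_wallet_request(wallet_id, key, merchant, amount_pence, nonce=None):
    """Handset side: the request names the wallet, not the card."""
    nonce = nonce or secrets.token_hex(8)
    return {"wallet_id": wallet_id, "merchant": merchant, "amount_pence": amount_pence,
            "nonce": nonce, "mac": _mac(key, wallet_id, merchant, amount_pence, nonce)}


def build_direct_request(pan, expiry, shipping, merchant, amount_pence):
    """For comparison: the per-transaction payload a walletless design would send."""
    return {"pan": pan, "expiry": expiry, "shipping": shipping,
            "merchant": merchant, "amount_pence": amount_pence}


def carries_card_data(message, pan):
    """True if the serialised message would expose the card number on the network."""
    return pan in json.dumps(message)


if __name__ == "__main__":
    server = WalletServer()
    wid, key = server.enrol("4111111111111111", "12/02", "12 Sample Street, Dublin 2")
    request = build_wallet_request(wid, key, "cinema.example", 650)
    print("card number on the wire:", carries_card_data(request, "4111111111111111"))
    print("authorised:", server.authorise(request))
    print("replay accepted:", server.authorise(request))
```

The point the article makes about sensitivity is the `carries_card_data` check: the wallet request is safe to lose in transit in a way the direct request is not, because the worst an eavesdropper obtains is a wallet id and a MAC that cannot be reused for a different amount or a second time.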

Another approach is to charge the costs of transactions to the subscriber's phone bill. Jason Bray is the general manager for Europe for eCharge, a player in this area. ECharge is currently focused on wired Internet but is looking at mobile, too. Bray argues that this is a particularly secure way of doing business, and a cost-effective one because it avoids both the cost to the user of additional hardware (such as smart card readers) and the cost to the merchant of credit-card transactions.

"At the simplest level, we can identify the customer based on their phone number, but that can be enhanced by reference to information that the 'billing partner' - the phone company - has stored about your phone usage. You can be asked about your four most recent calls, the last time you phoned your mum, and so on, in order to confirm that you are who you say you are." This model could be particularly appropriate for small transactions, such as buying cinema tickets or paying for MP3 downloads, that may characterise m-commerce.

Meanwhile, there are moves afoot to enhance the security capabilities of the handheld devices themselves. One is the WAP Identity Module (WIM), an enhancement designed to provide security functions and to handle user identification and authentication. Sensitive data such as digital keys can be handled inside the tamper-proof WIM, which is often thought of as a separate smart card but, according to the specification, can also be implemented on the SIM.

Some approaches involve the use of a second smart card in addition to the SIM. The WIM could either be such a card or could be implemented on the SIM itself. Some people believe that two-card approaches to secure payments will work best if they take advantage of existing payment mechanisms such as credit cards. While these facilities could be built into the phone, an extra level of security is added by keeping card and phone separate and slotting the card in when it's needed.

Biometrics is another possible approach to authenticating the handset user. For example, their fingerprints or voice could be compared with a stored 'print'. Houppermans says: "If biometrics can be made reliable it could become very useful. However, there are always going to be drawbacks - the voice of someone with the flu may be unrecognisable - so I think it's best regarded as an addition to user name and password, rather than a replacement."

Sensible Implementation

Security depends just as much on sensible application design as on clever technology. Encerca's McCarthy points out that banks are currently using techniques that lay them open to 'spoofing' - a form of attack where a user impersonates another by copying their security details.

"When banks need to give someone instructions for accessing a secure site, some do it by sending an SMS [short message service] message. But SMS messaging is not secure - at the most basic, someone can just read the message when they borrow your phone - and the instructions can then easily be used to program other phones."

Ed Wood, m-commerce manager of nCipher, urges businesses to think about the entire picture, not get fixated on one aspect. "It's obviously mad to spend a lot of money on cryptography and then post out a critical bit of security information in an envelope. It's important that architects address the end-to-end picture. They should also think about the cost of security being compromised.

"If the most someone stands to gain is £5 worth of service, it may not be worth spending hundreds of thousands to secure it," says Wood. "However, the costs in terms of loss of consumer confidence also need to be included in calculations of this kind," he says. It should also be remembered that the risk of financial loss isn't the only reason for security provisions. Privacy of personal information is another area where companies have responsibilities to their customers and staff - responsibilities about which mobile users may feel particularly sensitive, in as much as a mobile device is often felt to be part of one's 'personal space' in a way that a desktop device is not.

Future Development

Are current security concerns likely to be an insurmountable barrier to the growth of m-commerce? According to Houppermans: "I wouldn't put high-value transactions through a mobile device at the moment, mainly because of the difficulty of keeping track of the device. They are intrinsically easy to steal and there's always going to be some bright spark who stores their password in the phone's data bank."

In the longer run, however, the problems will be overcome because of the incentives to do so. "We're getting more and more mobile and that's not a trend that's going to be reversed," says Houppermans.

Despite security concerns, many analysts agree with Houppermans and are predicting massive volumes of m-business. For example, Gartner Group has suggested that the worldwide value of mobile-device-initiated consumer transactions could be as much as $1.8 trillion by 2005.

However, it's possible that a lot of these will be low-value, low-risk transactions.

The future success of m-commerce is likely to be conditional on the emergence of a standard approach to security. MeT, the Mobile Electronic Transactions initiative launched last year by Ericsson, Motorola and Nokia, is focusing on this area now.

With the market still in its infancy, various payment methods are competing for supremacy:

Mobile PKI

Finnish online broker eQ Online has built what it claims is "the world's first, and to date only, highly secure wireless brokerage service", supporting share dealing via mobile phones.

The solution has been built with the co-operation of a group of technology companies including Sonera SmartTrust and nCipher. It has allowed eQ Online to extend the reach of an existing wired Internet online dealing system. After an initial launch in Finland early last year, the mobile service is destined for a pan-European audience. The company says the service can be used on any GSM network, ideally, but not necessarily, with WAP handsets.

The system uses strong 1024-bit encryption and digital certification technology implemented by Sonera on SIM cards. nCipher has provided both secure key storage and acceleration technology. The latter helps to overcome one of the major obstacles to secure m-commerce by offloading security processing from the server to a specialist hardware module (nFast), reducing delays in handling client requests.

Of course, this problem is not confined to m-commerce. In fact, eQ Online has been using the nCipher technology since encryption-related bottlenecks were discovered during the pre-launch testing of the company's original online dealing system.

Electronic Wallets

Esat Digifone's m-commerce facility is a component of digifone online, launched last year as 'Ireland's first seamless fixed and mobile ISP and portal'. With one in two Irish people using mobile phones, the initiative was partly designed to entice new users on to the Internet for the first time via the mobile route.

Esat Digifone, Ireland's second GSM operator, unveiled its m-commerce mall, dot digifone on-line, in time for romantic Irish men and women to buy their Valentine's Day 2000 chocolates and flowers. The service incorporates Network365's mZone mobile commerce server. This provides a Mobile Wallet facility that allows credit card details and shipping instructions to be stored once and then retrieved whenever a transaction is made.

Several months after its launch, the security was enhanced with the addition of a capability for the encryption of data streams passing from the mobile handset to the server.

Compounding performance problems is always a hazard of enhancing mobile security, but the use of e-wallets can have the opposite effect by reducing the amount of data that has to be transmitted.

Credit Card Phones

Last summer France Telecom launched 'Paiement CB Sur Mobile' (Carte Bleue payment by mobile), a service allowing mobile customers to make credit card payments from special Motorola or Sagem phones. These are models equipped with a slot into which the CB credit card is temporarily inserted at the time of the transaction.

This approach enhances security because the bank card can be kept separate from the phone. A PIN number is also needed to transact a payment, so there are effectively two 'somethings you have' plus one 'something you know' securing the payment. The PIN number itself doesn't pass across the network.
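The factor split described above (card plus phone as the two "somethings you have", PIN as the "something you know", PIN never on the network) can be modelled as follows. This is an added example and not the France Telecom or CB implementation: the card object stands in for the inserted bank card, it verifies the PIN locally and locks after three wrong attempts, and it signs the transaction with a key that only it and the issuer hold. The phone contributes its number to the signed data, so the issuer can tell when the card is used from a handset other than the one registered to the customer. The class names, message layout and sample numbers are constructed.

```python
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3


class BankCard:
    """Stand-in for the slotted-in card: holds a secret key and checks the PIN on-card."""

    def __init__(self, card_id, pin, key):
        self._card_id = card_id
        self._pin_hash = hashlib.sha256(pin.encode()).digest()  # PIN never stored in clear
        self._key = key
        self._tries_left = MAX_PIN_TRIES
        self._counter = 0   # transaction counter, makes every cryptogram unique

    def sign_payment(self, pin, msisdn, merchant, amount_cents):
        """Return a signed payment message, or None if the PIN is wrong or the card is locked.
        The PIN is consumed here and is not part of the returned message."""
        if self._tries_left == 0:
            return None
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self._tries_left -= 1
            return None
        self._tries_left = MAX_PIN_TRIES
        self._counter += 1
        payload = f"{self._card_id}|{msisdn}|{merchant}|{amount_cents}|{self._counter}".encode()
        return {"card_id": self._card_id, "msisdn": msisdn, "merchant": merchant,
                "amount_cents": amount_cents, "counter": self._counter,
                "cryptogram": hmac.new(self._key, payload, hashlib.sha256).hexdigest()}


class Issuer:
    """Back-end that knows each card's key and the phone number the card was registered with."""

    def __init__(self):
        self._cards = {}   # card_id -> {"key", "msisdn", "last_counter"}

    def register(self, card_id, key, msisdn):
        self._cards[card_id] = {"key": key, "msisdn": msisdn, "last_counter": 0}

    def authorise(self, msg):
        """Accept only a fresh cryptogram from the registered card-and-phone pair."""
        rec = self._cards.get(msg["card_id"])
        if rec is None or rec["msisdn"] != msg["msisdn"]:
            return False   # unknown card, or card used from a different handset
        payload = (f"{msg['card_id']}|{msg['msisdn']}|{msg['merchant']}|"
                   f"{msg['amount_cents']}|{msg['counter']}").encode()
        expected = hmac.new(rec["key"], payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False   # forged or altered
        if msg["counter"] <= rec["last_counter"]:
            return False   # replayed
        rec["last_counter"] = msg["counter"]
        return True


def issue_card(issuer, card_id, pin, msisdn):
    """Personalise a card with a fresh key and register key and phone number with the issuer."""
    key = secrets.token_bytes(32)
    issuer.register(card_id, key, msisdn)
    return BankCard(card_id, pin, key)


if __name__ == "__main__":
    issuer = Issuer()
    card = issue_card(issuer, "CB-0001", "4821", "+33600000001")
    msg = card.sign_payment("4821", "+33600000001", "electricity.example", 4250)
    print("fields on the wire:", sorted(msg))
    print("authorised:", issuer.authorise(msg))
    print("same message again:", issuer.authorise(msg))
```

Two design points are worth noting. The PIN check happens inside `BankCard`, which is why the message the network carries has no PIN field at all; and the phone number is bound into the cryptogram, so a card removed from the customer's phone and slotted into another is refused by the issuer even with the correct PIN.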

Believed to be the first of its kind, the service follows on from an earlier trial involving France Telecom and CB, known as ItiAchat. The live service allows users to pay for m-commerce transactions and utility bills and to add credit to their mobile phone account.
