InformationWeek.com August 7, 2000

Wireless Overcomes Security Woes

Industry groups and companies are addressing the issue with ID use, new standards, and testing

By Nick Wreden

Illustration by Richard Borge
    Jeff Misenti, director of Internet application development at Suretrade Inc., and his application development team tried for six months to break into Suretrade's wireless trading system. Happily, they failed.

    The Suretrade team's testing paved the way to a successful rollout, about six months ago, of Suretrade's wireless trading system to more than 10% of the Lincoln, R.I., brokerage's 550,000 customers. Misenti, who expects that 30% of customers will be on board within the next year, believes that wireless connectivity has the potential to change businesses as radically as the Internet has.

    The signs of such change are everywhere. The tremendous growth in wireless technologies has far outstripped projections. Dataquest, for example, reports that 410 million mobile phones will be sold worldwide this year, and the Yankee Group projects 1 billion mobile devices will be in use worldwide by 2003. Vendors are adding wireless capabilities to enterprise resource planning, customer-relationship management, and other applications. And businesses ranging from leading banks to building-products companies are rolling out new applications.

    The one issue clouding this bright vision has been security. Made skittish by well-publicized holes in initial microbrowser technology and the ever-present risk of losing cell phones, personal digital assistants, and notebooks, some businesses have shied away from putting company information over the air. Yet security concerns are being addressed not only at Suretrade and other companies, but by wireless-industry groups, which are devising security standards that will be implemented in new devices in the next six to 12 months.

    Misenti says wireless security is at least as good as Internet security. Others are even more optimistic. Jason Wright, network-security research analyst at Frost & Sullivan, says upcoming technologies and standards will make wireless security better than wireline security. That's because security is being addressed in the early days of wireless communications. Wired security, however, essentially resulted from a patchwork effort to block holes after they were uncovered.

    The Suretrade wireless stock-trading system has three levels of security, which are reinforced by extensive customer education and by systems that catch aberrant trading patterns. The first level is on the device. A trader must enter a user ID and a password, plus a separate password, to execute a trade. The trade is then encrypted with a license-free, 128-bit symmetric block cipher called Blowfish.

    The digitized transmission is sent to w-Trade Technologies Inc. servers, which then relay the trade through a virtual private network to pass the encrypted transmission through Suretrade's firewall. Suretrade selected w-Trade for its ability to support any carrier network, a key issue in the United States, where wireless networks may be based on Code Division Multiple Access, Global System for Mobile Communications, or Time Division Multiple Access technologies. Finally, Suretrade's own systems verify the ID and passwords before the trade's execution.

    The verification system used for the wireless trades is the same as that used for Internet trades, except that the wireless trades are flagged as such, as an aid to troubleshooting. The reported user problems have been only physical difficulties in entering data and passwords--owing to tiny cell-phone keys or the use of styluses. Passwords can be difficult to enter on cell phones because the same key must sometimes be pressed more than once to enter a single letter, and password-masking makes it difficult to verify the accuracy of the input.

    Systems will monitor wireless-trading levels, and if a customer's trading activity spikes unexpectedly, Suretrade calls. The first question it asks is: "Do you still have your device?"

    The potential for loss or theft of the handheld devices represents the greatest security weakness. "Airports have big cardboard boxes full of cell phones and PDAs," says John Pescatore, research director for network security at Gartner Group. "Companies underestimate the extent of notebook loss or theft. The problem will be worse with wireless devices, creating authentication and other issues."

    But the use of IDs and passwords largely mitigates the risk posed by such losses. Plus, work by the Global Mobile Commerce Forum, the Mobile Wireless Internet Forum, Radicchio, the Wireless Application Protocol Forum, and other industry consortia outlines new security methodologies that address the main issues surrounding wireless security. Among those methods are authentication, or verification of authorized access; nonrepudiation; data integrity; authorization; confidentiality; and privacy. These industry groups include a wide selection of hardware vendors, encryption and software vendors, and financial institutions.

    Last fall, 17 wireless devices that MasterCard requested from various manufacturers as part of a mobile commerce study were unable to exchange information securely, says Chris Jarman, senior VP of global mobile commerce at MasterCard International Inc.

    "Wireless security solutions should be technology-agnostic. That's because they may have to operate in many different environments, including CDMA, GSM, and TDMA, as well as adapt to cultural, legal, and technological differences that exist from country to country," says Joe Chouinard, VP of new E-commerce channels at Visa International Service Association in Foster City, Calif.
