Wireless Goal: Don't Get Whacked

Companies have been concerned for years that they might get hacked. Now, they're also worried about getting whacked.

Whacking is wireless hacking, usually done by a person who's in the right place at the right time with the right kind of radio transceiver. By whacking, an intruder can tap into private communications going across almost any wireless network.

"The bottom line is that all this stuff passes through air," says Chris Christiansen, an analyst with International Data Corp. "You don't have to find the wire or the network, because the network lives in space."

But securing a wireless network is not very different from protecting a wired one. Managers of wireless networks-like their wired counterparts-must be concerned with authentication to prove users are who they claim to be, integrity to ensure the data can't be altered, and security to make certain data can't be intercepted.

To some, however, wireless seems less secure. "We haven't done any of the wireless transactions that introduce a degree of risk," says Tom Cable, chief technology officer of NetBank Inc., an Alpharetta, Ga., Internet bank that has 200,000 accounts and $2 billion in assets. "Wireless is certainly perceived as much less secure."

To lower the risk to customers' accounts from stolen wireless devices or whacked systems, NetBank limits wireless access to account balances and features such as ATM location information. When NetBank began to offer data on balance and transaction history to Internet-enabled cell phones, it let only existing NetBank members set up a wireless account (new customers now can get the service). After logging on to their bank accounts via a land-line connection, users click on an icon that links them to pages run by Air2Web Inc., a wireless application service provider. When one of the bank's 5,000 wireless users types in his or her cell-phone number, the carrier is automatically detected. Users simply select the cell phone they use from pictures of various models. Once the transaction is completed, a message is simultaneously sent to the user's cell phone and his or her PC authorizing the wireless account.

Because wireless is perceived as less secure, NetBank offers customers only low-risk wireless capabilities, such as checking balances and locating ATMs, chief technology officer Cable says. Northeast Utilities Inc., the largest electric and natural gas provider in New England, uses Nextel Wireless Application Protocol phones to send and receive reports from field inspectors as they handle environmental and facilities reporting, street-light maintenance, and gas-meter dispatch.Andy Kasznay, a software engineer at the Berlin, Conn., utility, says a worst-case scenario would involve a whacker who issues a false alarm about a gas leak or fuel spill, or prevents a real catastrophe from being reported. "If someone illegitimately sent out a gas-leak report because they hacked into our system," he says, "it could result in us missing a real one."But experts say existing technologies make such occurrences unlikely. It's possible to break 128-bit encryption combined with digital certificates with enough computational power and time, but doing so is generally beyond the means of most whackers.Still, most wireless devices have small processors and narrow bandwidth, so solid security systems have been slow in coming. And there have been snags during development. WAP, for instance, has been touted for its security, but after its debut last year, a much-chronicled hole was discovered. Using WAP to communicate with a device, Wireless Transportation Layer Security handles wireless data encryption to secure data traveling from a wireless handset to the WAP gateway, while Secure Sockets Layer handles the Web-based encrypted data from the gateway to the enterprise server. This process requires a conversion from WTLS into SSL. The WAP gateway, the point where the data is transformed, was highlighted soon after its introduction as a point of potential incursion via a rogue employee inside a telecom company. The possibility of such an incursion called into question the wisdom of wireless strategies, even though such data is exposed for only a nanosecond. No one is known to have ever penetrated this vulnerability, but WAP 1.2 was quickly introduced to seal that nanosecond gap in the WAP server.Northeast Utilities, which uses WAP phones, took the extra step of segmenting from Northeast's central network all systems accessed wirelessly. "Wireless isn't rocket science, and the security threats are by no means insurmountable," Kasznay says. "But you must fully understand the paths the data flows along and take appropriate measures."Another method of guarding against intruders is to deny wireless users access to a company database altogether and provide data to them via a third party that manages and protects only the data wireless users are allowed to access.DotsConnect Inc., a supplier of Internet-based software designed to help financial institutions take care of credit scoring, card applications, and the provision of balance and card information online, recently added wireless access to its services. It uses Air2Web to reduce costs and prevent direct access to DotsConnect's database. A cell-phone subscriber calls Air2Web with a request for an account balance, which triggers a message from Air2Web to the DotsConnect server for the information. DotsConnect's infrastructure gathers the data and places it in an XML document that's relayed to Air2Web in real time and then served to the customer. "Instead of letting you into our database directly, we only give out a few facts at a time to one authorized subscriber," says Olin Wise, DotsConnect's chief operating officer.But some say security concerns about wireless networks are overblown. "Wireless insecurity is more of a fear than a reality," says Warren Hill, strategic business director at Edify Corp., a provider of customer-interaction software. A year of education is required before the business world truly accepts wireless, Hill says. Meanwhile, it seems companies will rely on proven technologies and practices to thwart the unwanted whacker.