
Creating a secure mobile environment

As e-commerce evolves into m-commerce, the security requirements get more complicated. John Palfreyman of Baltimore Technologies lays out the points to note when tying down mobile security.
Written by John Palfrey, Contributor

No one would deny that e-commerce is revolutionising the way we work, shop and do business. But the transformation to a digital economy will not be complete until we can conduct truly mobile e-commerce.

Although still a relatively new capability, m-commerce has the potential to create a whole new service sector, new business models and avenues for customer service.

However, m-commerce is still embryonic and will not reach full viability for another three years. Before its potential can be unlocked there are some fundamental security issues that must be resolved. E-business security issues in the banking and utilities sectors have damaged consumers' confidence in making transactions over the Internet.

If reputable companies aren't able to provide their customers with a secure infrastructure for e-business over a solid, wired infrastructure, how much more vulnerable must a radio-based service be? Industry must allay consumers' and businesses' fears so that trusted, mutual relationships can be forged.

In Europe and many parts of Asia, the WAP (Wireless Application Protocol) standard provides the basis for mobile information services.

WAP handsets communicate over a wireless network with WAP servers that act as points of entry to the wired Internet. The WAP server relays information between sites offering m-commerce services and the handset owners.

Using a WAP-enabled mobile phone, people can bank, shop and send e-mails, so clearly m-commerce can be viewed as the natural progression of e-commerce.

Security issues arise whenever two computers communicate over a distance, and many security approaches will translate directly to m-commerce from e-commerce without alteration. However, the nature of handsets necessitates security measures that are unique to m-commerce.

To a certain extent, WAP handsets act like desktop thin-clients. The handset acts as a data presentation and input device, or 'mini browser', but almost all processing is carried out by a remote computer.

This is because handsets are limited in both the amount of data they can store, and in the capability of their processor. These limitations are necessary to control the cost, battery life, size and weight of mobile phones - clearly vital aspects if m-commerce is to succeed.

The simplicity of WAP handsets closely mirrors the philosophy of the World Wide Web at large, where virtually all data processing is done by servers, and only a simple browser is needed to access the vast majority of sites and services.

Mobile handsets differ from desktop thin clients in two important respects, however. Firstly, the presentation and data entry possibilities are limited. Screens are small and keyboards are cramped.

Secondly, the wireless networks currently provide very low bandwidth. Wireless data transfer rates are currently five times lower than rates with an ordinary telephone modem, and at least ten times slower than the connection a typical office network has to the Internet.

Even with the emergent wireless technologies that offer much higher bandwidths than these, the cost of bandwidth is likely to remain an issue.

These characteristics will influence the kinds of security that are appropriate for protecting m-commerce customers. The difficulty of directly implementing security measures on the WAP device could potentially tempt some m-commerce providers to ignore the problem.

This would be disastrous, and unnecessary - with the right approach, WAP handsets can be properly integrated into wider security infrastructures, protecting both m-commerce customers and vendors.

After all, they do come with one major advantage over the average desktop PC - they have a smartcard and reader built in, offering the perfect place to store encryption keys.

Security should be viewed as a procedure and policy rather than a specific technology. There are four security requirements of any messaging infrastructure.

These are:
Confidentiality - knowing that communications are private and confidential.
Authentication - knowing that communicating parties are who they claim to be.
Integrity - knowing that the information being communicated has not been accidentally corrupted or intentionally modified.
Non-repudiation - knowing that transactions cannot be denied or disowned by one of the parties involved at a later date.

Only when all four requirements have been met does real messaging security exist.

In general, security can be enforced by establishing a Public Key Infrastructure (PKI). A PKI creates a system of encryption, digital signatures, digital certificates and certificate-issuing authorities with which to enforce the four aspects of security. PKIs can be made to encompass mobile devices, although the current limitations of mobile devices will mean that pre-existing PKIs may need to be adapted to work via WAP protocols.

WAP provides the most basic building block needed for a handset to participate in a PKI - a means to establish an authenticated and encrypted connection between the handset and the WAP server, called WTLS (Wireless Transport Layer Security). Security providers are already building on WTLS to create the security procedures and mechanisms that will actually protect consumers and their data.

For example, Baltimore Technologies' Telepathy portfolio for m-commerce includes a PKI Registration System that manages the enrolment in a trust infrastructure at a server on behalf of mobile devices that cannot store and manage certificates remotely. The handset need only authenticate itself to the Baltimore server, using WTLS or a digital signature, to participate in an existing PKI scheme.

In addition, the Telepathy Validation System acts as the handset's proxy when authenticating the customer to all other services. With the implementation of the latest WAP standards, the capability to perform digital signatures in the actual handsets will take this a step further, allowing full end-to-end security: transactions can be signed on the handset and verified at the application which is their ultimate destination.

The same principle of using server side services will be more fully explored as m-commerce develops, as it can overcome many of the problems currently associated with WAP handsets, namely lack of processing power and limited bandwidth.

Many people currently keep personal information in their head or in their pocket, adding details such as address, date of birth, and credit card numbers as and when they are needed. This makes the desktop browser a primary part of the security infrastructure, as it must be able to encrypt and deliver this data.

However, given a handset has only eight keys for entering the alphabet, people may prefer to store personal information elsewhere.

A data repository service could hold a variety of personal data on behalf of the handset owner, making that data available to third-party m-commerce sites only on receipt of a referral request from the owner. Clearly the referral request must be signed and encrypted, and the customer will want to establish a trustworthy connection with the repository provider, but the bulk of the secure transaction will occur between servers.

The data will be communicated from the repository to the m-commerce site using encryption and certificates, and it is probable that people will expect the repository provider to verify the trustworthiness of the m-commerce site on their behalf, by checking the validity of certificates, before releasing personal data. Fledgling examples of this kind of online service are only now arising - such as Microsoft Passport - and they are certain to play an increasingly important role in m-commerce.
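The referral flow described above, sketched as an added example (not code from the article or from any vendor's product): the handset signs a short request, and the repository releases a field only after verifying the signature, the request's freshness and the site's certificate. The request format, the SiteCert struct standing in for real X.509 and revocation checking, the five-minute window and the sample data are assumptions; channel encryption is left out.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Referral is the short request the handset signs (constructed format).
type Referral struct {
	Owner, Site, Field string
	Issued             time.Time
}

// SiteCert is a simplified stand-in for the m-commerce site's certificate.
type SiteCert struct {
	Site     string
	NotAfter time.Time
	Revoked  bool
}

// Demo key pair; on a real handset the private key stays on the smartcard.
var demoPub, demoPriv, _ = ed25519.GenerateKey(nil)

// bytes is the signed encoding (%q keeps field boundaries unambiguous); Sign runs on the handset.
func (r Referral) bytes() []byte { return []byte(fmt.Sprintf("%q|%q|%q|%d", r.Owner, r.Site, r.Field, r.Issued.Unix())) }
func Sign(priv ed25519.PrivateKey, r Referral) []byte { return ed25519.Sign(priv, r.bytes()) }

// Release runs at the repository: verify the owner's signature, reject stale
// requests, validate the site's certificate, and only then release the field.
func Release(store map[string]string, pub ed25519.PublicKey, r Referral, sig []byte, cert SiteCert, now time.Time) (string, error) {
	if !ed25519.Verify(pub, r.bytes(), sig) {
		return "", errors.New("referral signature invalid")
	}
	if now.Before(r.Issued) || now.Sub(r.Issued) > 5*time.Minute {
		return "", errors.New("referral stale")
	}
	if cert.Site != r.Site || cert.Revoked || now.After(cert.NotAfter) {
		return "", errors.New("site certificate not valid")
	}
	return store[r.Owner+"/"+r.Field], nil
}

func main() {
	now := time.Now()
	r := Referral{"alice", "shop.example", "address", now}
	store := map[string]string{"alice/address": "1 Constructed St"}
	fmt.Println(Release(store, demoPub, r, Sign(demoPriv, r), SiteCert{r.Site, now.Add(time.Hour), false}, now))
}
```

Because the site name is part of the signed bytes, a request redirected to a different site fails signature verification even if that site presents a valid certificate.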

While the role of the handset in a PKI may be limited to transferring short requests, these requests will unlock highly valuable back-end systems. This, coupled with the fact that handsets are more easily lost or stolen than PCs, makes it doubly important that the handset does not become the weak link in the PKI.

Ideally the handset should verify the identity of the user using a biometric measure, such as a fingerprint scan, or voice recognition, although this may be some years away. In the interim, passwords and PIN numbers must be used, and these obviously need to be adequately managed.

While m-commerce presents many challenges to those implementing security, none are insurmountable.

Co-operation among certification authorities, mobile operators, systems integrators and device manufacturers is needed to ensure that mobile security is implemented properly, and that different implementations will be able to interact.

Uniform standards need to be established and adhered to. Governments and regulators must create legislation, guidelines and practices that allow m-commerce to flourish.

Security can unlock the potential of m-commerce. It is an enabling rather than restrictive force that builds trusted relationships between consumers, businesses and partners on the move.

John Palfreyman is the Asia Pacific managing director of global e-security solutions provider Baltimore Technologies.
