
FINANCIAL SECURITY -- Sites Struggle With Wireless

By RUTRELL YASIN 11/13/2000 - InternetWeek
Copyright 2000 CMP Publications Inc.


As banks and brokerages round out their online portfolios with new services for wireless users, they're striving to deliver secure connections that ensure financial data can't be compromised.

Notably, the biggest vulnerability isn't the airwaves; rather it's the translation point between the two wireless protocols used by service providers and wireless users.

As a result, financial services firms are asserting more control over wireless security. In some cases, that means implementing security software directly at financial Web sites rather than on a service provider's network.

Chase Manhattan Bank, gearing up for a rollout of wireless services early next year, said that it will deploy Tantau Software's Wireless Internet Platform to secure wireless transactions at its Web site.

Several of Chase's wholesale and retail business units will begin offering services based on Tantau technology that can be accessed wirelessly during the first quarter of 2001.

The services include account access, e-mail, Web access and location-based services such as finding the nearest ATM machine.

Chase selected Tantau because it "needed an enterprise solution behind the firewall rather than a carrier adopted model" that left the security of transactions in the hands of a third party, said Ameet Patel, Chase's chief technology officer.

Meantime, MShift, an application services provider, this week will roll out a software platform called MobileShift™ that lets enterprise IT shops design their own Web applications that secure wireless transactions using the platform's built-in encryption and digital certificates. MShift can then either host the enterprise applications, or enterprises can choose to host their secure financial apps internally, MShift officials said.

With MobileShift™ technology, enterprises and service providers can translate standard Web data for delivery to any wireless device, including cell phones, pagers and personal digital assistants (PDAs).

The MShift approach is already garnering support. JB Oxford & Co., a provider of online and discount brokerage services, will use MobileShift™ software as the basis of the new wireless trading offering it launched last week. The software enabled the company to develop services secured by 128-bit encryption and VeriSign digital certificates, a spokeswoman said. JB Oxford will, however, have its wireless trading apps hosted by MShift.

The moves underscore a broader trend toward developing in-house systems for mobile connectivity, industry observers said. In an increasing number of cases, companies are choosing to operate those systems from behind their firewall.

Companies are leery about handing over the security of transactions at their Web sites to operators of wireless networks because of a well-known security weakness in the Wireless Application Protocol (WAP) standard used by most wireless devices.

Data being carried over a wireless network using the standard Transport Layer Security (TLS) protocol must be decrypted at a carrier's WAP gateway and then re-encrypted using the Wireless Transport Layer Security (WTLS) encryption protocol to be delivered to a WAP device. It's that point between encryption and re-encryption that concerns some enterprises.

"There's a millisecond where data is just hanging out there" as it's being decrypted then re-encrypted, said Vince Sandoval, executive vice president of IWAPI, a wireless ASP that will use MShift's application development engine to secure financial clients' wireless transactions.

To overcome this problem, many companies want to ensure the handoff between TLS devices and WTLS devices remains secure.

The only failsafe solution is to avoid the problem altogether by avoiding service providers and keeping all transactions confined to a company's own Web site, experts said. Alternatively, companies are looking to add another layer of security to protect data during the handoff, although no such software exists today.

"Most e-commerce companies want to develop a bridge behind their firewalls" to secure the data during handoff, said James Kobielus, a mobile commerce analyst with The Burton Group. But Kobielus added that there have been no known reports of data being stolen. It is still at the "theory level," he added.

Chase's move to integrate Tantau's Wireless Internet platform with its wired and wireless online transaction infrastructure will still give it more control over its wireless transactions.

"Tantau is not just a gateway, it's a mobile application server that shields access to Web servers," said Chase's Patel.

Tantau can be configured with or without a gateway for conversion of mobile data to Internet protocols. It also contains specialized modules for messaging, content conversion and profile management. The technology also includes gateways for integration with back-end applications and data sources.

Once wireless-enabled, Chase will be able to let users transfer data to and from any WAP-enabled cellular phone, laptop computer or PDA. However, the platform will let Chase maintain control over its customers as opposed to a setup where all transactions go through a service provider's gateway portal, according to Patel.

Chase is the first U.S. bank to use the Austin, Texas-based company's platform. Tantau is used more by banks in Europe, such as Credit Suisse, where wireless services are more widely deployed than in the United States.

MShift's application development tools also let banks as well as other e-commerce companies take control over their own wireless security because they can develop their own apps that can be outsourced or internally hosted, said IWAPI's Sandoval.

MobileShift™ software functions as a go-between for a customer's Web site and its mobile customers. It processes data on the fly, manages protocols and delivers data to multiple mobile devices, all while maintaining security of the connection.


Security Hole

Still, the greatest vulnerability for wireless devices lies with the handheld devices themselves, said Kobielus.

"The security hole is in your pocket. Because the devices are portable, they can be lost, stolen or mislaid," he said. A hacker can easily get at data that is password- or PIN-protected, he said.

As a result, there is a need for stronger wireless user authentication and authorization tools at the device level, similar to the types of access management tools that currently exist for Web connections, Kobielus said.

Encryption is also an important consideration, but all of the major phone protocols, such as GSM and CDMA, support signals that scramble transmissions over radio frequencies, he added.

 
