
Banking on Security

With beefed-up security solutions such as PKI, carriers can cash in on m-commerce opportunities.


Wireless security solutions must consider the user's mobility, bandwidth and memory limitations, battery life and different network configurations. These factors have not inhibited the growth of low-value m-commerce transactions, which are possible today using WAP-enabled handsets. But the authentication required to buy a CD from a WAP site is a far cry from that required to buy a car, make a large stock trade or transfer funds from one account to another.

The Yankee Group predicts that the number of consumers making banking, brokerage and retail transactions over wireless devices will grow to more than 225 million by 2005 (www.yankeegroup.com). For that to happen, however, the public must have confidence in the carriers and financial institutions handling those transactions.

Nearly three-quarters of U.S. consumers surveyed by the Boston Consulting Group said they were concerned about sending credit-card information via a wireless device (www.bcg.com). And more than one-third of respondents believe that the mobile network is less secure for transmitting data than the fixed-line Internet. (See Figure 1 on page 24.)

But analysts and industry executives agreed that security measures such as public key infrastructure (PKI) will go a long way toward reassuring consumers and businesses.

PKI uses public key cryptography to authenticate the sender of a message and to encrypt and decrypt messages to ensure security. Public key cryptography is based on a pair of keys. One key is private and known only to the user; the other is public and known to the other party in a given exchange.

When a document is encrypted with a recipient's public key, it is unreadable to anyone except the intended recipient, who holds the only private key that can decrypt it.

Another vital component of PKI is the certificate authority (CA), which validates the identity of a user and connects that user to the public key with a digital certificate.

The market for these security products and services — which includes carriers, banks, credit-card companies and large corporations — is expected to explode in the next few years. According to IDC (www.idc.com), the market for PKI products and CA services will accelerate at a compound annual growth rate of 61%, from $281 million in 1999 to $3 billion in 2004.

Guarding the Gate

In an online transaction, both the gateway server and the handset must support the PKI process. Companies such as Vaultus (www.vaultus.com) and 724 Solutions have developed gateway products to ensure wireless transaction security.

724 Solutions introduced its PKI Gateway product in February at Internet World Wireless 2001. The public-key management solution addresses wireless-transaction security issues and is based on open standards (www.724solutions.com).

The PKI Gateway enables organizations such as banks to implement wireless PKI and digital signature capabilities that work with most PKI technologies and CAs on a growing number of wireless devices. The gateway incorporates Certicom's Trustpoint PKI Portal (www.certicom.com), which enables 724 Solutions to offer an open-standards-based wireless PKI solution for the financial services industry.

Paul Hingorani, 724 Solutions' director of m-commerce, said financial institutions can use the new gateway to leverage their existing wireline Internet PKI infrastructure onto multiple wireless Internet channels.

“What you have now is the ability to apply for a credit card, mortgage, insurance, over the wireless channel,” Hingorani said. “Obviously, there's dramatic convenience for the consumer that doesn't have to come into the branch office. As you get into commercial transactions, there are higher-value transactions that require non-repudiation, which PKI technology brings.”

The PKI Gateway is integrated into the application framework solution, which allows the carrier to set policies regarding which transactions require digital signatures and which do not.

Although 724 Solutions initially is focused on financial institutions, wireless carriers are becoming part of the PKI picture.

“With the wireless portals and value-added services that network operators are bringing out, there are a variety of other players in the market that are very interested in delivering rich m-commerce experiences,” Hingorani said. “We will be looking to these opportunities as well.”

Because traditional handset screens still are small, PDAs are the preferred form factor for wireless transactions, he said. The PKI Gateway works with any PKI-enabled device or browser. The gateway supports Research In Motion (www.rim.net) and Palm (www.palm.com) devices in conjunction with Neomar, which developed a PKI-enabled browser for PDAs (www.neomar.com).

Francesca Mabarak, Yankee Group senior wireless technologies analyst, said that although a secure PKI gateway is an important component of a security solution, it doesn't solve the issue of device security.

“A lot of the device manufacturers are starting to look at chip technologies,” she said. “A big hurdle for companies like Packet (Technologies) is getting their chips into the devices. How long will that take? How much silicon will we need? There are some issues, but they're well-positioned with their technology.”

PKI-enabled browsers for handsets are still on the drawing board, Mabarak said.

“The first time somebody picks it up, it will take off like wildfire,” she said. “Because if Nokia decides to buy this chip, and Motorola (and others follow suit), it will become a standard. But it's kind of like Bluetooth — you're damned if you do, damned if you don't. But as more intelligence goes into devices, it only makes sense that the device be secured.”

Prove It!

The registration authority is another important link in the security chain. And Baltimore Technologies, which has been working in the field of PKI solutions for many years, recently launched a new registration system, which enables organizations including carriers to register users and issue wireless digital certificates over the air to mobile devices (www.baltimore.com).

The Baltimore Telepathy Registration System works with standard WAP 1.2 handsets and uses low-bandwidth certificate URLs for simple registration. It also supports the latest WAP Forum security standards for wireless PKI (WPKI), wireless identity module (WIM) and sign text (WAP digital signature standard).

Mabarak said the authentication and non-repudiation provided by such a registration system are central to a PKI system.


“PKI enables you to communicate securely in a trustworthy fashion with someone you might never have met before,” said Stephen Byrne, Baltimore Technologies' Telepathy product manager. “But because you both have certificates from the same CA whom you both trust, you can complete the transaction.”

Or, as Hingorani put it, “Nobody on the Internet knows you're a dog.”

Baltimore Technologies' registration system for PKI is based on the company's e-commerce security products, but takes into account the specific requirements of wireless transactions.

“In wireless PKI, because the devices are so much more constrained than a standard desktop PC, one wouldn't necessarily send a certificate to a handset because of storage limitations,” Byrne explained. “You're talking about 10k to 15k of data, which is too much for the phone to store.”

So rather than sending the actual certificate, a certificate request is sent that points to a URL where the certificate is located, thus saving handset storage capacity and network bandwidth.
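The certificate-URL approach described above, together with the CA's role of binding a user to a public key, can be sketched as follows. This is an added example, not code from Baltimore Technologies or any product named in the article; it assumes a toy textbook RSA (not secure) so it runs with the standard library only, a constructed `https://ca.example/certs/` directory, and hypothetical function names. The prefix check on the URL is an added assumption about how a gateway would avoid fetching handset-chosen locations.

```python
import hashlib, json

def make_key(p, q, e=65537):
    """Toy textbook RSA from two known Mersenne primes; NOT secure, demo only."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_h(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

def issue_cert(ca_key, subject, user_key):
    """The CA binds a subject name to a public key by signing both together."""
    tbs = json.dumps({"subject": subject, "n": user_key["n"], "e": user_key["e"]},
                     sort_keys=True)
    return json.dumps({"tbs": tbs, "ca_sig": sign(ca_key, tbs.encode())})

CA_PREFIX = "https://ca.example/certs/"  # constructed URL; the only place the gateway looks

def gateway_verify(msg, directory, ca_pub):
    """Return the certified subject if the signed transaction checks out, else None."""
    url = msg["cert_url"]
    if not url.startswith(CA_PREFIX) or url not in directory:
        return None                      # do not resolve handset-chosen locations
    cert = json.loads(directory[url])    # stands in for the gateway's fetch of the URL
    if not verify(ca_pub, cert["tbs"].encode(), cert["ca_sig"]):
        return None                      # certificate was not issued by the trusted CA
    tbs = json.loads(cert["tbs"])
    if not verify(tbs, msg["tx"].encode(), msg["sig"]):
        return None                      # transaction not signed by the certified key
    return tbs["subject"]

# Constructed sample data: one CA, one user, one signed transaction.
CA_KEY = make_key(2**127 - 1, 2**107 - 1)
CA_PUB = {"n": CA_KEY["n"], "e": CA_KEY["e"]}
USER_KEY = make_key(2**89 - 1, 2**61 - 1)
URL = CA_PREFIX + "alice"
DIRECTORY = {URL: issue_cert(CA_KEY, "alice", USER_KEY)}
TX = "transfer 500 USD to account 1234"
# The handset sends only the transaction, a short URL and a signature, never the certificate.
MSG = {"tx": TX, "cert_url": URL, "sig": sign(USER_KEY, TX.encode())}

if __name__ == "__main__":
    print(gateway_verify(MSG, DIRECTORY, CA_PUB))
```

The handset's message carries a short URL in place of the certificate; the gateway resolves it and still rejects a tampered transaction, a certificate from an untrusted issuer, or a URL outside the CA's directory.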

Byrne said North American carriers have not yet implemented PKI solutions on their networks. However, Baltimore Technologies is marketing its registration system to carriers, banks, brokerages and other businesses interested in extending e-commerce systems into the world of m-commerce.

“Security is not such a concern at the moment for carriers,” he said. “It depends on the type of services offered. Movie tickets are one thing. It's a different issue if you're moving into the realm of buying airline tickets, because there are legal precedents around it — like FAA regulations on identity and authentication. Things like that will be your first use of PKI, certainly, because it ties back to identity.”

Value-added m-commerce services such as these are about a year away, according to Byrne. The convergence of wireless PKI solutions with the introduction of 3G networks will encourage big-ticket m-commerce transactions, he said.

“Network operators have paid huge sums for bandwidth for people to be able to operate their 3G networks,” Byrne said. “And these operators have billions of dollars of debt that they need to recoup somehow.”

Value-added m-commerce services could be one way carriers will pay for 3G networks and spectrum licenses.

“But to provide value-added services, they also have to have security attached to it or people aren't going to trust them or use the services,” he said. “The time frame is probably quicker over here (in Europe). But I would say that in a year, if that, these services will be available.”

Security Standards

As with most new technologies, many products are not interoperable. In the public key infrastructure (PKI) world, several industry groups are working to ensure a private key issued for an m-commerce transaction by bank A in New York will be honored by bank B in Chicago. One of the early PKI groups was Radicchio (www.radicchio.org). Launched in September 1999 by SmartTrust, Gemplus, EDS and Ericsson, Radicchio was created to enable the global market for secure m-commerce through the support of greater standardization and digital-signature legislation.

In February, Radicchio formed a partnership with the mSign Consortium (www.msign.org), bringing Radicchio's total membership to 80 companies worldwide, including carriers, certificate authorities, device manufacturers, systems integrators, software companies, banks, smart-card manufacturers and network infrastructure providers. The PKI Forum (www.pkiforum.com) is another organization dedicated to PKI standards.

“We don't want to invent our own standard,” said Stefan Engel-Flechsig, Radicchio CEO and an executive with VeriSign. “Somebody told me there are more than 25 different standards to fulfill in the PKI area. But we are trying to identify the best practices to install PKI in mobile devices.”

Engel-Flechsig suggested that carriers encourage their handset partners to install WAP 1.2, which will support PKI applications.

Secure m-commerce transactions represent a growing business opportunity for carriers.

“The mobile operator is driving the network,” he said. “They could offer, on top of mobile services, security services. That would be a new business opportunity for mobile operators. They are not very happy in the banking area. The banks say this is their business. But the mobile operator owns the customer.”

© 2012 Penton Media Inc.
