
Portal Protection

The good news, according to Mike Vergara, RSA Security director of product marketing, is that wireless-Web portal security is on par with that of the fixed Internet.

And the bad news? Internet security today isn't anything to write home about.

“From a (server penetration) perspective, (WAP gateways) have as many weaknesses as anybody else having servers connected to the Internet,” he said.

Recently, security experts discovered a flaw in Verizon Wireless' Web site that potentially exposed the private data of subscribers who used the site to view their wireless phone bills. The privacy hole affected users who logged on to Verizon's Web site and used the “My Account” feature to view or change their cellular-phone billing and account information, and could have exposed names, numbers, addresses, call records and the user's approximate location when the call was made.

But Verizon isn't alone. Many experts say carriers aren't securing their fixed Internet sites effectively, let alone providing adequate protection for wireless-Web sites.

On the other hand, carriers say current wireless Web and portal security is sufficient.

“Can it be used by NASA or the National Security Agency?” asked John Yuzdepski, Sprint-PCS.com vice president and general manager. “Probably not. But for where we are in the marketplace today, the security models are probably sufficient.”

Most industry insiders agree that what's good enough for wireless portals today won't be good enough for tomorrow's 3G networks.

Portal Pitfalls

According to Yuzdepski, security models are evolving quickly to address more mission-critical and corporate-critical applications, and strong standards are being implemented for wireless-security models. For example, WAP 2.0 includes the wireless transport-layer security (WTLS) standard for improved security, and the J2ME platform enhances the ability to run a security model on next-generation networks, he said.

“From an external perspective, they (the WTLS or TLS) do a decent-enough job … to protect the information as it flows in between the phone or device and the gateway or the server, depending on whether you're wired or wireless,” Vergara said. “There's never been a good hack, attack or penetration of someone sitting on a wire or sitting out there with a scanner picking up that data as it flows through either the air or across the wires.”

However, weaknesses have been found on those servers.

“A lot of times, you'll go to these Web sites, and the lock doesn't appear when you go to sign in until after you're officially logged in,” Vergara said. “Once the lock pops up, no one can read your traffic, but if the server doesn't put the lock up or start securing it before you input information, that's all in the clear, and you can scrape and get that information.”

If hackers want to get subscriber information, they may be able to do so before users log on.

“The design of the Web sites may be inefficient in that case. One of the problems they have is people don't make as many SSL connections or TLS or WTLS from a WAP case because it takes more time and processing power,” he explained. “Historically, (Web-site builders and carriers) only secure while they're sending a credit-card number — until that time, they don't lock it down. As the power of the processing is more widely adopted, and you can do more security, people need to change their mind frame and allow more things to be secured.”
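A site operator can audit for the pre-login exposure described above, where the sign-in form is delivered or submitted before the secure session starts. The following Python check is an added example, not part of the original article; the function names, the `portal.example` URL and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormCollector(HTMLParser):
    """Collects each <form>'s action and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per form seen on the page
        self._open = None    # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_forms(page_url, html):
    """Return (submit_target, [issues]) for every password form on the page."""
    collector = _FormCollector()
    collector.feed(html)
    page_is_tls = urlparse(page_url).scheme == "https"
    results = []
    for form in collector.forms:
        if not form["has_password"]:
            continue  # search boxes and similar forms carry no credentials
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        issues = []
        if not page_is_tls:
            issues.append("form delivered without TLS")
        if urlparse(target).scheme != "https":
            issues.append("credentials submitted without TLS")
        results.append((target, issues))
    return results

# Constructed sample: a sign-in page served over plain HTTP.
SAMPLE_URL = "http://portal.example/account/login"
SAMPLE_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="/account/session" method="post">
  <input type="text" name="user"><input type="password" name="pin">
</form>
<form action="https://portal.example/account/session"><input type="password" name="pin"></form>
"""
```

A form that posts to an HTTPS target from a page served over HTTP is still flagged, because the page carrying the form can be altered in transit before the user types anything.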

Michael Krasner, Comverse vice president & general manager of voice solutions, said carriers should be more concerned about vulnerability from the data side than the voice side because non-traditional hacking occurs on the data side. Hacking can occur through wireless data, voice or fixed Web access.

3G Protection

According to Vergara, 3G networks' portal security will be important because subscriber transactions will go up in value. Also, 3G always-on connections increase vulnerability.

“I've never gotten a good answer from the wireless carriers about how they're going to protect that, especially if you look at 3G, and you have IP addresses on all these different phones,” he said. “If you have an IP address on your phone, and you have an always-on connection, you're out there to be probed.”

It's similar to having DSL or a cable-modem line at home: If you leave that connection on all the time and don't have a home firewall, then you're at risk. For wireless, Vergara said the carrier would serve as the firewall and secure all the IP addresses internally.

“They may not be able to do that because DSL providers have tried, and that hasn't stopped people from penetrating those different cable-modem or DSL lines,” he added.

According to Yuzdepski, 3G offers an opportunity to improve security.

“People are going to be putting more demands on it (3G network) and moving more mission-critical applications,” he said. “Just by the nature of its architecture, we have an opportunity to put more security models in place.”

Yuzdepski said always-on connections could “possibly” create security problems, but with a high-speed, packet-based network, carriers actually can do more encryption because encryption and security models require bandwidth.

“We are going to a place where the opportunity to install stronger security is better,” he said. “For instance, 128-bit encryption models need a fair amount of processing and bandwidth. So I think the security models in 3G are stronger than 2G.”

Vergara said initially carriers should secure applications.

“Securing the network is a lot harder. And right now, that isn't done on the regular wired Internet,” he said. “Over time, they may decide to secure the entire network, but to do that, you have to secure the entire network everywhere, wired and wireless, which is a much larger-scale problem.”

Securing applications solves the near-term problem and will allow carriers to monetize those applications.

“Solving the application-level security problem enables m-commerce to move forward and people to gain revenue and generate business and ROI,” Vergara said. “In the future, in a world where you may actually have IPv6 in every device, every device is an IP address, and you secure the entire IP network, you don't have to worry about it. Will that ever happen in my lifetime? I don't know, but it's not going to happen anytime in the next five or 10 years.”

© 2012 Penton Media Inc.
