Secure Connections
Electronic bill presentment and payment (EBPP) and the future of m-commerce demand the best in security solutions.
I love you. Last month, those three words meant certain death to 40 million people's e-mail service. The "Love Bug" computer virus reportedly had the ability to steal passwords, PINs and other secret codes from your computer, laptop or PDA. Even without the aid of viruses, hackers have made their way into such fortresses as Vermont National Bank and the British Army.
With the number of EBPP users predicted to increase and the potential of wireless e-commerce (m-commerce) looming, what's to stop hackers from victimizing you and your customers?
Complex encryption algorithms, digital signatures and certification, end-to-end solutions, and the formation of industry security standards will help put an end to cyber crime and keep EBPP safe.
Currently, EBPP uses secure socket layer (SSL), with 128-bit RSA encryption. It is the Internet's de facto standard for all business transactions. This solution is accepted worldwide and used by millions of consumers every day, but encryption experts say the industry may be moving toward higher-bit key lengths as e-commerce continues to grow.
Defined as military-grade security, 1,024-bit encryption is 10 times stronger than today's standard. A handful of e-merchants are beginning to use 128-bit encryption with a 1,024-bit exchange on the back-end for added security.
Jennifer Vancini, Certicom director of strategic marketing, said in the future, 128-bit encryption might be replaced by 1,024-bit for bulk encryption, but adoption will be slow. Vancini said the telling factor would be if financial institutions embrace 1,024-bit encryption. When that happens, she said, Internet security will change.
George Chen, Wells Fargo Bank vice president for Internet-services development, said his company had no immediate plans to modify its security.
"In the early part of online banking, it was only 40-bit encryption, and then we moved that to 128, and when that becomes unreasonable from a customer vantage point, then we will move again," Chen said. "For now we find 128-bit sufficiently secure."
When it comes to the mobile world, however, encryption algorithms and security still are being defined. One method being investigated is elliptic curve encryption (ECE), a form of public key infrastructure (PKI). Essentially there are four encryption methods: PKI, secret key, one-time key and a PKI/secret-key combination. According to the WAP Forum, most WAP-enabled phones will use some form of PKI. Certicom is working with the forum to investigate ECE technology for better wireless security.
"The underlying mathematics of elliptic curve are very difficult and different from the other types of PKI, so breaking a system is just harder," Vancini said. "I think elliptic curve will dominate in the wireless environment."
Like all PKI, ECE uses a different key for encryption and decryption, and decryption keys cannot be derived from encryption keys. What makes this method so important to providers is its ability to encrypt quickly and use shorter key lengths.
Authentication
To ensure Jane Q. Subscriber is really who she says she is, software is available that can capture digital signatures and digital certificates (DSDC) for EBPP and other transactional activities. Although the primary use of such software is in contract-related applications, DSDC is fast becoming a substitute for passwords on the Web, said John Yuzdepski, Sprint PCS.com vice president.
"I think we will probably go to some sort of certificate-based authentication," he said. "I think the whole industry is moving towards WAP 2.1 and the ability to pass digital certificates in the wireless Web."
The second part of authentication is the server. Subscribers want to know that the correct party is receiving their information. On the Web, SSL provides server authentication. Wireless transport layer security (WTLS) offers a similar level of security in the mobile world.
The WTLS protocol uses digital certificates to create secure communications between two entities, typically a mobile phone and a WAP server. Data transmitted over a WTLS connection cannot be tampered with or forged without the two parties becoming immediately aware of the tampering.
Once a WTLS "handshake" — the process of authenticating the two parties that want to establish a WTLS connection — is complete and a secure communications pipe has been established, your subscriber's microbrowser and the WAP server are then able to use the session key to send encrypted information back and forth, confidentially.
End-to-End
Using an end-to-end solution means making every transaction secure from
your subscriber's fingertips to your collection reps' eyes. Industry
analyst Charu Gupta, Renaissance senior manager, said most service
providers think they are using end-to-end solutions, but usually they
only are securing data point-to-point.
"What is happening is providers are able to establish a secure connection from the subscriber's desk to the corporate firewall. Beyond that almost anybody who has access to the LAN has access to that information, and that's really point-to-point," Gupta said.
According to Gupta, 80% of the security violations that occur on the Internet happen in the corporate LAN. One solution is using a virtual private network (VPN) to secure the server. Yuzdepski agreed that VPNs and better physical security are vital to EBPP's mobile future.
"More and more customers are coming to expect higher degrees of security at the corporate level," he said. "Physical security is always a concern. In fact, I have no idea where our server is, but I know it requires passwords and level-2 security clearance."
Extra Charges & Standards
The use of additional security such as a VPN for EBPP and m-commerce
security may mean an increase in your bottom line, but industry
watchers say passing that cost on to the consumer isn't wise.
"Some providers may try to charge extra for add-on security," Vancini said. "Typically, that doesn't work well. It's like Microsoft deciding to charge me for my spell checker. It should just be there."
Sprint PCS.com's Yuzdepski agreed, saying providers will assume the cost on most security upgrades, but eventually, large institutions like banks and hospitals may end up paying more for added security, like a secure link into Sprint's network.
To help put an end to the add-on security debate, some in the industry are pushing for the widespread adoption of security standards. WAP Forum member 724 Solutions is one of those dedicated to driving security standards for the wireless Web. Enabling financial institutions to offer m-commerce services, 724 Solutions built a secure platform for Harris Bank/Bank of Montreal. The bank was the first in North America to offer mobile banking services. The service, called Veev, uses 128-bit encryption to secure EBPP, stock trades and banking transactions.
Sue Witteveen, 724 Solutions vice president of e-commerce, said, "Setting security standards is important to getting mobile e-commerce deployed on any kind of scale. Consumers need to know that every time they use their wireless device for a transaction, security is there, whether they are buying a book from Amazon.com or trading stock on E-Trade."
Secure Phones
Another factor in m-commerce success is improved security at the handset. If mobile banking takes off, it's possible wireless phones and other portable devices can be raised to the status of electronic wallet. In places such as Finland and elsewhere in Europe, subscribers already are using their phones to buy everything from vending-machine snacks to opera tickets. In this market, a lost or stolen phone could be a serious concern.
"Many of the security threats associated with lost or stolen devices are directly related to the user's lack of security consciousness," said Ed Fullman, Alltel Information Services senior vice president e-solutions.
Leaving files that contain passwords, or automatically storing passwords and user names on portable devices in response to security queries, makes a stolen device more valuable to a thief. If possible, Fullman suggests providers limit or exclude the use of utilities that automatically save user names and passwords to security proxies.
© 2012 Penton Media Inc.