This story was printed from ZDNet Australia.
M-commerce security a moving target


January 18, 2001
URL: http://www.zdnet.com.au/news/communications/soa/M-commerce-security-a-moving-target/0,130061791,120149835,00.htm


Multiple platforms and incomplete standards pose challenges to building wireless safeguards

It's been a struggle, but after scrambling for months to head off what seems like every virus and denial-of-service threat under the sun, you've finally managed to get a grip on your enterprise's network security. Intrusion detection is in place. Encryption works. Nothing's perfect, but it's finally possible to turn your attention from security to something sexy like rolling out that wireless e-commerce application that marketing's been screaming for. Right?

Not so fast. As IT managers rush to embrace mobile commerce, many are quickly realising that wireless technologies such as PDAs (personal digital assistants) and WAP (Wireless Application Protocol) phones present unique and urgent security challenges, particularly as they are increasingly being used by internal employees and external customers to access critical enterprise data and systems. So, even before they squeeze off their first wireless e-commerce transactions, savvy enterprises like Edmunds.com, BarPoint.com, VF and Patelco Credit Union say they're dedicating this year to getting a jump on wireless security.

For most, that means integrating wireless safeguards with security processes and technologies that are already in place to protect e-business, steps such as enforcing passwords and selectively defining user access levels.

It also means accounting for the unique security threats posed by wireless devices and access methods. In some cases, e-businesses are restricting not only what users can do but also where they can go with their wireless mobile devices. Some are outsourcing the hosting of wireless applications, largely in order to buy wireless security expertise. Others are delaying the launch of wireless e-commerce transactions until known security holes in WAP and other wireless protocols are fixed.

"Ignoring wireless security now would be a major mistake," said Bob Lonadier, an analyst at Hurwitz Group. "It's always cheaper in the long run to build security in from the beginning. With the increasing use of wireless applications, security will really be the type of thing you won't get a second chance to do correctly."

Time to wake up

Unfortunately, security experts say, not enough IT managers have heard or heeded the wireless security wake-up call. While companies have been busy implementing wireless access to their e-commerce sites and WLANs (wireless LANs) for enterprise applications, wireless transactions continue to have a much higher rate of failure, up to three times the rate experienced by PC-based transactions, experts say. Many of those failures are due to wireless security vulnerabilities.

As the number of wireless devices and wireless enterprise applications grows, IT managers who haven't developed coherent wireless security strategies could soon be inundated. According to International Data Corp. (IDC), the number of wireless devices in the United States with two-way access to the Internet is expected to increase to 61.5 million by 2003. And by the middle of this year, IDC forecasts that all cell and Personal Communications Service phones will be Internet-enabled using WAP.

Already, the battle to protect wireless users has begun. Last June, computer security experts intercepted Timofonica, a Visual Basic Script worm in the mould of the Love Letter virus that spammed text messages to mobile phones through an e-mail-to-SMS gateway. And in September, security experts warned of the Liberty Crack virus, a PalmPilot Trojan horse disguised as a crack for the Liberty Game Boy emulator that deleted the handheld's applications.

"A lot of people are trying to figure out how to make money on the wireless Web, and it all hinges on being able to secure wireless transactions," said Joe LaMuraglia, director of wireless initiatives for Edmunds.com, an online purveyor of automotive pricing information. "Security is an issue we and our partners can't afford to ignore."

So, what's so unique and scary about the security issues posed by m-commerce? For one thing, whereas PC-based applications can be secured using strong authentication and encryption, developers must work within the limited memory and processing power of wireless devices, which makes strong authentication and encryption hard to deploy. WTLS, a scaled-down relative of SSL (Secure Sockets Layer), is the only option available to most wireless developers.

At the same time, wireless developers must be able to support the multiple protocols used by devices such as mobile phones and handhelds. Each has its own built-in security features, some stronger than others.

Wireless developers have a unique authentication challenge. Because wireless devices such as cell phones and PDAs are small and highly mobile, they are easily and frequently stolen. That means user authentication is critical for secure m-commerce. Unfortunately, experts say, many current wireless protocols come up short on authentication.

Approach with caution

Given all those security challenges, many enterprises are approaching m-commerce slowly, and only after laying out highly restrictive security policies and procedures. Take BarPoint.com, for example. In addition to encouraging its customers to install anti-virus software that protects handhelds, the provider of online product pricing information insists on encrypting wireless data multiple times and treating encryption keys like crown jewels. BarPoint.com's wireless security strategy centers on three groups working on its wireless offerings: a mobile applications group, an internal development team and a database development team. Each group develops its own layer of encryption, and no one is allowed to share keys with anyone outside a group.

BarPoint.com's concern, according to Chuck Davis, chief technology and chief privacy officer, is that an employee with access to all keys could leave and use them to intercept wireless data and transactions.

To prevent such foul play, Davis has placed the information about each encryption key in its own safe. Only he knows the combinations to the three safes.

"If the security keys were ever compromised at BarPoint, all the fingers would point to me," Davis said. "But that's how important wireless security is to us. This is the only way we can continue to add security [features] to our applications without worrying about compromising security."

Why the Fort Knox-like attitude? Like many IT managers, Davis remains leery of what he sees as generally weak wireless security standards. A perfect example, he said, is WAP. Data leaving a server under SSL or TLS must be decrypted at the carrier's WAP gateway and re-encrypted with WTLS (Wireless Transport Layer Security) for the air link to the handset; requests from the phone make the same trip in reverse. In the instant between decryption and re-encryption the data sits in cleartext on a machine that the carrier, not the enterprise, controls. That gap concerns Davis and is a reason his company has yet to enable wireless transactions.

Davis, who hopes to launch m-commerce applications this spring, said BarPoint.com addressed the WAP security gap by hosting its own wireless application gateway behind the company's enterprise firewall, so that the cleartext hop happens inside its own perimeter rather than at the carrier. The WAP Forum, of which Davis is a member, is also working on this issue.

Meanwhile, BarPoint.com will continue offering product pricing, purchasing and other information to more than 255 types of wireless communications devices, something it launched in 1999.

"We're testing an m-commerce application right now, but we don't want to put out a product if we can't absolutely guarantee the security," Davis said.

Sound paranoid? Davis doesn't think so. And neither do security experts. In fact, analysts say enterprises need to make wireless security an imperative if they are to succeed in m-commerce.

"In general, security is not being particularly well-thought-out either for wired or for wireless implementations," said Lonadier of Hurwitz Group. "Taking the extra steps to secure your wireless implementation may seem extreme now, but in the long run, you'll be relieved you did."

WLANs, too

Even enterprises that haven't started giving outside customers wireless access to their networks are developing wireless security strategies. VF, the US$6 billion manufacturer of such apparel as Lee and Wrangler jeans, isn't selling pants online, but it has rolled out a WLAN. Machine operators on VF's manufacturing floor use handheld devices from Symbol Technologies to access the company's SAP AG enterprise resource planning applications.

To keep the whole thing secure, Mel Cartwright, VF's project leader for radio frequency scanning, uses a combination of tried-and-true password management techniques, and he keeps a tight lid on where and by whom wireless devices are used. The company's handhelds never leave the premises. Every operator has his or her own machine and is required to scan in a personal bar code just to get a user ID prompt. The security doesn't stop there. The password tied to each user ID has to be changed every 30 days, and it must contain a specific number of capital letters and numbers. Then, to get into VF's SAP application, the user must enter a different user ID and password combination.

Users are reminded every 14 days to change passwords before the 30-day deadline. And, as with any password, whether it's for a wireless device or not, Cartwright and VF's security managers enforce rules that prohibit users from writing down passwords. VF also conducts routine internal security audits to make sure everything's secure.

The system, of course, is a recipe for forgotten passwords. But, Cartwright said, it's worth it. "The No. 1 problem our help desk deals with is forgotten passwords," he said. "But it's justifiable because this ensures that proprietary information remains in-house."
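The handheld log-in controls described above (a bar code scan before the user-ID prompt, a 30-day password age with reminders every 14 days, a composition rule, and a separate SAP credential afterwards) can be expressed as a small policy module. The code below is an added example, not VF's or Symbol's software; the minimum counts for capitals and digits, the PBKDF2 storage scheme, the sample operators and the date are all assumptions made for the demonstration.

```python
"""Added example: handheld log-in policy modelled on the VF description.
Not VF's or Symbol Technologies' code; counts, hashing and sample data are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

MAX_AGE_DAYS = 30        # password must be changed every 30 days (from the article)
REMINDER_EVERY = 14      # reminders every 14 days before the deadline (from the article)
MIN_LENGTH, MIN_UPPER, MIN_DIGITS = 8, 2, 2   # assumed: the article gives no numbers
PBKDF2_ROUNDS = 100_000  # assumed password storage scheme
TODAY = date(2001, 1, 18)  # constructed reference date (the article's date)


def complexity_errors(password: str) -> list[str]:
    """The composition rule: a required count of capital letters and digits."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH}")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        errors.append(f"fewer than {MIN_UPPER} capital letters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        errors.append(f"fewer than {MIN_DIGITS} digits")
    return errors


def password_state(last_changed: date, today: date) -> str:
    """'expired' at 30 days, 'remind' on each 14-day mark before that, else 'ok'."""
    age = (today - last_changed).days
    if age >= MAX_AGE_DAYS:
        return "expired"
    if age > 0 and age % REMINDER_EVERY == 0:
        return "remind"
    return "ok"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Operator:
    badge: str          # bar code on the operator's badge
    user_id: str        # handheld user ID, prompted for only after a valid scan
    salt: bytes
    pw_hash: bytes      # handheld password; the SAP credential is a separate secret
    last_changed: date


def make_directory(today: date = TODAY) -> dict[str, Operator]:
    """Constructed sample: one fresh password, one at a reminder mark, one expired."""
    def op(badge, uid, pw, days_ago):
        salt = os.urandom(16)
        return Operator(badge, uid, salt, hash_password(pw, salt),
                        today - timedelta(days=days_ago))
    ops = [op("BC-1001", "op1001", "Denim42Rivet", 3),
           op("BC-1002", "op1002", "Wrangler7Lee9", 28),
           op("BC-1003", "op1003", "Stitch8Seam1", 31)]
    return {o.badge: o for o in ops}


def handheld_login(directory, badge, user_id, password, today=TODAY) -> str:
    """Outcome of the handheld's own log-in. SAP then asks for its own, different
    user ID and password, which this function deliberately does not model."""
    op = directory.get(badge)
    if op is None:
        return "no-prompt"      # no valid bar code, no user-ID prompt at all
    if op.user_id != user_id:
        return "bad-user"
    if not hmac.compare_digest(hash_password(password, op.salt), op.pw_hash):
        return "bad-password"
    state = password_state(op.last_changed, today)
    if state == "expired":
        return "expired"        # must be changed before any further access
    return "ok-remind" if state == "remind" else "ok"


if __name__ == "__main__":
    d = make_directory()
    for badge, uid, pw in [("BC-1001", "op1001", "Denim42Rivet"),
                           ("BC-1002", "op1002", "Wrangler7Lee9"),
                           ("BC-1003", "op1003", "Stitch8Seam1")]:
        print(badge, handheld_login(d, badge, uid, pw))
```

Keeping the handheld credential and the SAP credential in separate stores, as VF does, means a dumped handheld password database does not unlock the ERP system. Note that current guidance (NIST SP 800-63B) discourages forced periodic rotation and composition rules in favour of length and screening against breached-password lists; the regime above reflects the 2001 practice the article describes.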

Faced with the complex task of tracking rapidly changing wireless standards and providing security for a profusion of wireless devices, some enterprises are opting to hand the problem to a service provider. John Shields, vice president of wireless initiatives at Patelco, for example, recently chose to outsource his company's wireless implementation and security to MShift. With $1.9 billion in assets, San Francisco-based Patelco is California's fourth-largest credit union. Patelco launched its wireless banking application in November and recorded more than 1,000 log-ons that month.

While Patelco has internal expertise in HTML and online content delivery, Shields said, it lacked WAP expertise. Shields told his managers he feared that, as wireless devices proliferated, he'd eventually have to support multiple protocols. He also worried that as an increasing number of applications were wireless-enabled, Patelco would run into trouble guaranteeing security on all of them. In the end, Shields persuaded his managers to buy rather than build a secure mobile infrastructure.

"WAP protocol is relatively new to us, and there are so many wireless devices you have to keep on top of," Shields said. "Partly because of security concerns, our executives understood why outsourcing was right for us."

MShift's wireless implementation for Patelco uses WTLS, SSL and digital certificates to protect sensitive data. Patelco, on its end, secures every transaction internally with 128-bit encryption behind a corporate firewall. Patelco also controls what its wireless users can and cannot do. For instance, while users can check their balances, they are not allowed to pay loans and can only transfer money between their own accounts.
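The channel-scoped permissions Patelco describes (balances allowed, loan payments blocked over wireless, transfers only between a member's own accounts) are a deny-by-default authorization check. The block below is an added example, not MShift's or Patelco's code; the channel names, action names and the account ownership table are assumptions, and the web-channel transfer rule is an assumption too, since the article only describes the wireless restrictions.

```python
"""Added example: channel-scoped authorization modelled on the Patelco rules.
Not MShift's or Patelco's code; channels, actions and ownership data are assumed."""
from dataclasses import dataclass
from typing import Optional

# Actions each channel may perform; anything absent is denied by default.
CHANNEL_ACTIONS = {
    "web":      {"balance", "transfer", "pay_loan"},   # assumed web policy
    "wireless": {"balance", "transfer"},               # no loan payments over WAP (article)
}

# Constructed ownership table: account number -> member ID.
OWNERS = {"S-1001": "m42", "C-1002": "m42", "S-2001": "m77"}


@dataclass(frozen=True)
class Request:
    channel: str
    member: str
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None


def authorize(req: Request, owners=OWNERS) -> tuple[bool, str]:
    """Deny-by-default policy check; the reason string is meant for the audit log."""
    allowed = CHANNEL_ACTIONS.get(req.channel, set())   # unknown channel -> nothing allowed
    if req.action not in allowed:
        return False, f"{req.action} not permitted on {req.channel}"
    if req.action == "transfer":
        # The source must belong to the requesting member on every channel;
        # otherwise a guessed account number drains someone else's balance.
        if owners.get(req.src) != req.member:
            return False, "source account not owned by member"
        if req.dst not in owners:
            return False, "unknown destination account"
        # Over wireless the destination must be the member's own account as well.
        if req.channel == "wireless" and owners[req.dst] != req.member:
            return False, "wireless transfers limited to member's own accounts"
    return True, "ok"


if __name__ == "__main__":
    for r in [Request("wireless", "m42", "balance"),
              Request("wireless", "m42", "pay_loan"),
              Request("wireless", "m42", "transfer", "S-1001", "C-1002"),
              Request("wireless", "m42", "transfer", "S-1001", "S-2001")]:
        print(r.channel, r.member, r.action, "->", authorize(r))
```

The ownership test on the source account is the one that matters most: a channel that lets a caller name any account number and only checks the action type is exactly the kind of transaction that shows up as a fraud loss later.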

Experts predict that many enterprises will choose to outsource, at least initially, to get a jump on security. "This is definitely a buy-vs.-build type of proposition," said Lonadier of Hurwitz Group. "The wireless market is fairly new, and IT managers should figure out early on if they have the expertise to secure transactions on their own."

Nor is it a mistake for e-businesses to limit m-commerce bells and whistles until they are sure they can guarantee a level of security that is acceptable to users and business managers. As many organizations learned the hard way during the first phase of e-business, it doesn't matter if the site uses the coolest technology; if it's not secure, it's a failure.

"It doesn't matter if an application is mobile or not," said Edmunds.com's LaMuraglia. "It has to be secure, no matter what."

Holding the line on wireless security

Hackers have plenty of motivation for breaking into your wireless network. A radio link does not stop at the building's walls, and an attacker who associates with an unprotected access point lands on the wired backbone behind it, where the traffic of your traditional network of servers and desktops can be intercepted. Thwart wireless intrusions with the following tactics:

  • Change the default settings on access points: the network name, the encryption key and the administrative password. Defaults are printed in vendor documentation, so they are open to any third party who knows the product.
  • Isolate the access points and the path through which wireless users enter your network, for example on their own segment behind a firewall. This limits how much backbone activity a wireless client can see, and it keeps wireless traffic off the main network hub.
  • Provide central IT support for departmental wireless networks. Departments with full IT support are less likely to build their own, insecure wireless networks.
  • Track MAC (media access control) addresses and restrict association to the addresses of devices you issued. The list tells you which devices are on your network, and a stolen device's address can be removed from it so that the device is refused access. A MAC address is easily copied, though, so treat this as inventory control, not authentication.
  • Monitor access logs. Access logs record source addresses and make it easier to spot attempts to penetrate network log-in security.
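The last two tactics, MAC tracking and log monitoring, are worth showing together, since a MAC allowlist is only useful if someone reads what the access points report. The block below is an added example, not code from any access-point vendor: the log line format, the device inventory, the stolen-device list and the failure threshold are all constructed for the demonstration.

```python
"""Added example: MAC inventory check and log-in failure monitoring over
constructed access-point log lines. Format, inventory and thresholds are assumed."""
import re
from collections import defaultdict
from typing import Optional

# Constructed sample log (assumed format: ISO time, AP name, event, key=value fields).
SAMPLE_LOG = """\
2001-01-15T08:02:11 ap-floor1 assoc mac=00:a0:f8:12:34:56 ssid=MFG-RF result=ok
2001-01-15T08:02:40 ap-floor1 assoc mac=00:a0:f8:aa:bb:cc ssid=MFG-RF result=ok
2001-01-15T08:03:01 ap-floor1 auth mac=00:a0:f8:aa:bb:cc user=op1187 result=fail
2001-01-15T08:03:09 ap-floor1 auth mac=00:a0:f8:aa:bb:cc user=op1187 result=fail
2001-01-15T08:03:15 ap-floor1 auth mac=00:a0:f8:aa:bb:cc user=admin result=fail
2001-01-15T08:04:22 ap-floor2 assoc mac=00:a0:f8:12:34:99 ssid=MFG-RF result=ok
2001-01-15T08:05:00 ap-floor2 assoc mac=00:a0:f8:de:ad:01 ssid=MFG-RF result=ok
2001-01-15T08:05:03 ap-floor2 auth mac=00:a0:f8:de:ad:01 user=op2210 result=ok
"""

# Assumed inventory: addresses of handhelds the company issued, one reported stolen.
INVENTORY = {"00:a0:f8:12:34:56", "00:a0:f8:12:34:99", "00:a0:f8:de:ad:01"}
STOLEN = {"00:a0:f8:de:ad:01"}
FAIL_THRESHOLD = 3   # assumed: alert on the third failed log-in from one address

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ap>\S+)\s+(?P<event>assoc|auth)\s+(?P<rest>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; lines that do not match are ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec.update(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return rec


def analyze(log_text: str, inventory=INVENTORY, stolen=STOLEN,
            fail_threshold=FAIL_THRESHOLD) -> list[tuple[str, str, str]]:
    """Return (kind, mac, detail) findings: a device not in inventory, a device
    reported stolen, and repeated log-in failures from one address.
    A MAC address is trivially forged, so these are monitoring signals and
    inventory control, not proof of who is on the network."""
    findings = []
    fails = defaultdict(int)
    reported_unknown = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        mac = rec.get("mac", "")
        if rec["event"] == "assoc":
            if mac in stolen:
                findings.append(("stolen-device", mac, rec["ap"]))
            elif mac not in inventory and mac not in reported_unknown:
                reported_unknown.add(mac)   # report each unknown device once
                findings.append(("unknown-device", mac, rec["ap"]))
        elif rec["event"] == "auth" and rec.get("result") == "fail":
            fails[mac] += 1
            if fails[mac] == fail_threshold:
                findings.append(("auth-bruteforce", mac, f"{fails[mac]} failures"))
    return findings


if __name__ == "__main__":
    for kind, mac, detail in analyze(SAMPLE_LOG):
        print(f"{kind:16} {mac}  {detail}")
```

On the constructed log the unknown device shows up first, then its three failed log-in attempts (the last against an administrative account), and finally the stolen handheld associating on a different floor; a real deployment would feed these findings to whatever pager or ticketing system the security team already watches.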

    Where wireless leaks

    Wireless transactions coming from outside the corporate firewall fail up to three times as often as Internet-based transactions, according to Hurwitz Group. A big part of the problem is that, since radio signals travel through the open atmosphere, they can be intercepted by individuals who are constantly on the move and difficult to track. Here are some examples of security breaches associated with wireless networks:

    • Interception of law enforcement data on specialised mobile radio, private radio or Cellular Digital Packet Data networks
    • Interception of credit card authorisations over wireless networks
    • Stealing of cellular air time
    • Interception of e-mail messages on wireless Internet connections
    • Physical breach of security at unmanned base stations or other communications centers

      The push is on for wireless security

      Although wireless protocols such as WAP may not be as secure as most IT managers would like, vendors are rapidly closing holes. But how do you know when a wireless platform is finally safe for mission-critical applications?

      One way is to get actively involved with the growing number of industry groups, standards committees and vendor alliances vying to set standards for securing wireless transactions. These groups include the WAP Forum, Radicchio, the Bluetooth Special Interest Group and the PKI Forum.

      "We support many wireless devices, and we want to make sure our voice is heard on issues that will affect our wireless implementation," said Chuck Davis, chief technology and chief privacy officer at BarPoint.com. "Because these organisations are developing legislation and standards, we thought it was important for us to participate."

      BarPoint.com is actively involved in the WAP Forum. While the forum does not concentrate solely on wireless services security, it sets the framework for how security features such as PKI (public-key infrastructure) are implemented into WAP (Wireless Application Protocol).

      Davis said his involvement in the WAP Forum allows him to promote the wireless issues he's concerned about.

      For example, he's interested in the organisation's work to close the security hole created when the WAP gateway decrypts data protected by the Wireless Transport Layer Security protocol and re-encrypts it under an IP-side protocol such as SSL (Secure Sockets Layer), leaving it briefly in cleartext on the gateway.
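The gateway hole Davis describes here, and earlier in the main article where BarPoint's in-house gateway is discussed, is easiest to see in code. The block below is an added model, not WAP Forum, BarPoint or vendor code: a keyed HMAC-SHA256 stream with an encrypt-then-MAC tag stands in for both the WTLS and the TLS record layers, the keys are assumed to be established out of band (no handshake is modelled), and the sample order is constructed. It runs the same message through a gateway with transport security only, then again with an application-layer key that the gateway never holds, and records what an insider at the gateway could log in each case.

```python
"""Added model of the WAP gap: WTLS is terminated at the gateway and the traffic
is re-encrypted for the wired leg, so the gateway operator sees cleartext.
Not WAP Forum, BarPoint or vendor code; the record protection is an illustrative stand-in."""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumption: HMAC-SHA256 in counter mode stands in for the WTLS/TLS record
    # ciphers. It is a PRF keystream for the demonstration, not either protocol's suite.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC record: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, record: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a forged record is rejected."""
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("record integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class WapGateway:
    """Holds the WTLS key shared with the handset and the TLS key shared with the
    origin server, so it necessarily decrypts and re-encrypts every record."""

    def __init__(self, operator: str, wtls_key: bytes, tls_key: bytes):
        self.operator = operator            # "carrier" or "enterprise" (who runs the box)
        self.wtls_key, self.tls_key = wtls_key, tls_key
        self.observed: list[bytes] = []     # what an insider at the gateway could log

    def relay(self, wtls_record: bytes) -> bytes:
        cleartext = unseal(self.wtls_key, wtls_record)   # WTLS ends here
        self.observed.append(cleartext)                  # this is the gap
        return seal(self.tls_key, cleartext)             # TLS leg begins here


def wap_gap(order: bytes, operator: str = "carrier"):
    """Handset -> gateway -> server with transport security only.
    Returns (what the server decrypts, what the gateway saw, who runs the gateway)."""
    wtls_key, tls_key = os.urandom(32), os.urandom(32)   # assumed pre-established keys
    gw = WapGateway(operator, wtls_key, tls_key)
    server_sees = unseal(tls_key, gw.relay(seal(wtls_key, order)))
    return server_sees, gw.observed[0], gw.operator


def end_to_end(order: bytes, operator: str = "carrier"):
    """Same path, but the payload is first sealed under an application key that only
    the handset and the server hold; the gateway still relays, but sees only a record."""
    app_key = os.urandom(32)
    wtls_key, tls_key = os.urandom(32), os.urandom(32)
    gw = WapGateway(operator, wtls_key, tls_key)
    inner = seal(app_key, order)
    server_sees = unseal(app_key, unseal(tls_key, gw.relay(seal(wtls_key, inner))))
    return server_sees, gw.observed[0], gw.operator


def cleartext_leaves_enterprise(order: bytes, operator: str) -> bool:
    """BarPoint's workaround in one line: the gap still exists, but hosting the gateway
    in-house keeps the cleartext inside the company's own perimeter."""
    _, seen, who = wap_gap(order, operator)
    return seen == order and who != "enterprise"


if __name__ == "__main__":
    msg = b"BUY ISBN=0201633612 QTY=1 CARD=4111111111111111"   # constructed sample order
    print("carrier gateway sees:", wap_gap(msg)[1])
    print("with an application-layer key it sees:", end_to_end(msg)[1][:16].hex(), "...")
```

The second path is the same idea as the layered, separately keyed encryption BarPoint applies on top of the transport: a gateway that holds only the transport keys can relay the traffic but cannot read it. The in-house gateway is a different trade-off, since the cleartext still exists, just on a machine behind the enterprise's own firewall rather than at the carrier.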

      The WAP Forum has more than 200 members, mostly vendors, including such wireless leaders as Ericsson, Nokia and Qualcomm.

      As wireless heats up, Davis said, BarPoint.com will join other forums, including the PKI Forum. That organisation hopes to accelerate the adoption and use of PKI and PKI-based services for both wired and wireless devices. The PKI Forum is composed of almost 100 companies, most of them software developers.

      For IT managers focused on wireless security, there are lobbying organisations such as Radicchio, which works to persuade international organisations and government bodies to take into account mobile security when drafting legislation. Radicchio has some 50 members, including wireless operators, certification authorities, systems integrators, handset manufacturers and software companies.

      Enterprises interested in Bluetooth may choose to follow the Bluetooth Special Interest Group. Comprising telecommunications, computing and networking companies such as IBM, Intel, Microsoft and 3Com, the group is working on security issues attached to the de facto standard.

      Even if IT managers don't actively participate in these organisations, they'll do well to follow them closely. "Eventually, a standard will be set," Davis said. "With so many people using our wireless service, we want to be prepared."

      IT managers can learn more about the groups at the following Web sites: www.bluetooth.com, www.radicchio.org, www.wapforum.org and www.pkiforum.org.

      Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
      ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.