M-commerce security a moving target

18 January 2001 09:14 AM

Approach with caution

Given all those security challenges, many enterprises are approaching m-commerce slowly, and only after laying out highly restrictive security policies and procedures. Take BarPoint.com, for example. In addition to encouraging its customers to install anti-virus software that protects handhelds, the provider of online product pricing information insists on encrypting wireless data multiple times and treating encryption keys like crown jewels. BarPoint.com's wireless security strategy centers on three groups working on its wireless offerings: a mobile applications group, an internal development team and a database development team. Each group develops its own layer of encryption, and no one is allowed to share keys with anyone outside a group.

BarPoint.com's concern, according to Chuck Davis, chief technology and chief privacy officer, is that an employee with access to all keys could leave and use them to intercept wireless data and transactions.

To prevent such foul play, Davis has placed the information about each encryption key in its own safe. Only he knows the combinations to the three safes.

"If the security keys were ever compromised at BarPoint, all the fingers would point to me," Davis said. "But that's how important wireless security is to us. This is the only way we can continue to add security [features] to our applications without worrying about compromising security."

Why the Fort Knox-like attitude? Like many IT managers, Davis remains leery of what he sees as generally weak wireless security standards. A perfect example, he said, is WAP. Data traveling over a wireless network using the Transport Layer Security (TLS) protocol must be decrypted at a carrier's WAP gateway and then re-encrypted using WTLS (Wireless Transport Layer Security) encryption for delivery to a WAP device. Those seconds between decryption and re-encryption concern Davis and are a reason his company has yet to enable wireless transactions.

Davis, who hopes to launch m-commerce applications this spring, said BarPoint.com addressed the WAP security gap by hosting an in-house wireless application gateway behind the company's enterprise firewall. The WAP Forum, of which Davis is a member, is also working on this issue.

Meanwhile, BarPoint.com will continue offering product pricing, purchasing and other information to more than 255 types of wireless communications devices, something it launched in 1999.

"We're testing an m-commerce application right now, but we don't want to put out a product if we can't absolutely guarantee the security," Davis said.

Sound paranoid? Davis doesn't think so. And neither do security experts. In fact, analysts say enterprises need to make wireless security an imperative if they are to succeed in m-commerce.

"In general, security is not being particularly well-thought-out either for wired or for wireless implementations," said Lonadier of Hurwitz Group. "Taking the extra steps to secure your wireless implementation may seem extreme now, but in the long run, you'll be relieved you did."
