The wireless Internet industry pooh-poohed concerns over mobile data security Wednesday, downplaying the seriousness of an existing hole and patchy implementation of secure technology.
Wireless Application Protocol (WAP) transmissions are designed to be encrypted with one method while in the air and another on the wired network; but when they are handed over from one method to the other they have to decrypt and then re-encrypt themselves. That leaves a split second when the data is not secure -- though it would be extremely difficult to exploit such a hole.
A bigger problem might be that the infrastructure to deploy full encryption isn't yet widely available. WAP data must pass through a gateway server to exchange data with the Internet, but the first such server to offer end-to-end security (Nokia WAP Server 1.0) was only made available in February.
But even with these issues, security via WAP devices, such as mobile phones and Internet-enabled handheld computers, is "a 100-foot wall with a one-inch hole", according to Scott Goldman, CEO of WAP Forum, an industry consortium.
Appearing at Internet World in London, Goldman says he often buys goods and services over a WAP device himself. "I'm a lot more paranoid about giving someone my credit card number over the phone, or giving it to some waiter in a restaurant, than I am with putting it on a WAP-enabled device and sending it over the airwaves," he said.
Goldman insists the WAP system is secure enough today, pointing out data is already protected during transmission by GSM's built-in encryption. "M-commerce" is here today, he says, and "that's proven by the people who are already using it."
He took the opportunity to lash out at a recent survey questioning the effectiveness of the protocol. A study by WAP portal AnywhereYouGo.com found that a third of the sites they tested didn't work because of poor compliance with standards. "They tested all of 50 sites and found a third of those weren't working -- that isn't what I'd consider a statistically relevant sample."
