Designing secure mobile computing

Delivering financial information safely over the wireless Internet puts the onus on financial institutions to work with device manufacturers and wireless carriers to devise new and robust security processes to maintain their clients’ trust, according to Arijit Das and Alicja Turner, senior managers for Bank of Montreal m-commerce and wireless.

“The evolution of commerce and financial transactions has been closely associated with the concept of trust and security,” they write in a recent commentary on the challenges of secure mobile finance. “This trust was tested by the introduction of telephone and Internet banking, and is now being tested again by wireless banking. With more and more people using mobile devices to store and distribute sensitive, personal information, financial institutions must address security threats that go beyond financial loss, such as identity theft and cyber terrorism.”

While Das and Turner view today’s technology as allowing wireless devices to be used in a secure manner with financial applications, they caution that the implementation of the security layer for wireless services is much more complex than with traditional e-business applications.

They note that a key issue with the security of wireless finance is the availability of encryption technology. They point out that wireless devices and Web sites currently must use different types of technology: Web sites use traditional Secure Socket Layer (SSL) encryption, while wireless devices use encryption algorithms optimized for slower networks and less powerful devices. When a wireless device must access a content provider’s secure Web site, the wireless gateway must first convert the encryption protocol to SSL, they explain. To do this, the data is decrypted at the gateway and re-encrypted in an SSL connection to the back-end content provider, i.e. the financial institution. This results in what the industry sometimes calls the ‘Wap Gap’, a tiny window during which the data is in the clear in the carrier’s network, giving rise to a wireless security gap.
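The following model makes the gap concrete. It is an added illustration, not code from Das and Turner, Bank of Montreal or any WAP gateway vendor. A gateway in protocol-translation mode decrypts the handset’s session and re-encrypts for the SSL link, so the plaintext necessarily exists at the gateway; in the end-to-end mode the authors describe later, the gateway merely relays bytes it holds no key for. The stream cipher is a toy built from an HMAC-SHA256 keystream so the file runs on the standard library alone; it stands in for the WTLS and SSL sessions and is not suitable for real traffic. The transaction text and key sizes are constructed values.

```python
"""Model of the 'Wap Gap': a translating gateway holds plaintext, an end-to-end
channel leaves it with ciphertext only.

Constructed illustration, not code from Das and Turner, Bank of Montreal or
any WAP gateway vendor. The stream cipher is a toy built from an HMAC-SHA256
keystream so that the file runs on the standard library alone; it stands in
for the handset's WTLS session and the gateway's SSL session and must not be
used to protect real traffic.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated to `length`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError if the blob was altered or the key is wrong."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Gateway:
    """Carrier WAP gateway. `observed` collects every byte string that passed through
    it; in translation mode that includes the decrypted request, which is exactly
    what an intruder or insider on the carrier network would be positioned to read."""
    handset_key: bytes                  # session key shared with the handset (WTLS side)
    bank_key: bytes                     # session key shared with the bank (SSL side)
    observed: list = field(default_factory=list)

    def bridge(self, from_handset: bytes) -> bytes:
        """Protocol-translation mode: decrypt the handset session, re-encrypt for the
        SSL link. Between the two calls the plaintext exists at the gateway: the Wap Gap."""
        plaintext = unseal(self.handset_key, from_handset)
        self.observed.append(plaintext)
        return seal(self.bank_key, plaintext)

    def forward(self, from_handset: bytes) -> bytes:
        """End-to-end mode: the gateway relays bytes it holds no key for."""
        self.observed.append(from_handset)
        return from_handset


# Constructed sample transaction; any bank-bound request would do.
REQUEST = b"TRANSFER 500.00 FROM 12345 TO 67890"


def run_translating_gateway() -> tuple:
    """Returns (what the bank decrypts, whether the gateway held the plaintext)."""
    handset_key, bank_key = os.urandom(32), os.urandom(32)
    gw = Gateway(handset_key, bank_key)
    to_bank = gw.bridge(seal(handset_key, REQUEST))
    return unseal(bank_key, to_bank), REQUEST in gw.observed


def run_end_to_end() -> tuple:
    """Same request over a handset<->bank session the gateway cannot open.
    Returns (bank plaintext, gateway held plaintext?, gateway could decrypt?)."""
    e2e_key = os.urandom(32)                      # negotiated directly between handset and bank
    gw = Gateway(os.urandom(32), os.urandom(32))  # the gateway's own keys do not cover this session
    to_bank = gw.forward(seal(e2e_key, REQUEST))
    gateway_can_read = True
    try:
        unseal(gw.handset_key, to_bank)
    except ValueError:
        gateway_can_read = False
    return unseal(e2e_key, to_bank), REQUEST in gw.observed, gateway_can_read


if __name__ == "__main__":
    print("translating gateway:", run_translating_gateway())
    print("end to end:         ", run_end_to_end())
```

The carrier audit the authors call for later in the piece is, in this model, an audit of what `Gateway.observed` can contain: in translation mode it is the transaction itself, so the process, staff and systems around that gateway must be treated as part of the bank’s trust boundary; in end-to-end mode the gateway holds nothing useful and the carrier drops out of the confidentiality argument.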

Das and Turner describe an alternative technology, known as Wireless Transport Layer Security (WTLS), as similar to SSL but geared towards devices with limited processing power and less reliable networks. WTLS uses encryption algorithms that use less computing power, but are still cryptographically strong, they note. This means that a handset can encrypt data in much the same way a browser does when it accesses a secure site. While this solution is promising, there are few devices on the market which support WTLS technology.

They note that a third, even stronger encryption and mutual authentication solution that can run the full SSL protocol along with some sort of PKI support is also available, but only with a limited number of devices. “While these devices are beginning to penetrate the U.S. market, they are still fairly uncommon. However, in the interim, financial institutions have developed several solutions to address these challenges.” They cite four developments in particular: end-to-end encryption, Public Key Infrastructure (PKI), m-Certs (mobile certificates) and biometrics.

End-to-end encryption

“With the advent of the next generation of mobile devices and networks (be it GPRS, 3G or some other flavour), there will be more processing power and bandwidth available to allow stronger encryption algorithms,” they write. “This is being complemented by the development of an encryption technique based on a mathematical principle known as ‘elliptic curve cryptography’, which provides strong encryption with smaller key lengths and uses less processing power. What these developments suggest is that future mobile devices will provide end-to-end encryption capability in much the same way that today’s Internet browsers provide strong 128-bit SSL. This will address some of today’s privacy concerns.

Public Key Infrastructure (PKI)

“Great strides are being made in the areas of authentication and non-repudiation. Smart cards already provide a PKI infrastructure for digitally signing data, however, their market penetration in North America has been limited. Other initiatives are under way to create a framework for PKI to work with mobile devices.

m-Certs

“Outside North America there have been several initiatives to create a mobile certificate-based PKI infrastructure, like the electronic certificates used for Internet applications. A Hong Kong-based initiative led by a forum dubbed HKMIF announced ‘m-Cert’ in April 2000. ‘m-Cert’ is a mobile certificate solution. One of the aims of this initiative is to develop a single, well-recognized solution for all mobile PKI-based e-commerce services in Hong Kong. When developed, m-Cert will be the equivalent in the mobile environment of the electronic certificate (e-cert) supporting PKI security on the Internet. In addition to other PKI-based services and applications (e.g., paying utility bills or credit cards, purchasing movie or air tickets, trading stocks, etc.), m-Cert will support all banks in Hong Kong and will ensure the highest degree of security and flexibility for banking services. The forum invites industry players to work together and contribute to the development of an open standard, vendor-independent and future-proof m-Cert solution that will also complement international standards. It is managed by a steering committee, which comprises Hong Kong’s six mobile operators.”

Biometrics

Das and Turner describe biometrics as “another emerging technology that is expected to become mainstream in the future. Some examples of biometric authentication in use in limited applications today are voiceprints, fingerprints or retina images. This has potential applications in wireless when devices are misplaced or stolen. Once biometrics technology becomes more affordable and performance improves, this technology will likely be integrated into PDAs and cell phones.”

Crossing the wireless security gap

A number of security issues need special attention when designing wireless applications, caution Das and Turner. They charge that it is critical that IT professionals re-examine security policies and procedures to ensure that they address issues like the diversity of devices, different presentation formats (e.g. WML, J2ME, HDML) and the different types of networks through which the data flows.

One of the greatest weaknesses of wireless security protocols, including WTLS, is their support for weak cipher suites, they note. They cite WTLS by way of example, noting that it allows the client to negotiate an encryption algorithm called RC5 with 40-, 56- or 128-bit keys, or DES with 40-bit keys. Since DES with 40-bit keys is insufficient for financial transactions, they point out, financial institutions’ servers must be configured to reject any algorithm that would be considered too weak for the purposes of financial transactions, so that an acceptable level of encryption is actually achieved.
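What “configured to reject” looks like on the server side is shown below as an added example; it is not Bank of Montreal, Veev or WAP Forum code. The suites follow the algorithms the article lists (RC5 at 40, 56 or 128 bits, DES at 40 bits); the 128-bit minimum, the forbidden-cipher set and the server’s preference order are assumed policy values for the example. The point is that the server walks its own preference list and only considers suites that pass policy, so a handset that leads its offer with a weak suite, whether an old device or a downgrade attempt, either negotiates the strong suite or gets no session at all; the refused suites are returned as audit reasons for logging.

```python
"""Server-side cipher-suite policy for a WTLS-style handshake.

Constructed illustration, not Bank of Montreal, Veev or WAP Forum code. The
suite names follow the algorithms the article lists (RC5 at 40, 56 or 128
bits, DES at 40 bits); the minimum-strength threshold and the server's
preference order are assumed policy values chosen for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class CipherSuite:
    bulk_cipher: str   # symmetric algorithm name, e.g. "RC5" or "DES"
    key_bits: int      # effective key length negotiated for the session

    def __str__(self) -> str:
        return f"{self.bulk_cipher}-{self.key_bits}"


# Assumed policy: anything under 128 bits is refused for financial traffic.
MIN_KEY_BITS = 128
# DES is listed explicitly because no DES suite can ever reach the threshold;
# the null cipher (no encryption at all) is refused unconditionally.
FORBIDDEN_CIPHERS = frozenset({"NULL", "DES"})
# Assumed server preference order. The server's order decides the outcome,
# never the client's, so listing a weak suite first gains the handset nothing.
SERVER_PREFERENCE = (CipherSuite("RC5", 128),)


def rejection_reason(suite: CipherSuite, min_key_bits: int = MIN_KEY_BITS,
                     forbidden: frozenset = FORBIDDEN_CIPHERS) -> Optional[str]:
    """Return why the suite is unacceptable, or None if policy allows it."""
    if suite.bulk_cipher in forbidden:
        return f"{suite}: cipher {suite.bulk_cipher} is not permitted"
    if suite.key_bits < min_key_bits:
        return f"{suite}: {suite.key_bits}-bit key below {min_key_bits}-bit minimum"
    return None


def negotiate(client_offer: Iterable[CipherSuite],
              server_preference: Tuple[CipherSuite, ...] = SERVER_PREFERENCE
              ) -> Tuple[Optional[CipherSuite], List[str]]:
    """Pick the server's most preferred suite that the client also offered and
    that passes policy. Returns (chosen suite or None, audit reasons for every
    offered suite that was refused). None means the handshake must be aborted
    rather than downgraded."""
    offered = list(client_offer)
    refused = [r for r in (rejection_reason(s) for s in offered) if r is not None]
    acceptable = {s for s in offered if rejection_reason(s) is None}
    for preferred in server_preference:
        if preferred in acceptable:
            return preferred, refused
    return None, refused


if __name__ == "__main__":
    # Constructed client hello: a handset leading with its weakest suites.
    handset = [CipherSuite("DES", 40), CipherSuite("RC5", 40),
               CipherSuite("RC5", 56), CipherSuite("RC5", 128)]
    chosen, audit = negotiate(handset)
    print("negotiated:", chosen)
    for line in audit:
        print("refused   :", line)

    # A device that cannot do better than 56 bits gets no session at all.
    legacy = [CipherSuite("DES", 40), CipherSuite("RC5", 56)]
    chosen, audit = negotiate(legacy)
    print("legacy handset ->", chosen)
```

The audit list is the detection hook: a sudden rise in handshakes refused for offering only 40- or 56-bit suites is worth a look, because it is either a population of old handsets the institution did not know it had or traffic that is being tampered with on the way to the gateway.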

“In addition to hardening the configuration files of the gateway, content providers need to conduct audits on carrier networks in order to ensure the ‘Wap Gap’ is properly addressed and the network is secure from external or internal hacking,” they write. “This is particularly critical at the vulnerable moment when the data is in the clear.”

Das and Turner see as an often overlooked risk the lack of control over service level commitments, resulting from the involvement of numerous partners — device manufacturers, the network carrier and the financial institution — in the delivery of wireless financial services. “While this risk is technical in nature, the solution involves implementing processes to manage partner relations, as well as client expectations,” they write. “For example, a financial institution’s client can be denied access to financial applications because a carrier’s data network is down. This situation has to be addressed through formalized Service Level Agreements with the different carriers and by educating clients about how wireless financial services are delivered.

“The user interface of mobile applications has to address another level of risk, since these devices are typically used in public places and are also prone to be lost or misplaced,” they continue. “This means the application design has to make sure that it is difficult for ‘over the shoulder’ attacks to occur, where a passerby can look at the displayed data and gain private information.”

They note that a number of initiatives have been started to promote the use of mobile technology in financial services, and to encourage and drive the adoption of open standards in the field. They cite the previously mentioned m-Cert plus these other initiatives:

Fundamo, a mobile payment solution;

Radicchio, a standard security platform for mobile using wireless PKI; and

eSIGN, a uniform application interface for implementing mobile digital signatures – which they call the de-facto standard for the integration of mobile into the Internet.

“These initiatives, along with rapid advances in encryption techniques and processing capabilities of mobile devices, promise a future when content providers will be able to focus their energy on the creation of new services, rather than on security,” they conclude. “But until then, we must constantly keep learning and reviewing the security issues and implementations. One of the best defenses against security threats is knowledge – know and understand how and when threats occur, and how to prevent them.”

Securing wireless finance to meet client expectations

The Bank of Montreal Group of Companies, including Chicago-based Harris Bank, launched Veev, a mobile financial services solution, in 1999; it has since evolved into a wireless application service provider. Here is Veev management’s list of best practices for delivering secure wireless transactions.

Partner only with trusted carriers.

Conduct an audit of the carrier’s network to ensure it meets the highest security standards.

Put appropriate Service Level Agreements in place.

Ensure secure and trusted connections are established between the carrier’s gateway and the content server, ensuring that only the right levels of encryption are accepted in a session.

Extensively test new devices.

Pay attention to the user interface design, not only from a usability perspective, but also from a security perspective.

Put in place appropriate processes for threat detection and response. This is even more complex in the wireless arena, because of the plethora of devices, protocols and carrier networks.

Stay current. Understand that new technologies are constantly being brought to market, and new threats are constantly arising, resulting in the need to be nimble and adaptable.