Wireless security getting better: Analysts

Security for wireless banking transactions does have its weaknesses, but banks and users can bolster security protections, analysts say.

“Security is not a reason to slow down growth of wireless banking, but it is a responsibility of the (banks) to continually improve so they don’t get embarrassed by loss of (personal identification numbers) or passwords,” says Alan Paller, director of research at the SANS Institute in Bethesda, Md.

Paller and two other analysts say that wireless transactions are vulnerable to hacks at the Wireless Application Protocol (WAP) gateway server, which sits at the site of the wireless carrier today.

The current WAP standard, WAP 1.1, “leaves much to be desired,” but WAP 1.2 is “much better” for security, says Alan Reiter, an analyst at Wireless Internet and Mobile Computing in Chevy Chase, Md.

WAP 1.2 will be updated later this year, allowing wireless carriers to transport encrypted wireless data through the gateway and out to the desired Web site, such as a bank. Today, that encryption is dropped momentarily as the data is converted from WAP to the wired world, analysts say. Even that moment is enough time for a skilled hacker to retrieve such data as credit-card numbers and passwords, analysts say.

When WAP 1.2 is more fully implemented, the gateway server can be placed at a bank’s premises, which is more secure than at the phone company’s premises, says John Pescatore, an analyst at Gartner Group Inc. in Stamford, Conn.

Pescatore, Reiter and banks say something more than a user name and a password should be required to authenticate smart phones or personal digital assistants. For a company treasurer, two smart cards that interact with a wireless device to authorize a money transfer of great value might be necessary, Pescatore said.