Security Getting Better, Isn't a Barrier, Analysts Say

Security for wireless banking transactions does have its weaknesses, but security analysts said banks and users can bolster security protections.

"Security is not a reason to slow down growth of wireless banking, but it is a responsibility of the [banks] to continually improve so they don't get embarrassed by loss of [personal identification numbers] or passwords," said Alan Paller, director of research at the SANS Institute in Bethesda, Md., and a Computerworld columnist.

Paller and two other analysts said wireless transactions are vulnerable to hacks at the Wireless Application Protocol (WAP) gateway server, which sits at the site of the wireless carrier today.

The current WAP standard, WAP 1.1, "leaves much to be desired," but WAP 1.2 is "much better" for security, said Alan Reiter, an analyst at Wireless Internet and Mobile Computing in Chevy Chase, Md.

WAP 1.2 will be updated later this year, allowing wireless carriers to transport encrypted wireless data through the gateway and out to the desired Web site, such as a bank. Today, that encryption is dropped momentarily as the data is converted from WAP to the wired world, analysts said. Even that moment is enough time for a skilled hacker to retrieve data such as credit-card numbers and passwords, analysts said.

When WAP 1.2 is more fully implemented, the gateway server can be placed at a bank's premises, which is more secure than at the phone company's premises, said John Pescatore, an analyst at Gartner Group Inc. in Stamford, Conn.

Pescatore, Reiter and banks say something more than a user name and a password should be required to authenticate smart phones or personal digital assistants. For a company treasurer, two smart cards that interact with a wireless device to authorize a money transfer of great value might be necessary, Pescatore said.

- Matt Hamblen

Copyright © 2000 IDG Communications, Inc.
