Sealing the Gap in WAP
Posted: 04-Jan-2001 [Source: Wireless Networks Online]
[WAP 1.3 security standard to address some of the major security holes.]
by Betsy Harter -- "Security has been an issue in the wireless industry since cellular's inception. On the voice side, carriers have had to deal with tumbling, cloning, and subscription fraud. Unfortunately, adding data services and wireless Internet access brings a whole new set of security issues.
"It wasn't until the last year or so that people finally became comfortable giving out credit card and other personal information over the Internet. Consumers have every reason to be wary of the Web. Cybercriminals have electronically penetrated almost every one of the 500 largest U.S. corporations, not to mention government entities such as the Pentagon. Cybercrime is not limited to the United States -- telecommunications experts estimate that computer crime is responsible for $15 billion in losses worldwide. Now that valuable personal information, including financial and medical data, is traveling over airwaves, consumers and wireless carriers are more concerned about security than ever before.
"Verne Meredith, Diversinet vice president of sales & marketing, said WAP -- the protocol which most wireless carriers use to offer wireless Internet services -- has several security holes.
"We strongly believe that any secure digital wireless application needs to be the mirror image of the security model in the brick-and-mortar world," he said. "The WAP 1.2 security standard in its current state has significant shortfalls."
"Meredith said there are five pillars to security in the brick-and-mortar world that the wireless world needs to emulate. For example, if a person goes to a bank to withdraw money, the bank first verifies the person's identity, known as authentication in the digital world. Next, the bank verifies what the customer is allowed to do, or authorization. Third, the bank creates a space between a customer doing a transaction and other customers, known by digital companies as encryption. Fourth, the teller counts out a customer's money in front of him to ensure he receives what he requested, called data integrity by digital companies. Last, the customer gets a receipt, known in digital transactions as proof of contract, or non-repudiation.
"Although these five pillars exist in the wired Internet, WAP 1.2 is missing the authentication, authorization and proof-of-contract elements, Meredith said. In addition, WAP doesn't mention application level security, which means if a bank wants to secure its application for customers and manage the security behind its firewall, it can't do it using WAP because the intelligence is at the transport layer rather than the application layer, Meredith explained.