FRAMINGHAM (04/03/2000) - Building wireless applications? Analysts warn that using handhelds and smart phones to work wirelessly over the Web can raise some security risks.
Two analysts at Gartner Group Inc. in Stamford, Connecticut, recently raised three specific security issues, based on using a Sprint PCS Group wireless phone to buy a book from the Amazon.com Inc. Web site. They said the concerns, which involve password and credit-card protection, suggest serious implications for companies moving to provide wireless e-mail access to employees.
Here's what happened: Gartner security analyst John Pescatore borrowed the Sprint PCS phone of colleague Bob Egan in December to find out if it was easy to place an order with Seattle-based Amazon.com. Pescatore contacted the site wirelessly to buy a Harry Potter book.
Pescatore was prompted to enter his Amazon.com user name and password. He was shocked, he said, to see his password appear on the screen as he typed it, rather than having it hidden behind a series of Xs, as one would see when typing a password on a PC. Problem 1.
Then, Pescatore was asked if he wanted to buy the book. He said he was surprised that when he clicked a "yes" box, the order was completed without his entering a credit-card number. Even though Pescatore had previously used a credit card at Amazon via a PC, he had specifically decided not to use the trademarked 1-Click easy purchase option. (1-Click allows Amazon users to store a credit-card number and shipping information with Amazon.) Problem 2.
Problem 3 occurred a week later, when Pescatore asked Egan to scroll back through the phone's memory. When he did, Egan found Pescatore's user name and password still stored in the phone's cache. He ordered another book using Pescatore's credit card, the analysts reported.
Sprint PCS said the practice of showing the password will continue, because the small keyboard and screen would make it too hard for a user to input a password if it were X'd out.
"It's a technology trade-off," said Billy Stephens, director of product management and development for wireless data services at Sprint PCS in Kansas City, Missouri.
Regarding Problem 2, an Amazon.com official denied that Pescatore could have ordered the book without inputting the credit-card information unless he had enabled 1-Click in a prior visit.
As for the caching of the password, Stephens called it a "glitch on our part," since it isn't Sprint's policy to allow caching of a password.
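Problems 1 and 3 are both properties of the login page that the device renders: whether the password field is marked so the client masks it, and whether the response tells the client not to retain it. The following audit is an added example written for this article; it is not code from Sprint PCS, Amazon.com or Gartner, and it assumes an ordinary HTML login form delivered over HTTP (the WAP/WML decks of 2000-era phones would need the equivalent markup checks). The sample responses are constructed here to illustrate the weak and hardened cases.

```python
"""Audit an HTTP login response for the two device-side weaknesses the
article describes: a password echoed in clear text while typed, and a
password that stays in the device's cache after the session.

Added example; assumes an HTML form over HTTP, not the original WAP deck.
"""

from html.parser import HTMLParser


class _FormInputCollector(HTMLParser):
    """Collect the attributes of every <input> element on the page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            # attrs is a list of (name, value); value may be None
            self.inputs.append({k.lower(): (v or "") for k, v in attrs})


def audit_login_response(headers, body):
    """Return a list of findings; an empty list means the page passes."""
    findings = []

    # Problem 3 check: a response without Cache-Control: no-store may be
    # kept by the handset or an intermediate gateway after the session.
    header_map = {k.lower(): v for k, v in headers.items()}
    cache_control = header_map.get("cache-control", "").lower()
    if "no-store" not in cache_control:
        findings.append("response cacheable: Cache-Control lacks no-store")

    parser = _FormInputCollector()
    parser.feed(body)

    # Treat a field as a password field if it is typed as one or its
    # name suggests one (catches the type="text" mistake).
    password_fields = [
        field for field in parser.inputs
        if field.get("type", "").lower() == "password"
        or "pass" in field.get("name", "").lower()
    ]
    if not password_fields:
        findings.append("no password field found on login page")

    for field in password_fields:
        name = field.get("name", "?")
        field_type = field.get("type", "text").lower()
        # Problem 1 check: only type="password" tells the client to mask input.
        if field_type != "password":
            findings.append(
                f"password echoed: input '{name}' has type={field_type!r}"
            )
        # Problem 3 check, client side: allow the browser to remember it and
        # the credential survives on a lost or borrowed handset.
        if field.get("autocomplete", "").lower() != "off":
            findings.append(
                f"credential retained: input '{name}' allows autocomplete"
            )
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_BODY = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="text" name="password">
  <input type="submit" value="Sign in">
</form>
"""

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}
HARDENED_BODY = """
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password" autocomplete="off">
  <input type="submit" value="Sign in">
</form>
"""

if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(label, audit_login_response(hdrs, body) or "OK")
```

Run against the weak response the audit reports a cacheable page, an echoed password and a retained credential; the hardened response produces no findings. The no-store check is deliberately strict: a bare `no-cache` still permits storage, so it is reported as cacheable.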
Corporations might face dire consequences if they create applications to allow smart phone access to e-mail or corporate data and a password is stolen, Pescatore said.
"What if somebody steals your company's network password from a cell phone you lost in an airport?" he said.