SAN FRANCISCO (04/07/2000) - Trading stocks or buying plane tickets on your mobile phone may be convenient, but how secure is an instrument that routinely disconnects when you talk?
With the coming of wireless application protocol for phones and wireless personal digital assistants, the Web is now mobile. Portals like Yahoo Inc. let you check e-mail and stocks, while electronic commerce sites like Amazon.com Inc. let you shop while you walk. Still, with hackers continuously attacking the wire-line Internet, how secure is the wireless Web?
As Good (or Bad) as the Net
It's true that people could eavesdrop on calls made with analog phones, says Craig Mathius, a principal at the Farpoint Group, an advisory and integration firm specializing in wireless.
"With digital phones [which Web phones are], this is not possible; digital calls are encrypted," he says.
Wireless carriers, WAP sites, and other technology providers tell us the wireless Web browser is as secure as using a regular browser. But experts say there's room for improvement.
"The hype over the wireless Web far exceeds the reality," Mathius says. "We'll get to the point where security over wireless is good enough, but I have to be convinced. Personally, I don't buy stocks on cell phones."
He's learned from bad experience on the wire-line Internet, Mathius adds.
"I've had my credit card number stolen twice now," Mathius says. He figures, why conduct risky transactions unnecessarily?
Many credit card companies promise to back you if your card is pilfered during Net transactions. Still, more than 60 percent of us think it is too easy for credit card information to be stolen online, according to Cyber Dialogue's 1999 American Internet User Survey.
Security on Two Levels
The wireless Web may offer some extra safety. Wireless transactions both encrypt information and provide authentication to prove your identity.
"WAP has features for both. The question is: Are they good enough? And that's hard to answer," Mathius says.
Phone.com licenses its UP.browser, an early version of the WAP browser, to mobile phone services in the United States. The company says its browser is as secure as the browser on your desktop.
"We use the same types of algorithms and encryption strengths as people do over the Internet," says Roger Snyder, senior product manager of Phone.com.
Safety in Flight
Because wireless data travels two roads--airwaves and the Internet--it could be argued that it is either twice as vulnerable as Internet data or doubly secure.
WAP adds a second layer, wireless transport layer security (WTLS), on top of the base voice encryption that digital protocols use, Snyder says. "WTLS is a version of TLS, what SSL [Secure Sockets Layer] has become," he says.
Once data travels from the handset to the cellular base station, it hits the wire-line Internet; the WTLS leg ends there, and the rest of the trip is encrypted with standard SSL, or TLS, security.
Individual sites don't have to implement WTLS to secure the transactions of their wireless customers; they just use standard encryption, Snyder says.
Wireless Web sites typically provide authentication when you enter a user name and password, using the same model that desktop access to a Web site does, Snyder says.
Sites like Shadowpack and Strategy.com offer personalized portals where you can set up a single stop to get your e-mail, news, and local information, and conduct financial transactions. To protect you, these sites require a user name and password to log on, and additional personal identification numbers to complete transactions.
"We encrypt all users' financial information using Certicom [a provider of managed certificate services that enable secure mobile transactions]," says Lance Schneier, Shadowpack's founder and chair. "Beyond password protection and encryption, we also have schemes in which you time out."
Passwords are fine, but no one wants to key them in every five minutes on a tiny handset.
"There's a balance between security and usability," Schneier acknowledges.
Members can store subsequent passwords on Shadowpack's server, and the site can fill in the information for you, so you enter a password only once.
Anyone who gets your Shadowpack password can get to your Web information; but that's true for any transaction site, Schneier says.
"If someone has my password log-in for E-Trade, they could trade on my account," he says.
Double Duty Passwords
Like Shadowpack, Strategy.com encrypts information and requires a PIN for transactions. Often, that PIN is a number you already use.
"When you conduct a stock trade on Ameritrade [through Strategy.com], the PIN is your regular Ameritrade access number," says Justin Langseth, chief technology officer for Strategy.com.
Trading stocks on a phone may be convenient, but what happens if you get cut off in mid-trade?
"We pass a confirmation number from the trader back to the handset," Langseth says. "If you're cut off, you can go to the order status screen and see if the transaction went through."
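One way to implement the confirmation-number recovery Langseth describes, as an added example that is not Strategy.com's or Ameritrade's code: the handset tags each order with its own id before sending, and after a dropped connection checks order status by that id instead of blindly resending, so the broker fills any given order at most once. The Broker and Handset classes and the "before_send"/"after_send" drop points are hypothetical.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str   # client-generated id; doubles as the confirmation number
    symbol: str
    qty: int
    status: str     # "filled" in this simulation (a real broker also has "pending")

class Broker:
    """Hypothetical broker: order book keyed by the client's order id, so a resent request cannot execute twice."""
    def __init__(self):
        self.orders: dict[str, Order] = {}

    def place(self, order_id: str, symbol: str, qty: int) -> Order:
        if order_id in self.orders:       # duplicate submission: return the existing fill
            return self.orders[order_id]
        self.orders[order_id] = Order(order_id, symbol, qty, "filled")
        return self.orders[order_id]

    def status(self, order_id: str) -> Order | None:
        return self.orders.get(order_id)  # the "order status screen"

class Handset:
    """Hypothetical handset side: remembers unconfirmed orders across a disconnect."""
    def __init__(self, broker: Broker):
        self.broker = broker
        self.unconfirmed: dict[str, tuple[str, int]] = {}

    def trade(self, symbol: str, qty: int, drop: str | None = None) -> str | None:
        order_id = secrets.token_hex(8)
        self.unconfirmed[order_id] = (symbol, qty)
        if drop == "before_send":         # call dropped before the order left the phone
            return None
        confirmation = self.broker.place(order_id, symbol, qty)
        if drop == "after_send":          # order executed, but confirmation never arrived
            return None
        del self.unconfirmed[order_id]
        return confirmation.order_id

    def recover(self) -> dict[str, str]:
        """On reconnect, check status first; resend only what the broker never saw."""
        results = {}
        for order_id, (symbol, qty) in list(self.unconfirmed.items()):
            order = self.broker.status(order_id) or self.broker.place(order_id, symbol, qty)
            results[order_id] = order.status
            del self.unconfirmed[order_id]
        return results
```

A handset that simply resent every unconfirmed order would produce a duplicate fill in the "after_send" case; the status lookup is what prevents it.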
And while you're unlikely to misplace a desktop PC, you could lose your phone.
Most handsets come with a key lock, Snyder says. "No one can place a voice or data call without a PIN to unlock it." The trick is getting into the habit of using it.
What Do We Even Want?
Beyond security issues, transaction services don't seem to be first on our wireless data wish list. E-mail is our top interest, named by 79 percent of those polled by Peter D. Hart Research Associates. Are we scared, or unimaginative?
Clearly, the industry thinks we'll warm up to doing more with mobile units, just as we have with the Internet. Wireless e-commerce, financial transactions, and location services bear the brunt of both the promise and the risk of the wireless Web.
Still, folks like Mathius think we will eventually do everything wirelessly.
His question is choosing the instrument: "a phone, a PDA, or some other device?" he asks.