BBC News World Edition
Thursday, 26 October, 2000, 13:21 GMT 14:21 UK
M-commerce fraud fears
By BBC News Online's Orla Ryan

First Barclays, then Egg.

News of security scares at some of Britain's leading online banks earlier this year damaged consumer confidence in e-commerce.

Commerce on the mobile internet - m-commerce - is still in its infancy and if it is to gain momentum, consumers need to have confidence in the system's security.

Industry observers say securing the mobile internet won't be easy and opinions are mixed as to whether it will ultimately pose greater risks than the fixed-line internet.

Out of thin air

The requirements for protecting m-commerce transactions are similar to those for protecting fixed-line transactions - sensitive data must be secured during transmission.

With the mobile internet, fear exists that a fraudster can literally pluck sensitive information out of the air.

As yet, there have been no reported incidents of security breaches on m-commerce services but some experts warn that gaps exist where it is easier for hackers to access data.

Messages sent from a Wap handset to the server of, for example, an online bank, go through three stages, says Yag Kanani, partner in charge of the secure e-Business practice (EMEA) at Deloitte Consulting.

First, the message crosses the GSM telephone network to a Wap gateway. There it is decrypted from its Wap language and re-encrypted to make it intelligible for the bank's computer systems. Then it is transmitted from the Wap gateway through either the public internet or a private network to finally reach the bank.

Many net security companies agree that this so-called "wap gap" could be a problem.

Ed Wood, director of product marketing with software firm nCipher, agrees that there "is quite a complicated path from your handset all the way through to the merchant. There are potentially more points where information has to be decrypted and reencrypted."

Plugging the gap

How much longer this will remain a problem is unclear.

When third generation mobile phones become widely available, they could use Wap standards or an internet protocol.

If they use Wap standards, the gap still exists, albeit at a different point, some argue.

The use of an open protocol - instead of the Wap standard - might plug the Wap gap but may increase the potential for other sorts of malicious activity, such as viruses.

nCipher's Ed Wood says that "third generation plugs a whole bunch of holes and flaws".

Others warn that the greater capability of next generation phones could pose greater risks.

Buchanan International's director of e-security, Mark Shaw, warns that these phones may be more insecure than Wap phones, as they will "have the same sort of utility as a small PC".

"Some would say there is always going to be a technology gap," he says, referring to the constant updating of security to meet the demands of evolving technology.

Who are you?

Just as with the fixed line internet, authenticating a user's identity may be the next hurdle at which demand for m-commerce services could fall.

John Fallon, director of wireless at Baltimore Technology, believes that end-to-end authentication could be a greater concern than end-to-end encryption.

Baltimore has sealed a deal with Motorola, allowing the US mobile phone company to use its digital certificates to check people's identity.

So is m-banking safe?

One of the earliest mobile banking services in the UK is that offered by Woolwich on Vodafone phones.

While banking via a mobile phone is at present as secure as internet banking, its security could in time surpass that of the fixed-line internet, Vodafone argues.

"In the near future, we will be able to allocate users private keys in association with the SIM card contained within the handset," a spokeswoman said. This would provide strong client authentication.

But that is still in the future, and potential users of m-commerce may wait for such strong assurances from their service providers.

Until then, it is doubtful whether enough people will use m-commerce services to make them profitable.


