Wireless Security Still in its Infancy

Jan. 31, 2005 -- More Americans than ever are using mobile technology, from sophisticated cell phones to hand-held personal digital assistants to laptop computers. And millions of people now do their banking online. But the convergence of these trends raises a key question: Is your money safe in the wireless world?

After all, wireless banking -- as opposed to online banking performed through a personal computer wired to the Internet -- could offer even more convenience for consumers. But using a cell phone or PDA, or a wireless connection for a laptop, introduces a brand new set of security issues into the banking arena.

Despite some enthusiastic forecasts from technologists, the adoption of wireless banking has been a gradual process -- perhaps in part due to the security concerns. About 1.5 million adults made banking transactions using a "smart" cell phone or PDA in the last year, according to Gartner Inc., a technology research firm in Stamford, Conn. That represents a little less than 1 percent of all transactions with financial institutions.

Still, as smart cell phones proliferate -- research firm IDC of Framingham, Mass., projects U.S. sales will increase from nearly 5 million in 2004 to 35 million by 2008 -- the range of banking services available online seems likely to increase as well, as most major banks have introduced wireless initiatives within the last five years.

The most common current use for wireless banking appears to be consumer alerts -- messages notifying customers about things such as their account balances, lists of transactions, updates about the stock market or portfolio summaries. Wachovia, the nation's fourth-largest bank, based in Charlotte, N.C., sends out 1.9 million alerts to customers every day. Of these, 30 percent are viewed on wireless devices.

Wireless Transaction Still Limited

Still, industry observers note wireless banking has its limitations -- or at least will until the day someone invents a cell phone capable of dispensing a crisp set of $20 bills. "For different types of transactions, there are different types of channels," says Avivah Litan, an analyst at Gartner. "People go into banks to make deposits or get loans, they use ATMs to withdraw cash, and there is a demand to track balances, transfer funds and pay bills online."

Current wireless banking customers tend to be "professionals, people who travel a lot and need to access their account from different places," says Ilieva Ageenko, Wachovia's director of emerging enterprise applications. But in the long run, adds Ageenko, banks will need to provide services for the "newer generation" of young adults who have grown up with cell phones and will expect a wider range of functions from their mobile devices.

To do so, banks will have to tackle two main areas of concern when it comes to wireless banking security. One is the security of cell phones and other mobile devices, which are often too small to devote much computing power to security tools and could be vulnerable to a variety of attacks.

The other issue involves the potential vulnerability of wireless local area networks, including those using the popular 802.11 standard network. This pertains to people using a regular laptop computer to access the Internet, anywhere from airports to a local café.

Cell Phone Security Minimal

Despite only minimal built-in security in cell phones, most users are free from the threat of hacking because the devices are not used for elaborate financial applications -- and because wireless transactions still represent a minority of online banking business. This means there is less incentive for thieves or hackers to target the devices.

"The main difficulty for a miscreant at this point is that there's not a heck of a lot there," says Joshua Lackey, who works at IBM as an "ethical hacker" -- a security analyst hired by the firm's clients to see if he can penetrate their computer networks.

"As of today, the phones really aren't quite smart enough for the attacker to get a foothold. But that's certainly changing," Lackey said.

In recent weeks, the Gavno.a virus, which targets Nokia smart phones and prevents them from making calls, has gained notoriety as one of the first viruses aimed at mobile devices.

Typical Safety Measures Recommended

What can be done? To keep a cell phone safe from viruses, the cardinal rule of PC safety applies: Be wary of what you download.

To guard against hackers trying to obtain valuable data, financial institutions have developed a variety of security procedures. Some use authentication tokens, which contain unique information for each user, while others may ask a consumer for a basic password, then send a unique, one-time only password for each transaction.

Banks themselves are still examining numerous authentication procedures.

"If you think about wireless, we might say it's like the early days in the Internet when the technology was still being worked out," says Penny Gillespie, an analyst for Forrester Research, based in Arlington, Va.

Industry observers suggest consumers should welcome these extra layers of security and be informed about their bank's policies and procedures before using wireless banking. Consumer guidance from the Federal Reserve Bank of New York, for instance, includes making sure you receive a confirmation number for each transaction, in case your cell phone call is interrupted before being completed.

When dealing with wireless networks, especially of the 802.11 standard, different problems can crop up. At issue is not only the security of the computing devices -- in this case, laptops -- but the safety of local wireless networks themselves. In recent years, many wireless networks have been shored up using a security protocol called Wired Equivalent Privacy, which limits access to those with the right passwords. But WEP is now known to be vulnerable.

"WEP is totally broken," says Lackey. He estimates a good hacker with the right tools could penetrate a WEP-protected network in a couple of hours. The good news is that WEP may still discourage hackers looking for easier targets, while stronger replacement protocols have been developed, including Wi-Fi Protected Access. Lackey's suggestion for firms with wireless networks: "Make sure you're running something that is WPA compliant."

Individuals Face Different Problems

For individuals logging onto a wireless network, whether conducting company business or making a personal transaction, Lackey suggests another approach: Since most wireless networks cannot be completely insulated from hackers, ramp up security on your own computer. "For any type of information you would like to keep secure or confidential, including banking, you should be using another layer of encryption," says Lackey.

Check to see you are using an HTTPS connection to the Internet (as signified by the small lock on your browser window). Internet transactions are enabled by security certificates sent from your financial institution to your computer, so be alert for messages telling you the origin of a certificate is "unknown" -- it could be a fake generated by a fraudster. Finally, guard against the same privacy threats facing desktop PCs: Spyware or keystroke logging tools monitoring computer use. There are numerous anti-spyware programs on the market.

Ultimately, there is no magic bullet to keep wireless banking safe, just a set of common-sense rules, from upgrading security to monitoring your accounts closely. By adding multiple layers of security to wireless banking, consumers can deter hackers who consider totally unsecured targets a better investment of time and energy. Wireless banking may offer convenience, but that does not mean consumers should abandon caution.