WAP (Wireless Application Protocol) fever is spreading and for very good reasons, according to WAP technology vendors and bankers alike.

Much like the Internet’s TCP/IP protocol is changing the competitive landscape by enabling the creation of new virtual banks, WAP promises to be another strategic channel where customers can check balances, make transactions and receive information from a mobile phone.

Banks not considering a mobile strategy now risk being seen as technological laggards which will lose market share, particularly in this paradoxical era when Internet businesses are not judged by a P/E ratio or other conventional market valuation techniques.

Take the UK Prudential’s Egg, for example: when the time comes for it to be floated, it will make many people rich, even though it has been making a loss from day one. Given the high market valuations of many Internet-only start-ups and the market’s positive sentiments for banks that have online services, banks would be taking on huge risks if they do not provide a WAP mobile phone service.

The hype has grown to a point where, according to Roy Smith, managing director at Brokat: "Banks are buying WAP servers despite not knowing what WAP is or how it will help their organisation." He adds that banks do not want to make the same mistakes as in the past with the Internet – being in the game too little and too late.

Understanding what WAP is and the numerous business models that will evolve between banks and network operators is an important issue. Equally important are the security aspects of WAP-enabled mobile banking because it is directly related to the business models banks will adopt. WAP-enabled mobile banking still has a few barriers to overcome before it becomes the norm. A true public key infrastructure for the mobile environment is difficult to create and needs the proper industry co-operation for a global certificate authority (CA) and its associated technologies (for example, validation system).

A mobile phone also has a short battery life because of the amount of computation power needed to process certificates and limited memory space to store information. The user interface is also difficult to manoeuvre and connection to the Internet is slow.

Still, banks are motivated to provide mobile banking primarily because it allows access to the mass market. For example, MeritaNordbanken is heavily investing in its WAP strategy because it has saturated the customer base that uses PC Internet banking in its domestic market. New segments can be defined, such as traders who make use of real-time news feed and can execute a trade with more convenience and mobility.

A recent report by Financial Times Market Trend and Booz-Allen & Hamilton, Mobile Financial Services, revealed that Europe has some of the highest levels of mobile penetration and per capita usage anywhere in the world, with bullish forecasts predicting one billion global users by 2002. By 2003, worldwide mobile financial services revenue is forecast to reach E20bn. And of this amount, Europe’s share is estimated to be around E4.7bn. Other figures provided by Datamonitor’s report, Next Generation Mobile Devices: The Call of Wireless Data, revealed that, by 2005, 69 per cent (186 million) of mobile subscriptions in Europe will be WAP-enabled. Many of these will be based on General Packet Radio Service and Universal Mobile Telephone Service standards, allowing greater bandwidth mobile data communications than today’s Global System for Mobile Communication networks. Moreover, WAP-enabled device shipments are forecasted to reach more than 144 million a year in Europe by the end of 2005.

According to Datamonitor, the phenomenal growth and size of the mobile data services market is being driven in part by the fact that mobile phones are seen as an essential fashion accessory. Few technological devices have life spans as short as the mobile phone (not necessarily the chip), typically one-and-a-half years. On the brokerage side, figures in a research note by the TowerGroup, Wireless Brokerage Update: Mainstreaming Has Begun, revealed that by the end of next year, wireless traders should number 158,000 in the US; by 2003 this should rise to 449,100.

According to the report, success will come because wireless brokerage is offered as part of a range of "hot" customer services, including banking, credit card authorisations, travel, news and lifestyle options that make it worthwhile turning to a wireless channel.

So what is WAP and how does it allow access on to the Internet? At a basic level, WAP is a series of wireless specifications designed to facilitate the development of networked applications that can be read by virtually any WAP-enabled wireless device. Supported by the WAP consortium – a group of network operators, equipment manufacturers, software vendors and content developers – it aims to be a truly open and global standard. WAP allows developers using WML (Wireless Mark-up Language) to build platform-independent wireless applications.

In a typical WAP solution, data packets from a wireless device pass along a wireless network in WML format to a WAP server/gateway. This then reconfigures the essential data and passes them to a standard HTML (Hypertext Markup Language)-capable web server. Conversely, if HTML data packets need to reach a wireless device, they must first pass through a WAP server/gateway.

A WAP solution usually comes in two parts: a WAP server, which distributes content and applications, and a WAP gateway, which controls access. Depending on the business models adopted by banks, the WAP server and gateway may be offered together or separately.

The "closed" model suggests that banks join forces with network operators to deliver a WAP solution, where both the WAP server and gateway reside on the network operator’s site. By doing this however, it relinquishes control of content and access to the network operators. The balance of power shifts from the bank to the network operators and is problematic because banks risk losing control of their customer relationships. The "open" model suggests that banks should bring the WAP server and/or gateway in-house. By having the technology under one domain name, banks have more control over the customer relationship and security.

In the closed model, when data packets arrive at the WAP gateway, the network operator during the reconfiguration stage unwraps the encryption on the wireless channel that the data packets pass through and re-encrypts the channel for normal Internet access. Encrypting the "pipe" or channel is called sessional layered security. The point at which data packets are received and redistributed by the gateway is called "clear text", and is a flaw because it does not guarantee end-to-end security between WAP-enabled devices and normal web servers.

In the open model, bringing the WAP server and/or gateway in-house means the break in security does not occur because the server and/or gateway is situated in the bank’s protected environment (secured intranet). So there is a compelling case to bring the technology in-house.

However, there are two other ways to overcome this problem. The first involves moving security up to the application layer, and the second uses WPP (Wireless Port Proxy) software. With the first method, the data packets, not the pipe through which data packets are transported, are encrypted. Even if there is a break in the pipe, the data packets cannot be infiltrated.

The second method, using WPP software, means data packets are bounced back from systems that have a "clear text" break and connect only to servers enclosed in a single domain (because messages cannot be sent between WAP gateways). The obvious limitation to this technique is that secure business can be done only between banks that have the WAP server/gateway implemented in-house and excludes businesses that adopt other models.

But this may not be a problem, according to David Clarke, business development manager (European Internet security products) at Hewlett-Packard. He suggests that most banks will adopt the in-house, or open model, because they want to have control over the level of security for transactions and are wary about the security "end-points".

Mr Clarke adds that it is likely that banks will outsource non-transactional information such as business news to create a mobile banking portal. Similarly, John Sims, chief executive officer of Tantau Software, a WAP server provider, said that, in the US, Charles Schwab and Ameritrade have decided to bring their WAP operation for mobile trading in-house because they did not want their customers forming relationships with network operators. But do opportunities exist for other business models to evolve?

Guy Singh, product manager at Baltimore Technologies, a leading Internet security and WAP provider, says there are two possibilities. "For the mass consumer market and the everyday punters, who want seamless interaction with banks for simple transactions, the network operators will likely host the WAP gateway and provide consolidated services by means of a portal, offering various products and services from a range of financial institutions," he says. However, "for corporate users, who make riskier and larger transactions (more valuable customers), banks may want to bring their WAP technology onsite so they can control content and security".

Banks are taking wireless devices seriously but WAP is a relatively new standard. Current solutions are based on proprietary standards such as GSM/SIM toolkit in Europe and the widely popular i-Mode in Japan.

So far, HSBC’s mobile solution is based on GSM/SIM toolkit but First Direct, HSBC’s Internet arm, will launch a WAP solution this summer. Alan Hughes, First Direct’s chief executive, says: "We are the first bank in the world to re-engineer our entire business for the e-age. The scale of the initiative creates a new category of e-banking and sets a benchmark for the industry and the globe. More than a bank, firstdirect.com will be the first Internet banking store."

Recently Australia’s ASB Bank implemented Schlumberger’s SIM toolkit to allow customers to check balances, receive lending and investment rates and receive information on foreign exchange. The Japanese telecom giant, NTT, has more than four million subscribers using the i-Mode standard, which has been widely accepted by the Japanese market.

However, phones using SIM Toolkit or other proprietary standards have pre-written applications on the smart card chip, which need to be replaced once new functions evolve. Unlike the WAP protocol, new applications cannot be downloaded over the air. With the WAP protocol, applications can run on any WAP-enabled phone. The other issue is that proprietary standards operate within an intranet and do not allow customers to connect to the Internet. But banks need something now, so a dual strategy has to emerge whereby they are installing a proprietary solution initially to make the transition to WAP technology much more seamless.

Last year, Singapore’s Overseas Union Bank Securities (OUBS) installed what Tan Khee Huat, its executive director, calls a "semi-WAP solution" to enable stock trading over the Internet. With M1, the Singaporean telco company, WIG (Wireless Internet Gateway) protocol was used as part of OUBS’s overall Internet brokerage offering to enable customers to buy and sell trades, receive price feeds and amend and confirm trades on a mobile phone.

Although the solution uses a business model that gives some control to the telco, Mr Tan says: "We wanted to be first to provide this solution, and last year WAP technology was not available, so we had to go with the best solution available at the time."

He adds: "Now that we have the infrastructure in place for wireless trading, upgrading to WAP is relatively easy and we plan to do so in the near future."

Mr Tan adds that mobile trading is limited to younger and more technology savvy people because working with a small interface requires a degree of patience, know how and initial enthusiam for the technology. Because of the recent link-up between Singapore’s banks and the stock exchange with the VTI (Virtual Terminal Interface), Singaporeans can perform both Internet and mobile trading directly with the exchange.

In the past couple of months, leading WAP integrators and providers such as US-based Tantau, Baltimore Technologies, S1, IBM have been presenting their own solutions with a common theme for the financial services sector: online security. Like Internet PC banking, when dealing with financial transactions, emphasis is usually placed on public key infrastructure (PKI) and its associated procedures and asymmetric encryption technology.

PKI fosters confidentiality by using a combination of DES (data encryption standard – symmetric encryption) and RSA (Rivest Shamir Adelman – asymmetric encryption) standards to prevent data packets from being "cracked" into or stolen during transmission. Because hackers are able to set-up a site that "spoofs" or pretends to be a bank, PKI enables authentication by proving the identity of a person or institution with a digital certificate. It also provides integrity because digital signatures are used to sign an electronic document; and in a non-repudiation situation, digital signatures make a person or institution accountable for a transaction and ensure they do not go back on their word.

Most of these precautions are needed in an Internet environment and, since WAP enables mobile phones to access it, a robust security solution is needed.

In a PKI solution that incorporates asymmetric encryption, a customer would buy a WAP phone that carries a dual smart card slot: one for normal mobile use and a second, called a WIM (wireless identity module), which stores the private and public keys. The customer would then have to register their public key with a CA (likely a bank that provides mobile banking). In a typical transaction, the bank uses the customer’s registered public key to encrypt a message and send it to them. When the customer receives the encrypted message, they then use their private key to decrypt the message. Likewise, when sending a message to the bank, the bank uses the customer’s public key to decrypt the incoming message.

To some degree, a PKI solution is easier to implement with mobile phones because they already have a security infrastructure (smart card reader), and newer phones will be equipped with a WIM slot. Also a WAP PKI solution will continue to use existing x509 digital certificates (currently used in e-commerce solutions) so new digital certificate standards are not needed. However, the challenge still lies in completing a true PKI system by having a wireless version of a validation system.

Baltimore Technologies is in the forefront in this area and is in discussions with ValiCert, a validation authority in search for a remedy. Baltimore’s chief engineer is also helping the WAP forum write the next version of WTSL (wireless transport security layer) specifications, the equivalent of SSL (secure sockets layer) currently embedded in many web browsers for securing e-commerce.

The other issue is that a mobile phone has limited battery life and memory. Given that many certificates need to be processed and stored on the smart card, it would drain the battery on the phone very quickly. Baltimore has a solution where these certificates can be stored at a specified URL (Uniform Resource Locator), whereby users can point to and retrieve the certificates.

Because these certificates are not stored on the phone, it reduces computation and thus should solve the battery life problem.

Also, with the advent of General Packet Radio Service (GPRS), connection speed to the Internet with a mobile phone should reach 56 kbps (kilobits per second) with maximum configuration reaching 171.2 kbps, three times faster than the normal land-line connections. This will allow consumers continuous connection to news feeds and real-time data, instead of having to press the connect button to access.

First-e group has announced it is merging with Uno-e, the Banco Bilbao Vizcaya Argentaria (BBVA) and Terra Networks-backed Spanish Internet bank, to create the world’s first global Internet banking group – unofirst group. The deal, valued at £1.5bn ($2bn), will enable the group to give customers better value. At a press conference last month, Gerhard Huber, chief executive of the new venture, said part of this value will be gained by expanding into different services and products, including mobile commerce.

Dr Huber said Internet banking is about gaining market share initially and he expects to turn a profit soon after it has completed its expansion into America, Latin America, and Asia.

The race to be the biggest and best Internet presence is heating up. The advent of WAP as a global standard for mobile banking will surely intensify the competitive landscape by providing another strategic medium to access the mass market. However, it will be interesting to see which mobile standards will be accepted, especially when Microsoft and Ericsson have recently announced they are developing ways to bypass a WAP server and directly translate HTML into mobile format.

Similarly, IBM’s WebSphere Transcoding Publisher can translate data and applications written in the standard mark-up languages of the Web – HTML and XML – to other formats, such as WML.

Meanwhile, the combination of reduced transaction costs, increased goodwill via market valuation and perception, and customer demand seems to be the main drivers implementing a WAP mobile phone strategy.

But WAP too is at a nascent stage and these strategies and technologies still need some time to evolve. With time, banks will decide on the business models that suit them, and technological hindrances such as connection and bandwidth speed, wireless security specifications and battery life are likely to be resolved.

The rate at which Internet businesses are being created is phenomenal, and banks that are first to market with the right mix of technologies, strategies and partnerships will be the winners.

PLEASE ENTER YOUR DETAILS TO WATCH THIS VIDEO

All fields are mandatory

The Banker is a service from the Financial Times. The Financial Times Ltd takes your privacy seriously.

Choose how you want us to contact you.

Invites and Offers from The Banker

Receive exclusive personalised event invitations, carefully curated offers and promotions from The Banker



For more information about how we use your data, please refer to our privacy and cookie policies.

Terms and conditions

Join our community

The Banker on Twitter