362 U. Varshney et al.

move in and out of multiple wireless networks, and many US wireless networks do not authenticate a particular user to a particular device [6]. In addition to these, many more security issues arise due to poor implementation, feature interactions, unplanned growth and new flaws that are created due to prior attacks (Figure 5).

Figure 5 Security issues in the wireless enterprise environment

Several US-based financial companies and associated vendors in the financial services technology corporation (FSTC) are working on implementing the end-to-end transaction support for financial applications involving mobile devices, wireless networks and financial institutions [7]. One of the major hurdles is end-to-end encryption, which is not widely available but could become possible with widespread deployment and use of wireless application protocol (WAP) 2.0. There is some support for security in mobile middleware. For example, WAP provides security using a wireless transport security layer (WTLS), but it does not result in end-to-end security (only between device and WAP gateway). The translation between secure socket layer (SSL) and WTLS occurs at the WAP gateway, which is vulnerable to denial of service (DoS) attacks as malicious WML script may run on a device, making other existing security techniques (signing, authentication and encryption) less effective, as shown in [6].

WAP 1.0 requires a proxy/WAP gateway; however, WAP 2.0, released recently, does not. It uses WML2, based on XHTML, and thus does not require a proxy or gateway. However, for push operation, improved services and optimised communications, a WAP proxy is still necessary. It also supports a variety of user interfaces and standard internet protocols such as TCP/IP and HTTP. It is possible to add some security features for financial services as GSM supports both user (PIN) and device authentication (SSL). Finnish wireless provider Sonera is offering PKI on a SIM card. Another possibility is wireless PKI (WPKI), a system that manages keys and certificates and requires the user to enter two PINs (authentication and digital signature). The WPKI is used in WTLS to support two-way authentication (anonymous, class 1; server, class 2; user, class 3)
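The WTLS-to-SSL translation at the WAP gateway described above can be modelled as follows. This is an added example, not code from the paper: `seal`/`unseal` are toy stand-ins for WTLS and SSL record protection, and `Gateway`, `send` and `demo` are hypothetical names. It contrasts what sits in gateway memory when only the two hops are protected with what sits there when the payload is also sealed end to end.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # SHA-256 in counter mode as a keystream; illustration only
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, msg):
    """Toy encrypt-then-MAC record, standing in for WTLS or SSL (assumption)."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Gateway:
    """WAP gateway: terminates WTLS from the device, opens SSL to the server."""
    def __init__(self, wtls_key, ssl_key):
        self.wtls_key, self.ssl_key = wtls_key, ssl_key
        self.seen = []  # bytes held in gateway memory during translation

    def translate(self, wtls_record):
        inner = unseal(self.wtls_key, wtls_record)  # WTLS protection ends here
        self.seen.append(inner)
        return seal(self.ssl_key, inner)            # SSL protection starts here

def send(payload, gw, wtls_key, ssl_key, e2e_key=None):
    """Device -> gateway -> server; with e2e_key the payload is sealed first."""
    body = seal(e2e_key, payload) if e2e_key else payload
    at_server = unseal(ssl_key, gw.translate(seal(wtls_key, body)))
    return unseal(e2e_key, at_server) if e2e_key else at_server

def demo():
    wtls_key, ssl_key, e2e_key = (os.urandom(32) for _ in range(3))
    order = b"TRANSFER 250.00 TO ACCT 0001 (constructed sample)"
    gw = Gateway(wtls_key, ssl_key)
    hop_by_hop = send(order, gw, wtls_key, ssl_key)           # WAP 1.x style
    end_to_end = send(order, gw, wtls_key, ssl_key, e2e_key)  # extra layer
    return order, hop_by_hop, end_to_end, gw.seen

if __name__ == "__main__":
    order, _, _, seen = demo()
    print("gateway saw plaintext:", seen[0] == order, "| with e2e:", seen[1] == order)
```

In both runs the server recovers the order, but only in the first does the gateway hold it in the clear.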