
DFS Security Clinic - Addressing security risks to digital finance ecosystem


The International Telecommunication Union organized an online Digital Financial Services Security Clinic jointly with the East African Communications Organization (EACO) from 30 - 31 March 2022 titled: "Addressing security risks to digital finance ecosystem". 

The main objectives of the DFS Security Clinic are to share the findings and recommendations of the FIGI Security Infrastructure and Trust working group with regulators and DFS providers on addressing the security challenges of digital finance. The event provided insights into security best practices for SIM swaps, mobile payment applications operating on USSD, STK and Android, a methodology for testing the security of mobile payment applications, and addressing infrastructure vulnerabilities such as SS7.

Under the Financial Inclusion Global Initiative (FIGI) programme, the ITU set up a DFS Security Lab in November 2020 to work in collaboration with DFS regulators on adopting a common methodology to manage security risks and conduct security audits of DFS applications. The objectives of the ITU DFS Security Lab are as follows:
  • Support regulators to implement DFS security recommendations from FIGI.
  • Conduct security audits on DFS applications (i.e., USSD, STK and Android DFS applications).
  • Provide guidance on managing the DFS ecosystem security risks and mitigation measures.
  • Organize security clinics targeting DFS regulators and providers to stay up to date with new vulnerabilities and mitigation measures.
  • Conduct assessments on cyber preparedness among the DFS ecosystem stakeholders on responding to cybersecurity incidents targeting digital finance.
  • Provide a neutral platform to share knowledge on security incidents and vulnerabilities in digital finance.
Key guidelines and recommendations for regulators on DFS security:
The intended audience for the DFS Security Clinic was IT security professionals and policymakers from telecom/ICT regulators, DFS providers, central banks and mobile network operators.

Note: The times indicated below are in East Africa Time (UTC+3).

Watch recording here:

30 March 2022

Programme


Day 1: 30 March 2022

10:00 - 10:20 UTC+03
Opening and Welcome Remarks
  • Bilel Jamoussi, Chief of Study Groups Department, TSB, ITU
  • Ally Yahaya Simba, Executive Secretary, EACO

10:20 - 11:50 UTC+03
DFS security vulnerabilities: Infrastructure vulnerabilities and mitigation measures (Mobile infrastructure vulnerabilities)

Telecom infrastructure vulnerabilities such as SS7 can be exploited by an intruder to intercept calls and SMSs, bypass billing, steal money from mobile money accounts, or affect mobile network operations. This session presented the main findings of the Security, Infrastructure and Trust Working Group on securing the infrastructure against SS7 vulnerabilities and threats.
  • "Signalling Security": Faaez Burney & Karel Van Der Lecq, Adaptive Mobile
  • "SS7 Security: What regulators need to do?": Assaf Klinger, Klinger Consulting [Presentation]
Related Report:

11:50 - 12:00 UTC+03
Coffee Break

12:00 - 13:00 UTC+03
DFS security vulnerabilities: USSD, STK and Android platform vulnerabilities

This session introduced the ITU DFS Security Lab and highlighted the vulnerabilities of USSD-, STK- and Android-based applications. Threats such as man-in-the-middle attacks that could impact digital financial services, and the Simjacker vulnerability in SIM cards, were discussed. The session also provided an overview of the security tests that can be undertaken in the DFS Security Lab at ITU.
  • "Introduction to ITU DFS security lab": Vijay Mauree, Programme Coordinator, TSB, ITU [Presentation]
  • "Android, USSD and STK tests": Arnold Kibuuka, Project Officer, TSB, ITU [Presentation]
Related Reports:

Day 2: 31 March 2022

10:00 - 11:15 UTC+03
DFS Security Assurance Framework

This session discussed the DFS security assurance framework that DFS providers can implement to better manage their risks and mitigate their impact.
  • Vijay Mauree, Programme Coordinator, TSB, ITU [Presentation]
Related Report:

11:15 - 11:25 UTC+03
Coffee Break

11:25 - 12:00 UTC+03
DFS security audit guideline

The session covered how a regulator or DFS provider can assess compliance with the minimum security controls using the DFS audit guideline.
Related Report:

12:00 - 13:00 UTC+03
Implementing the DFS security recommendations and security audits for DFS

An interactive session focused on initiating the process to implement the DFS security recommendations and identifying the DFS mobile money applications that could be tested at the ITU DFS Security Lab.
