Digital Financial Services Security Clinic - Pakistan


The main objectives of the DFS Security Clinic are to share with regulators and DFS providers the findings and recommendations of the FIGI Security Infrastructure and Trust working group on addressing security challenges for digital finance.

The event provided insights into security best practices for SIM swaps and for mobile payment applications operating on USSD, STK and Android, the methodology for testing the security of mobile payment applications, and ways of addressing infrastructure vulnerabilities such as SS7. The participants of the event:

  • Learned about the different infrastructure and application vulnerabilities within the DFS ecosystem.
  • Learned about the DFS security assurance framework, security governance and how to manage security risks in the DFS ecosystem.
  • Learned how to mitigate DFS threats and how to perform continuous assessments of DFS security to ensure applicable controls are in place to mitigate threats and vulnerabilities.
  • Learned about the recommendations for regulators on SS7 vulnerabilities, SIM swap fraud and application security best practices. 
Target audience: The security clinic is intended for IT security professionals, security auditors and policymakers from the telecom/ICT regulator and Central Bank/Financial Regulator.

Watch recordings here:

Programme


Day 1: 12 April 2022

11:00 - 11:10
UTC+05

Opening remarks
  • Ms. Sima Kamil, Deputy Governor, State Bank of Pakistan
11:10 - 12:00
UTC+05
DFS security vulnerabilities: USSD, STK and Android platform vulnerabilities

This session introduced the ITU DFS security lab and highlighted the vulnerabilities of USSD-, STK- and Android-based applications. Threats such as man-in-the-middle attacks that could impact digital financial services and the Simjacker vulnerability in SIM cards were discussed. The session also provided an overview of the security tests that can be undertaken in the DFS Security Lab at ITU.
  • "Introduction to ITU DFS security lab" Vijay Mauree, Programme Coordinator, TSB, ITU [Presentation]
  • "Android, USSD and STK vulnerabilities" Arnold Kibuuka, Project Officer, TSB, ITU [Presentation]
Related Reports: 
12:00 - 12:05
UTC+05
Break
12:05 - 13:00
UTC+05
SIM and Infrastructure vulnerabilities: mitigation guidance for regulators

Telecom infrastructure vulnerabilities such as SS7 can be exploited by an intruder to intercept calls and SMSs, bypass billing, steal money from mobile money accounts, or affect mobile network operations. This session focused on a summary of the key ITU DFS recommendations on DFS security, especially on SS7, SIM swaps, SIM recycling and SIM vulnerabilities such as Simjacker that could be used to compromise DFS.
Related Reports:

Day 2: 13 April 2022

11:00 - 11:50
UTC+05
DFS Security Assurance Framework

This session discussed the DFS security assurance framework that can be implemented by DFS providers to better manage the risks and mitigate their impact.
  • Vijay Mauree, Programme Coordinator, TSB, ITU [Presentation]
Related Reports:
11:50 - 11:55
UTC+05
Break
11:55 - 12:10
UTC+05
DFS security audit guideline

The session covered how a Regulator or DFS provider can assess compliance with the minimum security controls using the DFS audit guideline.
Related Report:
12:10 - 13:00
UTC+05
Participant Exercise: Implementing the DFS security assurance framework and security audit for DFS

This was a hands-on session focusing on initiating the process to implement the DFS security assurance framework. The stakeholders were involved in an exercise on applying the DFS security assurance framework and the DFS audit guideline. [Presentation]
