Rec. ITU-T X.1149 (05/2020) Security framework of an open platform for FinTech services
Summary
History
FOREWORD
Table of Contents
1 Scope
2 References
3 Definitions
     3.1 Terms defined elsewhere
     3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Overview
     6.1 FinTech and security
     6.2 Open platform
7 Reference architectures for FinTech services
     7.1 Architecture of digital financial service provided by traditional financial companies
     7.2 Architecture with FinTech service providers
     7.3 Open platform for FinTech services
8 Threats and vulnerabilities of open platform
     8.1 Threats
          8.1.1 Account aggregation
          8.1.2 Account creation
          8.1.3 Advertisement fraud
          8.1.4 CAPTCHA defeat
          8.1.5 Card cracking
          8.1.6 Carding
          8.1.7 Cashing out
          8.1.8 Credential cracking
          8.1.9 Credential stuffing
          8.1.10 Denial of inventory
          8.1.11 Denial of service
          8.1.12 Expediting
          8.1.13 Fingerprinting
          8.1.14 Footprinting
          8.1.15 Scalping
          8.1.16 Scraping
          8.1.17 Skewing
          8.1.18 Sniping
          8.1.19 Spamming
          8.1.20 Token cracking
          8.1.21 Vulnerability scanning
          8.1.22 Unauthorized access
     8.2 Vulnerabilities
          8.2.1 Glibc vulnerability
          8.2.2 Quadrooter
          8.2.3 Drown attack
          8.2.4 Zero-day attack vulnerability
          8.2.5 Database vulnerability
          8.2.6 Operating system kernel vulnerability
          8.2.7 OpenJDK vulnerability
9 Open API usage procedure for FinTech services
10 Security requirements for open platform of FinTech services
     10.1 Security requirements to financial companies
          10.1.1 Authentication to use open APIs
               10.1.1.1 Appropriateness of entity authentication
               10.1.1.2 Appropriateness of FinTech company authentication
               10.1.1.3 Appropriateness of high risk electronic financial transaction authentication
               10.1.1.4 Appropriateness of authorization when handling API access request
               10.1.1.5 API server authentication
               10.1.1.6 User authentication bypass prevention
               10.1.1.7 Mitigating risks of leakage of access keys
               10.1.1.8 Avoid guessing FinTech company's authentication information
               10.1.1.9 Authentication and transaction record management
               10.1.1.10 Authentication key management
          10.1.2 Confidentiality and integrity of transaction information
               10.1.2.1 Confidentiality of transaction information
               10.1.2.2 Integrity of transaction information
               10.1.2.3 Use a secure cryptographic algorithm
               10.1.2.4 Secure key management
               10.1.2.5 Secure cryptographic program management
          10.1.3 Information processing system protection measures
               10.1.3.1 Designation and operation of managers and administrators
               10.1.3.2 Perform critical patches
               10.1.3.3 Additional authentication for operating system account
               10.1.3.4 Key terminal protection
               10.1.3.5 Prevention of server hacking
               10.1.3.6 Security verification and vulnerability check
               10.1.3.7 Open server installation and access control
               10.1.3.8 Response to FinTech company's infringement incidents
          10.1.4 User terminal protection
               10.1.4.1 Input information protection
               10.1.4.2 FinTech company's user terminal protection
          10.1.5 Information leakage prevention
               10.1.5.1 Access account management
               10.1.5.2 Information system log preservation and analysis
               10.1.5.3 Information leakage prevention
          10.1.6 Countermeasures against abnormal financial transactions
               10.1.6.1 Monitoring and detection of abnormal financial transactions
               10.1.6.2 Respond when anomalous financial transactions are detected
               10.1.6.3 Notification of important transactions to user
          10.1.7 System availability and emergency measures
               10.1.7.1 Establishment of work continuity plan
               10.1.7.2 Redundancy of main computer equipment
               10.1.7.3 Backup and dispersion management
          10.1.8 Physical access control to FinTech company's facilities
               10.1.8.1 Physical access control to FinTech company's facilities
     10.2 Security requirements to FinTech companies
          10.2.1 Information security policy and organization
               10.2.1.1 Appointment of chief information security officer and his supporting team
               10.2.1.2 Establishment and announcement of information security policy
          10.2.2 Outsider management
               10.2.2.1 Selection and management of consigner
          10.2.3 Information asset management
               10.2.3.1 Identification and rating of information assets
               10.2.3.2 Designation of a responsible person for an information asset
          10.2.4 Information security education
               10.2.4.1 Establishment and execution of information security education plan
               10.2.4.2 Information security education for practitioners
          10.2.5 Human resource security
               10.2.5.1 Confidentiality agreement
               10.2.5.2 Separation of duties
               10.2.5.3 Retirement and job change management
          10.2.6 Risk management
               10.2.6.1 Establishing vulnerability inspection policy and carrying out inspection
          10.2.7 Infringement incident response
               10.2.7.1 Procedures for responding to infringement and education
               10.2.7.2 Preservation and monitoring of logs related to incident response
          10.2.8 Fault response
               10.2.8.1 Establishing backup policy and establish recovery procedures
          10.2.9 User protection
               10.2.9.1 Protection of users related to personal information processing
               10.2.9.2 Notification to accessing personal and credit information and trading orders
               10.2.9.3 Establishing and disclosing policy for handling user grievance
               10.2.9.4 Notification of user security precautions
          10.2.10 Physical security
               10.2.10.1 Designation of protected areas and access control
               10.2.10.2 Import and export management of protected areas
               10.2.10.3 Establish and execute an office environmental security policy
          10.2.11 Security of system development
               10.2.11.1 Identify and reflect security requirements in system design stage
               10.2.11.2 Secure coding and security vulnerability check and correction
               10.2.11.3 Restrictions on use of user personal and credit information in testing
               10.2.11.4 Access and change control for source programs and computer ledgers
          10.2.12 Password control
               10.2.12.1 Establish and execute a sensitive information encryption policy
          10.2.13 Access control
               10.2.13.1 Management of critical information asset accounts and access rights
               10.2.13.2 Key terminal assignment and access control
          10.2.14 System security
               10.2.14.1 Prevention of malware infection and information leakage of critical systems
               10.2.14.2 Remote management control through Internet
               10.2.14.3 Removal of functions, programs, and ports other than critical system purpose
               10.2.14.4 Independent operation of critical server and application of information protection system
               10.2.14.5 Public web server protection measures
               10.2.14.6 Establishment and implementation of security patch application guidelines
          10.2.15 Network security
               10.2.15.1 DMZ segment configuration
               10.2.15.2 Internal network private IP utilization and main system deployment
               10.2.15.3 Minimize use of wireless networks and establish security measures for applications
               10.2.15.4 Secure communication with external organizations
Appendix I Use cases of open application programming interface
     I.1 Useful points about APIs
     I.2 Use cases (business models) using open APIs
          I.2.1 Platform as a service
          I.2.2 Online payment
          I.2.3 E-commerce
          I.2.4 User relationship management
          I.2.5 Metadata for electronic media
          I.2.6 Connectivity between apps and devices
Bibliography