


FIGI Security Clinic: Securing the infrastructure and applications for digital financial services
Geneva Switzerland, 4-5 December 2019


Wednesday, 4 December 2019

08:00 - 09:30 Registration
09:30 - 10:00 Welcome and Opening Remarks
10:00 - 10:15 FIGI Security, Infrastructure and Trust (SIT) Working Group Overview and Outcomes
10:15 - 10:40 Coffee Break + Group Photo
10:40 - 12:15 INFRASTRUCTURE SECURITY: Securing the DFS Applications and Infrastructure

SS7 vulnerabilities can be exploited by an intruder to intercept calls and SMSs, bypass billing, steal money from mobile accounts, or affect mobile network operations. In addition, vulnerabilities in DFS applications can also lead to hackers being able to obtain unauthorized access to consumer data if not properly addressed. This session will present the main findings of the Security, Infrastructure and Trust Working Group on securing the vulnerabilities and threats to the DFS Infrastructure (i.e. SS7 Vulnerabilities) and the work that is taking place in ITU-T Study Group 11 and other industry consortia to address this issue.

Moderator: Leon Perlman, Columbia University

12:15 - 13:15 Lunch Break
13:15 - 14:45 AUTHENTICATION: Strong authentication frameworks for seamless user experience in DFS

Strong consumer authentication frameworks are becoming the norm for financial services. This session will consider the various authentication frameworks as well as emerging ones based on decentralized identifiers to leverage digital ID infrastructure and provide a seamless user experience (i.e. without needing to remember passwords). The session will consider authentication frameworks based on FIDO, Mobile Connect and decentralised identifiers with examples for financial inclusion.

Moderator: Vijay Mauree, TSB, ITU 
14:45 - 16:15 DLT SECURITY: Security of Distributed Ledger Technologies for Digital Financial Services

Distributed Ledger Technologies (DLTs) could be a game changer in financial services. This session will consider the research of the Security, Infrastructure and Trust WG on the security of distributed ledger technologies and will provide a deep dive on the security of public permissioned and private blockchains, security of smart contracts, how DLTs can protect integrity of the information and privacy of consumer data and the measures for mitigating the impact of the security risks.

Moderator: TBC
16:15 - 16:30 Coffee Break
16:30 - 18:00 SECURITY ASSURANCE FRAMEWORK: Managing Risks in Digital Financial Services

DFS providers should put in place adequate measures to address the security threats and vulnerabilities and demonstrate compliance against regulatory measures. This session will consider the various threats and vulnerabilities that can impact the confidentiality, integrity and availability of digital financial services from a value chain perspective. The session will also highlight mitigation measures that DFS providers can implement to reduce the impact of these risks and discuss a framework that can be implemented by DFS providers to better manage the risks and show compliance.

Moderator: Leon Perlman, Columbia University 
18:00 - 18:20 Closing Session
18:30 Networking Reception

 *To be confirmed

 Thursday, 5 December 2019

Day 2 - Security Clinics

08:30 - 09:30 Registration
09:30 - 10:45 Deploying Decentralized ID Authentication in DFS

Part I: Introduction

This session covers the limitations of centralized identity systems and lays down the principles of decentralized identity and its role in enabling DFS systems. The session will review distributed ledger technology and its role in establishing trust frameworks.

Tracking Crypto Ponzi Schemes

Part I:  Introduction

Participants will learn and receive tools to investigate Ponzi schemes that use crypto-currency. The tools that will be provided in this bootcamp will enable the participants to track the crypto deposits made to the Ponzi and plot their course until they are converted to fiat and exfiltrated out through an exchange, where forfeiture of funds can be performed. Tracking the money to its endpoint will enable regulators and law enforcement to potentially de-anonymize the operators of the Ponzi. The goal of this session is that every participant will have successfully used the tools to track a Ponzi scheme and find its endpoints.



App. Security Framework for DFS

Part I: What is an App. Security Framework 
This session aims to build a common understanding of the issues related to the security of mobile payment applications.
The protection of sensitive data, such as user credentials and private information, is a key focus in mobile payment security. Mobile devices can be lost or stolen more easily compared to other types of devices. In that case, additional protection can be implemented to make retrieving the sensitive data more difficult. The session will discuss the best practices that developers need to observe when developing mobile payment apps and also discuss a template for an app security policy framework that can be adopted by DFS providers and financial service providers.


Fast Identity Online (FIDO):

Part I: Why Multi Factor Authentication is not enough 
This session looks at the security issues facing current identity management systems that rely on the use of passwords and multi-factor authentication. The session will look at various security threats and at methods based on FIDO Alliance technology that can be used to enhance security. The session will also include an overview of FIDO and how it works.


10:45 - 11:00 Coffee Break
11:00 - 13:00 Deploying Decentralized ID Authentication in DFS

Part II: Standard Based Component of Decentralized Identity System and relation to DFS

Decentralized identity is being standardized in many bodies in order to enable a consistent and interoperable implementation. This session provides an overview of the essential core technology which will enable a secure and interoperable decentralized identity solution that works well with DFS. The session will cover verifiable claims, distributed ledgers, decentralized identifiers and zero-knowledge proofs.

Tracking Crypto Ponzi Schemes

Part II: Know your block explorer, how to use and how to analyze transactions

In this session, the participants will learn how to use block explorers (online tools) and will receive a tutorial on how to track a crypto Ponzi using these tools.



App. Security Framework for DFS (continued)

Part II: Application Security Testing

This session will discuss how the security of applications can be assessed. We examine tools and software frameworks that can be used for performing analysis of application code and interfaces, including a walkthrough of how such an assessment of a smartphone application can occur in practice, as well as a discussion of vulnerabilities seen in practice.

Fast Identity Online (FIDO)

Part II: FIDO 2 Overview and use cases

This session will provide an overview of FIDO2 and how it works. It details use cases and support for FIDO2 in the industry. The use of FIDO2 with varying identity assurance schemes in support of Digital Financial transactions (DFS) systems will be discussed.
13:00 - 14:00 Lunch Break
14:00 - 16:00 Deploying Decentralised ID Authentication in DFS

Part III: Sovrin Trust Network

This session will provide an overview of the Sovrin Network and how it can be used to establish the trust systems that are essential for developing a DFS for secure financial transactions. This session will provide a summary of basic tools and software projects that can be utilized for DFS-based systems to empower users and financial industries. The discussion will focus on the emerging new identity stack and how to secure it, including mobile wallets.



Tracking Crypto Ponzi Schemes

Part III: Case study: example of how to follow the money of a crypto Ponzi

This session is a frontal example of how to use block explorers to follow the money of a Ponzi scheme. 

Securing Digital Financial Services in Tunisia

This session will explore how Tunisia Post has been working on introducing secure digital financial services using the post infrastructure.


Fast Identity Online (FIDO):

Part III: Public Private Sector Adoption of FIDO

In this session, the need for adopting FIDO2 as an industry requirement by regulators will be discussed. The session will include information on how FIDO certification and the push for better industry definition of strong authentication are needed to help regulators adapt to security challenges facing identity-based systems.

16:00 - 16:15 Coffee Break
16:15 - 17:30 Deploying Decentralised ID Authentication in DFS

Part IV: Use Case

This session will showcase how decentralized identity can be developed and provide a hands-on session using mobile ID wallets. Examples of identity proofing and verifiable claims will be demonstrated using mobile payments.


Tracking Crypto Ponzi Schemes

Part IV: Law enforcement and international collaboration

This session will explore how law enforcement authorities investigate digital Ponzi schemes and the mechanism for collaboration and information sharing about such incidents.


Fast Identity Online (FIDO):

Part IV: FIDO Developer Resources
This session will provide insight into the FIDO developer resources available at ITU and the FIDO demo application on Android and iOS. The use of the FIDO SDK for user enrolment, authentication and de-registration will be explained.


