Committed to connecting the world

Advanced Search

Programme

FIGI Security Clinic: Securing the infrastructure and applications for digital financial services
Geneva Switzerland, 4-5 December 2019

Contact: tsbevents@itu.int

Wednesday, 4 December 2019, (Popov)

08:00 - 09:30	Registration
09:30 - 10:00	Welcome and Opening Remarks Bilel Jamoussi, Chief of Study Groups Department, TSB, ITU [ Biography ] Jamie Zimmerman, Senior Program Officer, Financial Services for the Poor, Bill & Melinda Gates Foundation [ Biography ]
10:00 - 10:15	FIGI Security, Infrastructure and Trust (SIT) Working Group Overview and Outcomes Vijay Mauree, Programme Coordinator, TSB, ITU [ Biography I Presentation ]
10:15 - 10:40	Coffee Break + Group Photo
10:40 - 12:20	INFRASTRUCTURE SECURITY: Securing the DFS Applications and Infrastructure SS7 vulnerabilities can be exploited by an intruder to intercept calls and SMSs, bypass billing, steal money from mobile accounts, or affect mobile network operations. In addition, vulnerabilities in DFS applications can also lead to hackers being able to obtain unauthorized access to consumer data if not properly addressed. This session will present the main findings of the Security, Infrastructure and Trust Working Group on securing the vulnerabilities and threats to the DFS Infrastructure (i.e. SS7 Vulnerabilities) and the work that is taking place in ITU-T Study Group 11 and other industry consortia to address this issue. Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions: Download Moderator: Leon Perlman, Head of DFS Observatory, Columbia University [ Biography ] Panellists: Assaf Klinger, Head of R&D, Vaulto [Biography I Presentation ] Samuel Gitta, Senior Manager, Enterprise Risk Management, MTN, Uganda [ Biography I Presentation ] Milan Brezina, PositiveTech [ Presentation ] Xiaojie Zhu, China Telecom & ITU-T Study Group 11 (remote) [ Biography I Presentation ]
12:20 - 12:50	FIRESIDE CHAT ON AADHAAR SECURITY Aadhaar began with an investment by the Indian government eight years ago and today there are one billion Indian residents and citizens who have an Aadhaar number with key identifiable pieces of information. The government then began linking Aadhaar with the banking system and enlisted fintech firms to begin extending microloans to individuals and SMEs. Aadhaar helps to solve the biggest issue with lending, KYC, by using a retina scan or biometric signature to verify the user. During this session we will examine some of the security features provided by Aadhaar and the new security features that were included recently. Moderator: Leon Perlman, Head of DFS Observatory, Columbia University [ Biography ] R.S Sharma, Chairman, TRAI
12:50 - 14:00	Lunch Break
14:00 - 15:30	AUTHENTICATION: Strong authentication frameworks for seamless user experience in DFS Strong consumer authentication frameworks are becoming the norm for financial services. This session will consider the various authentication frameworks as well as emerging ones based on decentralized identifiers to leverage digital ID infrastructure and provide a seamless user experience (i.e. out needing to remember passwords). The session will consider authentication frameworks based on FIDO, Mobile Connect and Decentralised identifiers with examples for financial inclusion. Technical report on Secure Authentication Technologies for Digital Financial Services: Download Moderator: Vijay Mauree, Programme Coordinator, TSB, ITU [ Biography ] Panellists: Abbie Barbir, CVSHealth [ Presentation ] Kim Hamilton, MIT [ Presentation ] Matthew Davie, Chief Strategy Officer, KIVA [ Biography ] Sharmista Appaya, World Bank [ Presentation ]
15:30 - 15:45	Coffee Break
15:45 - 17:15	DLT SECURITY: Security of Distributed Ledger Technologies for Digital Financial Services Distributed Ledger Technologies (DLTs) could be a game changer in financial services. This session will consider the research of the Security, Infrastructure and Trust WG on the security of distributed ledger technologies and will provide a deep dive on the security of public permissioned and private blockchains, security of smart contracts, how DLTs can protect integrity of the information and privacy of consumer data and the measures for mitigating the impact of the security risks. Technical report onSecurity Aspects of Distributed Ledger Technologies: Download Moderator: Jamie Zimmerman, Senior Program Officer, Financial Services for the Poor, Bill & Melinda Gates Foundation [ Biography ] Panellists: Leon Perlman, Head of DFS Observatory, Columbia University [ Biography I Presentation ] Matthew Davie, Chief Strategy Officer, KIVA [ Biography ] Adrian Hope-Bailie, Head of Services, Coil, South Africa [ Presentation ] Anne-Sophie Cartray, Executive Director, ConsenSys Solutions [ Presentation ]
17:15 - 18:30	SECURITY ASSURANCE FRAMEWORK: Managing Risks in Digital Financial Services DFS providers should put in place adequate measures to address the security threats and vulnerabilities and demonstrate compliance against regulatory measures. This session will consider the various threats and vulnerabilities that can impact the confidentiality, integrity and availability of digital financial services from a value chain perspective. The session will also highlight mitigation measures that DFS providers can implement to reduce the impact of these risks and discuss a framework that can be implemented by DFS providers to better manage the risks and show compliance. Digital Financial Services Security Assurance Framework:Download Moderator: Amy Ulrich, Info Security Advisor, CVSHealth [ Biography ] Panellists: Dorothee Delort, World Bank [ Presentation ] Kevin Butler, University of Florida [ Presentation ] Vijay Mauree, Programme Coordinator, TSB, ITU [ Biography I Presentation ] Rehan Masood, Deputy Director, Payment Systems Department, State Bank of Pakistan [ Biography I Presentation ] Dalit Caspi-Schachner, Head of Cybersecurity Strategy, Bank Hapoalim (remote) [ Presentation ]
18:30	Closing Session Bilel Jamoussi, Chief of Study Groups Department, TSB, ITU [ Biography ]
18:45	Networking Reception

*To be confirmed

Thursday, 5 December 2019

Day 2-Security Clinics
08:30 - 09:30 Registration
09:30 - 10:45
Room: H1 Deploying Decentralized ID Authentication in DFS Part I: Introduction This session covers the limitations of centralized identity systems and lay down the principles of decentralized identity and its role for enabling DFS systems. The session will review distributed ledger technology and its role in trust frameworks establishment. Speakers: Andy Tobin, Evernym [ Presentation ]	Room: L1 Tracking Crypto Ponzi Schemes Part I: Introduction Participants will learn and receive tools to investigate Ponzi schemes that use crypto-currency. The tools that will be provided in this bootcamp will enable the participants to track the crypto deposits made to the Ponzi and plot their course until they are converted to fiat and exfiltrated out through an exchange, where forfeiture of funds can be performed. Tracking the money to its endpoint will enable regulators and law enforcement to potentially de-anonymize the operators of the Ponzi. The goal of this session is that every participant will have successfully used the tools to track a Ponzi scheme and find its endpoints. Speakers: Jami Solli, GALA [ Presentation ] Assaf Klinger, Head of R&D, Vaulto [ Biography ]	Room: H2 App. Security Framework for DFS Part I: What is an App. Security Framework This session aims to facilitate common knowledge and understanding, the issues related to the security of mobile payment applications. The protection of sensitive data, such as user credentials and private information, is a key focus in mobile payment security. Mobile devices can be lost or stolen more easily compared to other types of devices. In that case, additional protection can be implemented to make retrieving the sensitive data more difficult. The session will discuss the best practices that developers need to observe when developing mobile payment apps and also discuss a template for an app security policy framework that can be adopted by DFS providers and financial service providers. Speakers: Kevin Butler, University of Florida [ Presentation ] Rehan Masood, Deputy Director, Payment Systems Department, State Bank of Pakistan [ Biography ]	Room: L2 Fast Identity Online (FIDO): Part I: Why Multi Factor Authentication is not enough This session looks at the security issues facing current identity management systems that relay on the use of passwords and multi-factor authentication. The session will look at various security threats and methods that can be used to enhance the security that are based on FIDO alliance technology. The session will also include an overview of FIDO and how it works. Speakers: Abbie Barbir, CVSHealth [ Presentation ] Jorge Coelho, Acceptto [ Presentation ]
10:45 - 11:00 Coffee Break
11:00- 13:00
Deploying Decentralized ID Authentication in DFS Part II: Standard Based Component of Decentralized Identity System and relation to DFS Decentralized identity is being standardized in many bodies in order in order to enable a consistent and interoperable implementation. This session provides an overview of the essential core technology which will enable a secure and interoperable decentralized identity solution that work well with DFS. The session will cover Verifiable claims, Distributed Ledgers, Decentralized identifiers and zero knoweldge proof. Speakers: Kim Hamilton,MIT [ Presentation ]	Tracking Crypto Ponzi Schemes Part II: Know your block explorer, how to use and how to analyze transactions In this session, the participants will learn how to use block explores (on line tools) and will receive a tutorial on how to track a crypto ponzi using these tools. Speakers: Assaf Klinger,Head of R&D, Vaulto [ Biography I Presentation ]	App. Security Framework for DFS (continued) Part 2: Application Security Testing This session will discuss how the security of applications can be assessed. We examine tools and software frameworks that can be used for performing analysis of application code and interfaces, including a walkthrough of how such an assessment of a smartphone application can occur in practice, as well as a discussion of vulnerabilities seen in practice. Speakers: Kevin Butler, University of Florida Rehan Masood, Deputy Director, Payment Systems Department, State Bank of Pakistan [ Biography I Presentation ]	Fast Identity Online (FIDO) Part II: FIDO 2 Overview and use cases This session is provide an overview of FIDO2 and gow it works. It details use cases and support for FIDO 2 in the industry. The use of FIDO 2 with varying identity assurance schemes in support of Digital Financial transsactions (DFS) systems will be discussed. Speakers: Abbie Barbir, CVSHealth Jorge Coelho, Acceptto Amy Ulrich, Info Security Advisor, CVSHealth [ Biography I Presentation ]
13:00 - 14:00 Lunch Break
14:00 - 16:00
Deploying Decentralised ID Authentication in DFS Part III: Sovrin Trust Network This session will provide an overview of the Sovrin Network and how it can be used to enable establish trust systems that are essential for developing a DFS for secure financial transaction. This sesssion will provide a summary of basic tools and software projects that can be utilized for DFS based systems to empower users and financial industries. The discussion will focus on the emerging new identity stack and how to secure it including mobile wallets. Speakers: Andy Tobin, Evernym	Tracking Crypto Ponzi Schemes Part III: Case study: example on how to follow the money of a crypto ponzi This session is a frontal example of how to use block explorers to follow the money of a Ponzi scheme. Speakers: Assaf Klinger, Head of R&D, Vaulto [ Biography ] Jami Solli, GALA	Homomorphic encryption application in digital finance Privacy-conscious data sharing for financial services This session will discuss advanced privacy enhancing technologies for enabling financial data sharing scenarios. We briefly go through the main privacy and confidentiality challenges that usually constrain or prevent outsourced and distributed financial data sharing and processing, and explore the link with health data sharing scenarios. We then examine the main privacy enhancing technologies that can address these challenges, and hence fundamentally improve applications such as fraud detection and personal finance advice. The session has a special focus on homomorphic encryption and the recent standardization initiatives for this essential technology, called to support a more collaborative financial environment that benefits both financial institutions and their customers. Speakers: Juan Ramon Troncoso-Pastoriza,Senior Researcher, EPFL [ Biography I Presentation ]	Fast Identity Online (FIDO): Part III: Public Private Sector Adoption of FIDO In this session the need for adopting FIDO 2 as an industry requirement by regulators will be discussed. The session will include information on how FIDO certification and the push for better industry definition of strong authentication is needed to help regulators adapt to security challenges facing identity-based systems. Speakers: Abbie Barbir, CVSHealth [ Presentation ] Rolf Lindemann, Nok Nok Labs [ Presentation 1 & Presentation 2 ]
16:00 - 16:15 Coffee Break
16:15 - 17:30
Deploying Decentralised ID Authentication in DFS Part IV: Use Case This session will showcase how decentralized identity can be developed and provide a hands on session using Mobile ID wallets. Examples of identity proofing and verifiable claims will be demonstrated using mobile payments. Speakers: Andy Tobin, Evernym Abbie Barbir, CVSHealth Kim Hamilton, MIT	Tracking Crypto Ponzi Schemes Part IV: Law enforcemenet and international collaboration This session will explore how law enforcement authorities investigate digital Ponzi schemes and the mechanism for collaboration and information sharing about such incidents. Speakers: Muhammad Imran, Criminal Intelligence Officer, INTERPOL [ Biography ]		Fast Identity Online (FIDO): Part IV: FIDO Developer Resources This session will provide an insight in the FIDO developer resources available at ITU and the FIDO demo application on Android and IOS. The use of FIDO SDK for user enrolment, authentication and de-registration will be explained. Speakers: Jorge Coelho, Acceptto [ Presentation ] Arnold Kibuuka, TSB, ITU [ Presentation ]