Committed to connecting the world

WRC-23

Joint ITU-MACRA-RBM DFS security clinic – Addressing vulnerabilities and managing risks for Digital Financial Services

​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​7 - 8 December 2021

The main objectives of the Security Clinics on DFS security were to share findings and lessons learned from the FIGI Security Infrastructure and Trust working group. The findings assisted the DFS providers and Network operators to:
​Audience: The security clinics were intended for IT security professionals and policymakers from the telecom/ICT regulator, DFS providers and Central Bank.

The sessions addressed the following areas of focus:
Note:  The time indicated below is in Malawi local time – UTC+2

Programme


​​Day 1: 7 December 2021​​

​10:00 - 10:20
UTC+02
​Welcome:
​​10:20 - 11:20
UTC+02
​DFS security vulnerabilities: Infrastructure vulnerabilities and mitigation measures (Mobile Infrastructure vulnerabilities)

Telecom infrastructure vulnerabilities such as SS7 can be exploited by an intruder to intercept calls and SMSs, bypass billing, steal money from mobile money accounts, or affect mobile network operations.  This session presented the main findings of the Security, Infrastructure and Trust Working Group on securing the infrastructure against SS7 vulnerabilities and threats. 
11:20 - 11:35
UTC+02
Break
11:35 - 12:35
UTC+02
​DFS security vulnerabilities: Infrastructure vulnerabilities and mitigation measures (Mobile Infrastructure vulnerabilities)

This session focused on the SIM jacker and other mobile financial services vulnerabilities.
12:35 - 13:30
UTC+02
Lunch Break
13:30 - 14:15
UTC+02
USSD and STK platform vulnerabilities

This session highlighted the vulnerabilities to USSD and STK and Android based applications. Threats like Man in the middle attacks, the SIM jacker vulnerability in SIM Cards  will be discussed. The session also provided an overview of the methodology used for performing the USSD and STK security tests at the ITU DFS Security Lab. 
​14:15 - 15:00
UTC+02
​DFS security lab

This session introduced the ITU DFS security lab and highlight the vulnerabilities in Android based DFS applications. The session also provided, and an overview of the Android app security tests based on the OWASP Mobile Top 10.

15:00 - ​ 15:15
UTC+02

Break
15:15 - 16:15
UTC+02
​Testing Android Mobile Payment applications

This session introduced the ITU DFS security lab and highlight the vulnerabilities in Android based DFS applications. The session also provided, and an overview of the Android app security tests based on the OWASP Mobile Top 10.
Related Reports: 

Day 2: 8 December 2021

10:00 - 11:00
UTC+02
DFS Security Assurance Framework and conducting a DFS security assessment (Managing threats in the DFS ecosystem)

This session discussed the DFS security assurance framework that can be implemented by DFS providers to better manage the risks and mitigate their impact. RBM and MACRA also provided insights on how they are handling DFS security issues.
Related Reports: 
11:0011:30
UTC+02​​​

Break
11:30 - 12:15
UTC+02
​DFS audit guideline

The session also covered how a Regulator or DFS provider can assess compliance with the minimum-security controls using the DFS audit guideline. 
Related Reports: 

12:15 - ​14:00
UTC+02
Lunch Break
​14:00 - 16:00
UTC+02
​Implementing the DFS security assurance framework and security audit for DFS.

This was a hands-on session focusing on initiating the process DFS providers in Malawi can use to implement the DFS security assurance framework.  DFS providers familiarized themselves with the DFS security assurance framework prior to the session.​

​​