DFS Security Clinic - Addressing security risks to digital finance ecosystem

The International Telecommunication Union, in collaboration with the Communications Regulators' Association of Southern Africa (CRASA), organized a Digital Financial Services Security Clinic on 24-25 May 2022 titled "Addressing security risks to digital finance ecosystem". The event took place from 10h00 to 13h00 UTC+2.

The main objective of the DFS Security Clinic was to share the findings and recommendations of the FIGI Security Infrastructure and Trust working group with regulators and DFS providers, with regard to addressing security challenges for digital finance. The event provided insights into security best practices for SIM swaps and for mobile payment applications operating on USSD, STK and Android, a methodology for testing the security of mobile payment applications, and ways of addressing infrastructure vulnerabilities such as SS7.

Target audience: The security clinic was intended for IT security professionals and policymakers from the telecom sector, ICT regulators, DFS providers, central banks and mobile network operators.


Programme



Day 1: 24 May 2022 (10:00 – 13:00)

10:00 - 10:20 (UTC + 2)
Welcome remarks

10:20 - 11:50 (UTC + 2)
DFS security vulnerabilities: USSD, STK and Android platform vulnerabilities

This session introduced the ITU DFS security lab and highlighted vulnerabilities in USSD-, STK- and Android-based applications. It discussed threats such as man-in-the-middle attacks that affect digital financial services, and the Simjacker vulnerability in SIM cards. The session also provided an overview of the security tests undertaken in the DFS Security Lab at ITU.

11:50 - 12:00 (UTC + 2)
Coffee Break

12:00 - 13:00 (UTC + 2)
DFS security vulnerabilities: SIM and Infrastructure vulnerabilities and mitigation measures

Telecom infrastructure vulnerabilities such as SS7 are exploited by intruders to intercept calls and SMSs, bypass billing, steal money from mobile money accounts, or affect mobile network operations. This session summarized the key ITU DFS recommendations on DFS security, especially on the issues of SS7, SIM swaps, SIM recycling and SIM vulnerabilities such as Simjacker that could compromise DFS.

Day 2: 25 May 2022 (10:00 - 13:00)

10:00 - 11:15 (UTC + 2)
DFS Security Assurance Framework

This session discussed the DFS security assurance framework that DFS providers can implement to better manage risks and mitigate their impact.

11:15 - 11:25 (UTC + 2)
Coffee Break

11:25 - 12:00 (UTC + 2)
DFS security audit guideline

This session covered how a regulator or DFS provider can assess compliance with the minimum security controls using the DFS audit guideline.

12:00 - 13:00 (UTC + 2)
Implementing the DFS security recommendations and security audits for DFS

An interactive session focused on initiating the process of implementing the DFS security recommendations and identifying the DFS mobile money applications that could be tested at the ITU DFS security lab.