Page 35 - ITU-T Focus Group Digital Financial Services – Recommendations
Title of recommendation: Network Access and Fake Base Stations
Working Group: Technology, Innovation and Competition
Workstream: Security
Audience for recommendation: DFS providers, MNOs
Mobile Network Operators should implement security policies that maintain the integrity of their networks and
prevent unauthorized access to customer accounts.
DFS providers should consider transitioning away from mobile applications that rely on unencrypted
access technologies such as unencrypted SMS and USSD. Instead, solutions that use public-key cryptography
and end-to-end security, employing standardized and up-to-date cryptographic algorithms and ciphersuites,
are strongly recommended. These algorithms should be reviewed to ensure they remain robust against newly
discovered security vulnerabilities. Existing architectures will likely remain in place for the near term, since it
will take years for smartphones to become widespread enough to supplant feature phones and thereby allow
SMS- and USSD-based DFS services to be decommissioned. In the meantime, transitioning high-value and
high-volume accounts (e.g., businesses and merchants) to smartphones that support end-to-end security can
protect those accounts while risk mitigation strategies remain in place for feature phones.
MNOs, in co-operation with national telecommunications regulators, should deploy devices and software to
identify fake base stations designed to capture clear-text SMS and USSD session data and customer
credentials. So-called “IMSI-catcher-catcher” devices can be used to identify and isolate these fake base
stations or IMSI catchers.
MNOs should be required to report to the relevant authorities any intrusions into their base station
infrastructure through SS7 exploits and fake base station attacks. Any evidence of “man-in-the-middle”
attacks in which data is being intercepted should likewise be reported, as a centralized view of such activity
provides better resources to determine its scope and the means of eliminating it.