Page 38 - ITU-T Focus Group Digital Financial Services – Recommendations
                Title of recommendation       Infrastructure security
                Working Group                 Technology, Innovation and Competition
                Workstream                    Security
                Audience for recommendation   MNOs, DFS Providers
                MNOs should be discouraged from using weak encryption ciphers and from switching off encryption on
                their networks.


               Where practical, MNOs should discontinue use of the GSM A5/0, A5/1, and A5/2 ciphers. These ciphers
               are known to be vulnerable to attack, and A5/0 provides no encryption at all.

               Encryption should not be switched off in order to enhance data spends on mobile networks. Doing so can
               lead to data intrusions on the mobile handset and through the MNO's network.

               MNOs should implement security policies that maintain the integrity of their networks and prevent
               unauthorized access to customer accounts. This includes logical and physical access controls, including
               controls ensuring that there is no unauthorized access to, or use of, the Signaling System 7 (SS7) core
               components of the MNO's infrastructure.

               MNOs should undertake, as may be required, continuous testing, intrusion filtering, and monitoring of
               their core networks, base station infrastructure, and licensed mobile phone frequency bands to ensure that
               there is no unauthorized access, disruption, or misuse. Testing and monitoring includes not only mechanisms
               to detect SS7-based attacks but also detection, where technically possible, of unauthorized radio frequency
               devices.

               DFS providers and MNOs should develop security benchmark assessments and regular testing of defenses
               to protect against new attacks as part of a risk management framework. This is necessary to assure the
               continued security of stored data within these systems.

               MNOs should install hardware and software solutions that filter rogue SS7 messages originating from
               potential attackers. A significant number of SS7-based attacks can be prevented if network providers
               perform ingress and egress filtering.
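As an added illustration of the ingress and egress filtering called for above (example code written for this page, not part of the ITU-T recommendation and not any vendor's firewall product), the following Python simulates a minimal SS7/MAP interconnect filter. The global-title prefixes, the operation category lists, the roaming state table and the sample messages are all constructed assumptions; a production filter would take its categories from the GSMA FS.11 guidelines and its roaming data from the operator's own HLR/HSS.

```python
"""Toy SS7/MAP ingress/egress filter (added example, constructed data).

Three checks are applied to traffic crossing the interconnect:
  1. source spoofing: a home global title (GT) must never arrive from outside,
     and nothing may leave with a non-home calling GT;
  2. operations that are never legitimate from a foreign network are dropped;
  3. location-dependent operations are checked against the subscriber's known
     roaming state before they are allowed in.
"""
from dataclasses import dataclass

# Constructed: E.164 global-title prefix (no '+') owned by the home MNO.
HOME_GT_PREFIXES = ("26201",)
HOME_COUNTRY_CODE = "262"

# Constructed policy tables. The split mirrors the idea behind GSMA FS.11's
# message categories; the exact membership here is an assumption for the demo.
NEVER_INBOUND = {"anyTimeInterrogation", "sendIMSI", "anyTimeModification"}
ROAMER_DEPENDENT = {"updateLocation", "provideSubscriberInfo", "cancelLocation"}

# Constructed roaming state: IMSI -> country code the subscriber is currently in.
ROAMING_STATE = {
    "262011234567890": "44",   # subscriber roaming in the UK
    "262019876543210": "262",  # subscriber at home
}


@dataclass
class Ss7Message:
    direction: str   # "ingress" (from interconnect) or "egress" (towards it)
    calling_gt: str  # SCCP calling-party global title
    called_gt: str   # SCCP called-party global title
    operation: str   # MAP operation name
    imsi: str = ""   # target subscriber, where the operation carries one


@dataclass
class Decision:
    action: str  # "ALLOW" or "DROP"
    reason: str


def is_home_gt(gt: str) -> bool:
    return gt.startswith(HOME_GT_PREFIXES)


def filter_message(msg: Ss7Message) -> Decision:
    """Apply the ingress/egress rules to one message and return a decision."""
    if msg.direction == "egress":
        # Egress rule: a non-home calling GT leaving the network is source spoofing.
        if not is_home_gt(msg.calling_gt):
            return Decision("DROP", "egress message with non-home calling GT")
        return Decision("ALLOW", "egress from home GT")

    # Ingress rules.
    if is_home_gt(msg.calling_gt):
        return Decision("DROP", "home GT arriving from the interconnect (spoofed source)")
    if msg.operation in NEVER_INBOUND:
        return Decision("DROP", f"{msg.operation} is never legitimate from a foreign network")
    if msg.operation in ROAMER_DEPENDENT:
        location = ROAMING_STATE.get(msg.imsi)
        if location is None:
            return Decision("DROP", "operation references an unknown IMSI")
        if location == HOME_COUNTRY_CODE:
            return Decision("DROP", "subscriber is at home, no foreign network should serve them")
        # Simplified country check: plain prefix match on the country code.
        if not msg.calling_gt.startswith(location):
            return Decision("DROP", f"sender country does not match subscriber location (+{location})")
    return Decision("ALLOW", "passes ingress policy")


# Constructed sample traffic.
SAMPLE_TRAFFIC = [
    Ss7Message("ingress", "447700900123", "262011000001", "anyTimeInterrogation", "262011234567890"),
    Ss7Message("ingress", "447700900123", "262011000001", "updateLocation", "262011234567890"),
    Ss7Message("ingress", "33612345678", "262011000001", "updateLocation", "262011234567890"),
    Ss7Message("ingress", "26201555000", "262011000001", "sendRoutingInfoForSM", "262019876543210"),
    Ss7Message("egress", "262011000001", "447700900123", "sendRoutingInfoForSM", "262011234567890"),
    Ss7Message("egress", "447700900123", "447700900999", "updateLocation", "262011234567890"),
]


def run_filter(messages):
    """Return (operation, action, reason) for each message, in order."""
    results = []
    for m in messages:
        d = filter_message(m)
        results.append((m.operation, d.action, d.reason))
    return results


if __name__ == "__main__":
    for op, action, reason in run_filter(SAMPLE_TRAFFIC):
        print(f"{action:5} {op:22} {reason}")
```

Running the block on the constructed traffic drops the interrogation request, the location update from the wrong country, the inbound message carrying a home GT and the outbound message with a foreign calling GT, while allowing the location update that matches the subscriber's known roaming country and the normally sourced outbound query. The country check is deliberately a prefix match and would need a proper numbering-plan lookup in practice.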

               Telecom and central bank regulators should jointly ensure that PSPs and MNOs undertake penetration
               testing of systems and networks. This testing, using either internal or third-party resources, should check
               for vulnerabilities within the provider networks. The results of these tests should be reported to regulators.

               PSPs and MNOs should implement disaster recovery systems and processes to ensure that any intrusions
               into their networks do not result in loss of customer data and funds. The same resilience and best practices
               for IT security should ideally be followed by all stakeholders within the DFS ecosystem who are responsible
               for processing and storing critical data.