
ITU-T Focus Group Digital Financial Services
                                              Technology, Innovation and Competition



               Security threats and vulnerabilities

               These applications are subject to a variety of security risks that differ with how the application is deployed.
               In many cases, particularly for applications that run over SMS or USSD, the application has minimal security
               and no encryption built in; and even when the application is deployed on a smartphone, deficiencies in the
               application code can leave it open to attack and outright compromise.


               Access control
               Because of implementation or design decisions, applications are at risk from attackers who leverage code
               vulnerabilities. Past analysis has shown that smartphone applications can be running on devices where other
               applications hold the permission to read incoming SMS messages, and can thus gain access to sensitive customer
               information [1]. Applications are also vulnerable if their credential storage mechanisms are weak, since an
               adversary who extracts the stored credentials can use them to gain unauthorized access to customer data. In
               addition, applications whose access control is compromised face further risks: viruses and Trojans controlled
               by remote adversaries; malicious and fraudulent activity that can compromise customer accounts; privacy threats
               from advertising; and plug-in services that can be cracked. Such applications may also offer less resistance
               to phishing attempts designed to exfiltrate or tamper with sensitive customer information.

               Access control is also a risk for applications that run over SMS and USSD, because those channels carry data
               without end-to-end confidentiality or integrity protection, allowing an adversary to read and tamper with it
               to gain unauthorized access.


               Authentication

               If the application does not sufficiently protect password and PIN credentials, its users are at risk: an
               adversary who acquires this information can authenticate as the customer. A study of smartphone-based systems
               found that some applications are vulnerable because they do not require PIN authentication before performing
               sensitive operations such as retrieving the account balance or paying bills. Additionally, once a mobile
               terminal application has been successfully opened on the mobile platform, it may be treated as trusted from
               then on, so a malicious application that gains access to the platform can put the entire platform at risk.

               One-time passwords (OTPs) can provide improved security over static passwords, since a code that is captured
               cannot be reused for a later login. Biometric authentication may add security that is more usable than
               passwords, but it suffers from revocation issues: unlike a password, a compromised fingerprint or face template
               cannot be changed.


               Non-repudiation

               Applications that do not support digital signatures cannot provide non-repudiation guarantees for the
               transactions they perform. If transactions travel over a communication channel without integrity protection,
               transaction details can be tampered with, calling into question who performed the transaction. Furthermore,
               insecure applications are subject to having PINs stolen, and an adversary can use the stolen credentials to
               perform transactions never approved by the legitimate PIN holder, which can give rise to complaints of
               fraudulent transactions to the DFS provider. Digital signatures, with certificates issued to the customer during
               application registration, can mitigate these risks; however, they rely heavily on the security of the root
               certification authorities of the public-key infrastructure, a number of which have been compromised in the
               past.


               Data confidentiality
               Any application that uses a clear-text channel such as USSD or unauthenticated SMS gets only the over-the-air
               encryption that the mobile network applies between the handset and the base station; that encryption is weak,
               and beyond the base station the message traverses the carrier network unencrypted, so from that point there is
               no confidentiality at all. Incorrect choice or use of cipher suites and keys by the application as it
               communicates with other elements of the ecosystem can likewise give an attacker the means to break weak
               cryptography and expose information,


