ITU-T Focus Group Digital Financial Services
Technology, Innovation and Competition
Security threats and vulnerabilities
These applications are subject to a variety of security risks that differ depending on how the application is deployed.
In many cases the applications have minimal security and no encryption built in, and even where the application
is deployed on a smartphone, deficiencies in the application code can render it vulnerable to attack and outright
compromise.
Access control
As a result of implementation or design decisions, applications are at risk of attackers leveraging code
vulnerabilities. Past analysis has shown that smartphone applications can be running on devices where other
applications have permission to read incoming SMS messages and thus gain access to sensitive customer
information [1]. Applications are also vulnerable if their credential storage mechanisms are weak, since
an adversary can then extract these credentials and gain unauthorized access to customer data. In addition,
applications whose access control is compromised face risks from viruses and Trojans controlled by remote
adversaries; from malicious and fraudulent activity that can compromise customer accounts; from privacy threats
posed by advertising; and from plug-in services that can be cracked. Such weaknesses can also lower resistance
to phishing attempts designed to exfiltrate or tamper with sensitive customer information.
Access control is also at risk in applications that run over SMS and USSD, because those channels lack
protections, allowing an adversary to read and tamper with data in order to gain unauthorized access.
Authentication
If the application does not sufficiently protect password and PIN credentials, application users are at risk,
since an adversary who acquires this information can authenticate as the customer.
A study of smartphone-based systems found that some applications are vulnerable because they do not require PIN
authentication before performing sensitive operations such as retrieving account balance information or
paying bills. Additionally, once mobile terminal applications have been successfully accessed on the mobile
platform, they may be treated as trusted, so a malicious application that gains access to the mobile platform
can put the entire platform at risk.
One-time passwords (OTPs) may provide improved security compared to constant passwords. Biometric
authentication may provide additional and more usable security beyond passwords, but it suffers from revocation
issues, since a compromised biometric cannot be replaced the way a password can.
Non-repudiation
Applications that do not support the use of digital signatures cannot provide non-repudiation guarantees when
transactions are performed. If transactions occur over a communication channel that does not provide integrity
protection, transaction details can be tampered with, calling into question who performed the transaction.
Furthermore, insecure applications are subject to having PINs stolen. An adversary can use these stolen
credentials to perform transactions not approved by the authorized PIN holder, which could be cause for
complaint to the DFS provider in the case of fraudulent transactions. Digital signatures, with certificates
issued during application registration, can mitigate these risks; however, they rely heavily on the security
of the roots of the public-key infrastructure (PKI), many of which have been compromised in the past.
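One way to realise the signed-transaction check described above, added here as an illustrative example rather than code from the Focus Group report, using Go's standard Ed25519 implementation. The transaction record layout, its canonical JSON form, the customer and merchant identifiers and the sample amounts are all constructed for this example; the provider is assumed to hold the customer's public key from the certificate issued at registration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction is a constructed DFS transfer record; the field set and its
// canonical JSON encoding are assumptions made for this example.
type Transaction struct {
	Payer  string `json:"payer"`
	Payee  string `json:"payee"`
	Amount int64  `json:"amount_cents"`
	Nonce  uint64 `json:"nonce"` // unique per transaction, so a signed record cannot be replayed
}

// canonical returns the exact bytes that are signed. encoding/json emits struct
// fields in declaration order, so signer and verifier derive identical bytes.
func canonical(t Transaction) []byte {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err) // cannot occur for a struct of plain string/integer fields
	}
	return b
}

// SignTransaction runs in the customer's app with the private key generated at
// registration; the provider holds the matching public key in the certificate
// issued at that time, which is what binds the signature to the customer.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, canonical(t))
}

// VerifyTransaction runs at the provider: it rebuilds the canonical bytes from the
// received record and checks the signature against the payer's public key; any
// field changed after signing, or a signature made with another key, fails.
func VerifyTransaction(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, canonical(t), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tx := Transaction{Payer: "CUSTOMER-0001", Payee: "MERCHANT-42", Amount: 150000, Nonce: 1}
	sig := SignTransaction(priv, tx)
	fmt.Println("genuine record verifies:", VerifyTransaction(pub, tx, sig)) // true
	tx.Amount = 1500000 // amount altered in transit
	fmt.Println("tampered record verifies:", VerifyTransaction(pub, tx, sig)) // false
}
```

The non-repudiation property holds only as far as the provider can trust that the public key really belongs to the customer, which is exactly the dependence on the PKI roots noted above.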
Data confidentiality
Any application using a clear-text channel such as USSD or unauthenticated SMS has over-the-air
encryption between the mobile device and the base station, but that encryption is weak, and beyond the base
station the message traverses the carrier network unencrypted. Hence there is no confidentiality at that
point. Incorrect choice or use of cipher suites by the application as it communicates with other elements of the
ecosystem can also give an attacker the means to break weak cryptography and expose information,