Page 31 - Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
j) Consultations on the need for any new laws, guidelines, by-laws, or regulations where these may relate to DFS;

k) Use of technical expertise;

l) Management and operation of DFS infrastructure;

m) Availability of, and fair access to, MNO communication channels by DFSPs;

n) Availability of, and fair access to, any MNO data that can legally be shared with DFSPs or other parties;

o) Development and enforcement of minimum technical and operational standards;

p) Identification, mitigation, and expeditious handling and containment of all security issues and incidents;

q) Participation where necessary in the development of RMFs related to DFS;

r) Anti-money laundering, counter terrorism financing, and fraud;

s) Consumer protection generally;

t) Monitoring of systems and networks for security breaches and intrusions where these may affect DFS, and the reporting of any breaches and intrusions relating to DFS provision to the other Authority;

u) Mutually support the other Authority’s activities in relation to DFS and adjacent matters;

v) Mutual and expeditious notification to the other of any issues, processes, and events that may affect the operation of DFS in (the country); and

w) Any other strategy relating to the scope of this MOU deemed necessary and appropriate by the Authorities;

NATIONAL TELECOMMUNICATIONS AUTHORITY-DESIGNATED ROLES

B.2.3 The NATIONAL TELECOMMUNICATIONS REGULATOR shall undertake continuous monitoring of the licensed frequencies operated by the MNOs so as to ensure that no unauthorized radio frequency devices are being used on these frequencies to, inter alia, capture customer information and to disrupt MNO communications with their customers.

This monitoring may be undertaken jointly between the NATIONAL TELECOMMUNICATIONS REGULATOR and the MNOs as may be necessary. Any breaches and intrusions that may have an effect on the operation and financial security of DFS in (the country) shall be expeditiously reported by the NATIONAL TELECOMMUNICATIONS REGULATOR to the CENTRAL BANK.

B.2.4 The NATIONAL TELECOMMUNICATIONS REGULATOR will operate through its mandate of oversight and supervision to ensure that their licensees offer their services to DFSPs:

a) At a high technical level;

b) At a high security level;

c) At a high availability level in ensuring uninterrupted communications and/or data transfer for customers;

d) In an effective and affordable manner;

e) In a fair and equitable manner;

f) Not in a manner that may amount to abuse of their licensed access to and provision of scarce telecommunications resources to the detriment of other entities reliant on these resources;

g) Transparently;

h) Without exercising any price, access, and Quality of Service differentiation between DFSPs and for any other entities reliant on these resources;

i) Without delaying the transfer and the delivery of any service messages;

j) Without violating any intellectual property rights;

k) Whilst ensuring the availability of network access in accordance with applicable standards;

l) In a manner that may amount to anti-competitive behaviour; and

m) Where the licensees are MNOs, to validate and ensure that only verified and authorized persons are able to have access to—or provide, as the case may be—customer SIM cards;

n) Undertake, as may be required, continuous testing, intrusion filtering and monitoring of their core networks, BTS infrastructure and licensed mobile phone frequency bands to ensure that there is no unauthorized access, disruption or use.

B.2.5 Tests and monitoring that may be required and which relate to specific issues identified in Section 2.4 above shall include, but not be limited to, those for:

a) Unauthorized access to and use of any Signalling System 7 (SS7)-based core components of the MNO’s infrastructure;

b) Use of any SS7 components of the MNO’s infrastructure by any party where that use may be designed to undertake unauthorized or fraudulent activities;

c) Unauthorized access to and use of any LTE-based core components of the MNO’s infrastructure;