Page 32 - Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions

d) Detection, as far as may be technically possible, of unauthorized radio frequency devices operated by unauthorized parties that may be designed to disrupt the MNOs licensed activities and/or to gain unauthorized access to customer handsets, SIM cards, customer access rights to MNO and DFS facilities, and customer data.

B.2.6 The NATIONAL TELECOMMUNICATIONS REGULATOR shall also ensure that its licensees and any other entities under its supervision:

a) Provide to the NATIONAL TELECOMMUNICATIONS REGULATOR reports on penetration tests that relate to the security of their systems. These reports must include any remedial action taken, if applicable;
b) Provide to the NATIONAL TELECOMMUNICATIONS REGULATOR reports on incidents that relate to authorized access to their systems and data. These reports must include any actual and potential data losses and breaches of consumer data protection measures, and any remedial action taken;
c) Expeditiously implement the most recent international technical and security standards;
d) Allow DFS end users to choose and fully access any of the available DFSPs, without any restrictions, discrimination, or preferential treatment among them.

CENTRAL BANK-DESIGNATED ROLES

B.2.7 The CENTRAL BANK shall undertake continuous monitoring of its supervised entities.

B.2.8 The CENTRAL BANK will operate through its mandate of oversight and supervision to ensure that their licensees and entities under their supervision:

a) Offer their services to DFSPs:
    i) At a high technical level;
    ii) At a high security level;
    iii) At a high availability level in ensuring uninterrupted communications and/or data transfer for customers;
    iv) In an effective and affordable manner;
    v) In a fair and equitable manner;
    vi) Not in a manner that may amount to abuse of their license or authorization to operate to the detriment of other entities reliant on these resources.
    vii) Transparently;
    viii) Without exercising any price, access, and Quality of Service differentiation between DFSPs;
    ix) Without delaying the transfer and the delivery of any service messages;
    x) Without violating any intellectual property rights
    xi) Whilst ensuring the availability of service access in accordance with applicable standards;
b) Do not act in a manner that may amount to anti-competitive behaviour.
c) Undertake, as may be required, continuous testing, intrusion filtering and monitoring of their infrastructure to ensure that there is no unauthorized access, disruption or use; and expeditiously:
    i. Provide to the CENTRAL BANK reports on penetration tests that relate to the security of their systems. These reports must include any remedial action taken if applicable.
    ii. Provide to the CENTRAL BANK reports on incidents that relate to authorized access to their systems and data. These reports must include any actual and potential data losses and breaches of consumer data protection measures, and any remedial action taken.
    iii. Implement the most recent international technical and security standards;
d) Allow DFS consumers to choose any of the available DFSPs, without any restrictions, discrimination, or preferential treatment among them.