Page 32 - Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
d) Detection, as far as may be technically possible, of unauthorized radio frequency devices operated by unauthorized parties that may be designed to disrupt the MNO's licensed activities and/or to gain unauthorized access to customer handsets, SIM cards, customer access rights to MNO and DFS facilities, and customer data.

B.2.6 The NATIONAL TELECOMMUNICATIONS REGULATOR shall also ensure that its licensees and any other entities under its supervision:

a) Provide to the NATIONAL TELECOMMUNICATIONS REGULATOR reports on penetration tests that relate to the security of their systems. These reports must include any remedial action taken, if applicable;

b) Provide to the NATIONAL TELECOMMUNICATIONS REGULATOR reports on incidents that relate to authorized access to their systems and data. These reports must include any actual and potential data losses and breaches of consumer data protection measures, and any remedial action taken;

c) Expeditiously implement the most recent international technical and security standards;

d) Allow DFS end users to choose and fully access any of the available DFSPs, without any restrictions, discrimination, or preferential treatment among them.

CENTRAL BANK-DESIGNATED ROLES

B.2.7 The CENTRAL BANK shall undertake continuous monitoring of its supervised entities.

B.2.8 The CENTRAL BANK will operate through its mandate of oversight and supervision to ensure that its licensees and entities under its supervision:

a) Offer their services to DFSPs:
i) At a high technical level;
ii) At a high security level;
iii) At a high availability level in ensuring uninterrupted communications and/or data transfer for customers;
iv) In an effective and affordable manner;
v) In a fair and equitable manner;
vi) Not in a manner that may amount to abuse of their license or authorization to operate to the detriment of other entities reliant on these resources;
vii) Transparently;
viii) Without exercising any price, access, and Quality of Service differentiation between DFSPs;
ix) Without delaying the transfer and the delivery of any service messages;
x) Without violating any intellectual property rights;
xi) Whilst ensuring the availability of service access in accordance with applicable standards;

b) Do not act in a manner that may amount to anti-competitive behaviour.

c) Undertake, as may be required, continuous testing, intrusion filtering and monitoring of their infrastructure to ensure that there is no unauthorized access, disruption or use; and expeditiously:
i. Provide to the CENTRAL BANK reports on penetration tests that relate to the security of their systems. These reports must include any remedial action taken, if applicable.
ii. Provide to the CENTRAL BANK reports on incidents that relate to authorized access to their systems and data. These reports must include any actual and potential data losses and breaches of consumer data protection measures, and any remedial action taken.
iii. Implement the most recent international technical and security standards;

d) Allow DFS consumers to choose any of the available DFSPs, without any restrictions, discrimination, or preferential treatment among them.