Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
Executive Summary
The world of digital financial services (DFS) relies heavily on the underlying telecommunications infrastructure to enable users to send and receive money. In most developing countries where DFS is popular, most of the end-users do not have reliable and accessible means to connect to the Internet and thus rely heavily on the mobile communications infrastructure. The communication channels with which the end-user communicates with the DFS provider are mostly Unstructured Supplementary Service Data (USSD) and Short Messaging Service (SMS). USSD and SMS have long been known as “broken” and have many published vulnerabilities, some over 20 years old, which enable attackers to commit fraud and steal funds.

The core issue that inhibits the mitigation of these vulnerabilities is a misalignment of interests and misplaced liability between the telecom and the financial regulators. ITU and GSMA long ago published guidelines and advisories to telecom operators (telcos) on how to mitigate many of these vulnerabilities; however, the implementation rate of these mitigation measures is extremely low. According to surveys performed by this working group and the European Union Agency for Network and Information Security (ENISA), less than 30% of the telcos in the European Union (EU) and less than 0.5% of telcos in developing countries have implemented these mitigation strategies. This low rate of implementation is attributed to a lack of awareness of the existence of these vulnerabilities and the prohibitive cost to the telcos of implementing mitigation measures. Since the telcos are not liable in cases of DFS fraud, there is no financial incentive for the telcos to mitigate these telecom vulnerabilities.

In order to advance the issue and mitigate many of these vulnerabilities, the working group recommends the following:

• Educate telecom and financial services regulators on the vulnerabilities that plague the “DFS over telecom” ecosystem;

• Telecom and financial services regulators should implement regulation that puts the liability where it should be and forces the telcos to put mitigation measures in place;

• Telecom and financial services regulators should ensure signalling security is covered in the legal framework in terms of reporting incidents and adopting minimum security requirements;

• Telecom regulators are encouraged to establish baseline security measures for each category (3G/4G/5G) which should be implemented by telecom operators to ensure a more secure interconnection environment. ITU-T Study Group 11 could develop technical guidelines for the baseline security measures;

• Create dialogue between the DFS providers and telecom regulators with the telecom security industry, by means of round tables, to expose the DFS providers and regulators to the existing mitigation solutions already in the market and create an incentive for the industry to develop more solutions;

• Incentivize the telcos, DFS providers and industry to work together and implement solutions, by either levying fines or providing grants, to build a more secure DFS ecosystem.