Committed to connecting the world

Search
WTISD

Joint ITU-MACRA-RBM DFS security clinic – Addressing vulnerabilities and managing risks for Digital Financial Services

​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​7 - 8 December 2021

The main objectives of the Security Clinics on DFS security were to share findings and lessons learned from the FIGI Security Infrastructure and Trust working group. The findings assisted the DFS providers and Network operators to:
  • learn about the different vulnerabilities within the DFS ecosystem
  • how to mitigate these threats and perform continuous assessments on the security of DFS 
  • how to build confidence and trust in the use of digital financial services, provide a framework to manage security risks in the DFS ecosystem.
​Audience: The security clinics were intended for IT security professionals and policymakers from the telecom/ICT regulator, DFS providers and Central Bank.

The sessions addressed the following areas of focus:
  • DFS security vulnerabilities: Insights into the security vulnerabilities of DFS applications and infrastructure:
    • USSD, STK and Android platform vulnerabilities and how these can be mitigated.
    • ​SS7 vulnerabilities and their mitigation measures.
    • Security tests that can be undertaken at the DFS Security Lab at ITU.
  • Implementing the DFS security framework
  • DFS security assessment: Performing a DFS security assessment.​


Note:  The time indicated below is in Malawi local time – UTC+2

Programme


​​Day 1: 7 December 2021​​

​10:00 - 10:20
UTC+02
​Welcome:
  • Daud Suleman, Director General, MACRA 
  • Fraser Mdwazika, Director for the National Payments System Department, Reserve Bank of Malawi
  • Vijay Mauree, Programme Coordinator, ITU
​​10:20 - 11:20
UTC+02
​DFS security vulnerabilities: Infrastructure vulnerabilities and mitigation measures (Mobile Infrastructure vulnerabilities)

Telecom infrastructure vulnerabilities such as SS7 can be exploited by an intruder to intercept calls and SMSs, bypass billing, steal money from mobile money accounts, or affect mobile network operations.  This session presented the main findings of the Security, Infrastructure and Trust Working Group on securing the infrastructure against SS7 vulnerabilities and threats. 
  • Faaez Burney, Adaptive Mobile [Presentation]
  • Karel Van Der Lecq, Adaptive Mobile 
11:20 - 11:35
UTC+02
Break
11:35 - 12:35
UTC+02
​DFS security vulnerabilities: Infrastructure vulnerabilities and mitigation measures (Mobile Infrastructure vulnerabilities)

This session focused on the SIM jacker and other mobile financial services vulnerabilities.
  • Faaez Burney, Adaptive Mobile [Presentation​]
  • Karel Van Der Lecq, Adaptive Mobile 
12:35 - 13:30
UTC+02
Lunch Break
13:30 - 14:15
UTC+02
USSD and STK platform vulnerabilities

This session highlighted the vulnerabilities to USSD and STK and Android based applications. Threats like Man in the middle attacks, the SIM jacker vulnerability in SIM Cards  will be discussed. The session also provided an overview of the methodology used for performing the USSD and STK security tests at the ITU DFS Security Lab. 
​14:15 - 15:00
UTC+02
​DFS security lab

This session introduced the ITU DFS security lab and highlight the vulnerabilities in Android based DFS applications. The session also provided, and an overview of the Android app security tests based on the OWASP Mobile Top 10.
15:00 - ​ 15:15
UTC+02
Break
15:15 - 16:15
UTC+02
​Testing Android Mobile Payment applications

This session introduced the ITU DFS security lab and highlight the vulnerabilities in Android based DFS applications. The session also provided, and an overview of the Android app security tests based on the OWASP Mobile Top 10.
Related Reports: 

Day 2: 8 December 2021

10:00 - 11:00
UTC+02
DFS Security Assurance Framework and conducting a DFS security assessment (Managing threats in the DFS ecosystem)

This session discussed the DFS security assurance framework that can be implemented by DFS providers to better manage the risks and mitigate their impact. RBM and MACRA also provided insights on how they are handling DFS security issues.
Related Reports: 
11:0011:30
UTC+02​​​
Break
11:30 - 12:15
UTC+02
​DFS audit guideline

The session also covered how a Regulator or DFS provider can assess compliance with the minimum-security controls using the DFS audit guideline. 
Related Reports: 
  • DFS security audit guideline

12:15 - ​14:00
UTC+02
Lunch Break
​14:00 - 16:00
UTC+02
​Implementing the DFS security assurance framework and security audit for DFS.

This was a hands-on session focusing on initiating the process DFS providers in Malawi can use to implement the DFS security assurance framework.  DFS providers familiarized themselves with the DFS security assurance framework prior to the session.​

​​

​​​​.​



© ITU All Rights Reserved

Back to top