SECURITY, INFRASTRUCTURE AND TRUST WORKING GROUP
Digital Financial Services security assurance framework
DISCLAIMER
About this report
Executive Summary
Acronyms
1 Introduction
2 ITU-T Recommendation X.805 Overview
3 DFS Provider Business Models
     3.1 Bank led business model
     3.2 MNO led business model
     3.3 Model with Mobile Virtual Network Operator
     3.4 Hybrid Model
4 Elements of DFS ecosystem
     4.1 Elements of a DFS ecosystem using USSD, SMS, IVR, STK and NSDT
     4.2 Elements of a DFS ecosystem based on applications and digital wallets (e.g. Google Pay, Apple Pay, WeChat Pay, Samsung Pay)
5 Security threats
     5.1 Threats to DFS using USSD, SMS, IVR, STK and NSDT
     5.2 Threats to DFS ecosystem based on apps and digital wallets
6 DFS Security Assurance Framework
7 Risk assessment methodology
     7.1 Scope
     7.2 Establishing a context
     7.3 Security Assessment
     7.4 Risk Identification
     7.5 Risk Analysis
     7.6 Risk Evaluation
8 Assessment of DFS security vulnerabilities, threats and mitigation measures
     8.1 Threat: Account and Session Hijacking
     8.2 Threat: Attacks against credentials
     8.3 Threat: Attacks against systems and platforms
     8.4 Threat: Code Exploitation Attacks
     8.5 Threat: Data Misuse
     8.6 Threat: Denial of Service Attacks
     8.7 Threat: Insider Attacks
     8.8 Threat: Man-in-the-middle and social engineering attacks
     8.9 Threat: Compromise of DFS Infrastructure
     8.10 Threat: SIM attacks
     8.11 Threat: Compromise of DFS Services
     8.12 Threat: Unauthorized access to DFS data
     8.13 Threat: Malware
     8.14 Threat: Zero-Day Attacks
     8.15 Threat: Rogue Devices
     8.16 Threat: Unauthorised Access to Mobile Devices
     8.17 Threat: Unintended Disclosure of Personal Information
9 Template for application security best practices
     9.1 Device and Application Integrity
     9.2 Communication Security and Certificate Handling
     9.3 User Authentication
     9.4 Secure Data Handling
     9.5 Secure Application Development
10 DFS Security Incident management
Annex 1 Detailed DFS ecosystem infrastructure and threats