Table of Contents - X.1150 (03/2024) - Security assurance framework for digital financial services

1 Scope
2 References
3 Definitions
3.1 Terms defined elsewhere
3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Introduction
7 Overview of Recommendation ITU-T X.805
8 DFS provider business models
8.1 Bank led business model
8.2 MNO led business model
8.3 MVNO model
8.4 Hybrid model
9 DFS ecosystem
9.1 Elements of a DFS ecosystem for USSD, SMS, IVR, STK and NSDT
9.2 Elements of a DFS ecosystem based on applications and digital wallets
10 Security threats
10.1 Threats to DFS using USSD, SMS, IVR, STK and NSDT
10.2 Threats to DFS ecosystem based on apps and digital wallets
11 DFS security assurance framework
12 Security risk management process
12.1 Overview
12.2 Establishing a context
12.3 Risk assessment
13 Assessment of DFS security vulnerabilities, threats and mitigation controls requirements
13.1 Threat: Account and session hijacking
13.2 Threat: Attacks against credentials
13.3 Threat: Attacks against systems and platforms
13.4 Threat: Code exploitation attacks
13.5 Threat: Data misuse
13.6 Threat: Denial of service (DoS) attacks
13.7 Threat: Insider attacks
13.8 Threat: Man-in-the-middle and social engineering attacks
13.9 Threat: Compromise of DFS infrastructure
13.10 Threat: SIM attacks
13.11 Threat: Compromise of DFS services
13.12 Threat: Unauthorized access to DFS data
13.13 Threat: Malware
13.14 Threat: Zero-day attacks
13.15 Threat: Rogue devices
13.16 Threat: Unauthorized access to mobile devices
13.17 Threat: Unintended disclosure of personally identifiable information
14 DFS security incident management
Annex A – Detailed DFS ecosystem infrastructure and threats
A.1 Customer – mobile device
A.2 Mobile device – mobile application
A.3 Customer – DFS agent
A.4 Mobile device – Base station
A.5 Mobile device – Internet
A.6 Base station – mobile switching station – gateways
A.7 Mobile network - DFS operator
A.8 DFS operator – third party
Annex B – Additional key components and recommendations for future work
Appendix I – Template for best practices of application security
I.1 Device and application integrity
I.2 Communication security and certificate handling
I.3 User authentication
I.4 Secure data handling
I.5 Secure application development
Bibliography