Page 13 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition

Executive Summary

Digital financial services (DFS) promise to enable financial inclusion and can improve the physical security of their users. However, emerging threats to the security of DFS can compromise stakeholders at every level of the ecosystem.

This report considers the stakeholders involved in the DFS ecosystem and examines, for each of them, the security vulnerabilities and the recommendations that mitigate their risks. Using the criteria set out in Recommendation ITU-T X.805, the security of each environment is assessed in light of existing and emerging attacks, and recommendations are given for each stakeholder environment. The specific security recommendations made in the report are listed below:

R1 – Consider the use of strong authentication mechanisms to demonstrate ownership of the device.

R2 – Make use of hardware and software mechanisms within mobile devices, such as secure elements and TEEs, which can ensure device integrity, and promote the use of devices equipped with security features for use in DFS.

R3 – Whether an application is designed for deployment on the handset or secure element, it should be designed and implemented in accordance with best practices, including encrypted and authenticated communication and secure coding practices to harden the app.

R4 – Apps should be subjected to external security review and penetration testing, and any recommendations acted upon.

R5 – Apps should securely manage username and password information so that adversaries cannot easily forge credentials, and should use strong authentication mechanisms to protect against unauthorized access.

R6 – Regular security updates are critical to ensure that mobile operating systems running on user devices operate using the latest security patches.

R7 – Ensure that security libraries offered by the operating system are correctly designed and implemented and that the cipher suites they support are sufficiently strong.

R8 – The handset operating system should be configured in a way to reduce the size of the trusted computing base.

R9 – Harden the security of SIM cards by using strong cryptographic ciphers, and protect updates through whitelisting techniques such as in-network filtering.

R10 – Discontinue the use of A5/0, A5/1, and A5/2 GSM encryption ciphers.

R11 – Consider transitioning away from mobile applications that leverage SMS and USSD in favour of solutions that use strong public key cryptography and end-to-end security.

R12 – MNOs should implement the security policies that maintain the integrity of their networks and prevent unauthorized access to customer accounts.

R13 – The integrity of backend DFS systems must also be maintained through continuous testing, intrusion filtering, and monitoring of networks and infrastructure.

R14 – MNOs and regulators should undertake active customer awareness campaigns to educate consumers about malicious messages, phishing, and spoofing attacks.

R15 – MNOs should monitor incoming calls from interconnect carriers and undertake fake CLI analysis, and implement a black or white list of CLIs, as well as other security mechanisms, associated with attempts to steal customer credentials.
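As an added illustration of R5, and not code from the report or from the ITU-T Focus Group, the following Python example shows one way a DFS backend can manage passwords so that a stolen credential database does not give an adversary reusable credentials: a random salt per user, PBKDF2-HMAC-SHA256 key stretching, constant-time comparison of the derived key, equal work for unknown usernames, and a lockout after repeated failures. The class and function names, the iteration count, the lockout threshold and the sample user are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Example parameters (assumptions for this illustration, not values from the report).
ITERATIONS = 200_000      # PBKDF2 work factor; raise as server hardware allows
SALT_LEN = 16             # bytes of random salt generated per user
MAX_FAILED_ATTEMPTS = 5   # lock the account after this many consecutive failures


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Derive a key from the password with PBKDF2-HMAC-SHA256.

    A fresh random salt per user means two users with the same password
    get different stored values, so precomputed tables are useless.
    Returns (salt, derived_key).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived


class CredentialStore:
    """Hypothetical in-memory credential store for a DFS backend (example only)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, key)
        self._failed: Dict[str, int] = {}                  # username -> consecutive failures

    def register(self, username: str, password: str) -> None:
        # Only the salt and the derived key are stored; the password itself never is.
        self._users[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        return self._failed.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def verify(self, username: str, password: str) -> bool:
        """Return True only for the correct password on an unlocked account."""
        if self.is_locked(username):
            return False
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for unknown users so that response
            # time does not reveal which usernames exist.
            hash_password(password, salt=b"\x00" * SALT_LEN)
            return False
        salt, stored_key = record
        _, candidate_key = hash_password(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(stored_key, candidate_key):
            self._failed.pop(username, None)
            return True
        self._failed[username] = self._failed.get(username, 0) + 1
        return False


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")       # constructed sample user
    print(store.verify("alice", "correct horse battery staple"))  # True
    print(store.verify("alice", "wrong password"))                # False
```

In a production backend the store would be a database table holding only the salt, the derived key and the work factor, so that the iteration count can be raised later and records re-derived at the next successful login; the lockout counter is the kind of "strong authentication mechanism" R5 asks for to slow down online guessing, and should be complemented by a second factor where the handset supports one.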




                                                                                                       xi