Page 22 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition



               Data integrity

               Any unauthorised modification of the mobile device can compromise platform security. Tampering with the
               device can lead to the storage being replaced and malware being installed. Such an attack is called the
               “Evil Maid” attack, and it works even on devices with encrypted storage [10]. A similar type of attack, the “Cold
               Boot” attack, involves freezing the device after it is powered down and extracting details from the memory [11].
               Both attacks can compromise data integrity and are possible if the user loses possession of the mobile device.


               Availability

               The device’s availability is contingent on its being in a serviceable condition. Tampering with the device or
               damaging it can hinder availability.


               Privacy

               A user’s privacy can be compromised if the device has been made vulnerable. A device that has been tampered
               with may exfiltrate information in a manner contrary to the user’s privacy settings. Improper configuration
               can also leak information that the user had not intended to share with others.


               Recommendations for mitigation
               R1 – Consider the use of strong authentication mechanisms to demonstrate ownership of the device.
               Because the key space of PINs makes them susceptible to a brute-force attack, consider the use of longer PINs
               or alphanumeric PINs, such as easily remembered passphrases, as arbitrarily long random sequences can lead
               to password information being written down. Caution should be exercised before mandating complex PINs and
               it should be ensured that any such adoption goes hand-in-hand with user education, as overly complex PINs
               are likely to be written down or entered by others, thus degrading their security. Also, it should be considered
               how biometrics may aid with authentication and provide a second factor if they are stored securely within
               the device. To prevent uncontrolled access to the mobile device, the owner must use available means of
               authentication, such as a PIN code, password, control figure, fingerprint, etc. Additionally, back-end analytics
               systems providing services such as IP velocity, geolocation, and time of day access expectations, can act as
               authentication factors for the mobile device user.

               R2 – Make use of hardware and software mechanisms within mobile devices, such as secure elements and
               TEEs, which can ensure device integrity, and promote the use of devices equipped with security features for
               use in DFS. Because a tampered or “rooted” device can potentially compromise the confidentiality, integrity,
               and privacy of user data, it is important to ensure that only properly functioning devices are able to participate
               in DFS transactions. The use of mechanisms such as TEEs can provide a means for attesting the integrity of
               devices as well as providing private storage for sensitive data. Such mechanisms can also provide the ability
               to perform remote wipes of a mobile device and to lock data in case a mobile device is lost or stolen.
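
               The back-end analytics signals named in R1 (IP velocity, geolocation, and time-of-day expectations) can be
               sketched as follows. This is an added example, not part of the ITU-T report: "IP velocity" is read here as the
               number of distinct accounts seen from one IP address within a short window, and all names, thresholds and
               sample events are assumptions.

```python
# Added illustration: names, thresholds and sample events below are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass
class Event:
    user: str
    ip: str
    when: datetime   # assumed to be in the user's local time
    lat: float
    lon: float

def km_between(a, b):  # great-circle (haversine) distance in kilometres
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def risk_signals(ev, history, usual_hours=range(6, 23), max_users_per_ip=3,
                 window=timedelta(minutes=10), max_kmh=900):
    """Return the names of the signals that fire for `ev` given earlier events."""
    fired = set()
    # IP velocity: distinct accounts seen from this IP inside the window.
    recent = [e for e in history if e.ip == ev.ip and timedelta(0) <= ev.when - e.when <= window]
    if len({e.user for e in recent} | {ev.user}) > max_users_per_ip:
        fired.add("ip_velocity")
    # Geolocation: implied travel speed since this user's previous event.
    prior = [e for e in history if e.user == ev.user and e.when < ev.when]
    if prior:
        last = max(prior, key=lambda e: e.when)
        hours = max((ev.when - last.when).total_seconds() / 3600, 1 / 60)
        if km_between(last, ev) / hours > max_kmh:
            fired.add("geo_velocity")
    # Time of day: access outside the hours this user normally transacts.
    if ev.when.hour not in usual_hours:
        fired.add("unusual_hour")
    return fired

def decide(fired):  # no signal: allow; one: ask for another factor; two or more: deny
    return "allow" if not fired else "step_up" if len(fired) == 1 else "deny"

NAIROBI, LAGOS = (-1.29, 36.82), (6.45, 3.39)   # approximate coordinates
D = datetime(2024, 1, 10)
HISTORY = [Event("alice", "192.0.2.10", D.replace(hour=9), *NAIROBI)] + [
    Event(u, "198.51.100.7", D.replace(hour=9, minute=m), *LAGOS)
    for u, m in (("bob", 52), ("carol", 55), ("dave", 58))]
SAME_PLACE = Event("alice", "192.0.2.10", D.replace(hour=9, minute=30), *NAIROBI)
FAR_AWAY = Event("alice", "198.51.100.7", D.replace(hour=10), *LAGOS)
NIGHT = Event("alice", "192.0.2.10", D.replace(day=11, hour=3), *NAIROBI)
```

               Calling `decide(risk_signals(FAR_AWAY, HISTORY))` on the constructed data yields a denial, because the login
               implies travel faster than any airliner and comes from an address shared by several accounts.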


               3.2    DFS application (software)


               Role within the ecosystem

               The DFS app is the primary means by which the customer interfaces with the DFS ecosystem. Users either
               directly use the application or have transactions performed by an agent on their behalf. Both agents and users
               interact with the DFS application, which can reside on the mobile device, or on the device’s SE. Interactions
               may occur over USSD, SMS, or a special application menu enabled by code, password, fingerprint, etc., enabling
               users to send money, make bill payments, top up airtime, and check account balances. From the DFS security
               point of view, it is important that mobile applications adhere to Security Level 4, as described in [ITU-T Y.2740].







