Page 24 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition
breaching confidentiality. The GSM ciphers are known to be vulnerable to attack. In smartphone applications
using IP transactions, the incorrect use of secure sockets layer (SSL) or the negotiation of known weak cipher
suites can also lead to breaks in the encryption and the exposure of user data, again breaching confidentiality.
Data left unencrypted within the application, written in an insecure manner to application logs, or stored in
databases with no or weak encryption can also lead to an adversary exposing this information. Caches can
also be exploited to harvest sensitive information. Minimizing the amount of sensitive data stored within the
application, for example by using DFS with host card emulation (HCE), can mitigate confidentiality risks.
Communication security
The security of the communication link is contingent on the negotiated cipher suite between the application
and the back-end services. Information in applications has been demonstrated to flow to a variety of sinks
outside the authorized end-point, including into logs and databases. Consequently, only strong encryption
mechanisms such as SSL ensure data security in public telecommunications networks. It is also important
to ensure that the cipher suites used are not subject to downgrade attacks to older versions that contain
potentially weak ciphers. If session keys are not periodically renegotiated, the accumulation of enciphered
material can make the key vulnerable to attack. Protocols such as SSL and transport layer security (TLS) can be
set to renegotiate ciphers, but it is important for the protocols to be resistant to renegotiation attacks from
attackers injecting traffic into legitimate client-server exchanges.
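A client-side TLS configuration that enforces the points above (no downgrade below TLS 1.2, no weak suites, compression and renegotiation disabled where the library allows) and a check of what a link actually negotiated; this is an added example, not from the ITU-T report, and the cipher string, policy thresholds and sample cipher names are constructed, assuming Python's standard ssl module.

```python
import re
import ssl

# Policy assumed for a DFS client (constructed); the report does not prescribe suites.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"
_WEAK_PRIMITIVE = re.compile(r"NULL|EXPORT|RC4|DES|MD5|anon", re.IGNORECASE)
_AEAD = re.compile(r"GCM|CHACHA20|CCM")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses legacy versions, weak suites, compression
    and (on OpenSSL builds that expose the flag) TLS renegotiation."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # blocks SSLv3/TLS1.0/TLS1.1 downgrade
    ctx.set_ciphers(STRONG_CIPHERS)               # TLS 1.2 suites; TLS 1.3 suites are AEAD anyway
    ctx.options |= ssl.OP_NO_COMPRESSION          # removes the CRIME-style compression oracle
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)  # absent on older OpenSSL: no-op
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Expose the settings that matter for review or unit tests."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def assess_negotiated(version: str, cipher_name: str) -> list:
    """Policy findings for what a connection negotiated, i.e. the values of
    ssl_sock.version() and ssl_sock.cipher()[0]; an empty list means compliant."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"legacy protocol version {version}")
    if _WEAK_PRIMITIVE.search(cipher_name):
        findings.append(f"weak cipher primitive in {cipher_name}")
    if version == "TLSv1.2" and not cipher_name.startswith(("ECDHE", "DHE")):
        findings.append("no forward secrecy (static key exchange)")
    if not _AEAD.search(cipher_name):
        findings.append("non-AEAD cipher")
    return findings


if __name__ == "__main__":
    print(context_summary(hardened_client_context()))
    print(assess_negotiated("TLSv1.0", "RC4-SHA"))  # constructed legacy negotiation
```

In production the same check runs after the handshake on every connection, so a server that silently falls back to a legacy suite is rejected rather than logged.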
Data integrity
The integrity of information is at risk from the lack of a secure communication channel in applications that use
USSD or unauthenticated SMS. There are no integrity guarantees provided in these environments. Similarly, with
smartphone applications, negotiation of weak cipher suites that downgrade security can allow an adversary
to modify transactions and, hence, the integrity of financial data. Within some applications, a lack of access
control provides an avenue for adversaries to modify financial data. Applications that do
not require credentials prior to performing sensitive operations such as bill pay are subject to adversaries
modifying this information. If the application does not provide stateful tracking mechanisms, the adversary
can easily perform remote exploits leading to data compromise.
Availability
Application availability is a measure of code quality and security. If applications do not perform robust
input validation, an adversary can potentially perform buffer overflow attacks that may end up crashing the
application. Denial of service can also occur if the application does not allocate sufficient resources or if
logging mechanisms are subverted by the adversary. Partially-completed actions can have negative effects on
availability and lead to a lack of system consistency; as such, it is important that interactions with applications
are atomic.
Privacy
The use of weak cryptographic algorithms by the application can lead to privacy violations as data and metadata
can be inferred through network activity. In the worst case, weak ciphers can be completely compromised,
leading to full breaches of privacy.
Recommendations for mitigation
R3 – Whether an application is designed for deployment on the handset or secure element, it should be
designed and implemented in accordance with best practices, including encrypted and authenticated
communication and secure coding practices to harden the app. Such practices should additionally extend
to software embedded in third party systems and web pages for communication with mobile money
systems. Sufficiently strong encryption should be employed for both data protection within the app and for