Page 25 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition
communication with backend DFS systems. These applications should also be designed to be resilient against
denial-of-service attacks.
R4 – Apps should be subjected to external security review and penetration testing, and any resulting
recommendations acted upon. In particular, applications should be designed to be robust against phishing
software. Other methods of increasing application security may include increasing the complexity of Java
reflection and anti-decompilation countermeasures, although software obfuscation remains an arms race
between code writers and reverse engineers. An important focus should be on guiding the customer to access
and download the application through official channels to mitigate the risk of running malware-infected code.
R5 – Apps should securely manage username and password information so that adversaries cannot easily
forge credentials, and should use strong authentication mechanisms to protect against unauthorized
access. Default usernames and passwords should be removed or reset so that an adversary cannot easily
guess credentials. It is strongly recommended to use PIN codes, passwords, or biometric authentication to
protect the mobile device and the DFS application from unauthorized access. Multi-factor authentication may
provide additional security guarantees and is required for Y.2740 Security Levels 3 and 4. Credential
information must be securely stored and managed so that it is not accessible to adversaries. Encryption of
at-rest data, along with strong access control mechanisms, can aid in ensuring tamper-resistance.
Within the application, ensure support for password complexity (enforced by the server), limits on
unsuccessful login attempts, password history and reuse periods, and account lock-out periods, each set to a
reasonable minimum value in order to minimize the potential for offline attack. Sensitive information should
also be transferred using methods that assure its integrity and authenticity, through protection mechanisms
such as message authentication codes (MACs) and digital signatures, employing primitives such as nonces to
prevent replay attacks.
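As an added illustration of the integrity, authenticity and replay protections just listed (example code, not part of the ITU-T document), the following Python sketch has the app attach a nonce and timestamp to each message and MAC the whole body with a shared key, while the backend rejects tampered, stale and replayed messages. The shared key, the 60-second freshness window and the message fields are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: a key shared between the DFS app and its backend.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_AGE_SECONDS = 60  # constructed freshness window for the timestamp check


def _canonical(body: dict) -> bytes:
    """Serialise deterministically so client and server MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(key: bytes, payload: dict, now=None) -> dict:
    """Client side: add a fresh nonce and timestamp, then a MAC over the body."""
    body = dict(payload)
    body["nonce"] = secrets.token_hex(16)
    body["ts"] = int(now if now is not None else time.time())
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Verifier:
    """Server side: check the MAC first, then freshness, then nonce reuse."""

    def __init__(self, key: bytes, max_age: int = MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen_nonces = {}  # nonce -> timestamp, pruned to the freshness window

    def verify(self, msg: dict, now=None):
        now = int(now if now is not None else time.time())
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so the MAC check does not leak via timing.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        # MAC is valid, so the signed ts/nonce fields can be trusted.
        if abs(now - body["ts"]) > self.max_age:
            return False, "stale timestamp"
        if body["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[body["nonce"]] = body["ts"]
        cutoff = now - self.max_age  # forget nonces that can no longer pass the age check
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}
        return True, "ok"
```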
To ensure application consistency, complete fault recovery and synchronization mechanisms should be required
to ensure the reliability of information storage.
3.3 Mobile phone operating system
Role within the ecosystem
The operating system represents the software base that applications (whether app-based or USSD/SMS/
IVR-based) rely upon. It is also used to monitor and contain other applications and users in a mobile device.
The security of the operating system is critical to the security of applications that run on it, including DFS
applications.
Security threats and vulnerabilities
Access control
Mobile operating systems offer only very coarse-grained controls over dialling. In Android, this means that any
application with dialling privileges can also dial USSD codes, allowing an unauthorized or malicious application
to perform actions on behalf of a user. Additionally, if an adversary has access to the physical phone, it may
be possible to recover billing information or passwords if this information remains in text messages. Such
conditions can become possible when the operating system is overly permissive; in other words, it provides
a surfeit of interfaces that are not essential for applications to possess and thus become potential vectors for
vulnerability. More generally, the operating system itself has numerous ways by which access to privileged
instructions can be made, and numerous processes that can possess highly privileged access, such that if they
are compromised, the security of the entire system is at risk. This set of processes and interfaces is known
as the trusted computing base of the operating system, and an important goal from the standpoint of the
operating system vendor, or the handset manufacturer if they make modifications to the operating system,
is to minimize the set of processes and interfaces that have highly-privileged access to reduce the size of the
trusted computing base.