
ITU-T Focus Group Digital Financial Services
                                              Technology, Innovation and Competition



               Data integrity

               As described above, communication between the base station and the provider network may occur without
               any cryptographic protections. In this situation, there are no integrity guarantees for data that is transmitted in
               SMS and USSD-based systems. Additionally, MNO customers can fall victim to trusted phone number spoofing,
               otherwise known as fake caller line ID (CLI) attacks that can be the starting point of SIM swap attacks or other
               activities to compromise user accounts.


               Privacy

               As described above in the communication security section, there are substantial issues with SS7 network
               security that can compromise user privacy.


               Recommendations for mitigation

               R12 – MNOs should implement security policies that maintain the integrity of their networks and
               prevent unauthorized access to customer accounts. This includes logical and physical access controls,
               ensuring in particular that there is no unauthorized access to, or use of, the SS7 core components of the
               MNO’s infrastructure, and that SS7 components of the MNO’s infrastructure are not used by any parties
               undertaking unauthorized or fraudulent activities. Controls against SIM swaps should also be implemented.

               R13 – The integrity of backend DFS systems must also be maintained through continuous testing, intrusion
               filtering, and monitoring of networks and infrastructure.

               Tests and monitoring shall include, but not be limited to, those for:

               •    Unauthorized access to and use of any SS7 core components of the MNO’s infrastructure;
               •    Use of any SS7 components of the MNO’s infrastructure by any parties where that use may be designed
                    to undertake unauthorized or fraudulent activities;
               •    Detection, as far as may be technically possible, of unauthorized radio frequency devices operated
                    by unauthorized parties that may be designed to disrupt the MNO’s licensed activities and/or to gain
                    unauthorized access to customer handsets, customer access rights to MNO and MFS facilities, and
                    customer data;
               •    Expeditiously providing to the telecommunications regulator reports on penetration tests that relate to
                    the security of their systems. These reports must include any remedial action taken, if applicable;
               •    Expeditiously providing to the telecommunications regulator reports on incidents that relate to
                    unauthorized access to their systems and data. These reports must include any actual and potential
                    data losses and breaches of consumer data protection measures, and any remedial action taken.

               R14 – MNOs and regulators should undertake active customer awareness campaigns to educate consumers
               about malicious messages, phishing, and spoofing attacks.

               R15 – MNOs should monitor incoming calls from interconnect carriers and undertake fake CLI analysis, and
               implement a black or white list of CLIs, as well as other security mechanisms, associated with attempts to
               steal customer credentials.
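               The following is an added illustration of the fake CLI analysis and CLI block/allow listing that R15 calls for; it is
               example code written for this page, not part of the ITU-T report or of any MNO's production screening. It
               screens constructed interconnect call records with two detector heuristics (an MNO short code presented
               from an external carrier, and a home-network subscriber number arriving on an international trunk) on top
               of a block list and an allow list, and counts repeat offenders so an analyst can decide whether to promote a
               flagged CLI to the block list. The number ranges, trunk names and short codes are hypothetical values chosen
               for the example.

```python
"""Fake-CLI screening for calls arriving over interconnect trunks (added example).

Everything below is constructed for illustration: the numbering prefix, short codes,
trunk names and call records are not taken from any real operator.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set

# Hypothetical national number range owned by this MNO (assumption for the example).
HOME_PREFIX = "+26377"
# Hypothetical customer-care / mobile-money short codes that only originate on-net.
TRUSTED_SHORT_CODES = {"123", "4455"}

# R15: block list and allow list of CLIs, maintained by the fraud team (constructed entries).
CLI_BLOCKLIST: Set[str] = {"+15550000999"}
CLI_ALLOWLIST: Set[str] = {"+26377100100"}   # e.g. a verified partner line on a contracted trunk


@dataclass(frozen=True)
class InterconnectCall:
    trunk: str           # name of the carrier trunk the call arrived on
    international: bool  # True if the trunk is an international interconnect
    cli: str             # calling line identity as presented by the carrier
    called: str          # called subscriber number


@dataclass(frozen=True)
class Verdict:
    cli: str
    action: str   # "allow", "block" or "flag" (flag = hold for analyst review)
    reason: str


def screen_call(call: InterconnectCall) -> Verdict:
    """Apply list checks first, then the fake-CLI heuristics, most certain first."""
    cli = call.cli
    if cli in CLI_ALLOWLIST:
        return Verdict(cli, "allow", "allowlisted CLI")
    if cli in CLI_BLOCKLIST:
        return Verdict(cli, "block", "blocklisted CLI")
    # An on-net short code can never legitimately be the CLI of a call entering
    # from another carrier, so this is blocked outright.
    if cli in TRUSTED_SHORT_CODES:
        return Verdict(cli, "block", "trusted short code presented from interconnect")
    # A home-network subscriber number on an international trunk is the classic
    # spoofing pattern, but a genuinely roaming subscriber can also arrive this
    # way, so the call is flagged for analysis rather than blocked.
    if call.international and cli.startswith(HOME_PREFIX):
        return Verdict(cli, "flag", "home-network CLI on international trunk")
    # Anything that is not an E.164-style number is suspicious in itself.
    if not cli.startswith("+") or not cli[1:].isdigit():
        return Verdict(cli, "flag", "malformed CLI")
    return Verdict(cli, "allow", "no indicator")


def screen_batch(calls: Iterable[InterconnectCall]) -> List[Verdict]:
    return [screen_call(c) for c in calls]


def repeat_offenders(verdicts: Iterable[Verdict], threshold: int) -> Set[str]:
    """CLIs that were flagged or blocked at least `threshold` times: candidates
    for promotion to CLI_BLOCKLIST after analyst review."""
    hits = Counter(v.cli for v in verdicts if v.action in ("flag", "block"))
    return {cli for cli, n in hits.items() if n >= threshold}


# Constructed sample records standing in for an interconnect call detail feed.
SAMPLE_CALLS = [
    InterconnectCall("intl-carrierA", True,  "+26377123456",  "+26377999888"),
    InterconnectCall("intl-carrierA", True,  "123",           "+26377999888"),
    InterconnectCall("natl-carrierB", False, "+15550000999",  "+26377555111"),
    InterconnectCall("intl-carrierC", True,  "+26377100100",  "+26377555111"),
    InterconnectCall("intl-carrierC", True,  "+441234567890", "+26377555111"),
    InterconnectCall("intl-carrierA", True,  "+26377123456",  "+26377222333"),
]

if __name__ == "__main__":
    results = screen_batch(SAMPLE_CALLS)
    for call, verdict in zip(SAMPLE_CALLS, results):
        print(f"{call.trunk:14} {verdict.cli:15} {verdict.action:5} {verdict.reason}")
    print("repeat offenders:", repeat_offenders(results, threshold=2))
```

               The allow list is consulted before the block list so that a verified partner line is never caught by the heuristics;
               a real deployment would key the allow list on the trunk as well as the CLI, since an allowlisted number
               arriving on an unexpected trunk is itself a signal.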














