Committed to connecting the world

WTSA

Addressing Vulnerabilities and Managing Risks for Digital Financial Services

​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​ 12 -14 October 2021



 The main objectives of the Security Clinic on DFS security were to share findings and lessons learned from the FIGI Security Infrastructure and Trust working group.  The findings will assist the regulators and providers to: i) learn about the different vulnerabilities within the DFS ecosystem, ii) how to mitigate these threats and perform continuous assessments on the security of DFS iii) how to build confidence and trust in the use of digital financial services, provide a framework to manage security risks in the DFS ecosystem. The security clinics were intended for IT security professionals and policymakers from the telecom/ICT regulator, DFS provider and Central Bank.

The sessions focused on  the following areas: 
  • DFS security vulnerabilities: Insights into the security vulnerabilities of DFS applications and infrastructure:
    • USSD, STK and Android platform vulnerabilities and how these can be mitigated
    • ​SS7 vulnerabilities and their mitigation measures
  • Security tests that can be undertaken at the DFS Security Lab at ITU.
  • Implementing the DFS security framework
  • Performing a DFS security assessment.

Target audience: This event was for DFS and Telco regulators in Malawi

Draft Programme



Day 1: 12 October  2021​​

10:00 - 10:15 ​​​​Welcome Address
  • ​​MACRA
  • Reserve Bank of Malawi
  • ITU
10:15 - 12:00

DFS Security Vulnerabilities: USSD, STK and Android Platform Vulnerabilities

This session introduced the ITU DFS security lab and highlight the vulnerabilities to USSD and STK and Android based applications. Threats like Man in the middle attacks that could impact digital financial services and the SIM jacker vulnerability in SIM Cards would be discussed. The session will also provide and an overview of the security tests that can be undertaken in the DFS Security Lab at ITU.
 
Panellists: 
  • "Introduction to the ITU DFS Security Lab" : Vijay Mauree, Programme Coordinator, TSB, ITU: 
  • "Android, USSD and STK tests" : Arnold Kibuuka, Project Officer, TSB, ITU
​Related Reports

​​ ​ ​Day 2: 13 October 2021

10:00 - 12:00
DFS Security Vulnerabilities: Infrastructure Vulnerabilities and Mitigation Measures (Mobile Infrastructure Vulnerabilities)

Telecom infrastructure vulnerabilities such as SS7 can be exploited by an intruder to intercept calls and SMSs, bypass billing, steal money from mobile money accounts, or affect mobile network operations.  This session presented the main findings of the Security, Infrastructure and Trust Working Group on securing the infrastructure against SS7 vulnerabilities and threats. 

Panellists: 
  • Faaez Burney & Karel Van Der LecqAdaptive Mobile 
  • Assaf Klinger, Klinger Consulting 
​​Related Report: 

​​​Day 3: 14 October 2021

09:30 - 10:30
DFS Security Assurance Framework and Conducting a DFS Security Assessment

This session introduced the DFS security assurance framework and how it can be implemented by DFS providers to better manage the risks and mitigate their impact. The session also covered how a Regulator or DFS provider can assess the compliance to the minimum-security controls using the DFS audit guideline.

Panellists: 
  • Vijay Mauree, Programme Coordinator, TSB, ITU
  • Arnold Kibuuka, Project Officer, TSB, ITU
​Related Reports
10:45 - 12:00​​Implementing the DFS Security Assurance Framework 

This was a hands-on session focusing on initiating the process to implement the DFS security assurance framework in Malawi and identify the DFS Mobile Money applications that could be tested in the ITU DFS security lab. MACRA and RBM team familiarized themselves with the DFS security assurance framework prior to the session. A follow-up session was held afterwards to assess the implementation​.

Panellists: 
  • Vijay Mauree, Programme Coordinator, TSB, ITU
  • Arnold Kibuuka, Project Officer, TSB, ITU



© ITU All Rights Reserved

Back to top