30 March, 2022
The International Telecommunication Union organized an online Digital Financial Services Security Clinic jointly with the East African Communications Organization (EACO) from 30 – 31 March 2022 titled: “Addressing security risks to digital finance ecosystem”.
The main objectives of the DFS Security Clinic are to share the findings and recommendations of the FIGI Security Infrastructure and Trust working group with regulators and DFS providers on addressing security challenges in digital finance. The event provided insights into security best practices for SIM swaps; for mobile payment applications operating on USSD, STK and Android; a methodology for testing the security of mobile payment applications; and approaches to addressing infrastructure vulnerabilities such as SS7.
Under the Financial Inclusion Global Initiative (FIGI) programme, the ITU set up a DFS Security Lab in November 2020 to work in collaboration with DFS regulators on adopting a common methodology for managing security risks and conducting security audits of DFS applications. The objectives of the ITU DFS Security Lab are as follows:
- Support regulators to implement DFS security recommendations from FIGI.
- Conduct security audits of DFS applications (i.e., USSD, STK and Android DFS applications).
- Provide guidance on managing the DFS ecosystem security risks and mitigation measures.
- Organize security clinics targeting DFS regulators and providers to stay up to date with new vulnerabilities and mitigation measures.
- Conduct assessments on cyber preparedness among the DFS ecosystem stakeholders on responding to cybersecurity incidents targeting digital finance.
- Provide a neutral platform to share knowledge on security incidents and vulnerabilities in digital finance.
Key guidelines and recommendations for regulators on DFS security:
- Mobile Application Security Best Practices: Contains best practices that Digital Financial Services regulators could adopt as a mobile financial services application security policy or guideline.
- Recommendations for regulators to mitigate SS7 vulnerabilities: Contains details on the recommendations for DFS regulators and mobile network operators to mitigate SS7 vulnerabilities.
- Security recommendations to protect against DFS SIM risks and SIM swap fraud: Contains guidance and recommendations for regulators and providers to mitigate SIM vulnerabilities such as SIM swaps, SIM recycling, and other SIM attacks such as SIMjacker and WIB browser attacks.
- Template for a Model Memorandum of Understanding between a Telecommunications Regulator and Central Bank on Digital Financial Services Security: This template includes aspects that address DFS security that financial services and telecom regulators should consider adopting in their MOU.
The intended audience for the DFS Security Clinic was IT security professionals and policymakers from telecom/ICT regulators, DFS providers, Central Banks and Mobile Network Operators.
Note: The time indicated below was in East Africa Time – UTC+3