Digital financial services promise to enable financial inclusion and can improve the physical security of their users. However, emerging threats to the security of DFS can compromise stakeholders at every level within the ecosystem.
This report considers the stakeholders involved in the DFS ecosystem and examines, for each of them, the security vulnerabilities they face and the recommendations that mitigate those risks. Using the criteria set out in Recommendation ITU-T X.805, these security properties are considered in light of existing and emerging attacks. Recommendations are given for each stakeholder environment. The specific security recommendations made in the report are listed below:
R1 – Consider the use of strong authentication mechanisms to demonstrate ownership of the device.
R2 – Make use of hardware and software mechanisms within mobile devices, such as secure elements and TEEs, which can ensure device integrity, and promote the use of devices equipped with security features for use in DFS.
R3 – Whether an application is designed for deployment on the handset or secure element, it should be designed and implemented in accordance with best practices, including encrypted and authenticated communication and secure coding practices to harden the app.
R4 – Apps should be subjected to external security review and penetration testing, and any recommendations acted upon.
R5 – Apps should securely manage username and password information so that adversaries cannot easily forge credentials, and should use strong authentication mechanisms to protect against unauthorized access.
R6 – Regular security updates are critical to ensure that mobile operating systems running on user devices operate using the latest security patches.
R7 – Ensure that security libraries offered by the operating system are correctly designed and implemented and that the cipher suites they support are sufficiently strong.
R8 – The handset operating system should be configured in a way to reduce the size of the trusted computing base.
R9 – Harden the security of SIM cards by using strong cryptographic ciphers, and protect updates through whitelisting techniques such as in-network filtering.
R10 – Discontinue the use of A5/0, A5/1, and A5/2 GSM encryption ciphers.
R11 – Consider transitioning away from mobile applications that leverage SMS and USSD in favour of solutions that use strong public key cryptography and end-to-end security.
R12 – MNOs should implement the security policies that maintain the integrity of their networks and prevent unauthorized access to customer accounts.
R13 – The integrity of backend DFS systems must also be maintained through continuous testing, intrusion filtering, and monitoring of networks and infrastructure.
R14 – MNOs and regulators should undertake active customer awareness campaigns to educate consumers about malicious messages, phishing, and spoofing attacks.
R15 – MNOs should monitor incoming calls from interconnect carriers, undertake fake CLI analysis, and implement black or white lists of CLIs, together with other security mechanisms, to counter calls associated with attempts to steal customer credentials.
R16 – The development of security benchmark assessments and regular testing of defences to protect against new attacks is vital to assuring the continued confidentiality and integrity of stored data in these environments.
R17 – MNOs should ensure that when DFS agents are involved in SIM swap operations, mechanisms are in place to ensure that the verified, legal owner is being provided with a new customer SIM.
R18 – PSPs should ensure that companion general purpose reloadable cards linked to DFS accounts require the use of EMV chips with cardholder verification methods, such as PINs or biometrics (where practical), and that all card transactions result in an alert to customers.
R19 – Employ strong cryptography practices to assure confidentiality and integrity of data as it enters the provider network and as it is processed and stored within this environment.
R20 – Keep systems up to date and monitored against malicious threats from outside code and employ robust input validation routines on external-facing services.
R21 – Maintain a trustworthy supply chain to assure the integrity of systems supporting DFS used within these networks.
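The fake-CLI screening in R15 is the one recommendation in this list that is naturally expressed as a small piece of detection logic, so the following is an added illustration of it. It is not code from the report or from any MNO; the number ranges, trunk names, partner lists and call records are constructed placeholders for a hypothetical operator, and the heuristics (operator-owned service numbers never originate on a partner trunk; a home subscriber number arriving from a non-roaming trunk deserves review) are assumptions stated here, not rules taken from the report.

```python
"""Fake-CLI screening for calls that arrive over interconnect trunks.

Added example, not from the ITU report. All numbers, trunk names and partner
lists below are constructed placeholders for a hypothetical MNO.
"""
import re
from collections import Counter

# Numbering-plan facts a real MNO would load from its own systems (constructed here).
HOME_PREFIXES = ("+25570", "+25571")          # ranges assigned to this MNO's subscribers
OPERATOR_SERVICE_NUMBERS = {"+255700000100"}  # the MNO's own customer-care line
ROAMING_PARTNERS = {"carrier-west"}           # trunks over which our own roamers may call home
CLI_DENYLIST = {"+44700900123"}               # CLIs previously tied to credential-theft calls
CLI_ALLOWLIST = {"+255710000200"}             # e.g. a verified partner bank's outbound number

E164 = re.compile(r"^\+[1-9]\d{6,14}$")       # shape check: '+' then 7 to 15 digits


def screen_call(trunk: str, cli: str) -> str:
    """Return a verdict for one inbound interconnect call based on its CLI.

    Verdicts, in priority order:
      deny      - CLI is on the denylist
      malformed - CLI is not a plausible E.164 number and cannot be trusted at all
      spoofed   - CLI claims to be one of the operator's own service numbers,
                  which never originate on a partner trunk (assumption)
      allow     - CLI is explicitly allowlisted
      review    - CLI is a home-network subscriber number arriving from a trunk
                  that is not a roaming partner (possible spoof, possibly roaming)
      allow     - nothing suspicious
    """
    if cli in CLI_DENYLIST:
        return "deny"
    if not E164.match(cli):
        return "malformed"
    if cli in OPERATOR_SERVICE_NUMBERS:
        return "spoofed"
    if cli in CLI_ALLOWLIST:
        return "allow"
    if cli.startswith(HOME_PREFIXES) and trunk not in ROAMING_PARTNERS:
        return "review"
    return "allow"


def screen_batch(records):
    """Screen (trunk, cli, callee) tuples; return per-call verdicts and a count of
    flagged calls per CLI, which is what an analyst would sort by."""
    verdicts = []
    flagged = Counter()
    for trunk, cli, callee in records:
        verdict = screen_call(trunk, cli)
        verdicts.append((trunk, cli, callee, verdict))
        if verdict != "allow":
            flagged[cli] += 1
    return verdicts, flagged


# Constructed sample of inbound interconnect call records: (trunk, CLI, called number).
SAMPLE_CALLS = [
    ("carrier-west", "+255701234567", "+255709876543"),  # our roamer calling home: allow
    ("carrier-east", "+255700000100", "+255709876543"),  # 'customer care' from a foreign trunk: spoofed
    ("carrier-east", "+255701234567", "+255709876543"),  # home number via non-roaming trunk: review
    ("carrier-east", "+44700900123", "+255709876543"),   # denylisted CLI: deny
    ("carrier-east", "0000", "+255709876543"),           # garbage CLI: malformed
    ("carrier-east", "+255710000200", "+255709876543"),  # allowlisted partner: allow
    ("carrier-east", "+255700000100", "+255701111111"),  # same spoof again, different callee
]

if __name__ == "__main__":
    results, counts = screen_batch(SAMPLE_CALLS)
    for row in results:
        print(*row)
    print("flagged CLIs:", dict(counts))
```

The "review" verdict is deliberately softer than "spoofed": a genuine subscriber roaming on a network the operator has no roaming agreement with could produce the same record, so that case is queued for analysis rather than blocked, whereas a partner trunk presenting the operator's own customer-care number has no legitimate explanation and is the pattern behind credential-theft calls that R15 targets.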
More information about the recommendations is given within the report. Additionally, a larger set of recommendations based on securing the information technology systems used within and across stakeholders, such as DFS providers and external entities, is also provided. The conclusions summarize and encapsulate the most important of our findings, particularly the need for the safe and secure transmission of data between users and data providers, the use of hardware-enabled security on mobile devices to assure the security of information on those platforms, and best practices for handling data within DFS provider systems and networks, as well as the development of security benchmark assessments and regular testing of defences.