ITU hosts new security lab for digital financial services

ITU

A new security lab created by the Financial Inclusion Global Initiative (FIGI) will support innovators in ensuring the security and resilience of financial applications and enabling infrastructure.

FIGI supports national policy reforms to stimulate financial inclusion and leads research to build trust in digital financial services (DFS). The 2021 edition of the FIGI symposium – free of charge and open to all – takes place online from 18 May to 24 June. Register to participate.

The DFS Security Lab is a product of FIGI’s Working Group on ‘Security, Infrastructure and Trust’.

The lab provides a structured approach to security audits of DFS applications. This structured approach targets greater consistency in the implementation of controls to protect personal data and the integrity and confidentiality of financial transactions.

Four main objectives

The lab will support government and industry in assessing compliance with established best practices in DFS security, establishing a security baseline for DFS applications, and adopting interoperable authentication technologies. It will also organize clinics for security professionals to exchange knowledge and stay up to date with the evolution of security risks and associated mitigation techniques.

The lab will provide:

  • Guidance to regulators in assessing the security of DFS infrastructure and conducting security audits of DFS applications
  • Mechanisms for threat-intelligence sharing
  • Application guides to international standards for DFS security
  • Assessments of cybersecurity preparedness across DFS value chains

DFS security from 2G to 5G

The tests offered by the lab address the security of DFS applications running over legacy as well as cutting-edge network infrastructure.

Tests for DFS apps based on Unstructured Supplementary Service Data (USSD) and SIM Toolkit (STK) include:

  • Simulating man-in-the-middle attacks on STK
  • Testing susceptibility to binary over-the-air attacks
  • Testing remote USSD execution attacks
  • SIM clone testing

Tests for Android DFS apps are based on the Top 10 Mobile Risks from the Open Web Application Security Project (OWASP), addressing the following attack points:

  • Improper platform usage
  • Insecure data storage
  • Insecure communication
  • Insecure authentication
  • Insufficient cryptography
  • Code tampering

Public Release. This material comes from the originating organization and may be of a point-in-time nature, edited for clarity, style and length.