Work item:
|
X.1456 (ex X.sgdfs-us)
|
Subject/title:
|
Security guidelines for DFS applications based on USSD and STK
|
Status:
|
Determined on 2024-09-06 [Issued from previous study period]
|
Approval process:
|
TAP
|
Type of work item:
|
Recommendation
|
Version:
|
New
|
Equivalent number:
|
-
|
Timing:
|
2024-09 (Medium priority)
|
Liaison:
|
None
|
Supporting members:
|
Uganda, Ghana, Kenya, Côte d’Ivoire, Liberia, Zimbabwe, South Africa, Senegal, Mali, Egypt
|
Summary:
|
Digital Financial Services providers have increasingly utilized the Unstructured Supplementary Service Data (USSD) and SIM Tool Kit (STK) channels to enhance the growth and adoption of Digital Financial Services (DFS), primarily in the developing world. The GSMA estimated that in Africa, over 90 percent of mobile money transactions are driven by USSD.
There are different interaction points for the different parties within the DFS ecosystem based on USSD and STK. Consequently, there are numerous ways in which attackers can leverage these points to attack the ecosystem, with successful exploits often having consequences that may lead to loss of funds, denial of service or disclosure of personal financial information.
The services provided using the USSD and STK channels include account opening, money transfer, bill payment, balance inquiries, etc. Traditional banks can now also extend their branches using the USSD and STK channels through their agent banking networks.
Therefore, the use of USSD and STK, especially for DFS, has raised security concerns about the inherent risks and vulnerabilities of these channels, which attackers may use to compromise the confidentiality, integrity and availability of services, and the privacy of the transactions.
This Recommendation provides a standardized and common approach to protecting the integrity and confidentiality of digital transactions. This involves having visibility of the security and integrity aspects of mobile payment applications on basic phones, feature phones as well as smartphones to address the identified vulnerabilities and earn users’ confidence.
|
Comment:
|
-
|
Reference(s):
|
|
|
Historic references:
|
Contact(s):
|
|
ITU-T A.5 justification(s): |
|
|
|
First registration in the WP:
2023-09-28 15:24:22
|
Last update:
2024-11-15 10:05:49
|
|