ITU's 160 anniversary

Committed to connecting the world

Partner2Connect

Digital Financial Services (DFS) Security Clinic for Tunisia

​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​22 - 23 0ctober 2021



 The International Telecommunication Union in partnership with ISET’Com  organized a virtual “Digital Financial Services (DFS) Security Clinic” for Tunisia  that took place from  22 to 23 October 2021. The DFS security clinic showcased the ITU DFS security lab and share knowledge with regulators, DFS providers, and Central Banks on mitigating threats and vulnerabilities that can impact on the security of digital financial services.

The main objectives of the DFS Security Clinic wereto share findings and lessons learned from security recommendations from the Financial Inclusion Global Initiative (FIGI) which is a joint collaboration of the ITU, World Bank and Bank for International Settlements and supported by the Gates Foundation. The security recommendations assisted DFS ecosystem stakeholders (regulators, providers & financial service providers) to:

  • Identify the different vulnerabilities within the DFS ecosystem, 
  • Implement countermeasures to mitigate these threats and perform continuous assessments on the security of DFS 
  • Build confidence and trust in the use of digital financial services by implementing a framework to manage security risks in the DFS ecosystem. 
The sessions addressed the following areas of focus: ​
  • DFS security vulnerabilities: Insights into the security vulnerabilities of DFS applications and infrastructure:
    • ​USSD, STK and Android platform vulnerabilities and how these can be mitigated.
    • SS7 vulnerabilities and their mitigation measures.
    • Security tests that can be undertaken at the ITU DFS Security Lab. 
  • Implementing the DFS security framework
  • Performing a DFS security assessment.

Participants & Target audience:  The security clinic was intended for those involved in DFS security and policymakers from the telecom/ICT regulator, DFS providers, Central Bank and Students.

Programme



Day 1: Friday  22 October 2021 ​​​​

​09:00 - 09:15
CET
Welcome and Opening Remarks
  • Welcome AddressRyma Abassi, Director, ISET’com
  • Introductory RemarksBilel Jamoussi, Chief of Study Groups Department, TSB, ITU
  • Opening RemarksNizar Ben Néji, Minister of Communications Technologies  (TBC)
​09:15 - 10:30
CET		​Panel 1: Digital finance: Cyber threat & experience sharing
  • ​​SS7 vulnerabilities: Qusai Qaryouti & Mohamed Darweesh, Adaptive Mobile [Presentation]
  • Experience sharing: Haider Harragui and Sofiene Maatallah, ANSI
  • Transmission of sensitive data over public Networks: Threats and Mitigation: Hassan Trabelsi, Advantio [Presentation]
​10:30 - 11:00
CET		​ Coffee Break
​11:00 - 12:15
CET		Panel 2: Digital finance security : Resiliency and Fraud Risk Mitigation 
  • Risk mitigation Framework: Bilel Jamoussi, Chief of Study Groups Department, TSB, ITU [Presentation]
  • Pros and Cons of Blockchain Versus Traditional Payment Systems, Diane Maurice, United States Treasure [Presentation]
  • ​Best practices (Tunisian Post, D17, banks, regulators, etc)
​12:15 - 13:15
CET
​Training Part 1: DFS security vulnerabilities: Infrastructure vulnerabilities and mitigation measures (Mobile Infrastructure vulnerabilities)

Telecom infrastructure vulnerabilities such as SS7 can be exploited by an intruder to intercept calls and SMSs, bypass billing, steal money from mobile money accounts, or affect mobile network operations.  This session presented the main findings of the Security, Infrastructure and Trust Working Group on securing the infrastructure against SS7 vulnerabilities and threats.
  • Qusai Qaryouti & Mohamed Darweesh, Adaptive Mobile [Presentation]
13:15 - 14:30
CET
​Lunch Break
14:30 - 16:00
CET​​		​Training Part 2 : DFS security lab: Testing Android application vulnerabilities that affect DFS

This session introduced the ITU DFS security lab and highlight the vulnerabilities in Android based DFS applications. The session also provided, and an overview of the Android app security tests based on the OWASP Mobile Top 10.
  • ITU DFS Security Lab: Vijay Mauree, Programme Coordinator, ITU [Presentation]
  • Security audit of Android DFS applications: Arnold Kibuuka, Project Officer, ITU [Presentation​]
​16:00
CET
​ Closing Remarks

Day 2: Saturday, 23 October 2021 ​​ ​​

​09:00 - 10:30
CET
Training part 3: DFS Security Assurance Framework and conducting a DFS security assessment

This session discussed the DFS security assurance framework that can be implemented by DFS providers to better manage the risks and mitigate their impact. The session also covered how a Regulator or DFS provider can assess the compliance to the minimum-security controls using the DFS audit guideline. 
  • DFS Security Assurance Framework, Vijay Mauree, Programme Coordinator, ITU [Presentation]
  • DFS security audit guideline, Arnold Kibuuka, Project Officer, ITU [Presentation]
10:30 - 10:45
CET
​Coffee Break
​10:45 - 12:30
CET
Training part 4: DFS security lab: USSD and STK platform vulnerabilities

This session highlighted the vulnerabilities to USSD and STK and Android based applications. Threats like Man in the middle attacks, the SIM jacker vulnerability in SIM Cards  were discussed. The session also provided an overview of the methodology used for performing the USSD and STK security tests at the ITU DFS Security Lab. 
  • ​Security testing for USSD and STK based DFS applications, Arnold Kibuuka, Project Officer, ITU [Presentation​]
​12:30
CET​​

​Certificate Awarding & Closing

​​

© ITU All Rights Reserved

Back to top