Page 22 - Security testing for USSD and STK based Digital Financial Services applications Security, Infrastructure and Trust Working Group
4.1 Best practices to mitigate against retrieval of user data

i. Use TLS v1.2 or higher to secure the connections between the SMSC gateway, the USSD gateway, and the DFS application server.
ii. The mobile operator should ensure that secure radio encryption is used between users' devices and base stations.
iii. Use a session timeout on the client side to limit the window in which requests and responses can be altered.
iv. Deploy USSD PIN masking whenever possible.
v. Follow the development of technologies that secure mobile payments by encrypting USSD messages on the device (with decryption on the MNO side). With the emergence of quantum-computing-resistant encryption schemes that have low performance requirements, end-to-end encryption of USSD becomes a viable possibility, even within existing 2G networks. ITU-T Study Group 11, which focuses on signalling requirements, protocols and test specifications, is currently working on a technical report (to be published in 03/2021) that will survey these technologies and suggest applications to be integrated into USSD signalling, both on the core-network side and in the user equipment (within the SIM card).
vi. Ensure there is an auditable process in place to review access to traces and logs on interfaces that use inherently insecure protocols.
vii. Give customers the option to opt out of the USSD and STK channels for financial transactions, especially those customers who can access the DFS using an app.
viii. Set transaction limits for customer withdrawals and transfers over the USSD channel, per customer and per day, as may be required.

4.2 Best practices to mitigate SIM swap and SIM recycling risks 13

i. Device authentication is one way of improving endpoint security: by tracking the IMEIs of the devices used to access mobile money, an account that changes devices can be flagged.
ii. The user's identity should be verified using a combination of something they are, something they have and something they know, for example presentation of a valid ID, biometric verification, and knowledge of the DFS account details, before a SIM swap or SIM replacement is performed.
iii. DFS and payment service providers should be able to detect in real time whenever a SIM card associated with DFS services has been swapped or replaced, and should perform further verification before authorizing any high-value transaction or account change from the new SIM.
iv. The MNO should design a mobile number recycling process that involves communicating with DFS providers about Mobile Station International Subscriber Directory Numbers (MSISDNs) that have churned or been recycled. (In this context, number recycling is when the MNO reallocates a dormant or inactive MSISDN to a new customer.) When a SIM is recycled, the mobile operator reports the new IMSI associated with the account phone number. The DFS provider should block the account until the identity of the new person holding the SIM card has been verified as the account holder.
v. The mobile operator should safeguard and securely store SIM data such as the IMSI and the SIM secret key values (Ki values).

4.3 Best practices to avoid remote USSD execution on devices

i. Android device owners should disable the ADB interface, and device vendors should not ship products with the Android Debug Bridge enabled over a network.
ii. DFS users should be educated on the dangers of connecting to public Wi-Fi networks and on how to handle the risks associated with app permissions. In particular, DFS users should be aware of the privacy implications of granting permissions to an app on a device; if the permissions an app requests are too invasive, they should avoid installing it.
iii. Avoid using rooted devices for DFS transactions, and ensure that device software is updated regularly; regular updates safeguard the devices against malware and spyware.

4.4 Best practices to mitigate SIM exploitation using binary OTA

i. SMS filtering: remote attackers rely on mobile networks to deliver binary SMS to and from victim phones. Mobile operators should implement blocking of the ability to send and receive binary