Page 16 - FIGI: Digital Financial Services security audit guideline

(continued)

Columns: Impacted DFS entity | Group | Risk and vulnerability | Control | Security audit question | Applicable policy or procedure

Impacted DFS entity: MNO
Group: Authentication
Risk and vulnerability: Inadequate controls for user identification and verification before SIM swap and SIM recycling (SD: Authentication)
Control: C52: MNOs should ensure that an identity verification process is in place before SIM swaps are performed.
Security audit question: Are processes and policies in place to ensure that identity verification is in place prior to SIM swap operations? Are there technical mechanisms in place to prevent any leakage or transfer of information until the SIM swap has been confirmed?
Applicable policy or procedure: Access control Policy - User access management

Impacted DFS entity: MNO
Group: Authentication
Risk and vulnerability: Inadequate controls for user identification and verification before SIM swap and SIM recycling (SD: Authentication)
Control: C53: The user's identity should be verified using a combination of something they are, something they have, or something they know. For example, with the presentation of a valid ID, biometric verification, and knowledge of the DFS account details before a SIM swap/SIM replacement is performed.
Security audit question: Does the mobile network operator perform biometric authentication before SIM swaps or SIM replacement?
Applicable policy or procedure: Access control Policy - User access management

Impacted DFS entity: MNO
Group: Authentication
Risk and vulnerability: Inadequate controls for user identification and verification before SIM swap and SIM recycling (SD: Authentication)
Control: C54: DFS and Payment Service Providers should be able to detect in real time whenever a SIM card with DFS services has been swapped or replaced, and perform further verification before any high-value transaction or account changes are authorised with the new SIM.
Security audit question: Is the DFS provider able to detect a SIM swap or SIM change for a DFS account?
Applicable policy or procedure: Access control Policy - System and application access control

Impacted DFS entity: MNO
Group: Authentication
Risk and vulnerability: Inadequate controls for user identification and verification before SIM swap and SIM recycling (SD: Authentication)
Control: C55: The mobile operator should safeguard and securely store SIM data like IMSI and SIM secret key values (Ki values).
Security audit question: Does the mobile network operator securely store SIM data like IMSI, Kc and Ki?
Applicable policy or procedure: Asset management - Media handling

Impacted DFS entity: MNO
Group: Authentication
Risk and vulnerability: Inadequate controls for user identification and verification before SIM swap and SIM recycling (SD: Authentication)
Control: C56: A mobile number recycling process should be in place that involves communicating with DFS providers on Mobile Subscriber Identification Numbers (MSISDN) being churned or recycled (in this context, number recycling is when the MNO reallocates a dormant/inactive MSISDN to a new customer). When a SIM is recycled, the mobile operator will report a new IMSI for the related account phone number. The DFS provider should block the account until the identity of the new person holding the SIM card is verified as the account holder.
Security audit question: Is the DFS provider involved in the SIM recycling process for DFS accounts?
Applicable policy or procedure: Asset management - Media handling

Impacted DFS entity: (same as above)
Group: Privacy and Confidentiality
Risk and vulnerability: Mobile device theft (SD: data confidentiality)
Control: C57: DFS users should have the ability to perform remote wipes on a mobile device and to encrypt their data in case the device is lost or stolen.
Security audit question: Does the application or underlying operating system provide support for remote wipes of DFS data or of the mobile device, and are there mechanisms in place to ensure that data is encrypted in the event of device loss or theft?
Applicable policy or procedure: Operations security - Operational procedures and responsibilities

Impacted DFS entity: DFS Provider
Group: Access control
Risk and vulnerability: Inadequacies in SIM swap and recycling process[ii] (SD: data integrity)
Control: C58: DFS providers should ensure they have procedures in place to detect and avert suspicious SIM swaps and SIM recycling by:
  a) checking whether the IMSI associated with the phone number has changed; this is an indication of a SIM swap.
  b) If there is an indication of a SIM swap, checking the IMEI of the phone holding the SIM. If the IMEI has also changed, there is a high probability of a SIM swap. In that case, the DFS provider should block the account until account verification procedures have been performed, for example, via a voice call or an agent.
Security audit question: Are there procedures in place for the DFS provider to detect suspicious SIM swaps and SIM recycling?
Applicable policy or procedure: Operations security - Operational procedures and responsibilities
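The detection flow of C54, C56 and C58 carried through as a decision routine a DFS provider could run before authorising a transaction. This is an added example, not code from the guideline: the record fields, the sample identifiers and the high-value threshold are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up verification"  # C54: verify before high-value tx / account changes
    BLOCK = "block"                    # C56 / C58 b): hold account until identity re-verified

@dataclass
class AccountRecord:
    """Last known SIM binding for a DFS account (field names are assumptions)."""
    msisdn: str
    imsi: str               # IMSI last bound to this account
    imei: str               # handset last seen with that SIM
    recycled: bool = False  # set when the MNO reports the MSISDN as churned/recycled (C56)

@dataclass
class Transaction:
    msisdn: str
    imsi: str
    imei: str
    amount: float
    account_change: bool = False  # e.g. PIN reset or linked-account change

HIGH_VALUE = 1000.0  # constructed threshold; a real provider sets its own

def assess(record: AccountRecord, tx: Transaction) -> tuple[Decision, str]:
    """Apply the C54/C56/C58 checks and return the decision with an auditable reason."""
    if tx.msisdn != record.msisdn:
        return Decision.BLOCK, "MSISDN does not match account record"
    if record.recycled:
        return Decision.BLOCK, "MSISDN reported recycled by MNO (C56)"
    if tx.imsi == record.imsi:
        return Decision.ALLOW, "IMSI unchanged"
    # C58 a): an IMSI change is an indication of a SIM swap
    if tx.imei != record.imei:
        # C58 b): IMSI and IMEI both changed -> high probability of SIM swap
        return Decision.BLOCK, "IMSI and IMEI changed: probable SIM swap (C58 b)"
    # SIM changed but same handset: C54 requires further verification before
    # high-value transactions or account changes on the new SIM
    if tx.amount >= HIGH_VALUE or tx.account_change:
        return Decision.STEP_UP, "IMSI changed: verify before high-value/account change (C54)"
    return Decision.ALLOW, "IMSI changed on same handset, below high-value threshold"

# Constructed sample record (not a real subscriber)
KNOWN = AccountRecord(msisdn="255700000001", imsi="640010000000001", imei="356938035643809")
```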
