Page 17 - FIGI: Digital Financial Services security audit guideline

(continued)

| Impacted DFS Entity | Group | Risk and vulnerability | Control | Security audit question | Applicable policy or procedure |
|---|---|---|---|---|---|
| DFS provider | Fraud Detection | Unauthorized changes to system configuration and log files and data (SD: Data Integrity) | C59: Protect against tampering and allow only online transactions. a) Protect and monitor DFS application files from tampering and changes using file integrity monitors, e.g., by calculating checksums or validating digital signatures. b) By policy, the DFS provider or merchant should not use the mobile payment solution to authorize transactions offline or store transactions for later transmission. | Does the app store transactions for later transmission? | Operations security: Operational procedures and responsibilities |
| DFS provider | Authentication | Inadequate user access validation or user input validation (SD: Authentication) | C60: Use strong multi-factor authentication for user and 3rd party provider access to DFS systems, e.g., token or biometrics; the use of multi-factor authentication to verify system users increases non-repudiation of origin. | Is multi-factor authentication used for authenticating users? | Access control Policy - System and application access control |
| DFS provider | Authentication | Inadequate user access validation or user input validation (SD: Authentication) | C61: Check incoming data against expected values in the API-related data schema; for USSD, perform XML validation, e.g., input validation, amounts, special characters in amounts, currency checks, etc. | Is the DFS provider performing XML validation of data through APIs and USSD requests? | Communications security - Information transfer |
| DFS provider | Authentication | Inadequate user access validation or user input validation (SD: Authentication) | C62: Use analytics systems to check user velocity between transactions and track transaction time of day for additional authorization validation checks. | Does the DFS system have the capability to detect out-of-pattern transactions based on customer profile? Is the DFS provider performing checks based on user transaction profile, e.g., agent shops performing late transactions, DFS users performing transactions in two different locations? | Access control Policy - System and application access control |
| DFS provider | Authentication | Inadequate user access validation or user input validation (SD: Authentication) | C63: Regardless of the method used for producing receipts (e.g., e-mail, SMS, or attached printer), the method should mask the Primary Account Number (PAN) in support of applicable laws, regulations, and payment-card policies. By policy and practice, the DFS provider/merchant should not permit the use of non-secure channels such as e-mail and SMS to send PAN or Sensitive Authentication Data (SAD). | Does the DFS app store or transmit Personal Account Number/Sensitive Authentication Data in plain text over SMS/email? | Asset management - Media handling |
| MNO | Network Security | Inherent SS7 security weakness[iii] (SD: Communication Security) | C70: Ensure all sensitive consumer data such as PINs and passwords are securely stored with strong encryption algorithms within the internal network and while at rest to mitigate internal threats against this data. | Are the encryption algorithms and keys used strong enough to protect customer PINs and data? | Cryptography - Cryptographic controls |
| MNO | Network Security | Inherent SS7 security weakness[iii] (SD: Communication Security) | C71: Use firewalls to detect and limit attacks based on SS7 security flaws. | Does the MNO have a firewall in place to detect and protect against external SS7-based attacks? For example, firewall protection against subscriber traffic interception and unauthorized USSD and SM use. | Communications security - Network security management |
| MNO | Access control | Interception of MO-USSD transactions (SD: Communication Security) | C72: Check if the IMEI of the device performing the transaction matches the registered IMEI of the account holder's phone (a MITM system may clone the SIM with a different IMEI). | Is the DFS provider performing real-time device validation before transaction processing? | Access control Policy - System and application access control |
| MNO | Network security | Unprotected sensitive traffic and weak encryption practices (SD: Communication Security) | C73: Monitor user velocity by comparing the location of the phone used to perform transactions to the last reported location of the phone (last in/out SMS or call). | Is the DFS provider performing user transaction geo-velocity checks before transaction processing? | Access control Policy - System and application access control |
| MNO | Network Security | Unprotected sensitive traffic and weak encryption practices (SD: Communication Security) | C74: MNOs should enforce the use of the Personal Unlocking Key (PUK) on the SIM card for additional security in case the mobile device is lost or stolen. | Does the MNO enforce use of the Personal Unlocking Key on SIM cards to reduce the risk associated with stolen SIMs that are used for DFS? | Communications security - Information transfer |
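As an added illustration of the profile checks that controls C62 and C73 call for (this is not code from the guideline), the following Python flags out-of-pattern transactions in a constructed batch: an implied travel speed between a user's consecutive transactions above an assumed 500 km/h ceiling, and agent-shop transactions inside an assumed late-hour window. The thresholds, the sample coordinates and the record layout are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 500.0                        # assumed ceiling on plausible travel speed
LATE_HOURS = {22, 23, 0, 1, 2, 3, 4}   # assumed "late" window for agent shops (local time)

@dataclass
class Txn:
    user: str
    when: datetime        # local time of the transaction
    lat: float
    lon: float
    agent: bool = False   # True for an agent-shop account

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine, mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def flag_transactions(txns):
    """Return (user, timestamp, reason) for every transaction that breaks a profile rule."""
    flags, last_seen = [], {}
    for t in sorted(txns, key=lambda x: x.when):
        if t.agent and t.when.hour in LATE_HOURS:
            flags.append((t.user, t.when, "late-hour agent transaction"))
        prev = last_seen.get(t.user)
        if prev is not None:
            dist = km_between(prev.lat, prev.lon, t.lat, t.lon)
            hours = (t.when - prev.when).total_seconds() / 3600
            if hours <= 0:   # same-second transactions from two places: infinitely fast
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > MAX_KMH:
                flags.append((t.user, t.when, f"geo-velocity {speed:.0f} km/h over {dist:.0f} km"))
        last_seen[t.user] = t
    return flags

# Constructed sample records (not real customer data); user-1 moves ~440 km in 30 minutes.
SAMPLE = [
    Txn("user-1", datetime(2024, 5, 1, 10, 0), -1.29, 36.82),
    Txn("user-1", datetime(2024, 5, 1, 10, 30), -4.04, 39.67),
    Txn("user-2", datetime(2024, 5, 1, 9, 0), -1.29, 36.82),
    Txn("user-2", datetime(2024, 5, 1, 10, 0), -1.30, 36.83),
    Txn("agent-7", datetime(2024, 5, 1, 2, 15), -1.29, 36.82, agent=True),
]

if __name__ == "__main__":
    for user, when, reason in flag_transactions(SAMPLE):
        print(user, when.isoformat(), reason)
```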



