Summary of the FIGI Security, Infrastructure and Trust (SIT) Working Group Online Meeting, 16-17 April 2020

The FIGI SIT WG meeting was exceptionally held online due to the COVID-19 outbreak and was attended by a total of 51 remote participants from 20 countries over the two half days. The meeting documents, presentations and draft reports are accessible via the following links from the SIT Working Group Meeting Documents (on SharePoint) page:
- Detailed agenda of the meeting and presentations (see Annex 1)
- Final list of participants

Welcome and Opening remarks

Vijay Mauree, ITU, chaired the e-meeting and opened the floor by welcoming all participants. Dr Bilel Jamoussi, Chief of the ITU-T Study Groups Department, delivered the opening remarks, thanked all participants and emphasized the importance of the work on security in DFS, particularly during the current COVID-19 crisis, in which there is heavy reliance on ICT. Bilel highlighted that the FIGI SIT Working Group was designed to conduct research on security aspects of digital finance, and thus to accelerate digital financial inclusion and trust in developing countries. Bilel pointed out that the Working Group has investigated FinTech security challenges ranging from the underlying telecommunications infrastructure (SS7) to USSD vulnerabilities, consumer authentication, the security of distributed ledger technologies, and the impact of big data analytics and artificial intelligence on data privacy and consumer protection.

Bilel added that the Working Group completed eight deliverables last year and is now working towards finalizing the remaining deliverables in 2020 as planned.

FIGI SIT WG Status

Vijay provided an overview of the achievements of the Working Group in 2019, the work plan for 2020 and the expected milestones this year.

It was noted that as at December 2019, the Working Group had finalized eight outputs, comprising seven technical reports and developer resources for the implementation of FIDO UAF.

Vijay pointed out that the ongoing work items planned for 2020 across all the workstreams include the following technical reports:
- DFS Consumer Competency Framework
- DLT Legal Aspects
- Methodology for QoS KPI measurements for interoperability and cross-border payment use cases
- Security testing of DFS applications based on USSD and STK environments
- Security testing of DFS applications based on Android
- DFS Security Assurance Framework – Part 2
- eKYC use cases
- Study of API use in Digital Financial Services

In addition to the above reports, the Security Test Lab will be established by July/August 2020, and a GitHub page for sharing resources and field work for the DFS Security Assurance Framework and DFS Consumer Competency Framework reports will be explored.

It was also observed that, among the remaining deliverables, two technical reports were on the agenda for approval at this meeting, namely the DFS Consumer Competency Framework and Security testing of DFS applications based on USSD and STK.

There was a question from the audience as to whether there were any specific initiatives related to COVID-19. In this context, Vijay mentioned that ITU was planning a series of webinars highlighting measures to enhance DFS usage; the first one would be on the benefits of Digital ID solutions for governments during the pandemic. Further details will be communicated via the mailing list in due course.

The World Bank was invited to also participate in the upcoming planned webinar on Digital ID benefits during the pandemic.

Actions:
- Members interested in contributing to ITU's webinar are highly encouraged to contact the Secretariat (tsbfigisit@itu.int).
- Helen, World Bank, to inform ITU whether the Digital ID working group would be interested in participating in the webinar.
- Kanwaljit, Gates Foundation, to inform ITU later whether he would participate in the webinar.

Trust Workstream session

Jami Solli and Vijay Mauree introduced the draft report on the DFS Consumer Competency Framework. The report aims to identify the basic competences and skills that will enable consumers to use DFS safely. It is intended as a guide for public authorities, regulators, DFS providers and policymakers when developing consumer education and training programmes for digital financial services. The draft report was presented for approval by the Working Group. It was noted that this version was the third draft, based on the comments received from two meetings of the Trust Workstream and from several organizations (listed in the Acknowledgments section of the report).

Comments from the audience:
- Prioritization of competencies and legal framework: the report is aspirational and not prescriptive. Countries are invited to determine the skills that are critical to them, including how these interact with their legal framework.
- Surveys and financial-literacy data collection: the report features an example of Kenya's financial literacy survey (2019). Dominic Ooko, Communications Authority of Kenya, was invited to share the main conclusions of this survey. He pointed out that the study results in Kenya showed that the male gender has a slightly higher level of financial literacy, as does the urban population. In addition, most people rely on their friends and family for financial advice.
- Accessibility: ITU confirmed that the framework includes proactive steps for enabling access for the physically challenged. ITU stressed, however, that it was up to the countries to implement these measures at their level.
- COVID-19: it was suggested to include the emergence of new types of fraudulent schemes and other issues which may challenge competencies.

The draft report was approved by the Working Group.

Action:
- Members were given an additional two weeks after the meeting to provide any further comments of an editorial nature by email to the FIGI SIT Secretariat (tsbfigisit@itu.int) before 4 May 2020.

Security Workstream - Authentication Group

Presentation of Jeremy Grant, Venable

Jeremy provided an overview of the FIDO open authentication standards, which aim at an enhanced user experience by offering secure authentication without passwords. An update on FIDO was provided during the presentation.

Jeremy highlighted that with password authentication, phishing had become a major threat. For this reason, Jeremy stressed that FIDO is multifactor authentication and can effectively combat phishing attacks.

It was noted that FIDO's new Working Group on IoT Security and eKYC organized a webinar that explains IoT device authentication further; members can follow the discussion on IoT authentication using the link: .

Ramesh Kesanupalli, Digital Trust

Ramesh presented the DID Alliance, whose goal is to provide a unique digital address to everyone to reinforce trust and accountability. He pointed out that the core principles of the DID Alliance are:
- It will not own user identity or keep identity data.
- Personal identity data should remain with the issuing sources, with no consolidation anywhere.
- Data disclosures should be at the user's discretion, with their consent.
- Identity issuers and users are included in the value chain.
- People who do not have a presentable identity, do not have a smartphone, or are not technically savvy are included.

Ramesh added that, while FIDO proposes an authentication component, the DID Alliance proposes an identity layer which complements FIDO. It was observed during the discussion that, although DID does not prescribe an authentication method, it is critical that FIDO credentials are used.

Presentation of Kim Hamilton, MIT

Kim presented Standards for Decentralized ID (DID), the models of identity and the standards-track status. She distinguished between centralized identity, federated identity and decentralized (self-sovereign) identity. She added that in a decentralized ID ecosystem, DIDs allow individuals to make verifiable claims about their identity, and gave some of the relevant use cases of DIDs, including KYC, GLEIF and Consys. DIDs offer a decentralized identity management system to address the shortcomings of existing decentralized solutions such as blockchain-based credentialing.

Matthew Davie, KIVA

Matthew Davie, KIVA, was not able to present as he had to leave the meeting due to other commitments. His presentation is accessible as .

Security Workstream - Infrastructure Security Group

Assaf Klinger, Vaulto, gave a presentation on the SS7 work in ITU-T Study Group 11 following the publication of the SIT WG report on Mitigating the SS7 Vulnerabilities. The report proposed recommended measures for DFS providers and mobile network operators, and strategies for regulators, to mitigate SS7 vulnerabilities. The report was presented to ITU-T Study Group 11 and three work items were subsequently initiated.

Among the work items initiated in ITU-T Study Group 11 following the presentation of the FIGI SIT WG report on Mitigation of SS7 Vulnerabilities is draft Recommendation ITU-T Q.3057, which proposes similar requirements and an architecture for interconnection between trustable network entities. It is in the process of being approved as an international technical standard in July 2020.

The next steps for the Infrastructure Security Group are to organize awareness activities, such as virtual Security Clinics, to promote the recommendations in coordination with regulators. The group is also working on facilitating the implementation of the series of recommendations from the report.

Questions from the audience
- Is the investment required to protect against SS7 vulnerabilities worthwhile, given that in countries like Nigeria USSD is only allowed for low-value transactions? Assaf responded that DFS providers must abide by transaction value regulations and in doing so lose business. However, by mitigating the SMS OTP and SS7 vulnerabilities, the maximum transaction value can be increased, boosting their revenues and increasing the use of USSD-based DFS services.
- Who would be running the root CA in the Q.3057 model? Assaf indicated that it was up to the national regulator to decide; however, this issue is currently open for discussion.

Vijay summarized the main discussions at the end of the meeting on 16 April 2020 and thanked members for their participation.

Day 2: 17 April 2020 – 15:00 – 18:05 CEST

Vijay welcomed members to the second day of the e-meeting.

Security Workstream – Application Security Group

Presentation of the Draft Report on Security testing for USSD and STK based Digital Financial Services applications

Arnold Kibuuka, ITU, presented the draft report on Security testing for USSD and STK based Digital Financial Services applications. Arnold introduced the various security threats and vulnerabilities affecting USSD and STK, and explained how USSD and STK based DFS applications can be exploited by external and internal threat vectors. Kevin Butler, University of Florida, presented the best practices and recommended mitigation measures for DFS providers and mobile network operators, and strategies for regulators, to counter attacks on USSD and STK DFS applications.

Question from the audience
- Why hasn't industry paid more attention to SS7, since it has a potential impact on digital financial services? Kevin B. cited the entrenched nature of the infrastructure as one of the reasons. He recalled that SS7 originates from the time when telcos were nationalized, before the desegregation of telecom services in the 90s. Assaf pointed to two other issues: financial literacy and the regulatory gap between the telecom regulator and the financial regulator. Telcos are not looking for solutions to encrypt or solve SS7 vulnerabilities, because it is costly and they are not mandated to. Likewise, DFS providers are not held responsible. DFS providers use the lack of financial literacy skills and abusive terms and conditions to transfer the risk of the SS7 security issues to consumers. Meanwhile, the financial regulator defers the responsibility for telecom issues, and for frauds, to the DFS providers.

Stiepan Kovac, QRCrypto SA, observed that the quantum encryption of SIM cards mentioned during the presentation was an essential technology to protect DFS services, since it offers USSD end-to-end encryption. His organization is working on this and will share its findings at the upcoming meeting of ITU-T Study Group 11.

The report on Security testing for USSD and STK based Digital Financial Services applications was approved. Members will have an additional two weeks after the meeting to provide any further comments of an editorial nature by email to the FIGI SIT Secretariat (tsbfigisit@itu.int).

Empirical Study of Wireless Carrier Authentication for SIM Swaps presentation

Kevin Lee, Princeton University, presented his research project on the "Empirical Study of Wireless Carrier Authentication for SIM Swaps". His presentation demonstrated how easy it is for attackers to perform SIM swaps. Kevin also explained how the phone-based authentication offered by online services is affected by SIM swaps. To conclude, Kevin proposed a series of recommendations for carriers to combat SIM swaps.

Question from the audience
- How is the issue of SIM swaps addressed in other countries? In Nigeria, there is a watchlist for SIM swaps. In India, a SIM swap is allowed only with a government ID and the physical presence of the person.

PCI DSS Security Certification presentation

Daphne Yao, Virginia Tech, gave a presentation on open source testbeds and measurements for PCI DSS security certification in the Payment Card Industry (PCI). She pointed out that PCI offers a comprehensive set of specifications and best practices for the payment card industry, and that through an extensive auditing process merchants can obtain a PCI security certificate to prove compliance. Daphne detailed how practical measurements are done using scanners and testbeds to test compliance with some of the main PCI DSS requirements. To conclude, Daphne shared two open source GitHub projects, including BuggyCart, that can be used to test and scan for PCI DSS compliance.

Action:
- The links to the results and open source tools are to be sent to Kevin Butler for the FIGI SIT Secretariat to circulate to the mailing list.

DFS Security Lab

Vijay Mauree, ITU, presented the objectives of the DFS Security Lab and an update on its status. The main objectives of the DFS Security Lab are to:
- Investigate the security of DFS applications operating on USSD and STK environments (completed February 2020) and Android platforms (to be completed in July 2020).
- Demonstrate strong authentication technologies based on FIDO (completed September 2019).
- Establish a test platform for conducting security tests of DFS applications (scheduled for July 2020).
- Provide recommendations and best practices for developers: recommendations and best practices for using FIDO and securing DFS applications based on USSD and STK environments (completed February 2020), and recommendations for developers of Android DFS applications (scheduled for July 2020).

Arnold Kibuuka, ITU, presented the Lab tools for USSD, STK and Android testing.

DFS Security Assurance Framework

Vijay mentioned that the technical report on the DFS Security Assurance Framework, which was approved in November 2019, was submitted to the ITU-T Study Group 17 meeting in March 2020.

Since this is meant to be a living document, it is planned to upload it to GitHub. Once the document is uploaded to GitHub, the details will be sent to members so that they can contribute to its maintenance. Members interested in contributing to the maintenance of the document are invited to contact the FIGI SIT WG Secretariat.

The Application Security Group is now working on the audit and implementation checklist for the DFS Security Assurance Framework, which will be completed in June 2020.

Second Trust Workstream session

Rory Macmillan briefly introduced the recommendations of the technical report on Big Data, Machine Learning, Consumer Protection and Privacy.

Alexandra Rizzi, ACCION, delivered a presentation on Responsible Digital Credit. Alexandra presented the Smart Campaign, a community that developed digital credit standards through an extensive process to protect the financial consumer. It was noted that these standards are used as a guide to good practice and are not yet used to certify organizations, due to a lack of data and benchmarking issues.

Observations from the audience
- ACCION noted that the biggest gaps lie in responsible pricing, data security, privacy and servicing.
- Dominic Ooko, Communications Authority of Kenya, noted that in Kenya the most pressing issue was the pricing of loans, and that given the current COVID-19 situation, defaults on loans should not result in blacklisting.
- Realeboha Lekhanya, Bankers Association of Lesotho, noted that in Lesotho digital lending was the most traditional type of loan.

Data Privacy session at FIGI Symposium 2021

It was recalled that the FIGI Symposium, originally scheduled for June 2020, had been postponed to 2021 due to COVID-19. One of the sessions on the draft programme is a panel on data security and privacy. It was agreed to include data privacy measures for digital credit as one of the topics for the panel.

Quality of Service (QoS) Workstream

Vijay Mauree, ITU, provided a brief update on the activities of the QoS Workstream, and advised that it had already completed one use case last year, which resulted in the report on Methodology for measurement of Quality of Service (QoS) Key Performance Indicators (KPIs) for DFS. This report was submitted to ITU-T Study Group 12 and was subsequently approved as an ITU-T Recommendation in December 2019. The scope is now being expanded to a new project covering additional use cases on interoperability and cross-border mobile money payments in Ghana, Rwanda and Uganda.

Wolfgang Balzer, Focus Infocom, presented the project, stressing its focus on measuring the technical performance of cross-border mobile money payments. The purpose of the tests is to measure money transfers in a controlled environment and assess the influence of the mobile networks involved. The measurements are carried out by onsite teams put forward by the national telecom regulators in the three countries. A snapshot of the results is expected at the end of May 2020.

Questions from the audience:
- Rory Macmillan noted that, although cross-border interoperability adds a feature to the service, it also exposes providers to competition from other countries. Wolfgang observed that there is no technical evidence of that.
- Driss Choukri, Central Bank of Morocco, raised the issue of cross-border multicurrency transfer systems and foreign exchange conversion.

It was noted that this methodology is expected to be finalised by August 2020 and will be presented in the format of a capacity-building session at the FIGI Symposium 2021. The methodology will also be presented to the Study Group 12 meeting for standardization. Countries interested in holding a workshop on the topic can contact ITU. It was observed that workshops had been held during the Study Group 12 regional meetings in 2019 and 2020. Vijay noted that the workshop could also be held virtually. Interested countries were invited to reach out to the FIGI SIT Secretariat.

Closure of the meeting

Vijay thanked everyone for their participation, with special thanks to the speakers for their presentations and to the workstream leaders for their dedication.

The next meeting of the FIGI SIT WG will take place at the end of May 2020. It will be an e-meeting over half a day and will focus on the remaining FIGI SIT reports.

Annex 1

Agenda, FIGI Security, Infrastructure and Trust Working Group e-Meeting

Day 1: 16 April 2020

15:00 – 15:15 Welcome – Vijay Mauree, TSB, ITU & SIT WG Chair [SIT-0091]

15:15 – 16:00 Session 1: Trust Workstream. Chair: Vijay Mauree & Jami Solli
- Draft DFS Competency Framework [Report: SIT-0088] – Vijay Mauree, TSB, ITU
- Discussion on the DFS Competency Framework

16:00 – 18:00 Session 2: Security Workstream - Authentication Group. Chair: Abbie Barbir
- FIDO: open standards for digital ID and authentication [SIT-0093] – Jeremy Grant, Venable
- DID Alliance [SIT-0092] – Ramesh Kesanupalli, CEO, Digital Trust
- Standards for Decentralised ID [SIT-0083] – Kim Hamilton, Digital Credentials Consortium, MIT
- Update on Implementation of Digital Credit System in Sierra Leone [SIT-0082] – Matthew Davie, KIVA

18:00 – 18:20 Session 3: Security Workstream - Infrastructure Security Group. Chair: Assaf Klinger
- Presentation on SS7 Work in ITU-T Study Group 11 following the report of the SIT WG on Mitigating the SS7 Vulnerabilities [SIT-0087] – Assaf Klinger, Vaulto
- Discussion on next steps where FIGI could intervene (e.g. awareness event or other activities)

18:20 – 18:30 Summary of Day 1 & Closing

Day 2: 17 April 2020

15:00 – 16:45 Session 4: Security Workstream – Application Security Group. Chair: Kevin Butler
- DFS Application Security Tests for USSD, STK [Draft Report SIT-0085] [Presentation SIT-0086] – Kevin Butler, University of Florida and Arnold Kibuuka, ITU
- An Empirical Study of Wireless Carrier Authentication for SIM Swaps [SIT-0089] – Kevin Lee, Princeton University
- Security Certification in Payment Card Industry: Testbeds, Measurements, and Recommendations [SIT-0084] – Daphne Yao, Virginia Tech
- DFS Security Lab [SIT-0094] – Vijay Mauree and Arnold Kibuuka, ITU

16:45 – 17:30 Session 5: Trust Workstream. Chair: Rory Macmillan & Vijay Mauree
- Responsible Digital Credit [SIT-0090] – Alex Rizzi, Centre for Financial Inclusion
- Data Privacy session for FIGI Symposium – Rory Macmillan

17:30 – 17:50 Session 6: QoS Workstream. Chair: Vijay Mauree
- Update on activities in QoS Workstream – Wolfgang Balzer, Focus Infocom

17:50 Close of meeting