“One word. Trust.”
“If the consumer or the user trusts that this new device and new solution will provide them the service that they want, with the security and privacy aspects, and that they are not going to lose their money, then people will use it more and more.”
This is the view of Bilel Jamoussi, Chief of the ITU-T Study Groups Department, a view that captures the motivations behind the Fintech security work of the Financial Inclusion Global Initiative (FIGI).
FIGI is designed to advance research in digital finance and accelerate financial inclusion in developing countries. FIGI is led by ITU, the World Bank Group, and the Committee on Payments and Market Infrastructures, with support from the Bill & Melinda Gates Foundation.
1.7 billion people are still without access to bank accounts. But, among them, 1.1 billion have a mobile phone.
The potential for digital channels to support financial inclusion is clear, but FIGI’s work has shown that security and trust will be key to their success.
Last week’s FIGI Security Clinic presented the latest findings of the ITU-led FIGI Working Group on ‘Security, Infrastructure and Trust’.
In focus were new FIGI reports on topics including the mitigation of security vulnerabilities in Signalling System 7 (SS7), digital identity and strong authentication, and security assurance frameworks to increase security across the value chain.
SS7 was standardized by ITU in the late 1970s. It enables all telcos to interconnect and will remain in use for years to come.
But SS7 was designed as a ‘walled garden’. Entry to the SS7 network was intended to be highly regulated. Security was not considered in the design of SS7, on the assumption that only trusted telcos would be granted access to SS7’s walled garden.
“Today this approach is completely untrue,” says Assaf Klinger, Head of R&D at Vaulto Technologies. “Today a lot of actors, and even a lot of bad actors, are connected to the SS7 network … I’m sure you’ve gotten a lot of SMS spam.”
Why is that important in the context of digital financial services (DFS)?
“Because DFS in developing countries is mostly on infrastructure for cellular and mobile money … and cellular networks in the developing world are usually second-generation networks,” says Klinger.
Klinger emphasizes the need to raise awareness of SS7’s vulnerabilities and their countermeasures.
He highlights two key contributions being made by ITU.
“One is to standardize and add more security features to the existing legacy networks and the second one is to educate and promote the roundtable discussion between the telecom and the financial regulators.”
Vaulto Technologies is an SME participating in ITU standards work for SS7 security as part of a pilot project offering SMEs free-of-charge participation. This pilot project will be succeeded by a new category of ITU membership for SMEs characterized by a greatly reduced membership fee.
“We don’t want digital financial services to be built on the wrong foundation, which is the password,” says Abbie Barbir, Rapporteur for ITU standardization work on ‘Identity management architecture and mechanisms’ (Q10/17).
Over 3 billion usernames and passwords were stolen in 2016, and the number of data breaches recorded in 2017 was 44.7 per cent higher than in 2016.
FIGI’s work on customer authentication is supporting the shift away from the ‘shared secret’ model of authentication, principally the username-password model.
The prevalence of data breaches has jeopardized the shared secret model: once a password database is breached, the secret is no longer shared only between the user and the service.
Designed to overcome the limitations of passwords, specifications developed by the FIDO Alliance (‘Fast Identity Online’) enable users to authenticate locally to their device using biometrics, with the device then authenticating the user online with public key cryptography.
“Instead of a username and password, I could rely on biometrics but these [biometrics] never leave the device,” explains Kim Hamilton-Duffy, Researcher at MIT.
Because the private key stays on the device and signatures are bound to the legitimate service, this model is not susceptible to phishing, man-in-the-middle attacks or other attacks that target user credentials.
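To make the FIDO-style flow concrete, here is an added example (not code from the original article, the FIDO Alliance or ITU): a simplified device-side authenticator and relying-party server in Go. It assumes a constructed bank origin and user name, uses Ed25519 from the standard library in place of the full FIDO/WebAuthn protocol, and represents the local biometric check as a boolean. It shows registration (only the public key leaves the device), a challenge-response login, why a look-alike phishing origin gets no signature, and why a replayed assertion is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the user's device: one key pair per relying-party
// origin, and private keys never leave this struct. The biometricOK flag
// passed to Authenticate stands in for the local biometric check.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register mints a key pair scoped to origin and returns only the public half.
func (a *Authenticator) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return pub, nil
}

// Assertion is what the device returns: the origin it actually talked to,
// the challenge it was handed, and a signature covering both.
type Assertion struct {
	Origin    string
	Challenge []byte
	Signature []byte
}

func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Authenticate is invoked by the page at origin. The device signs only if the
// local user check passed and it holds a credential for exactly that origin,
// so a look-alike phishing domain receives nothing usable.
func (a *Authenticator) Authenticate(origin string, challenge []byte, biometricOK bool) (*Assertion, error) {
	if !biometricOK {
		return nil, errors.New("local user verification failed")
	}
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no credential registered for origin " + origin)
	}
	sig := ed25519.Sign(priv, signedMessage(origin, challenge))
	return &Assertion{Origin: origin, Challenge: challenge, Signature: sig}, nil
}

// RelyingParty models the DFS provider's server: it stores public keys only,
// issues single-use random challenges, and checks origin, freshness and signature.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]ed25519.PublicKey // user -> public key
	pending map[string]bool              // outstanding challenges, hex-encoded
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

func (rp *RelyingParty) StoreCredential(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c, nil
}

func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if as.Origin != rp.Origin {
		return errors.New("assertion was produced for a different origin: " + as.Origin)
	}
	key := hex.EncodeToString(as.Challenge)
	if !rp.pending[key] {
		return errors.New("challenge unknown or already used (replay)")
	}
	delete(rp.pending, key) // each challenge is valid exactly once
	if !ed25519.Verify(pub, signedMessage(as.Origin, as.Challenge), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo runs three flows against a constructed setup: a genuine login (nil error),
// a phishing attempt from a look-alike origin (error), and a replay of the
// genuine assertion (error).
func Demo() (genuine, phished, replayed error) {
	const bank = "https://dfs-bank.example" // constructed origin, not a real service
	device, rp := NewAuthenticator(), NewRelyingParty(bank)
	pub, err := device.Register(bank)
	if err != nil {
		return err, err, err
	}
	rp.StoreCredential("alice", pub)
	ch, err := rp.NewChallenge()
	if err != nil {
		return err, err, err
	}
	as, err := device.Authenticate(bank, ch, true)
	if err != nil {
		return err, err, err
	}
	genuine = rp.Verify("alice", as)
	// Phishing: a look-alike page relays a real challenge, but the device holds
	// no credential for that origin and refuses to sign.
	ch2, _ := rp.NewChallenge()
	_, phished = device.Authenticate("https://dfs-bank-login.example", ch2, true)
	// Replay: resubmitting the already-consumed assertion is rejected.
	replayed = rp.Verify("alice", as)
	return genuine, phished, replayed
}

func main() {
	g, p, r := Demo()
	fmt.Println("genuine login:", g, "| phishing attempt:", p, "| replay:", r)
}
```

The server never sees a biometric or a private key, only a public key and signed challenges, which is the property that makes a breach of the server's credential store far less damaging than a breach of a password database.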
Google, Microsoft and Apple are among the companies incorporating FIDO specifications into their products. FIDO authentication is supported by the majority of devices and browsers on the market.
FIGI’s work on next-generation authentication has been influential in ushering FIDO specifications into the ITU standardization process. The December 2018 approval of FIDO specifications as ITU international standards ITU X.1277 and ITU X.1278 is expected to stimulate their adoption globally.
“The security risk is not only the concern of the bank or the DFS provider. It also concerns all the other players that are involved in the industry in providing the service … security is only as strong as the weakest link in the chain,” says Vijay Mauree, Programme Coordinator for ITU’s work on digital financial inclusion.
DFS security demands coordinated defences across all of these players, attuned to evolving security threats.
“From various version to various version, the report grows,” says Leon Perlman, Head of the DFS Observatory at Columbia University, speaking of the FIGI report on the security aspects of blockchain and distributed ledger technologies.
“There are vulnerabilities that are exposed, if you will, everyday … literally every day, from the base use cases around distributed ledger technology to the end-user,” says Perlman.
FIGI’s blockchain report will remain a ‘living document’ incorporating the latest information as it becomes available.
Another key FIGI living document provides a ‘Security Assurance Framework’ describing the security considerations relevant to each actor in the DFS value chain.
The framework speaks to everyone in the DFS ecosystem, “from customers to mobile network operators to DFS providers to even the third-party providers who interface with the financial system,” says Kevin Butler of the University of Florida.
The best practices suggested by the framework are a “basis for a safer ecosystem,” says Butler.
“It is in everybody’s best interest, from the DFS provider to the application developer through the mobile provider, to really provide the most secure experience in order to keep the usability and the security of the system high for users. I think that message is becoming increasingly clear.”