Innovation in policy and regulation, women’s empowerment, the imperative of reliable ID systems, incentives for electronic payment – all are critical issues in expanding financial inclusion, but security and trust look to be the factors that will define our degree of success in encouraging the use of digital financial services (DFS).
The security of technologies underlying DFS will demand major improvement to protect consumers and build trust in DFS, agreed participants in the first symposium of the Financial Inclusion Global Initiative (FIGI), which wrapped up today in Bangalore, India.
FIGI is a three-year programme of collective action led by ITU, the World Bank Group and CPMI, with support from the Bill & Melinda Gates Foundation. The initiative is designed to advance research in digital finance and accelerate digital financial inclusion in developing countries.
The need to ensure security and trust was a key motivation for FIGI’s establishment, explains Daniel Radcliffe, Deputy Director of the Financial Services for the Poor Programme at the Bill & Melinda Gates Foundation.
“We are starting to see big growth in mobile money deployment all around the world,” says Radcliffe. “It’s now a critical time to bring in the standards-setting bodies of banking, BIS [Bank for International Settlements, of which CPMI is part]; the standards setter around development policy, the World Bank; and thirdly, now, the standards setter around telecoms [ITU] which brings a much more sophisticated level of expertise around cybersecurity and fraud using the telephone.”
A legacy of security vulnerabilities
FIGI’s three working groups look at electronic payment acceptance; the relationship between digital ID and financial inclusion; and security and trust in digital financial services.
“SS7 has a range of security vulnerabilities, which compromise the security of phone calls and SMS, but now money is also at stake,” said the co-lead of FIGI’s work stream on infrastructure and security, Leon Perlman, Head of the DFS Observatory at Columbia Business School. “Taking India as an example, 60 per cent of the country’s phones are feature phones. They use USSD for financial transactions and thus rely on SS7.”
The security shortcomings of Signalling System 7 (SS7) will form a key area of study for the working group. “We see an asymmetry in contractual power,” said Perlman. “The assumption is that losses of money are the consumer’s fault because the telco network is impenetrable. But this is just not the case.”
SS7 was designed in the 1980s. It enables all telcos to interconnect and will remain in use for years to come. “As a White Hat hacker, I like legacy systems because they are often big piles of security vulnerabilities,” said Assaf Klinger, one of the security experts contributing to FIGI’s work as part of Perlman’s team.
Over-the-top (OTT) services also connect to SS7. “PayPal, WhatsApp, Telegram, the list goes on… They are all vulnerable,” said Klinger as part of a live demo in which he hacked into a PayPal account in under a minute. Klinger had exploited an SS7 vulnerability related to two-factor authentication. “This vulnerability is in all services that use two-factor authentication to verify user accounts over SS7’s USSD.”
App security: How do smartphones compare with feature phones?
“We published a study highlighting a range of vulnerabilities in DFS smartphone apps,” said another key player in FIGI’s security work, Kevin Butler, Associate Professor at the University of Florida. “We reported these problems to the apps’ developers, but when we came back to have another look – despite evidence of a lot of development going on (almost 90 per cent of the code had changed) – virtually none of the security vulnerabilities had been addressed.”
There may be a role to be played by regulation, said Butler. “I don’t think that this is necessarily a self-regulating problem.”
When it comes to app security, in Butler’s view, the vulnerabilities of feature phones have not received enough attention. This is a challenge that FIGI plans to address. With apps embedded in device SIMs, “extracting the code to analyze it is extremely difficult,” explained Butler. “Everything goes through the provider.” FIGI plans to establish relationships with telcos and governments to analyze end-to-end DFS security.
FIGI’s working group on ‘Infrastructure, Security and Trust’ will study quality of service, SS7 and app security, interoperable authentication, fraud prevention, consumer protection, and the security as well as policy and regulatory aspects of distributed ledger technologies such as blockchain. See a detailed breakdown of the group’s priorities.