By Bilel Jamoussi, Chief, Study Groups Department, ITU Telecommunication Standardization Bureau
The transformations we are seeing in numerous fields – from energy and mobility to health care, agriculture, and financial services – all hinge on digital technologies, along with an array of associated business ecosystems. All these technologies and systems must be reliable, secure and deserving of our trust.
The Financial Inclusion Global Initiative (FIGI) is an open framework for collaboration led by the International Telecommunication Union (ITU), the World Bank Group, and the Committee on Payments and Market Infrastructures (CPMI).
Our partnership brings together the expertise to accelerate digital financial inclusion. With the support of the Bill & Melinda Gates Foundation, we have brought together the full range of stakeholders set to benefit from this expertise.
The World Bank Group and CPMI have helped to build a strong understanding of the policy considerations surrounding digital identity and incentivizing the use of electronic payments.
ITU’s work has focused on security, infrastructure and trust – secure financial applications and services, reliable digital infrastructure, and the resulting consumer trust that our money and digital identities are safe.
Considering the prevalence of data breaches, the need for strong authentication is clear, with discussions in the industry often noting that “there are no secrets anymore.”
New ITU standards for a universal authenticator framework (X.1277) and client-to-authenticator protocol (X.1278) are helping overcome the security limitations of the “shared secret” approach, the basis for the widely familiar username-password model of authentication.
Users can now authenticate locally to their device using biometrics, with the device then authenticating the user online with public key cryptography. With the new standards, users are asked to authenticate locally to their device only once, and their biometric data never leaves the device. This model avoids susceptibility to phishing, man-in-the-middle attacks, or other forms of attack targeting user credentials.
FIGI engagement helped to usher these specifications, first developed by the FIDO (Fast Identity Online) Alliance, into the ITU standardization process to stimulate their adoption globally. Authentication options consistent with X.1277 and X.1278 are now supported by most devices and browsers on the market.
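The authentication model described above can be sketched as a challenge-response exchange in which the server stores only a public key and the signed data names the site the device is actually talking to. This is an added illustration, not code from ITU or the FIDO Alliance and not the X.1277/X.1278 message format; the class names, the `userVerified` flag and the `.example` origins are assumptions made for the sketch.

```javascript
// Added illustration: a simplified model, not the X.1277/X.1278 message format.
const nodeCrypto = require('crypto');
// Device side: one key pair per site origin; private keys never leave the device.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // the server only ever stores this public key
  }
  // userVerified stands in for the local biometric check (hypothetical flag).
  sign(origin, challenge, userVerified) {
    const key = this.keys.get(origin);
    if (!userVerified || !key) return null;
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: nodeCrypto.sign(null, clientData, key) };
  }
}
// Server side: issues single-use challenges and checks signature, origin, freshness.
class Server {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = new Set(); }
  newChallenge() {
    const c = nodeCrypto.randomBytes(32).toString('base64');
    this.pending.add(c);
    return c;
  }
  verify(assertion) {
    if (!assertion) return false;
    const { clientData, signature } = assertion;
    if (!nodeCrypto.verify(null, clientData, this.publicKey, signature)) return false;
    const data = JSON.parse(clientData.toString());
    if (data.origin !== this.origin) return false;
    return this.pending.delete(data.challenge); // false on replay
  }
}

function demo() {
  const bank = new Server('https://bank.example');       // constructed origins
  const phish = 'https://bank-login.example';
  const device = new Authenticator();
  bank.publicKey = device.register(bank.origin);
  const good = device.sign(bank.origin, bank.newChallenge(), true);
  const legit = bank.verify(good);
  const replay = bank.verify(good);
  device.register(phish); // even if the user enrolled on the look-alike site
  const phished = bank.verify(device.sign(phish, bank.newChallenge(), true));
  const noBiometric = device.sign(bank.origin, bank.newChallenge(), false) === null;
  return { legit, replay, phished, noBiometric };
}
```

A breach of the server's database exposes only public keys, and a signature produced for a look-alike origin or replayed from an earlier login fails verification at the real site.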
In developing countries, digital financial services are often provided over Signalling System No.7 (SS7), a legacy network protocol standardized by ITU in the late 1970s. SS7 enables all network operators to interconnect and looks sure to remain in use for years to come.
But security was not considered in its design. SS7 was designed as a walled garden. Entry to the SS7 network was intended to be highly regulated, with only trusted network operators being granted access. But malicious actors have since found various ways to get hold of the keys, especially since some of the initial design and deployment assumptions were no longer valid with the introduction of deregulation, voice over IP, and mobile networks.
FIGI has worked to raise awareness about SS7’s security vulnerabilities and associated mitigation techniques. As the need to mitigate these vulnerabilities increases, network operators can look to ITU’s new Q.3057 standard outlining signalling requirements and architecture for interconnection between trustable network entities. This is another standard rooted in FIGI discussions.
Trust in digital financial services is also acutely affected by the reliability and availability of connectivity. Network downtime and transaction failures resulting from dropped connections can erode the trust of consumers and merchants in digital financial services.
Investment in digital infrastructure must continue, with the industry adopting meaningful, widely accepted benchmarks for service quality. ITU standards specify the route towards reliable, interoperable network infrastructure, and they provide a wide range of tools to assess the performance and quality of the services running over this infrastructure.
FIGI highlighted the demand for service quality indicators specific to digital financial services. With the expertise on hand at ITU, we have delivered new standards describing key quality considerations for digital financial services (ITU G.1033) and a methodology to assess the quality of user experience (ITU P.1052).
Security across the value chain
Every industry player involved in providing digital financial services has to be concerned about security risks. Security is only as strong as its weakest link, and innovation in digital finance continues to extend the length and increase the complexity of the underlying value chain.
Secure digital finance calls for coordinated defences that are attuned to evolving security threats. A key FIGI report outlines the security assurance framework needed to achieve this for each actor in the digital finance value chain.
The best practices suggested by the framework could form the basis for a safer business ecosystem. They reflect the needs of everyone involved, from customers to network operators and digital finance providers, right through to third-party providers interfacing with the financial system.
ITU’s new Security Lab for Digital Financial Services offers tests addressing the security of mobile payment applications running over legacy as well as cutting-edge network infrastructure. It is certain to provide valuable support to regulators and industry players, both in bringing greater consistency to personal data protection and in ensuring the integrity and confidentiality of our transactions.
Other FIGI reports address topics from the security dimensions of blockchain to the privacy implications of the growing use of machine learning to automate credit decisions based on alternative data, such as your airtime purchases and mobile money transactions.
Digital technologies promise to become the key unifying force for banking systems worldwide. But advances in technology must be matched with sound policy and interoperable technical standards. Only then can the digital transformation in finance make life better for everyone around the world.