# Attacks against systems and platforms

We characterize these attacks as those that a remote adversary can carry out to spy on or modify information without insider credentials or other privileged access.

### Affected entity: Mobile user

#### **Risk:** Spying and credentials stealing from user devices

* **Vulnerability:** Unverified malicious binary SMS SIM updates (SD: authentication)
  * [ ] **Control 3.1:** *Provide the mobile user with the ability to trust or distrust individual binary-based SMS messages. Doing so could prevent malicious updates to the SIM card*
* **Vulnerability:** Insecure transfer of customer credentials (SD: access control)
  * [ ] **Control 3.2:** *DFS providers should transmit the user authentication credentials securely over a different channel (out of band).*

#### **Risk:** Account access, compromise and denial of service

* **Vulnerability:** Exposure of internal network to external adversaries (SD: access control)
  * [ ] **Control 3.3:** *Use Network Address Translation to limit external exposure of DFS IP address and routing information.*

### Affected entity: DFS Provider

#### **Risk:** Account access, compromise, and denial of service

* **Vulnerability:** Insufficient protection of internal systems against external adversaries (SD: access control
  * [ ] **Control 3.4:** *Avoid direct access by external systems to the DFS backend systems by setting up a DMZ that logically separates the DFS system from all other internal and external systems.*