Malware

Elements within the DFS being susceptible to infected by malware.

Risk: Malware attacks and inability to transact, service outages, and unauthorised access to data occur at the Merchant / DFS provider

Affected entity: Third-Party, DFS Provider

• Vulnerability: Failure to use anti-malware

  • Control 13.1: Deploy security software products on all mobile devices, including antivirus, antispyware, and software authentication products to protect systems from current and evolving malicious software threats. All software should be installed from a trusted source.

  • Control 13.2: If anti-malware software is not available, employ MAM (Mobile Application Management) or MDM solutions that can monitor, evaluate, and remove malicious software and applications from the device. Furthermore, if possible, it is ideal to deploy both anti-malware and MDM solutions (mentioned above) to protect the device from malicious software and applications.

  • Control 13.3: Disable unnecessary device functions and install only trusted software Merchants and DFS providers should disable any communication capabilities not necessary for the functioning of the payment solution. To avoid introducing new attack vectors onto a mobile device, install only allow communication with trusted software that is necessary to support business operations, and to facilitate payment.

  • Control 13.4: Merchants and DFS providers should require the following from their solution provider:

    a) The solution provider should regularly update their payment application and indicate to the merchant when updates are available and are safe to install.

    b) The solution provider should have restrictions on their payment application so that it only functions on a device running approved firmware.

    c) The solution provider should supply documentation that details any update procedures the merchant needs to follow.

    d) The DFS solution provider should communicate with the DFS provider and make them aware of newly discovered vulnerabilities in their payment-acceptance solution. Additionally, the solution provider should guide merchants when new vulnerabilities are discovered, as well as provide tested patches for any of these vulnerabilities. "

• Vulnerability: Undetected system application weaknesses (SD: Data Confidentiality)

  • Control 13.5: The merchant should work with its solution provider to ensure that any audit or logging capability is enabled. The solution provider should ensure that logging capabilities exist with enough granularity to detect abnormal events.

  • Control 13.6: The solution provider should guide the merchant on the merchant’s responsibility to review the logs. Additionally, regularly inspect system logs and reports for abnormal activity. If abnormal activity is suspected or discovered, discontinue access to the mobile device and its payment application until the issue has been resolved. Abnormal activities include, but are not limited to, unauthorized access attempts, escalated privileges, and unauthorized updates to software or firmware.

Affected entity: Third-Party, DFS Provider

• Vulnerability: Network exposure to outside attacks (SD: Availability)

  • Control 13.7: DFS Applications should be subjected to regular security penetration scans and penetration testing. In particular, applications should be designed to be robust against phishing software.

Risk: Installation of malware such as spyware and trojans

• Vulnerability: No anti-malware or anti-virus software is used or updated regularly (SD: Availability)|

  • Control 13.8: Keep mobile device OS updated regularly; do not allow installation of programs without user validation.

Risk: remote code execution

• Vulnerability: Obsolete device software

  • Control 13.9: Mobile users should be encouraged to perform regular security updates on their mobile devices used for DFS transactions and ensure they are updated with the latest security patches from device manufacturers and application providers.

• Vulnerability: No anti-malware or anti-virus software is used or updated regularly (SD: Availability)

  • Control 13.10: Install security software from trusted sources on mobile devices including antivirus, anti-spyware, and software authentication products to protect devices from current and evolving malware threats |Mobile User

• Vulnerability: User device tampering and rooting (SD: Integrity)

  • Control 13.11: Because a tampered or “rooted” device can potentially compromise the confidentiality, integrity, and privacy of user data.

  • Control 13.12: The mobile app developer should ensure that DFS applications are sandboxed, such that other untrusted applications on the mobile device should not be able to interact with the DFS application, and interaction with the operating system should be limited.

Affected entity: MNO

Risk: Inability to transact and service compromise

• Vulnerability: Network exposure to outside attacks (SD: Availability)

  • Control 13.13: Perform regular vulnerability scans and penetration tests on MNO infrastructure to check exposure to attacks that could affect system availability.

  • Control 13.14: Install and regularly update the latest anti-malware software (if available) and make this available to end-users. Consider application wrapping, which can be employed with an MDM (Mobile Device Management) solutions to prevent and remove malicious software and applications.