DFS provider controls to address DFS vulnerabilities due to SS7
Last updated
DFS operators should consider adopting the following controls to mitigate SS7 risks.
Session timeout: use session timeouts for USSD and STK to reduce the success of man-in-the-middle attacks; OTP messages for DFS should also have a session timeout.
Transaction limits for insecure channels: set transaction limits for customer withdrawals and transfers made through insecure channels such as USSD.
User education: DFS users should be educated on how to engage securely with digital financial services, including the risks of using rooted devices, connecting to public Wi-Fi, and installing unverified applications.
Bidirectional OTP SMS flow: the DFS provider should make the authentication flow bidirectional, that is, receive the OTP from the user rather than sending it.
Detecting and mitigating social engineering attacks via MT-USSD and interception of USSD: verify the user with secureOTP, location validation, and IMSI and IMEI validation.
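The session-timeout, transaction-limit and bidirectional-OTP controls above, combined in one small provider-side module as an added example (not code from the page or any DFS provider). The OTP lifetime, the per-channel caps, the MSISDN values and the attempt limit are constructed assumptions; the provider shows the OTP to the user and the user sends it back by mobile-originated SMS, so no OTP travels over an MT-SMS leg exposed to SS7 interception.

```python
"""OTP sessions with timeout, retry cap and a user-sends-OTP (MO-SMS) check,
plus per-channel transaction limits. Constants are assumed example values."""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

OTP_TTL_SECONDS = 120          # assumed session timeout for an issued OTP
MAX_ATTEMPTS = 3               # assumed cap on wrong submissions per session
# Assumed caps per channel (constructed); USSD is treated as the insecure one.
CHANNEL_LIMITS = {"ussd": 50_000, "app": 500_000}

_sessions: Dict[str, dict] = {}  # session_id -> {otp, msisdn, expires_at, attempts}


def start_otp_session(msisdn: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Issue an OTP that the provider displays to the enrolled user. The user
    must send it back by SMS from `msisdn`; the provider never MT-delivers it."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(16)
    otp = f"{secrets.randbelow(10**6):06d}"
    _sessions[session_id] = {"otp": otp, "msisdn": msisdn,
                             "expires_at": now + OTP_TTL_SECONDS, "attempts": 0}
    return session_id, otp


def verify_inbound_otp(session_id: str, sender_msisdn: str, submitted: str,
                       now: Optional[float] = None) -> bool:
    """Check an MO-SMS carrying the OTP: the session must exist and be within its
    timeout, the sender must be the enrolled MSISDN and the code must match.
    Expired or exhausted sessions are dropped; a success consumes the session."""
    now = time.time() if now is None else now
    sess = _sessions.get(session_id)
    if sess is None:
        return False
    if now > sess["expires_at"] or sess["attempts"] >= MAX_ATTEMPTS:
        _sessions.pop(session_id, None)
        return False
    sess["attempts"] += 1
    ok = (hmac.compare_digest(sess["msisdn"], sender_msisdn)
          and hmac.compare_digest(sess["otp"], submitted))
    if ok:
        _sessions.pop(session_id, None)   # one-time use
    return ok


def within_channel_limit(channel: str, amount: int) -> bool:
    """Enforce the per-channel transaction cap; unknown channels are denied."""
    limit = CHANNEL_LIMITS.get(channel.lower())
    return limit is not None and 0 < amount <= limit
```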