# DFS provider controls to address DFS vulnerabilities due to SS7

DFS operators should consider adopting the following controls to mitigate SS7 risks.

1. **Session timeout:** use session timeouts for USSD and STK to shrink the window for a successful man-in-the-middle attack; OTP messages for DFS should also have a session timeout.
2. **Transaction limits for insecure channels:** Set transaction limits for customer withdrawals and transfers through insecure channels like USSD.
3. **User education:** DFS users should be educated on how to engage securely with digital financial services including impacts of using rooted devices, connecting to public Wi-Fi, installing unverified applications etc.
4. **Bidirectional OTP SMS flow:** the DFS provider should make the authentication flow bidirectional, that is, receive the OTP from the user rather than send it to the user.

   <figure><img src="https://1955718654-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcnsOnTCXo2vfN9lER4QB%2Fuploads%2FLaFwIBJOSRboIzY3rRkQ%2Fimage.png?alt=media&#x26;token=e8f783b2-6999-42db-a5e1-e8e1405bd2d9" alt=""><figcaption><p>Detection and mitigation of SMS interception with bidirectional OTP SMS flow</p></figcaption></figure>
5. **Detecting and mitigating social engineering attacks with MT-USSD and interception of USSD** by verifying with secure OTP, location validation, and IMSI and IMEI validation.
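
Controls 1 and 4 combine naturally on the provider side: the OTP is shown inside the authenticated USSD/app session and must come back from the subscriber's own number by MO SMS within a timeout, so an intercepted MT SMS yields nothing to replay. The sketch below is an added example, not code from the page or from any DFS provider; the 120-second TTL, the 3-attempt limit and the sample MSISDN are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # assumed session timeout for an issued OTP (page gives no value)
MAX_ATTEMPTS = 3        # assumed cap on wrong submissions before the session is discarded


@dataclass
class OtpSession:
    msisdn: str          # registered subscriber number the OTP is bound to
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False   # single use: an accepted code can never be replayed


class BidirectionalOtp:
    """Provider-side state for the 'receive the OTP from the user' flow."""

    def __init__(self):
        self._sessions = {}  # session_id -> OtpSession

    def issue(self, session_id, msisdn, now=None):
        # The code is displayed in the USSD/app session, never sent by MT SMS.
        code = f"{secrets.randbelow(10**6):06d}"
        self._sessions[session_id] = OtpSession(msisdn, code, now or time.time())
        return code

    def verify_mo_sms(self, session_id, sender_msisdn, body, now=None):
        """Validate an inbound (MO) SMS carrying the code; returns a decision string."""
        now = now or time.time()
        s = self._sessions.get(session_id)
        if s is None or s.used:
            return "rejected:no_session"           # unknown session or replay of a used code
        if now - s.issued_at > OTP_TTL_SECONDS:
            del self._sessions[session_id]
            return "rejected:expired"              # control 1: session timeout
        if s.attempts >= MAX_ATTEMPTS:
            del self._sessions[session_id]
            return "rejected:locked"
        s.attempts += 1
        if sender_msisdn != s.msisdn:
            return "rejected:sender_mismatch"      # SMS did not originate from the registered number
        if not hmac.compare_digest(s.code, body.strip()):
            return "rejected:bad_code"
        s.used = True
        return "accepted"
```

In production the originating MSISDN should be taken from the SMSC delivery record rather than from message content, since the latter is attacker-controlled.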
