FIGI Security Clinic: Securing the infrastructure and applications for digital financial services
Geneva, Switzerland, 4-5 December 2019


Wednesday, 4 December 2019 (Popov)

08:00 - 09:30 Registration
09:30 - 10:00 Welcome and Opening Remarks
10:00 - 10:15 FIGI Security, Infrastructure and Trust (SIT) Working Group Overview and Outcomes
10:15 - 10:40 Coffee Break + Group Photo
10:40 - 12:20

INFRASTRUCTURE SECURITY: Securing the DFS Applications and Infrastructure

SS7 vulnerabilities can be exploited by an intruder to intercept calls and SMSs, bypass billing, steal money from mobile accounts, or affect mobile network operations. In addition, vulnerabilities in DFS applications, if not properly addressed, can allow attackers to obtain unauthorized access to consumer data. This session will present the main findings of the Security, Infrastructure and Trust Working Group on addressing the vulnerabilities and threats to the DFS infrastructure (i.e. SS7 vulnerabilities) and the work that is taking place in ITU-T Study Group 11 and other industry consortia to address this issue.

Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions: Download

Moderator: Leon Perlman, Head of DFS Observatory, Columbia University [ Biography ]


12:20 - 12:50

Aadhaar began with an investment by the Indian government eight years ago and today there are one billion Indian residents and citizens who have an Aadhaar number with key identifiable pieces of information. The government then began linking Aadhaar with the banking system and enlisted fintech firms to begin extending microloans to individuals and SMEs. Aadhaar helps to solve the biggest issue with lending, KYC, by using a retina scan or biometric signature to verify the user. During this session we will examine some of the security features provided by Aadhaar and the new security features that were included recently.

Moderator: Leon Perlman, Head of DFS Observatory, Columbia University [ Biography ]
12:50 - 14:00 Lunch Break
14:00 - 15:30 AUTHENTICATION: Strong authentication frameworks for seamless user experience in DFS

Strong consumer authentication frameworks are becoming the norm for financial services. This session will consider the various authentication frameworks as well as emerging ones based on decentralized identifiers that leverage digital ID infrastructure and provide a seamless user experience (i.e. without needing to remember passwords). The session will consider authentication frameworks based on FIDO, Mobile Connect and decentralised identifiers, with examples for financial inclusion.

Technical report on Secure Authentication Technologies for Digital Financial Services: Download

Moderator: Vijay Mauree, Programme Coordinator, TSB, ITU [ Biography ]

15:30 - 15:45 Coffee Break
15:45 - 17:15 DLT SECURITY: Security of Distributed Ledger Technologies for Digital Financial Services

Distributed Ledger Technologies (DLTs) could be a game changer in financial services. This session will consider the research of the Security, Infrastructure and Trust WG on the security of distributed ledger technologies and will provide a deep dive on the security of public permissioned and private blockchains, security of smart contracts, how DLTs can protect integrity of the information and privacy of consumer data and the measures for mitigating the impact of the security risks.

Technical report on Security Aspects of Distributed Ledger Technologies: Download

Moderator: Jamie Zimmerman, Senior Program Officer, Financial Services for the Poor, Bill & Melinda Gates Foundation [ Biography ]

17:15 - 18:30 SECURITY ASSURANCE FRAMEWORK: Managing Risks in Digital Financial Services

DFS providers should put in place adequate measures to address the security threats and vulnerabilities and demonstrate compliance against regulatory measures. This session will consider the various threats and vulnerabilities that can impact the confidentiality, integrity and availability of digital financial services from a value chain perspective. The session will also highlight mitigation measures that DFS providers can implement to reduce the impact of these risks and discuss a framework that can be implemented by DFS providers to better manage the risks and show compliance.

Digital Financial Services Security Assurance Framework: Download

Moderator: Amy Ulrich, Info Security Advisor, CVS Health [ Biography ]

18:30 Closing Session
18:45 Networking Reception

 *To be confirmed

Thursday, 5 December 2019

Day 2 - Security Clinics

08:30 - 09:30 Registration
09:30 - 10:45
Room: H1
Deploying Decentralized ID Authentication in DFS

Part I: Introduction

This session covers the limitations of centralized identity systems and lays down the principles of decentralized identity and its role in enabling DFS systems. The session will review distributed ledger technology and its role in the establishment of trust frameworks.

Room: L1
Tracking Crypto Ponzi Schemes

Part I:  Introduction

Participants will learn and receive tools to investigate Ponzi schemes that use crypto-currency. The tools that will be provided in this bootcamp will enable the participants to track the crypto deposits made to the Ponzi and plot their course until they are converted to fiat and exfiltrated out through an exchange, where forfeiture of funds can be performed. Tracking the money to its endpoint will enable regulators and law enforcement to potentially de-anonymize the operators of the Ponzi. The goal of this session is that every participant will have successfully used the tools to track a Ponzi scheme and find its endpoints.


Room: H2
App. Security Framework for DFS

Part I: What is an App. Security Framework 
This session aims to build common knowledge and understanding of the issues related to the security of mobile payment applications.
The protection of sensitive data, such as user credentials and private information, is a key focus in mobile payment security. Mobile devices can be lost or stolen more easily compared to other types of devices. In that case, additional protection can be implemented to make retrieving the sensitive data more difficult. The session will discuss the best practices that developers need to observe when developing mobile payment apps and also discuss a template for an app security policy framework that can be adopted by DFS providers and financial service providers.


Room: L2
Fast Identity Online (FIDO)

Part I: Why Multi-Factor Authentication is not enough
This session looks at the security issues facing current identity management systems that rely on the use of passwords and multi-factor authentication. The session will look at various security threats and at methods based on FIDO Alliance technology that can be used to enhance security. The session will also include an overview of FIDO and how it works.



10:45 - 11:00  Coffee Break
11:00 - 13:00
Deploying Decentralized ID Authentication in DFS

Part II: Standard Based Component of Decentralized Identity System and relation to DFS

Decentralized identity is being standardized in many bodies in order to enable a consistent and interoperable implementation. This session provides an overview of the essential core technology that will enable a secure and interoperable decentralized identity solution that works well with DFS. The session will cover verifiable claims, distributed ledgers, decentralized identifiers and zero-knowledge proofs.


Tracking Crypto Ponzi Schemes

Part II: Know your block explorer, how to use and how to analyze transactions

In this session, the participants will learn how to use block explorers (online tools) and will receive a tutorial on how to track a crypto Ponzi scheme using these tools.


App. Security Framework for DFS (continued)

Part II: Application Security Testing

This session will discuss how the security of applications can be assessed. We examine tools and software frameworks that can be used for performing analysis of application code and interfaces, including a walkthrough of how such an assessment of a smartphone application can occur in practice, as well as a discussion of vulnerabilities seen in practice.


Fast Identity Online (FIDO)

Part II: FIDO 2 Overview and use cases

This session will provide an overview of FIDO2 and how it works. It details use cases and support for FIDO2 in the industry. The use of FIDO2 with varying identity assurance schemes in support of digital financial services (DFS) systems will be discussed.
13:00 - 14:00 Lunch Break
14:00 - 16:00

Deploying Decentralised ID Authentication in DFS

Part III: Sovrin Trust Network

This session will provide an overview of the Sovrin Network and how it can be used to establish the trust systems that are essential for developing a DFS for secure financial transactions. This session will provide a summary of basic tools and software projects that can be utilized for DFS-based systems to empower users and financial industries. The discussion will focus on the emerging new identity stack and how to secure it, including mobile wallets.



Tracking Crypto Ponzi Schemes

Part III: Case study: example on how to follow the money of a crypto ponzi

This session is a live, instructor-led example of how to use block explorers to follow the money of a Ponzi scheme.

Homomorphic encryption application in digital finance

Privacy-conscious data sharing for financial services

This session will discuss advanced privacy enhancing technologies for enabling financial data sharing scenarios. We briefly go through the main privacy and confidentiality challenges that usually constrain or prevent outsourced and distributed financial data sharing and processing, and explore the link with health data sharing scenarios. We then examine the main privacy enhancing technologies that can address these challenges, and hence fundamentally improve applications such as fraud detection and personal finance advice. The session has a special focus on homomorphic encryption and the recent standardization initiatives for this essential technology, which is intended to support a more collaborative financial environment that benefits both financial institutions and their customers.


Fast Identity Online (FIDO)

Part III: Public Private Sector Adoption of FIDO

In this session the need for adopting FIDO 2 as an industry requirement by regulators will be discussed. The session will include information on how FIDO certification and the push for better industry definition of strong authentication is needed to help regulators adapt to security challenges facing identity-based systems.



16:00 - 16:15 Coffee Break
16:15 - 17:30
Deploying Decentralised ID Authentication in DFS

Part IV: Use Case

This session will showcase how decentralized identity can be developed and provide a hands-on session using mobile ID wallets. Examples of identity proofing and verifiable claims will be demonstrated using mobile payments.


Tracking Crypto Ponzi Schemes

Part IV: Law enforcement and international collaboration

This session will explore how law enforcement authorities investigate digital Ponzi schemes and the mechanism for collaboration and information sharing about such incidents.


Fast Identity Online (FIDO)

Part IV: FIDO Developer Resources

This session will provide an insight into the FIDO developer resources available at ITU and the FIDO demo application on Android and iOS. The use of the FIDO SDK for user enrolment, authentication and de-registration will be explained.