Interviewer: Welcome to the ITU studio in Geneva, where we are joined in the studio today by Asaf Klinger, who is the head of R&D for Volto and is here as co-chair of the Security Workstream for the FIGI Security, Infrastructure and Trust Working Group as well, for ITU. Asaf, welcome to the studio.

Asaf Klinger: Thank you very much. I'm happy to be here.

Interviewer: Now I'd like to perhaps talk to you a little bit about security, and we are looking at some of the main security issues for DFS providers with regard to SS7 vulnerability. So, a couple of acronyms there. Perhaps you can tell us: DFS, digital financial services providers, and SS7. Perhaps you could tell us a little bit about what SS7 is and why it's vulnerable.

Asaf Klinger: SS7 is basically the acronym for Signalling System No. 7, which is a set of communication protocols that were standardized by the ITU in the late 70s and used for communication between switches. It evolved and was used in cellular communications, and it evolved over the years from second generation up until third, and now even into fifth generation a version of SS7 still exists today because of backwards compatibility. So why is that important for DFS? Because DFS in developing countries relies mostly on cellular infrastructure and mobile money, what you call mobile money, and cellular networks in the developing world are usually still second generation networks, or maybe third. The deployment of fourth or fifth generation networks or internet access is relatively low in the rural areas of developing countries, which is the focus of the FIGI security and infrastructure workstream. So that means SS7 is extremely important to the security of DFS in the developing countries. And why is it important to the security? Because SS7 is highly vulnerable to attacks. It was standardized and designed in the late 70s. It was implemented in the 80s. Nobody thought about security back then. Nobody had security or hacking or hackers in mind in that era.
The network was designed to be a walled garden, which is that, because it was thought to be closed off and regulated by each country's telecom regulator, the entry to the SS7 network was highly regulated, so they assumed they didn't need any security mechanisms inside, because everybody who is inside is automatically trusted, because of the walled garden approach. But today this approach is completely untrue, because today a lot of actors, and even a lot of bad actors, are connected to the SS7 network for location-based advertising, for SMS. I'm sure you've gotten a lot of SMS spam, spoofed calls of all sorts of kinds, and this is why the SS7 network is no longer the walled garden it was thought to be, and because there are no security mechanisms implemented inside of it, it is a high risk for DFS in developing countries.

Interviewer: So what are the main findings of the FIGI Security, Infrastructure and Trust Working Group report on this issue?

Asaf Klinger: The main finding is awareness. We did a survey among telecom regulators and among telcos and among DFS providers in those regions of the world and in those countries, and explained to them, saying: are you aware that your network is vulnerable? Have you taken any measures to safeguard it, to deploy some countermeasures of some kind? Have you ever tested to see how vulnerable the network is? And in most cases the answer we got is "I have no idea." The answer we got from regulators says "I had no idea SS7 was vulnerable. I had no idea that using SS7 I can hack bank accounts or DFS accounts, and I had no idea that countermeasures were available." So I think the main finding of the report is that there is a complete lack of awareness of the vulnerability and the impact of those vulnerabilities on the DFS. The second one is the lack of adoption of countermeasures.
There are countermeasures already available, both commercial products and also guidelines that were published by GSMA for operators in order to safeguard the networks against these SS7 vulnerabilities. The implementation rate of those guidelines or of those countermeasures is close to zero, and the problem is money. That's the second finding, saying there's a conflict of interest between the financial regulator and the telecom regulator, because if you have a bank account and you are hacked, then the person in charge or the body in charge of indemnifying the damage is the DFS provider, which is not the telecom regulator, but the hack came from the telecom, and the telecom operator is responsible to close the breach, but the telecom regulator does not enforce any regulation because there's no damage to the telecom industry from those vulnerabilities; there's damage to the financial industry, and telecom regulators and financial regulators seldom talk to each other. And that's the second problem we identified: a huge regulatory gap between financial and telecom regulators in the world.

Interviewer: Should we be doing our banking transactions using our telephones at all, then?

Asaf Klinger: You can do it using your telephones, but don't do it over second generation networks using SMS or USSD. If you're doing it over the internet, that's perfectly fine. You know, today's banking applications are secured with modern security protocols that go over the internet, the mobile internet, and that's good. But the problem is that in the developing countries, where those advanced networks, third, fourth and perhaps even fifth generation networks, are not available and only second generation networks are available, there's no internet, there's no mobile internet, so the only medium for those DFS providers to authenticate users is by sending them SMS messages with one-time passwords, which are easily intercepted and then used by hackers to gain unlawful access to accounts and steal money.
Interviewer: So what role can ITU play to help address the SS7 vulnerability in digital financial services?

Asaf Klinger: ITU is playing two roles, two major roles. The first role is standardization. I'm also a member of Study Group 11, in Question 2, and we promote and write recommendations and standards for security protocols in order to add an additional security layer on top of SS7, which does not exist today, which will enable a partial mitigation of those vulnerabilities, once again depending on deployment and depending on adoption. So standardization is key; also recommendation is key, working with the regulators in order to implement recommendations on how to structure networks in a more secure fashion. The second role is an educator, which is giving a floor and speaking and reaching out to those telecom regulators, and also FIGI is, through the World Bank, reaching out to those financial regulators and getting them to talk to each other. I'll give you an example: in Kenya there was a round table of the financial regulator and the telecom regulator, and as a result of that round table marvelous things happened. Implementation of countermeasures went up; proper regulation was legislated locally in the country. And I think that's a solution. So ITU has two roles in here: one is to standardize and add more security features to the existing legacy networks, and the second one is to educate and promote the round table discussions between the telecom and the financial regulators.

Interviewer: I'm sure there can be some very interesting discussions over the next couple of days here, but thank you very much for joining us in the studio, and hopefully we will catch up with you again sometime in the near future and get some more valuable insights from you.

Asaf Klinger: Thank you for having me, Max.

Interviewer: Thank you. Have a good day. Bye.