So the security assurance framework is an initiative that we've put together in the Security Infrastructure and Trust Working Group. What this framework does is provide a comprehensive overview of threats and vulnerabilities to the digital financial services ecosystem from the perspective of a number of different stakeholders throughout the DFS ecosystem, for example users, mobile network operators, third-party providers, etc. What is important about this framework, and what makes it particularly useful, is that by providing this comprehensive overview of threats and vulnerabilities from the perspective of the different stakeholders, we have a very expansive overview of the potential threats and vulnerabilities to the system. So the digital security assurance framework itself categorizes the threats to the DFS ecosystem, and as part of this framework we have developed controls that are designed to mitigate the threats that we've discussed. The threats themselves come from a wide variety of sources, external documentation, other ITU documents, etc., so that we have a complete overview of these threats. We've developed over 100 controls that we've identified through this examination of the threats and potential vulnerabilities to the different stakeholders. So this is a very comprehensive look at how threats can occur within the ecosystem and how to address those threats through security controls. Now, the audit guidelines are developed particularly with regulators and providers in mind. What we do with those audit guidelines is take the security controls, which themselves are actionable ways by which one can address the threats that have been disclosed or threats that are potentially found within the ecosystem. The controls themselves provide ways of mitigating those threats, and the auditing guidelines provide a way of examining whether those controls have been applied.
So we've actually developed the audit guidelines as a checklist that an auditor can use, through a series of yes/no questions, to determine whether the controls have been put in place to address the particular threats that we've identified. Additionally, the auditing guidelines themselves link to policy documents that auditors can use, so that they have some idea of where to look within a corporate environment or provider's environment in order to ensure that they've got the documentation to correlate the auditing guidelines with internal controls. The security assurance framework and the corresponding audit guidelines in particular are important for DFS regulators and providers. Regulators can use the framework to assess the security of the ecosystem in which their digital financial services are being deployed, and the auditing framework provides a means of assessing, for providers and operators, whether the controls are being adhered to and whether best practices are being put into place. From the standpoint of providers, this is also a very valuable document, because providers can use these controls to assure that they've demonstrated security in their own environment. Moreover, these guidelines and the auditing framework can provide them with the tools to help them find potential weaknesses in their system. That's an important thing, because vulnerabilities can be very costly to a provider if they are exploited. So by having the ability to assess these guidelines and using the auditing framework to assess their own security, they can themselves provide a stronger assessment of their own capabilities and potentially find weaknesses that could end up costing them real money. So USSD and STK are two valuable means by which DFS services can be deployed, but they provide different vulnerability landscapes. With USSD, the application runs on the provider side, and the client with their mobile phone connects to the application over the air.
The air interface itself is potentially a weakness, depending on the level of encryption that's used in the over-the-air communications between the mobile device and the base station. If that interface is being protected by a weaker encryption cipher, then an adversary can potentially eavesdrop on that information or potentially inject their own malicious information. Moreover, with USSD there is no end-to-end security from the mobile device to the USSD gateway; there is not a single uninterrupted end-to-end encrypted communication. When communication gets to the base station, it is then decrypted and sent through the mobile network, and unless mechanisms are used to ensure the security of that information, it can be potentially exposed. This is potentially valuable personal information about consumers and their payment information. Moreover, remote attacks are possible in the USSD environment, particularly through, for example, the SS7 control channel. Additionally, devices such as smartphones can be compromised if they are already rooted, and that can be a means by which USSD communication can be compromised as well. Now, STK has a different profile in that STK has the benefit of being end-to-end encrypted. However, there are other issues that need to be addressed with STK applications. Apps can't be updated without bringing a phone to a provider, so that means it's very difficult to provide things like security updates. Moreover, there are physical attacks that are possible against the SIM card that is used in STK, or SIM toolkit, applications. Physical attacks can be performed if, for example, overlay SIMs are placed on top of the SIM, leading to so-called man-in-the-middle attacks. Additionally, SIM swaps are a major issue that needs to be considered. A SIM swap is the means by which a SIM card is maliciously changed out. For example, I call a provider and say that I've lost my SIM, but I'm actually an adversary.
This would cause the deactivation of the victim's real SIM card, allowing me to use my SIM card in its place. So if that happens, then I have a means by which I could potentially attack a system. There are also issues such as the recycling of numbers. If those numbers contain DFS information that's linked to a particular SIM card identity, then if that number is recycled, I could potentially, as an adversary, get access to that information. So the threats are different in some ways, and each has its own benefits and drawbacks, and one needs to be careful about the deployment environment, depending on which technology they're planning to deploy within their particular ecosystem. So the best things that can be done in these environments to ensure the security of consumers using these technologies, whether it be USSD or SIM toolkit, are first and foremost using strong radio encryption algorithms over the air interface. As I mentioned, between the mobile device and the base station, if that air interface encryption algorithm is weak, then it can be potentially compromised. So ensuring that one is using strong encryption algorithms there is going to be important to ensuring the security of that interface. The use of standardized strong encryption algorithms within provider networks, in particular Transport Layer Security (TLS), at least version 1.2 or 1.3 if that's been deployed in your environment, is an important way by which the network itself can be hardened. It's also important that strong internal controls are in place. For example, especially in USSD environments where data can be unencrypted at the base station, make sure that anywhere there's a transfer of information, or where it's potentially revealed in plain text, there is a limit on who can access that information, to ensure that malicious insiders can't get access to it.
Strong internal controls are important for both STK and USSD environments. Finally, it's important to monitor users' sessions to be able to detect anomalous activity. For example, long timeouts followed by new interactions coming from a different location could be evidence of a SIM swap occurring. So strong internal controls, use of standardized strong algorithms, and strong mechanisms to ensure monitoring of the network are all means by which the threats to the DFS ecosystem through USSD and STK can be mitigated.
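The session-monitoring heuristic described at the end of the talk, written out as an added example (it is not code from the talk or from the ITU working group): a long idle gap for a subscriber followed by activity from a different serving cell is flagged for SIM-swap review. The event records, the 24-hour idle threshold, and the cell identifiers are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample session events (not real subscriber data).
# Fields: subscriber number, ISO timestamp, serving cell, DFS action.
EVENTS = [
    ("+000000000001", "2024-01-10T09:00:00", "CELL-A1", "balance_query"),
    ("+000000000001", "2024-01-10T09:02:30", "CELL-A1", "transfer"),
    ("+000000000001", "2024-01-12T21:15:00", "CELL-Z9", "pin_reset"),
    ("+000000000001", "2024-01-12T21:16:10", "CELL-Z9", "transfer"),
    # Long gap but same location: ordinary dormant user, no alert.
    ("+000000000002", "2024-01-10T10:00:00", "CELL-B2", "balance_query"),
    ("+000000000002", "2024-01-15T10:00:00", "CELL-B2", "transfer"),
    # New location but short gap: ordinary mobility, no alert.
    ("+000000000003", "2024-01-10T11:00:00", "CELL-C3", "balance_query"),
    ("+000000000003", "2024-01-10T11:30:00", "CELL-D4", "transfer"),
]

# Hypothetical threshold for what counts as a "long timeout"; tune per deployment.
IDLE_GAP = timedelta(hours=24)


def find_sim_swap_indicators(events, idle_gap=IDLE_GAP):
    """Flag each event that follows a long idle period AND comes from a
    different serving cell than the subscriber's last activity.

    Returns a list of alert dicts; an empty list means nothing suspicious."""
    alerts = []
    last_seen = {}  # subscriber -> (timestamp, cell) of most recent event
    for msisdn, ts, cell, action in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if msisdn in last_seen:
            prev_t, prev_cell = last_seen[msisdn]
            gap = t - prev_t
            if gap >= idle_gap and cell != prev_cell:
                alerts.append({
                    "msisdn": msisdn,
                    "gap_hours": round(gap.total_seconds() / 3600, 1),
                    "previous_cell": prev_cell,
                    "new_cell": cell,
                    "first_action": action,
                    "review": "possible SIM swap: re-verify identity before honouring transactions",
                })
        last_seen[msisdn] = (t, cell)
    return alerts


if __name__ == "__main__":
    for alert in find_sim_swap_indicators(EVENTS):
        print(alert)
```

Only the first subscriber is flagged: the other two show a long gap without a location change, or a location change without a long gap, which on its own is normal behaviour.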