In developing countries, people rely heavily on their cell phones to move money, from paying for goods to receiving compensation for work. The mobile digital financial systems (mDFS) supporting these daily transactions play a critical role in micro-economies across the world.
MDFS are incredibly complex, involving a multitude of factors—socioeconomical, cultural—and wide range of participants, including wireless companies, banks, government agencies, and more.
Protecting these systems is equally as complicated. MITRE Engenuity™, MITRE’s foundation directed at uniting industry for the public interest, stepped up to the challenge.
To get the job done, Cynthia Wright, Adrian Gonzalez, and Sebastian Forgues leveraged several of our cross-cutting capabilities, combining statistical analysis with cybersecurity expertise to address system security issues.
A 30,000-FOOT VIEW OF A COMPLEX CHALLENGE
Big Picture: Large swaths of the global population rely on their mobile devices to make payments and get paid. Unfortunately, the financial technology (AKA fintech) processes supporting such transactions are extremely vulnerable to fraud.
Challenge: Protecting mDFS is a multi-faceted challenge because each participant in the fintech ecosystem interacts and manages their role differently. MITRE Engenuity’s team set out to create a decision tool, or cyber risk model, to help direct industry and government toward solutions-oriented investments.
Approach: Similar to 3D glasses, the complete picture of mDFS security is unclear unless it’s viewed through both technical and non-technical lenses simultaneously.
Dual-lens complexity in action: Forgues cites an example of a woman using her phone to buy goods from a shopkeeper at a market. The transaction is text or SMS-based and not associated with or insured by a bank.
There are myriad technical touch points for something to wrong during any given transaction.
There are also numerous non-technical factors that could contribute to her text transaction going awry.
Outcome: The team used open-source research to cull technical and non-technical data inputs, like the scenario outlined above. From there, they built on MITRE’s ATT&CK® framework, which tracks cyber adversary behavior, to develop an interactive cyber risk model outlining the top 20 risks (out of several hundred) threatening digital financial systems globally. They then transformed the model into a web-based software application available for the public to run individualized risk assessments.
Layered challenge: Due to its complexity, industry and governments haven’t yet recognized the value of this open-source tool.
BRINGING A NEW VIEW TO A LONG-STANDING PROBLEM
“It’s a rising tide that can lift all boats,” Forgues says of the project’s potential impact on the mobile fintech ecosystem broadly.
The team is working on the following next steps:
The project’s risk model approach can be applied to many other sectors’ cyber threat areas, including agriculture, shipping, health information, and more.
Interested in learning more? An 87-page white paper outlines MITRE Engenuity’s process and findings in detail.