
Mobile Money

V100R003
Security Description

Issue 01

Date 2017-07-28

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com

Email: support@huawei.com

Issue 01 (2017-07-28) Huawei Proprietary and Confidential i


Copyright © Huawei
Technologies Co., Ltd.
Mobile Money
Security Description About This Document

About This Document

Purpose
This document describes the security features of the system and helps you understand the
Mobile Money security solution.

Intended Audience
This document is intended for:
• Technical support engineers
• Maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol   | Description
---------|------------------------------------------------------------------------------
(icon)   | Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
(icon)   | Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
(icon)   | Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
NOTICE   | Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
NOTE     | Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.



Change History
Changes between document versions are cumulative. Therefore, the latest document issue
contains all changes made in previous issues.

Issue 01 (2017-07-28)
This issue is the first release.


1 Overview

About This Chapter


1.1 Mobile Money Product Overview
1.2 Security Threats to the Mobile Money Product

1.1 Mobile Money Product Overview


Today, most people pay with cash or bank cards (debit or credit cards). Carrying large
amounts of cash or several bank cards around is inconvenient, especially for small payments.
With the growth of mobile networks, more and more people communicate with each other using
mobile phones.
The Mobile Money (MM) system builds on that mobile network coverage. It lets people pay
conveniently from mobile devices: instead of cash or bank cards, a mobile phone can be used to
pay daily bills such as air tickets, call charges, parking fees, and utility bills. Mobile Money
also supports remittances and commercial campaigns. Dealers can reach their customers and
promote products and services anytime, anywhere.
As a network-based solution, the Mobile Money system consists of a server and clients.
Clients receive service requests from customers, and the server processes these requests.
Mobile Money clients offer customers several payment channels, such as WEB&API, USSD,
IVR, and STK. The Mobile Money server is the payment platform and the core of the Mobile
Money system.
Figure 1-1 shows the position of Mobile Money in the network.


Figure 1-1 Position of Mobile Money in the network

1.2 Security Threats to the Mobile Money Product


1.2.1 Security Threats
Security Threats at the Application Layer
• Input validation
Buffer overflow, cross-site scripting, and Structured Query Language (SQL) injection.
• Authentication
Network eavesdropping, brute force attacks, dictionary attacks, cookie replay, and
credential theft.
• Authorization
Illegal elevation of privilege, disclosure of confidential data, data tampering, and luring
attacks.
• Configuration management
Unauthorized access to administration interfaces, unauthorized access to configuration
stores, retrieval of clear-text configuration data, lack of individual accountability, and
over-privileged process and service accounts.
• Sensitive data
Access to sensitive data in storage, network eavesdropping, and data tampering.
• Session management
Session hijacking, session replay, and man-in-the-middle attacks.
• Cryptography
Poor key generation or management, and weak or custom encryption.
• Parameter manipulation
Query string manipulation, form field manipulation, cookie manipulation, and Hypertext
Transfer Protocol (HTTP) header manipulation.
• Exception management
Information disclosure and denial of service.
• Auditing and logging
Users denying operations, attackers exploiting applications without leaving a trace, and
attackers covering their tracks.

Security Threats at the System Layer


• Viruses, worms, and Trojan horses
Malicious code comes in several varieties, including:
− Viruses: programs designed to perform malicious acts and disrupt an operating system
or applications.
− Worms: self-replicating, self-sustaining programs. Worms also increase traffic and
consume bandwidth by spreading copies of themselves to other computers over the
network.
− Trojan horses: programs that appear to be useful but are actually harmful.
In many cases, malicious code goes unnoticed until it consumes system resources and
slows down or halts other programs. For example, the Code Red worm, one of the most
notorious to afflict Microsoft Internet Information Services (IIS), exploited a buffer
overflow in an Internet Server Application Programming Interface (ISAPI) extension.
• Profiling
Profiling, or host enumeration, is an exploratory process used to gather information
about your server. An attacker uses this information to attack known weak points.
• Brute force attacks
A brute force attack tries every possible account and password until the attacker finds
the right one.
• Denial of service
Denial of service occurs when your server is overwhelmed by service requests, leaving
your web server unable to respond to legitimate client requests.
• Arbitrary code execution
Code execution attacks occur when an attacker runs malicious code on your server, either
to compromise server resources or to mount additional attacks against downstream
systems.
• Unauthorized access
Unauthorized access occurs when a user without the correct permissions gains access to
restricted information or performs a restricted operation.

Security Threats at the Network Layer


• Information gathering
Information gathering can reveal detailed information about network topology, system
configuration, and network devices. An attacker uses this information to mount targeted
attacks against the discovered vulnerabilities.
• Sniffing
Sniffing, also called eavesdropping, is the act of monitoring network traffic for data
such as clear-text passwords or configuration information. With a simple packet sniffer,
all plaintext traffic can be read easily. In addition, weak hashing algorithms can be
cracked, and a payload that was thought to be safe can be deciphered.
• Spoofing
Spoofing, also called identity obfuscation, is a means to hide one's true identity on the
network. A fake source address is used that does not represent the actual packet
originator's address. Spoofing can be used to hide the original source of an attack or to
work around network access control lists (ACLs) that limit host access based on source
address rules.
• Session hijacking
In session hijacking, typically carried out as a man-in-the-middle attack, an attacker uses
an application that masquerades as either a client or a server. The server or client is
tricked into believing that the upstream host is the legitimate host, when it is actually the
attacker's host manipulating the network so that it appears to be the desired destination.
Session hijacking can be used to obtain login information that is then used to gain access
to a system or to confidential information.
• Denial of service
A denial of service attack denies legitimate users access to a server or services.
Network-layer denial of service attacks usually flood the network with traffic, consuming
the available bandwidth and resources.

Security Threats at the Management Layer


• Security management regulations are missing, or are not strictly complied with.
• Associated personnel lack security awareness.
• Security patches for systems and applications are not installed in a timely manner, leaving
known vulnerabilities open.
• Several people share one account, so actions cannot be traced back to an individual.
• Incomplete security documentation fails to provide sufficient guidance for production
security.

1.2.2 New Security Challenges


Mobile Money system transactions, such as transfers and payments, must be secured.
Compliance risks may also exist with respect to information security supervision, personal
data protection, and privacy protection laws and standards.
At the same time, mobile payment brings new security challenges:
• New security challenges for web applications
The payment platform industry currently faces enormous security challenges from the
Internet, such as injection, overflow, and script attacks, and the Mobile Money system is
no exception.
• API security threats
The Mobile Money system provides APIs for interconnection with third-party systems. It is
crucial to ensure authentication and authorization security and to guard against threats
originating from the third-party systems.
• Authentication and permission management
For mobile payments, identity authentication and permission management are crucial.
Traditional design patterns must be altered to ensure system reliability and security and to
prevent privilege escalation, impersonation, and intrusion.
• Sensitive data storage security
Security credentials and other sensitive data must be stored securely. Balances must be
protected against tampering, and the confidentiality and integrity of bills and transfers
must be ensured.
• Transaction security
The payment system must provide security mechanisms for transactions such as transfers
and payments.
• Law and standard compliance
Information security monitoring, personal data protection, and privacy protection must
comply with the relevant laws and standards.


2 Mobile Money Security Solution

About This Chapter


2.1 Security Solution Overview
2.2 Security Architecture
2.3 Basic Security Policies
2.4 Mobile Money Security

2.1 Security Solution Overview


The Mobile Money security solution is designed according to standards and recommendations
such as the Trusted Computer System Evaluation Criteria (TCSEC), the Information Technology
Security Evaluation Criteria (ITSEC), International Organization for Standardization (ISO)/IEC
15408, and International Telecommunication Union (ITU-T) X.805, and according to the
business requirements of carriers.
The security solution comprises four layers:
• Application layer security, which includes account security, data security, permission
security, and coding security and provides configurable security policies to protect
applications developed by Huawei.
• System layer security, which protects the operating system, database, and middleware
containers used by applications.
• Network layer security, which protects network devices and communication.
• Management layer security, which provides security procedures and recommendations for
system maintenance and operation to ensure long-term security.
The security mechanisms at all layers work together so that Mobile Money can provide
carriers with secure, reliable, and stable services, protecting carriers' assets and customer
interests.


2.2 Security Architecture


Mobile Money uses a layered security solution, as shown in Figure 2-1.

Figure 2-1 Layered Mobile Money security solution

The Mobile Money security design is based on the Huawei security baseline and on a business
analysis of Mobile Money. Mobile Money provides end-to-end security covering the network,
system, application, management, and legal compliance aspects.

2.2.1 Application Layer


• Security techniques at the application layer include password security, authentication
security, access control and authorization, session management, input validation, output
encoding, interface protocol security, file download and upload restrictions, and sensitive
data security.
• Sensitive customer data, business data, short messages, and email data are protected.
• A secure architecture is provided for the data security and data interfaces of financial
systems.

2.2.2 System Layer


• A reliable and stable operating system release (for example, Linux) is hardened to provide
a secure environment for applications.
• Web container configurations are hardened and known vulnerabilities are closed to prevent
web risks and provide a secure application environment.
• A reliable and stable database release (for example, Oracle) is hardened to provide a
secure database environment.
• All business systems run hardened Linux operating systems.


2.2.3 Network Layer


• Network devices are hardened to secure their operation.
• To provide a secure operating environment for services, unrelated services are isolated
from each other by an optimized virtual local area network (VLAN) structure.
• To control access to the service network, the network is divided into security zones with
firewalls deployed and an optimized access policy.
• The transmission channels of the management plane and the service data plane are
separated. Services are not affected if the management plane is attacked, and devices
remain manageable if the service plane is attacked.
• Management traffic between the management layer, the local maintenance terminal, and
the network management terminal is encrypted using a suitable secure transport protocol
(for example, Secure Shell (SSH), Transport Layer Security (TLS), or Internet Protocol
Security (IPsec)) and a secure management protocol (for example, SNMPv3).

2.2.4 Management Layer


• System accounts are scrutinized and managed by following a strict procedure.
• Logs are centrally stored and audited. Alarms are raised for ongoing suspicious
operations.
• A complete set of security documents is provided to facilitate security maintenance and
operations.
• Business maintenance terminals run Windows operating systems with up-to-date anti-virus
software to prevent attacks from network viruses.

2.3 Basic Security Policies


Mobile Money security covers the design and implementation of application layer security; the
security configuration of operating systems, databases, middleware, and network equipment;
and the security-related configurations, maintenance instructions, production safety and
maintenance procedures, and related maintenance activities. These measures help ensure
business continuity. They also help maintenance personnel manage and use equipment and
systems correctly and effectively, ensuring the long-term security of the equipment and
systems.
The following sections describe the basic Mobile Money security policies for operating
systems, databases, and application systems. Applicable security policies include but are not
limited to the following.

2.3.1 Security Credential Management


Security credential policies are configurable. Strong credential policies are used by default,
and credential change policies are configurable. The key credential policies are:
• Password length is configurable.
• The validity period of a security credential is configurable.
• The character types a security credential must contain are configurable, for example
uppercase and lowercase letters, digits, and special characters.
• Blacklists of weak credentials can be configured in multiple languages, following
international standards.
• Password reuse prevention: the previous N (configurable) passwords cannot be reused.
Security credential change policies include:
• The system provides a function for changing security credentials.
• When a credential is changed, the old credential, the new credential, and a confirmation of
the new credential are required.
• An expired security credential must be changed.
Security credentials are stored securely and access to them is restricted. Security credentials
must not be displayed, transmitted, or stored in plaintext.
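The following is an added example of how the credential policies above can be enforced in code; it is not Mobile Money product code. The rule names, default values, blacklist words, and the use of salted PBKDF2-HMAC-SHA256 for the reuse history are assumptions made for the illustration. Comparing a candidate against stored salted digests lets the previous N passwords be rejected without ever keeping a plaintext credential, which is what the last paragraph requires.

```python
"""Configurable credential policy (section 2.3.1) - added example, not product code.

Assumptions: rule names, defaults and blacklist words are illustrative; the
reuse history is kept as salted PBKDF2-HMAC-SHA256 digests so that no
plaintext credential is ever stored or compared.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: raise to match the deployment's CPU budget


def hash_credential(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_credential(password, salt)[1], digest)


def _as_date(value) -> date:
    """Accept date objects or ISO 8601 strings as stored in a database column."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class CredentialPolicy:
    min_length: int = 8
    max_length: int = 64
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_depth: int = 5      # the previous N passwords cannot be reused
    validity_days: int = 90     # credential must be changed after this period
    # Multilingual blacklist (illustrative entries, compared case-insensitively)
    blacklist: Set[str] = field(default_factory=lambda: {"password", "passwort", "motdepasse", "12345678"})

    def violations(self, candidate: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
        """Return every rule the candidate breaks; an empty list means it is accepted."""
        problems: List[str] = []
        if not self.min_length <= len(candidate) <= self.max_length:
            problems.append(f"length must be {self.min_length}-{self.max_length} characters")
        if self.require_upper and not any(c.isupper() for c in candidate):
            problems.append("needs an uppercase letter")
        if self.require_lower and not any(c.islower() for c in candidate):
            problems.append("needs a lowercase letter")
        if self.require_digit and not any(c.isdigit() for c in candidate):
            problems.append("needs a digit")
        if self.require_special and not any(c in string.punctuation for c in candidate):
            problems.append("needs a special character")
        lowered = candidate.lower()
        if any(word in lowered for word in self.blacklist):
            problems.append("contains a blacklisted word")
        # Only the most recent history_depth entries count; depth 0 disables the check
        # (history[-0:] would be the whole list, so guard explicitly).
        recent = history[-self.history_depth:] if self.history_depth > 0 else []
        for salt, digest in recent:
            if matches(candidate, salt, digest):
                problems.append(f"reuses one of the previous {self.history_depth} passwords")
                break
        return problems

    def expired(self, last_changed, today) -> bool:
        """True once the credential is at least validity_days old and must be changed."""
        return _as_date(today) - _as_date(last_changed) >= timedelta(days=self.validity_days)


def change_credential(policy: CredentialPolicy, candidate: str,
                      history: List[Tuple[bytes, bytes]]) -> List[Tuple[bytes, bytes]]:
    """Reject on any violation; otherwise return the history extended with the new digest."""
    problems = policy.violations(candidate, history)
    if problems:
        raise ValueError("; ".join(problems))
    return history + [hash_credential(candidate)]
```

The check returns every violated rule at once rather than stopping at the first, so the user interface can show the complete list; the reuse check still short-circuits after the first match because each comparison costs a full PBKDF2 derivation.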

2.3.2 Authentication and Session Control


Access to Mobile Money must be authenticated with multiple factors (for example, user name,
password, and digital certificate), and appropriate session control must be applied.
IP addresses and passwords can be used to restrict, authenticate, and authorize service
messages for sensitive transactions. For Internet-facing transactions, peer systems must be
authenticated and restricted.
For critical transactions in web-based applications, a one-time web verification code is used
to authenticate the user.

2.3.3 Secure Encryption Algorithms


Sensitive data such as security credentials and personal identification numbers (PINs) is
encrypted before being transmitted or stored, using recognized secure algorithms. For
example, reversible encryption uses algorithms with keys of at least 128 bits, and a one-way
(hash) function is used where the data never needs to be recovered. A hardware security
module (HSM) is also used for cryptographic operations to protect sensitive data and keys.
Appropriate integrity protection is used to verify the validity, integrity, and security of
sensitive system data (such as account balances and bills) and to prevent unauthorized
tampering.
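The following added example shows one way to implement the integrity protection described in the last paragraph: each balance record carries a keyed message authentication code (HMAC-SHA256) that is verified before the record is trusted. It is not Mobile Money product code. The HSM is represented by an in-process stand-in that holds the MAC key and exposes only tag generation and verification; the record field names and values are constructed for the illustration.

```python
"""Integrity protection for balances and bills (section 2.3.3) - added example, not product code.

Assumptions: the HSM is represented by an in-process stand-in that keeps the
MAC key and exposes only mac()/verify(); record field names and values are
constructed for the illustration.
"""
import hashlib
import hmac
import json
from typing import Any, Dict


class TamperDetected(Exception):
    """Raised when a stored record's tag does not match its content."""


class HsmStandIn:
    """Stand-in for a hardware security module: the key never leaves this object."""

    def __init__(self, key: bytes):
        if len(key) < 16:  # 128-bit minimum, matching the key-length rule above
            raise ValueError("MAC key must be at least 128 bits")
        self._key = key

    def mac(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def verify(self, data: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.mac(data), tag)


def canonical(record: Dict[str, Any]) -> bytes:
    """Deterministic encoding so that key order or whitespace cannot change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(hsm: HsmStandIn, record: Dict[str, Any]) -> Dict[str, Any]:
    """Return the record with an integrity tag computed over all of its other fields."""
    body = {k: v for k, v in record.items() if k != "mac"}
    return {**body, "mac": hsm.mac(canonical(body)).hex()}


def load(hsm: HsmStandIn, stored: Dict[str, Any]) -> Dict[str, Any]:
    """Verify the tag before trusting a record read back from the database."""
    body = {k: v for k, v in stored.items() if k != "mac"}
    try:
        tag = bytes.fromhex(stored.get("mac", ""))
    except ValueError:
        tag = b""  # malformed tag is treated like a missing one
    if not hsm.verify(canonical(body), tag):
        raise TamperDetected(f"integrity check failed for {body.get('account_id')}")
    return body


def intact(hsm: HsmStandIn, stored: Dict[str, Any]) -> bool:
    """Boolean form of load() for callers that only need a verdict."""
    try:
        load(hsm, stored)
        return True
    except TamperDetected:
        return False


def demo() -> str:
    hsm = HsmStandIn(key=b"\x01" * 32)  # constructed key; a real one lives in the HSM
    sealed = seal(hsm, {"account_id": "ACC-0001", "balance": "1500.00", "currency": "USD"})
    # Direct edit of the row, bypassing the application (e.g. by a privileged DB account)
    tampered = dict(sealed, balance="9999999.00")
    return "tamper detected" if intact(hsm, sealed) and not intact(hsm, tampered) else "tamper missed"
```

Because the account identifier is part of the tagged body, a valid tag copied from another account's row is rejected as well, and because the key is available only through the HSM interface, a database account with write access cannot recompute a tag after changing a balance. The check detects modification; it does not by itself prevent deletion of a row, which must be covered by the database permission controls in 2.3.6 and the audit logs in 2.3.7.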

2.3.4 Secure Interaction Protocols


Interactions between system components are protected by secure protocols. Use secure
protocols such as HTTPS for sensitive web-based operations, Secure Shell (SSH) for login,
and SFTP for file transfer. Virtual private networks (VPNs) can be used for communication
with third-party systems.

2.3.5 Authorization Management


A role-based authorization model is used, and the least-privilege rule is applied to accounts
and roles: a role is assigned only the operation permissions it needs, and an account is
assigned only the roles it needs. The system design provides role and account planning
features that help you control operating systems, databases, and application systems
effectively and separate management, maintenance, and service operation activities.


2.3.6 File and Data Protection


Permissions for accessing operating systems, databases, and applications are configured to
prevent unauthorized access to critical system and application files.
Unauthorized access to and tampering with database system tables, application data, and
application-created data files are not allowed. This prevents the disclosure of private
customer information.
Permissions on operating system, database, and application log files are strictly controlled
to prevent tampering.
Different types of files are stored in directories with different permission controls according
to their importance. This facilitates file management and backup and ensures the security of
files and directories.

2.3.7 Security Logs


All user activities and operation commands must be logged for follow-up audit. Logs must
contain the user ID, user name, identity type, sign-on time, and online duration. Permissions
on logs must be controlled; only administrators with log management permission are allowed
to delete logs. Security credentials, bank accounts, and other sensitive information are not
logged. Sensitive information is anonymized or masked with asterisks (*) before being
displayed on the GUI.
Security logs can be configured to be forwarded to a centralized external log server for
further processing, analysis, and audit.
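The following added example shows how an audit record can be built so that it satisfies the rules above: the required fields are enforced, credentials and bank accounts are dropped before anything is written, identifiers such as the MSISDN are masked with asterisks, and a secret that leaked into free text (for example a raw USSD string containing a PIN) is scrubbed. It is not Mobile Money product code; the field names, masking rules, and sample event are constructed for the illustration.

```python
"""Audit log record sanitizer (section 2.3.7) - added example, not product code.

Assumptions: field names, the masking rules and the sample event are
constructed for the illustration.
"""
import json
import re
from typing import Any, Dict

# Every audit record must carry these fields (from the section above).
REQUIRED_FIELDS = ("user_id", "user_name", "identity_type", "sign_on_time", "online_duration_s")

# Values that must never be written to a log at all.
FORBIDDEN_KEYS = {"password", "pin", "otp", "credential", "secret", "token", "bank_account"}

# Values kept for correlation but shown only partially: (visible head, visible tail).
MASK_RULES = {
    "msisdn": (3, 2),        # keep the country prefix and the last two digits
    "national_id": (0, 3),   # keep the last three characters only
}

# Secrets that slipped into free text, e.g. a raw USSD string containing "pin=1234".
SECRET_IN_TEXT = re.compile(r"(?i)\b(pin|pwd|password|otp)\s*[=:]\s*\S+")


class AuditLogError(ValueError):
    """Raised when an event cannot be logged in a compliant form."""


def mask_middle(value: Any, keep_head: int, keep_tail: int) -> str:
    """Replace the middle of a value with asterisks, leaving keep_head/keep_tail visible."""
    text = str(value)
    hidden = len(text) - keep_head - keep_tail
    if hidden <= 0:
        return "*" * len(text)  # too short to reveal any part safely
    tail = text[len(text) - keep_tail:] if keep_tail else ""
    return text[:keep_head] + "*" * hidden + tail


def has_required_fields(event: Dict[str, Any]) -> bool:
    return all(f in event for f in REQUIRED_FIELDS)


def sanitize_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Drop forbidden values, mask identifiers, and scrub secrets from free text."""
    if not has_required_fields(event):
        missing = [f for f in REQUIRED_FIELDS if f not in event]
        raise AuditLogError(f"missing required audit fields: {missing}")
    record: Dict[str, Any] = {}
    for key, value in event.items():
        k = key.lower()
        if k in FORBIDDEN_KEYS:
            continue  # never logged, not even masked
        if k in MASK_RULES:
            head, tail = MASK_RULES[k]
            record[key] = mask_middle(value, head, tail)
        elif isinstance(value, str):
            record[key] = SECRET_IN_TEXT.sub(lambda m: f"{m.group(1)}=****", value)
        else:
            record[key] = value
    return record


def build_log_line(event: Dict[str, Any]) -> str:
    """Serialize a sanitized event as one JSON line for the central log server."""
    return json.dumps(sanitize_event(event), sort_keys=True, ensure_ascii=False)
```

Rejecting an event that lacks a required field, instead of logging it incompletely, keeps the audit trail usable for the follow-up audit the section calls for; the forbidden-key list is applied before masking so that a credential can never be "masked" into the log by a typo in the rules.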

2.3.8 Auditable Accounts


Roles and accounts for operating systems, databases, and applications are planned so that each
user has exactly one account, and user activities can be audited. At the application layer,
different auditing policies can be applied to different roles and accounts and configured to
enable logging without degrading performance.

2.4 Mobile Money Security


2.4.1 Application Layer Security
Mobile Money provides permission and user management, supports a role-based authorization
model, and applies the least-privilege rule. Operators and interconnected systems are
authenticated before they access the system. Operators are authenticated with user names,
passwords, and digital certificates, under strong password policies. For interconnected
systems, data is encrypted at both the application and transport layers. The application
applies access control to files and data (including customer data) and encrypts sensitive data.
Operations are logged and application data is audited to identify abnormal business activity
and illegal tampering.

Identity and Access


Mobile Money supports multi-factor authentication. For example, when an operator logs in
through the web or sends a request through an API, a digital certificate is associated with the
operation; an identity cannot log in with a certificate that is not associated with it.


Table 1.1 Authentication mapping table

Channel                 | Access Gateway                        | Authentication Factors
------------------------|---------------------------------------|------------------------------------------------------------
SP/Organization Portal  | Portal                                | User name + password + personal certificate
USSD                    | USSD access gateway                   | MSISDN + PIN
STK                     | STK access gateway                    | MSISDN + PIN
IVR                     | API access gateway                    | MSISDN + PIN
ATM                     | API access gateway/ISO-8583 gateway   | One-time voucher code + PIN + other KYC details
POS                     | API access gateway                    | To be defined later. At least the security authentication used for the API will apply.
API                     | API access gateway                    | Credential in API message + third-party certificate

Table 1.2 Authorization mapping table

Channel                 | Access Gateway
------------------------|---------------------------------------
SP/Organization Portal  | Portal
USSD                    | USSD access gateway
STK                     | STK access gateway
IVR                     | API access gateway
ATM                     | API access gateway/ISO-8583 gateway
POS                     | API access gateway
API                     | API access gateway

Authorization method (common to all channels):
• Permission and role management: Any operation or menu on a web portal can be defined as a
permission item. All permission items can be grouped as different roles to be assigned to
operators or customers.
• Product and service assignment management: Products and services are assigned to registered
identities in the Mobile Money system. Mobile Money controls the products and services
available to an identity based on this assignment.

Identity Management
 Identity in the system must be unique.
 An administrator can create, delete, modify, lock, and unlock identities in the system.

 If the name of an identity to be created is the same as that of a deleted identity, the new
identity cannot inherit any information (such as personal, authentication, and
authorization information) of the deleted identity.
 An identity has multiple states. An identity administrator can maintain the status of an
identity.
 An operator account is automatically locked if it has not been used for a specified
number of days (0-999). The default setting of 60 days is recommended. If the period is
set to 0, automatic locking is disabled. A locked identity can be manually unlocked only
by an authorized identity administrator.

Authentication
Application account authentication mechanisms are as follows:
 The system provides GUIs for login authentication and logout.
 Multiple authentication factors are supported, for example, user name, password, and
digital certificate. A digital certificate can be associated with a user to implement
mutual (client and server) authentication over SSL/TLS.
 For web application account authentication, web verification codes that support
background interference and character distortion are used to enhance the security.
 Strong password policies must be used for the user name plus password authentication
mode.
 When a user requests access to a restricted resource or an operation that requires
authentication, the system first authenticates the user and then checks the user's
authorization.
 User authentication is performed on the application server to ensure the authentication
validity.
 Service login cannot be bypassed. If a user fails to be authenticated, the user cannot
perform any operation.
 The automatic login and password remembering functions are disabled for the web
application management portal.
 To prevent server information leakage, the system does not prompt the detailed failure
cause if authentication fails.
 Re-authentication is required for key management and business transactions, so that a
hijacked session or a cross-site request forgery (CSRF) cannot be used to cause
customer loss.
 An identity is locked if the number of failed login attempts reaches N in a specified
time period. After the (N-1)th failed attempt, the system warns the user that one more
unsuccessful login attempt will lock the identity.
 The number of consecutive failed login attempts before being locked can be set to a
value between 0 and 99. The value 0 indicates that this feature is disabled. The default
value is 5.
 If the number of consecutive login failures reaches the threshold, the system locks the
password of the operator who is attempting to log in. A locked password is unlocked
automatically by the system after a specified time period, or manually by an
administrator. An administrator can also change the status of a common user.
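
The lockout rules above (N consecutive failures within a time period, a warning on the
(N-1)th failure, 0 disabling the feature, a correct password not unlocking a locked
identity, and automatic or administrator unlock) can be checked against a small model.
The following Python is an added example written for this page, not Mobile Money code:
the length of the counting window, the automatic unlock period and the status strings
returned are assumptions, and the clock is injectable so the behaviour can be exercised
without waiting.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    """Parameters of the lockout rule. max_failures=0 disables the feature
    (the page's default is 5); the other two values are assumptions."""
    max_failures: int = 5
    window_seconds: int = 15 * 60                 # period in which failures are counted
    auto_unlock_seconds: Optional[int] = 30 * 60  # None: administrator unlock only


@dataclass
class IdentityState:
    failures: List[float] = field(default_factory=list)  # timestamps of failures
    locked_at: Optional[float] = None


class LoginGuard:
    """Counts consecutive failures per identity, warns at N-1 and locks at N."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock
        self.state: Dict[str, IdentityState] = {}

    def _state(self, identity: str) -> IdentityState:
        return self.state.setdefault(identity, IdentityState())

    def is_locked(self, identity: str) -> bool:
        st = self._state(identity)
        if st.locked_at is None:
            return False
        unlock_after = self.policy.auto_unlock_seconds
        if unlock_after is not None and self.clock() - st.locked_at >= unlock_after:
            self.unlock(identity)              # automatic unlock after the lock period
            return False
        return True

    def unlock(self, identity: str) -> None:
        """Used both for the automatic unlock and for a manual administrator unlock."""
        self.state[identity] = IdentityState()

    def record_failure(self, identity: str) -> str:
        """Returns 'disabled', 'ok', 'warning' or 'locked'. Only the warning is
        shown to the user verbatim; every other failure gets a generic message."""
        if self.policy.max_failures == 0:
            return "disabled"
        st = self._state(identity)
        now = self.clock()
        # Failures older than the window no longer count towards the threshold.
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        count = len(st.failures)
        if count >= self.policy.max_failures:
            st.locked_at = now
            return "locked"
        if count == self.policy.max_failures - 1:
            return "warning"                   # one more failure locks the identity
        return "ok"

    def record_success(self, identity: str) -> None:
        self._state(identity).failures.clear()

    def attempt(self, identity: str, password_ok: bool) -> str:
        """Single entry point: a locked identity is refused before the credentials
        are evaluated, so a correct password does not unlock it."""
        if self.is_locked(identity):
            return "locked"
        if password_ok:
            self.record_success(identity)
            return "success"
        return self.record_failure(identity)
```

The guard deliberately returns the lock decision before the password is checked, which
is what keeps a locked identity closed to the legitimate user and the attacker alike
until the lock period expires or an administrator intervenes.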

Digital Certificate
When an operator logs in to Mobile Money from a web GUI, Mobile Money authenticates the
operator by user name, password, and the serial number (SN) of the operator's digital
certificate.

 An operator applies for a certificate from the Certificate Authority (CA) system and
emails it to an administrator who has the permission to manage certificates. The CA is
responsible for issuing the certificate.
 After the certificate has been transmitted to the administrator, it is associated with
the operator during the operator creation procedure. When the operator is created, the
certificate serial number is verified, collected, and stored in Mobile Money.

SNs can be added to Mobile Money manually or read from an input file.


 When an operator logs in to Mobile Money from a web GUI, Mobile Money verifies the
operator's user name and password and the SN of the client certificate presented during
the SSL/TLS handshake. Because a serial number is unique only within one CA, the SN
should be matched together with the certificate's issuer, and the TLS layer must have
validated the certificate chain before the SN is trusted.
 The administrator can manage certificates on the Mobile Money GUI, for example,
changing the status of an operator's certificate to active or suspended, updating a
certificate, and revoking a certificate.
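
The SN binding described above has two practical pitfalls: serial numbers imported by
hand or from a file arrive in several spellings (with or without colons, a 0x prefix,
leading zeros, mixed case), and a serial number identifies a certificate only together
with its issuer. The following Python is an added example, not Mobile Money code. It
normalizes SNs, parses an "operator,serial" input file whose format is assumed, and
checks user name, password result and client certificate together. The peer certificate
is in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the
operator records, DNs and serial numbers are constructed for the example.

```python
import ssl
from typing import Dict, Optional, Tuple

# Constructed operator records standing in for the Mobile Money operator table.
# Each operator is bound to the issuer and serial number of its certificate, and
# the certificate carries the administrator-managed status (active / suspended /
# revoked). Names, DNs and serial numbers are made up for this example.
OPERATORS = {
    "alice": {"issuer": "C=ZZ,O=Example Corp,CN=MobileMoney Operator CA",
              "serial": "04:AB:00:FF:12", "cert_status": "active"},
    "bob":   {"issuer": "C=ZZ,O=Example Corp,CN=MobileMoney Operator CA",
              "serial": "0x1F2E", "cert_status": "suspended"},
}

# What ssl.SSLSocket.getpeercert() returns for alice's client certificate
# (constructed; the real dict also carries validity dates and extensions).
ALICE_PEER = {
    "issuer": ((("countryName", "ZZ"),), (("organizationName", "Example Corp"),),
               (("commonName", "MobileMoney Operator CA"),)),
    "subject": ((("commonName", "alice"),),),
    "serialNumber": "04AB00FF12",
}


def normalize_serial(sn: str) -> str:
    """Canonical form of a serial number however it was typed or imported:
    no 0x prefix, colons or spaces, upper-case hex, no leading zeros."""
    s = sn.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = s.replace(":", "").replace(" ", "").upper()
    if not s or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError("not a hexadecimal serial number: %r" % sn)
    return s.lstrip("0") or "0"


def load_sn_file(text: str) -> Dict[str, str]:
    """Parse an 'operator,serial' input file (format assumed here) into
    {operator: canonical SN}; blank lines and '#' comments are skipped."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        operator, serial = (part.strip() for part in line.split(",", 1))
        result[operator] = normalize_serial(serial)
    return result


def issuer_string(peer_cert: dict) -> str:
    """Flatten getpeercert()'s issuer tuple-of-tuples into 'C=..,O=..,CN=..'
    in certificate order so it can be compared with the stored value."""
    short = {"countryName": "C", "organizationName": "O",
             "organizationalUnitName": "OU", "commonName": "CN"}
    parts = []
    for rdn in peer_cert["issuer"]:
        for key, value in rdn:
            parts.append("%s=%s" % (short.get(key, key), value))
    return ",".join(parts)


def server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """TLS server context that demands a client certificate chained to the
    operator CA, so getpeercert() only ever sees chain-validated certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(ca_file)
    return ctx


def verify_operator_login(username: str, password_ok: bool,
                          peer_cert: Optional[dict]) -> Tuple[bool, str]:
    """All three factors must pass; every failure returns the same generic text.
    peer_cert is None when no client certificate was presented."""
    record = OPERATORS.get(username)
    if record is None or not password_ok or peer_cert is None:
        return False, "authentication failed"
    if record["cert_status"] != "active":
        return False, "authentication failed"
    # A serial number is unique only within one CA (RFC 5280), so the issuer
    # is matched together with the SN rather than the SN alone.
    if issuer_string(peer_cert) != record["issuer"]:
        return False, "authentication failed"
    if normalize_serial(peer_cert["serialNumber"]) != normalize_serial(record["serial"]):
        return False, "authentication failed"
    return True, "ok"
```

server_context() is the part that makes the SN check meaningful: with CERT_REQUIRED and
the operator CA as the only trust anchor, a certificate that reaches getpeercert() has
already been chain-validated, so the application only has to confirm which operator it
belongs to and whether the administrator has suspended it.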

Password Policies
The following password policies are supported for application accounts:
 The minimum and maximum password lengths are configurable within the range of 0 to 32
characters. By default, a password must contain at least eight characters.
 A password must contain at least two of the following types of characters:
− One lowercase letter
− One uppercase letter
− One digit
− One special character: `~!@#$%^&*()-_=+\|[{}];:'",<.>/?, and space
 If a password does not meet the requirement, the password setting fails, and the system
displays the error information.
 The number of historic passwords that cannot be reused is configurable. The value must
be greater than 0. The default value 5 is recommended.
 A validity period must be configured for passwords. The minimum validity period (the
time that must elapse before a password may be changed again) ranges from 0 to 9999
minutes. The maximum validity period ranges from 0 to 999 days; a value of 0 means the
password never expires. The recommended and default maximum validity period is 90 days
(about three months).
 If an operator's password is about to expire, the system can prompt the operator N
(configurable) days in advance when the operator logs in. The value of N ranges from 0
to 99. If N is set to 0, no advance expiration prompt will be displayed. The default setting
is 7 days.
 When an operator changes the password, the old password is required. An operator other
than an administrator can change only the operator's own password.
 A system administrator can reset the passwords of other users without being restricted by
the minimum password validity period.
 An initial password can be provided for an operator or end user by default or by a system
administrator. When an operator or end user attempts to log in to the system, the system
requires the operator or end user to change the initial password and allows the login only
after the initial password is successfully changed.

 Passwords must not be displayed in plaintext on the GUI, on terminals, or in logs. When
being entered on the GUI, passwords can be masked as asterisks (*) or not displayed.
Plaintext passwords stored in the memory (for example, during the login process) must
be erased immediately after being used.
 Values of password fields cannot be copied.
 Passwords must not be stored as plaintext in the system.
 Access control can be implemented on password files. Common users cannot read or
copy the files.
 A user can change the password only after being authenticated.
 During the password changing process, a user must enter the new password twice to
confirm the new password.
 In web applications, accounts whose passwords are to be changed can be obtained only
from server sessions and cannot be specified by clients.
 A password cannot be the same as the account ID or the inverted account ID.
 Complexity rules can be configured for default passwords of built-in accounts.
 A weak password dictionary can be configured.
 If an operator forgets the password, the operator can answer security questions to reset
the password. The system sends the new password to the operator by email or short
message if the operator has correctly answered all security questions.
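
The rules above (length limits, at least two character classes from the listed set, no
match with the account ID or its reverse, a weak-password dictionary, a bounded history
of unreusable passwords, the old password required for a change but not for an
administrator reset, and no plaintext storage) combine into one validator and one
credential store. The following Python is an added example, not Mobile Money code. The
weak dictionary, the 32-character maximum and the PBKDF2 parameters are assumptions;
PBKDF2-HMAC-SHA256 with a random salt stands in for whichever one-way function the
product uses, and because only hashes are kept, the reuse rule is checked by verifying
the candidate against each stored hash.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Special characters exactly as listed on the page, plus the space.
SPECIAL = "`~!@#$%^&*()-_=+\\|[{}];:'\",<.>/? "

# Policy values: min length 8 and history 5 are the page's defaults; the
# maximum length is the page's upper bound; the weak dictionary is constructed.
POLICY = {
    "min_len": 8, "max_len": 32, "history": 5,
    "weak_dictionary": {"password", "12345678", "qwerty123", "mobilemoney"},
}

# PBKDF2-HMAC-SHA256 with a random per-password salt stands in for the
# "one-way function" the page requires for stored credentials (assumed parameters).
ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def check_password(candidate: str, account_id: str,
                   history: List[bytes], policy=POLICY) -> Optional[str]:
    """Return None if the candidate satisfies every rule, else the rule it breaks."""
    if not policy["min_len"] <= len(candidate) <= policy["max_len"]:
        return "length"
    classes = sum([any(c.islower() for c in candidate),
                   any(c.isupper() for c in candidate),
                   any(c.isdigit() for c in candidate),
                   any(c in SPECIAL for c in candidate)])
    if classes < 2:
        return "complexity"
    lowered, account = candidate.lower(), account_id.lower()
    if lowered in (account, account[::-1]):
        return "equals account id"
    if lowered in policy["weak_dictionary"]:
        return "weak dictionary"
    # Only hashes are kept, so reuse is detected by verifying against each one.
    if any(verify_password(candidate, old) for old in history[-policy["history"]:]):
        return "reused"
    return None


class CredentialStore:
    """Current password hash per account plus a bounded hash history."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.current: Dict[str, bytes] = {}
        self.history: Dict[str, List[bytes]] = {}

    def change_password(self, account_id: str, old: Optional[str], new: str) -> Optional[str]:
        """old=None models an administrator reset, which needs no old password;
        a normal change must present the current password first."""
        stored = self.current.get(account_id)
        if old is not None and (stored is None or not verify_password(old, stored)):
            return "old password incorrect"
        history = self.history.setdefault(account_id, [])
        reason = check_password(new, account_id, history, self.policy)
        if reason is not None:
            return reason
        new_hash = hash_password(new)
        self.current[account_id] = new_hash
        history.append(new_hash)
        del history[:-self.policy["history"]]   # keep only the last N hashes
        return None
```

The returned reason strings are for the GUI's "password setting fails" message; the
store never holds the password itself, only salt and digest, so a dump of it gives an
attacker nothing to compare against except through the same slow function.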

Authorization Management
Application authorization management is described as follows:
 The system uses a role-based account management model.
 When an account is created, no role is assigned or the role with the minimum permission
is assigned by default.
 The account used to run applications is an operating system account with the minimum
permission.
 The account used to access the database system is a database account with the minimum
permission.
 For each web page access or Servlet request that requires authorization, the system
verifies the user's permissions and the validity of the user's session identifier, so
that a user cannot reach a function simply by requesting its uniform resource locator
(URL) directly.
 A user cannot access sensitive data of other users without permission.
 Authorization data and user permission data are stored on a server instead of on a client.
Authentication is also executed on the server.
 Only minimum permission is assigned on system directories and files, including
temporary directories and files generated during system running.
 Functions are provided for updating digital certificate status and managing association
relationships of digital certificates.

Session Management
 Session cookies are used to maintain sessions. The cookie of a session is released after
the session ends.
 After a user name and password are authenticated, the session identifier is
regenerated to prevent session fixation.

 Information that cannot be modified during a session is stored and maintained as part of
the session on the server.
 An exit or logout button or menu is provided on all pages that can be accessed only after
login.
 When a user logs out, the user's session information is cleared.
 Process security control is implemented on the server to ensure that processes are
executed and authentication steps are performed in the correct sequence.
 If a user does not perform any operation in a specified period, the system automatically
logs off the user, or clears the user's session information.
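
The session rules above and the per-request permission check from Authorization
Management fit together in one server-side store: a fresh identifier after login so a
planted pre-login identifier is worthless, an idle timeout that clears server state, a
logout that destroys the session, a cookie that keeps the identifier out of URLs, and a
request handler that requires both a live authenticated session and a role holding the
permission item for the requested path. The following Python is an added example, not
Mobile Money code; the idle timeout, the cookie name, the roles, the permission items
(URL paths) and the users are assumptions, and the clock is injectable for testing.

```python
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60   # assumed value for the page's "specified period"

# Constructed RBAC data: permission items are URL paths (any operation or menu
# can be a permission item) grouped into roles; users hold exactly one role.
ROLE_PERMISSIONS = {
    "teller":  {"/txn/query", "/txn/deposit"},
    "auditor": {"/txn/query", "/audit/logs"},
    "admin":   {"/txn/query", "/txn/deposit", "/audit/logs", "/admin/operators"},
}
USER_ROLES = {"alice": "admin", "bob": "teller"}


def session_cookie(sid: str) -> str:
    """Set-Cookie value: the session lives in a cookie, never in the URL."""
    return "MMSESSION=%s; Path=/; HttpOnly; Secure; SameSite=Strict" % sid


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.sessions: Dict[str, dict] = {}

    def _new(self, user: Optional[str]) -> str:
        sid = secrets.token_urlsafe(32)          # CSPRNG-generated identifier
        self.sessions[sid] = {"user": user, "last_seen": self.clock(), "data": {}}
        return sid

    def create(self) -> str:
        return self._new(None)                   # anonymous pre-login session

    def get(self, sid: str) -> Optional[dict]:
        session = self.sessions.get(sid)
        if session is None:
            return None
        if self.clock() - session["last_seen"] > IDLE_TIMEOUT:
            self.destroy(sid)                    # idle timeout clears server state
            return None
        session["last_seen"] = self.clock()
        return session

    def login(self, sid: str, user: str) -> str:
        """After successful authentication a fresh ID is issued and the pre-login
        ID discarded, so an attacker who planted that ID (session fixation)
        holds nothing that is now authenticated."""
        self.destroy(sid)
        return self._new(user)

    def logout(self, sid: str) -> None:
        self.destroy(sid)

    def destroy(self, sid: str) -> None:
        self.sessions.pop(sid, None)


def authorize_request(store: SessionStore, sid: Optional[str], path: str) -> int:
    """Per-request check: a valid, authenticated session and a role that holds
    the permission item for the requested path. Returns the HTTP status to send."""
    session = store.get(sid) if sid else None
    if session is None or session["user"] is None:
        return 401
    role = USER_ROLES.get(session["user"])
    if path not in ROLE_PERMISSIONS.get(role, set()):
        return 403                               # blocks direct requests to unauthorised URLs
    return 200


def change_password_request(store: SessionStore, sid: str, form: dict) -> str:
    """The account whose password changes comes from the server session, not
    from the form, so a client cannot name another user's account."""
    session = store.get(sid)
    if session is None or session["user"] is None:
        return "not authenticated"
    target = session["user"]                     # form.get("account") is deliberately ignored
    return "password change for %s submitted" % target
```

Every access through get() refreshes last_seen, so the idle timeout measures inactivity
rather than session age; an absolute lifetime, if wanted, would be a second timestamp
checked the same way.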

Sensitive Data Protection


Sensitive data in Mobile Money includes users' PINs, passwords, voucher codes, secret
words, bank accounts, short messages carrying security credentials, and so on.
 An access control mechanism is provided for sensitive data to prevent unauthorized
access or copy.
 Program code cannot contain plaintext sensitive data such as account IDs, passwords,
and so on.
 Sensitive data is encrypted before being stored and must not be stored in plaintext in the
database or files.
 Logs must not contain plaintext sensitive data.
 Alarm information must not contain plaintext sensitive data.
 Web application cookies must not contain plaintext sensitive data.
 In web applications, sensitive data is submitted using the HTTP-POST method to
prevent information leakage.
 Sensitive data (such as passwords and bank account IDs) is encrypted or transferred
through secure channels if the data transfer network is a non-trusted network.
 When a user logs in to a web application, the user name and password are transmitted to
the server over HTTPS (SSL/TLS with a server certificate).
 Web application URLs must not contain session IDs, such as jsessionid.
 Information that must not be displayed for users will not be transmitted to clients.
 Service short messages that contain sensitive data such as passwords and bank account
IDs are stored in ciphertext.
 Mechanisms are provided to verify the integrity of sensitive data and guard against data
tampering.

Encryption and Decryption


 No proprietary encryption algorithms are used in Mobile Money. All encryption
algorithms used in Mobile Money are public and recognized as secure.
 No algorithm that has been shown to be insecure is used.
 Security credentials are processed with one-way (hash) functions and additional
transformations before being stored, so the original value cannot be recovered from the
stored form.
 Encryption and decryption are performed using a hardware security module (HSM).
 Encryption keys used to protect sensitive data in transit are held in the HSM instead
of being hard-coded in the program.

Security Logs
 All management activities and operation commands must be logged.
 Logs must support follow-up audits and contain user IDs, time, event types, names of
resources that are accessed, access results, and so on.
User activities to be logged include:
− Logging in and logging out
− Adding, deleting, and modifying user attributes, such as accounts, passwords, and
validity periods
− Locking, unlocking, suspending, and resuming users
− Changing permission of a role
− Changing system security configurations, such as security log content
configurations.
− Changing key resources, such as deleting and modifying critical files
Operation commands to be logged include the commands for:
− Modifying system parameters
− Loading and unloading services
− Upgrading software locally or remotely
− Creating, deleting and modifying critical service data, especially finance-related
data, such as card IDs, balances, charge rates, fees, orders, vouchers, and bills.
− Executing command lines using accounts
 An access control mechanism must be provided for logs to prevent unauthorized access,
deletion, and modification.

Privacy Protection
 Private data to be exported out of the carrier network for error location must be filtered
and anonymized.
 The system provides security protection mechanisms (such as authentication, permission
control, and logging) for personal data collection and processing.
 Logs must not contain security credentials, bank account IDs, or service short messages.
 Sensitive data is customizable based on market requirements and can be flagged using
labels in audit logs.
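
The requirements in Sensitive Data Protection (no plaintext sensitive data in logs),
Security Logs (user ID, time, event type, resource and result in every record) and
Privacy Protection (no credentials or bank account IDs in logs; sensitive data flagged
with labels) can be met by one audit writer that redacts before it serializes. The
following Python is an added example, not Mobile Money code: the set of sensitive field
names, the JSON line format, the label name and the sample events are assumptions, and
long digit runs in free text are masked to their last four digits on the assumption that
they are card or account numbers.

```python
import json
import re
import time
from typing import Any, Callable, Dict, Iterable, Optional

# Field names treated as sensitive (taken from the page's list; names are assumed).
SENSITIVE_FIELDS = {"pin", "password", "voucher_code", "secret_word",
                    "bank_account", "sms_credential"}
# Long digit runs in free text (card or bank account numbers) are masked
# except for the last four digits.
ACCOUNT_NUMBER = re.compile(r"\b\d{10,19}\b")


def _mask_number(match) -> str:
    digits = match.group(0)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(obj: Any, key: str = "") -> Any:
    """Recursively copy a structure, replacing sensitive fields outright and
    masking account-like numbers inside any remaining string values."""
    if isinstance(obj, dict):
        return {k: redact(v, k) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, key) for v in obj]
    if key.lower() in SENSITIVE_FIELDS:
        return "***"                       # presence is logged, the value never is
    if isinstance(obj, str):
        return ACCOUNT_NUMBER.sub(_mask_number, obj)
    return obj


def audit_record(user_id: str, event_type: str, resource: str, result: str,
                 details: Optional[Dict[str, Any]] = None, labels: Iterable[str] = (),
                 clock: Callable[[], float] = time.time) -> str:
    """One JSON audit line with the fields the page requires (user, time, event
    type, resource, result). Sensitive values never reach the line; a label
    records that something was redacted so auditors can still find the event."""
    details = details or {}
    safe = redact(details)
    label_set = set(labels)
    if safe != details:
        label_set.add("sensitive_data_redacted")
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(clock())),
        "user": user_id,
        "event": event_type,
        "resource": resource,
        "result": result,
        "labels": sorted(label_set),
        "details": safe,
    }
    return json.dumps(record, sort_keys=True)


# Constructed events: an operator links a bank account to a customer, and a
# second operator fails a PIN reset for lack of permission.
SAMPLE_EVENTS = [
    ("op01", "CUSTOMER_UPDATE", "customer/2557", "success",
     {"bank_account": "1234567890123456", "msisdn": "+15550001",
      "note": "linked card 4111111111111111"}),
    ("op02", "PIN_RESET", "customer/2557", "failure",
     {"pin": "1234", "reason": "operator not authorised"}),
]


def render_sample() -> list:
    """Serialize the constructed events with a fixed clock for reproducibility."""
    return [audit_record(*event, clock=lambda: 0) for event in SAMPLE_EVENTS]
```

Redaction happens on a copy, so the caller's data is untouched; the label is derived
from whether anything changed, which means a record never claims to be clean while
carrying a masked value.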

Interface Security
 The system does not support functions for accessing the system or data by bypassing
security mechanisms such as authentication, permission control, and logging.
 The system does not support secret access channels, including hidden accounts,
passwords, unauthenticated commands or parameters, combination keys, protocols,
ports, services, production commands or ports, commissioning commands or ports, and
operations (except the query operation) that are not logged.
 The system does not support unmanageable authentication or access modes, such as
unmanageable account IDs, man-machine interfaces, hard-coded commands of remote
machine-machine interfaces, and interfaces that can access the system without
authentication.
 All WebService interfaces are authenticated before being invoked.
 Encrypted channels are used to transmit sensitive data through WebService interfaces.

 Parameters submitted through WebService interfaces are verified to prevent injection
attacks.

Web Verification Code Security


 Web verification codes are presented on images in the Joint Photographic Experts Group
(JPEG), Portable Network Graphics (PNG), or Graphics Interchange Format (GIF)
formats.
 Web verification codes are generated randomly.
 Web verification codes are not associated with any information submitted by a client.
 Random web verification codes generated by the web verification code module are not
displayed in the source code of static client pages.
 A web verification code expires immediately after being used. New web verification
codes are generated for new requests.
 A web verification code and authentication information (such as user name and
password) must be sent to the server at the same time. The system verifies the
authentication information only when the web verification code is correct.
 The web verification code module supports background interference and character
distortion to resist automated recognition of the code.
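
The server-side half of these rules (a randomly generated code that never appears in
the page source, kept only on the server, expiring on first use, and checked before the
user name and password are looked at) is shown in the following Python. It is an added
example, not Mobile Money code; the character set, code length and lifetime are
assumptions, and the image rendering and the credential check are left to callers,
with the credential check passed in so the test can observe that it is not invoked when
the code is wrong.

```python
import secrets
import string
import time
from typing import Callable, Dict, Tuple

ALPHABET = string.ascii_uppercase + string.digits   # assumed character set
CODE_LEN = 6                                        # assumed length
TTL_SECONDS = 120                                   # assumed lifetime


class VerificationCodes:
    """Server-side store of outstanding codes, one per session."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, session_id: str) -> str:
        """Random code from the CSPRNG, kept only on the server; the caller
        renders it into an image and never writes it into the page source."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self.pending[session_id] = (code, self.clock())
        return code

    def consume(self, session_id: str, answer: str) -> bool:
        """Single use: the code is removed on the first attempt, right or wrong,
        so a captured code cannot be replayed. Expired codes are rejected too."""
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return False
        code, issued_at = entry
        if self.clock() - issued_at > TTL_SECONDS:
            return False
        answer = answer.strip().upper()
        if len(answer) != CODE_LEN or not answer.isascii():
            return False
        return secrets.compare_digest(code, answer)


def login(codes: VerificationCodes, session_id: str, captcha_answer: str,
          username: str, password: str,
          check_credentials: Callable[[str, str], bool]) -> str:
    """Code and credentials arrive in the same request; the credentials are only
    evaluated once the code has been accepted, so a guessing run is stopped by
    the code before it can probe passwords."""
    if not codes.consume(session_id, captcha_answer):
        return "verification code incorrect"
    if check_credentials(username, password):
        return "success"
    return "authentication failed"
```

Because consume() pops the entry before comparing, a wrong answer also invalidates the
code and the client must fetch a new image, which is the property that makes the code a
rate limiter rather than a puzzle that can be retried.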

System Operation Security and Protocol Security


 Mechanisms are provided to prevent service resources misuse, such as the misuse of user
registration, emails, and buddy reference.
 Secure protocols such as SSH v2, TLS 1.0, SSL 3.0, IPSec, SFTP, and SNMPv3 are used,
and insecure protocols such as FTP and Telnet can be disabled. Note that SSL 3.0 and
TLS 1.0 have since been deprecated (RFC 7568 and RFC 8996); new deployments should
enable TLS 1.2 or later and disable the older versions.
 Management and service functions can be deployed separately.
 All communication links to external systems are necessary for system operation and
maintenance. Unnecessary ports can be disabled.
 Access authentication mechanisms are provided for all communication ports and
protocols used to manage the system.
 All vulnerable protocols that interact with end users and interconnect with non-trusted
networks are guarded against malformed packet attacks.
 Access authentication mechanisms are provided for all physical ports used by external
devices (such as HSM and load balancer) to manage the system.

Web Coding Security


 All user inputs are verified. If a user enters an invalid value, the system displays an error
message and instructs the user to enter a valid value.
 All input values are also verified on the server. If an input value is found to be
invalid, the session can be terminated and an alarm log is generated.
 Plaintext information in an HTTP header cannot be used as a security credential.
 Final authentication is performed by program code on the server instead of on clients.
 If a value is verified on a client but fails to be authenticated on the server by the same
rules, the server terminates the session and generates an alarm log.
 The length of an input value can be verified.
 The range of an input value can be verified.

 Parameter values used for redirection must not contain carriage return or line feed
characters, because these characters can be used in HTTP response splitting attacks.
 Precompiled prepared statements can be used to replace SQL statements that are directly
executed, preventing the risk of SQL injection attacks.

Transaction Consistency
 Account balances are updated only by normal service transactions, in which the decrease
of one account's balance and the matching increase of another account's balance are
applied together as one atomic operation.
 Accounts are reconciled inside Mobile Money and with bank systems to ensure that
account balances are correct.

2.4.2 System Level Security


Components at the system level include operating systems, databases, middleware, web
servers, and so on.
Mobile Money uses the Oracle database, which is customized during installation and
hardened to ensure database security.
Security configurations are made for other middleware and web servers to ensure that a secure
system platform environment is provided for application running and maintenance.
The Windows system is used as the operation environment for configuration and service
management clients. Antivirus software is installed and security configurations are made to
ensure the security of the Windows operating system.

Operating System Security


 Operating system installation: unnecessary components are removed and the latest
verified patches are installed. Secure versions (V2 or later) of integration software such
as SSH are installed.
 System logs: Configurations are made so that the system logs important operations, such
as su operations, local and remote login operations. Logs are also generated for failed
operations, account and permission maintenance operations, and file transfer operations.
 Minimized network services: Unnecessary standard services such as rexec, rlogin, rsh,
telnet, ftp, and tftp are disabled.
 Minimized startup services: Services that are not used or recommended to be disabled
are disabled, such as NIS, NFS, printer, GUI login, email, Web, and RPC services.
 Service security configurations: Services such as SNMP and NTP are configured based
on industry security recommendations.
 Log audit: Mobile Money logs user logins, user switching (su) operations, and network
connection activities. The system logs are protected against tampering.
 Directory and file protection: Important system directories and files (such as password
files, group files, system configuration files, and system logs) are protected against
unauthorized access and modification through permission control.
 System access, authentication, and authorization: Login through a serial port or
dedicated FTP account is prohibited. Remote login as the root user or login through
important production accounts are restricted. Unnecessary FTP permission is revoked.
Insecure authorization modes such as trusted host are disabled.
 Accounts and operation environment: Unnecessary system accounts are disabled, or their
login permission is revoked. The configuration, login, and operation environment of
active accounts is adjusted to ensure that passwords are not empty and that the
permission settings for home directories and configuration files are secure. The
default umask is changed to prevent unauthorized access to files. If a user does not
perform any operation in a specified time period after logging in using a maintenance
account, the system automatically terminates the login session.
 Password policy: Strong password polices are used and password life cycle management
is enabled. If a user enters incorrect passwords for a specified number of times when
logging in to the system, the system locks the user's account. When a user logs in to the
system using a password configured or reset by an administrator, the system requires the
user to change the password, and allows the user to log in only when the password is
successfully changed.
 Login prompt: Internal system information is hidden and security alarms are configured
for SHELL and FTP login operations.

Database Security
 Installation: Only required components and the latest verified patches are installed.
 Operating system access: Only the Oracle user and the DBA group are allowed to access
Oracle files. The default umask for the Oracle user is set to 022 to prevent
replacement and modification of Oracle files.
 Account management: Unused default accounts are locked and set to the Expired state.
Default passwords for these accounts are changed.
 Password policies: Strong password policies restrict the length and composition
(uppercase letters, lowercase letters, and digits) of passwords. Password life cycle
control is applied: for example, a password must be changed after being used for a
specified time period, and historical passwords cannot be reused.
 Permission control: Database user accounts must be verified. Data dictionaries and
system tables are protected against unnecessary access from common accounts. The
Public group is disabled and the permission of the Public group is revoked. The
administrator group, application work group, application maintenance group, backup
group, and log access group are set up and their database access permissions are
restricted. A user account is assigned only the predefined role with the minimum
permission required for work.
 Network access: A firewall is used to restrict access to the database. Only port 1521
(configurable) can be used for access by default. Client IP addresses can also be
restricted to prevent unauthorized access. A listener is prevented from reading and
writing database files to prevent attacks to the database through a listener.
 Auditing and log recording: All security events are logged and the audit function is
enabled for all data definition language (DDL) operations. For maintenance accounts, all
operations are audited. Activities of application running accounts can also be audited if
necessary. A special log access account is created for the centralized log server to
retrieve logs to be audited.

Web Server Security


The security of a web server is hardened as follows:
 Operation policies: User permission is restricted. The default console is deleted or the
security of the administrator password is enhanced.
 Basic configuration polices: Parameters in configuration files are properly configured to
avoid risks caused by incorrect configuration.
 Permission on file directories is restricted.
 Complete log auditing is supported.

2.4.3 Network Layer Security


Architecture of Huawei Mobile Money

Figure 1.1 Architecture of Huawei Mobile Money

 Transaction Point - TP
The TP is the core node of the Mobile Money system. The node includes the following
components:
− Transaction Center (TC): The TC processes transaction and action services and
handles accounting. The TC mainly consists of the account subsystem and the
Transaction Execution Framework (TEF). The account subsystem provides the
capabilities to manage account entities, move funds (accounting), and update
account statements. The TEF controls the transaction execution process and ensures
that the account subsystem moves the funds between the debit and credit accounts
successfully.
The TC is deployed in a load balanced cluster, which can be scaled out linearly.
− Identity Center (IC): The IC focuses on identity information management, identity
entity operation, and identity data provisioning.
The IC is deployed in a load balanced cluster, which can be scaled out linearly.
− Notification Center (NC): The NC is a bidirectional communication component
providing the capabilities to format and send notifications. It can send messages and
receive responses such as the SMS delivery confirmation from external systems.
The NC is deployed in a load balanced cluster, which can be scaled out linearly.
 Business Supporting Point - BSP
The BSP runs all components supporting functions for core business services other than
real-time business logic. It includes the following components:
− Bulk Center (BC): The BC is the central point of periodic task scheduling in the
Mobile Money system. The BC schedules tasks, delivers task items, handles task item
execution results, and allocates task data quotas. The tasks themselves are executed
in the relevant application component.

The BC is deployed in a two-node cluster in active-standby mode.


− Unified Configuration Center (UCC): The UCC is a central point for managing
configurations, controlling versions, and sending notifications on configuration
changes. Logically, it manages all business configurations and system
configurations with version control if required. The UCC functions as a data
provisioning center for the Mobile Money system to drive different application
components to work.
The UCC is deployed in a load balanced cluster, which can be scaled out linearly.
− Unified Menu Center (UMC): The UMC manages USSD and STK menu
configurations and generation, for example, rendering menu prompts step by step
and delivering new STK menus.
The UMC is deployed in a load balanced cluster, which can be scaled out linearly.
− Messaging Queue (MQ): The MQ responds to delivery requests received by the
Mobile Money system and sends responses to external systems efficiently and
reliably. The MQ connects to the Access Gateway and TP components.
The MQ is deployed in a two-node cluster in active-standby mode.
 Portal
There are two types of web portals: SP portal and organization portal. The SP portal is
provided for SP operators and the organization portal is provided for organization
operators.
The SP portal enables SP operators to configure, manage, and monitor all aspects of the
Mobile Money system.
The organization portal enables organization operators to manage their accounts and
initiate and query transactions.
The Portal is deployed in a load balanced cluster, which can be scaled out linearly.
 Access Gateway - AG
The AG has two layers: foundation layer and access layer.
The foundation layer provides common low-level capabilities for the access layer. The
low-level capabilities include the pluggable framework, common capabilities, and
transport end-point. All capabilities in the foundation layer can be reused by different
access gateway components.
The access layer receives external requests, parses messages from communication
protocols, converts original external messages into internal messages, looks up internal
services, and then dispatches the internal messages to back-end applications for
processing.
The AG is deployed in a load balanced cluster, which can be scaled out linearly.
 I2000
The I2000 provides the management capabilities at the Network Element (NE) level. The
main capabilities include configuration management, performance management,
topology management, fault management, security management, and system
management.
The I2000 can be deployed either in a single-node system or in a two-node cluster based
on the budget.
 Reporting
A strong report system is a basic requirement for efficiently managing services in the
Mobile Money system. Huawei provides an advanced report subsystem.
Features of the Report subsystem are as follows:

− Report management: Report management is similar to file management and aims at
managing report template files, report files, and relevant data files.
− Data source management: The administrator configures the schema information of the
service database as a data source. The administrator can then design report template
files based on these data source definitions.
− User management: The administrator can create or modify users or user groups for
the report subsystem and maintain the user relationships of the subsystem.
 Big Data Integration (BDI): The core capability of the BDI is to handle data through a
standard ETL flow, so that data can be extracted, transformed, and loaded from the
original data source to the target one. The data processing components for extracting,
transforming, and loading data are designed to be configurable and pluggable to meet
various customization requirements on data processing.
 Database
Transactions, wallets, customer and agent data, and audit logs are stored in the Oracle
database.
There are two types of databases: online database and short-term database (optional).
All active wallet, customer, and agent data, and all transactions in completed or pending
state from the last half year, are stored in the online database. Online transaction
processing runs in the online database.
Data in the online database is replicated in real time to the short-term database (also
named the query database). The short-term database can store data for one or more
years, depending on the storage capacity. All query requests are served by the
short-term database.
The database is deployed in a two-node cluster in active-standby mode.
 Software Load Balancer - SLB
The SLB is a load balancer component that distributes incoming and outgoing messages
across the background components to balance their load. The SLB sits in front of the
AG and is deployed in the DMZ, functioning as the interface between external systems
and the background applications. The SLB is deployed in a two-node cluster in
active-standby mode.
 SFTP Server
All extracts, bank statements, and reconciliation reports are transferred to the SFTP
server, which functions as a file exchange point between external systems and the
Mobile Money system.
The SFTP server is deployed in a two-node cluster in active-standby mode.
The service maintenance terminal runs the Windows operating system. Install the latest
anti-virus software on the operating system to protect it from network viruses.

Network Layer Security

The Mobile Money network can be divided into five layers: service network, maintenance
network, management network, backup network, and disaster recovery network.
 Service network: used to run products and services, interconnect with external product
systems, and process access requests from the Internet.
 Maintenance network: used to deploy clients such as I2000 to remotely commission and
configure hardware and software for hosts, storage systems, network devices, and
products.
 Management zone: includes the I2000 server or iTrace used to collect logs and alarm
information for the system and network devices.
 Backup network: used to back up service data and operating system data from key
service running hosts. Only one switch is used in the backup network. A two-node cluster
can be configured based on customer requirements.
 Disaster recovery network: used to transmit data between the production center and
disaster recovery center. Two switches working in active/standby mode are used in the
disaster recovery network to connect to remote networks. If the carrier has no
requirement on disaster recovery, the disaster recovery network can also be omitted. In
the Mobile Money networking, the disaster recovery data cable runs through the ATAE
backplane to ensure high data rate without occupying bandwidth of the switch board.

Network Security Zone Division

 Network security zones are divided based on service types of hosts, security
requirements, and security levels, such as core zone, management layer (MT), DMZ
zone, MO zone (intranet access zone), and data domain.
 Hosts that provide services to the Internet are placed in the DMZ zone.
 Hosts that provide services for customers' office networks (such as the I2000 network
management system) are placed in the MT zone.
 The system design prohibits users from accessing management interfaces after logging in
to the user portal.
 Non-trusted hosts of internal access systems (such as I2000 clients) are placed in the
internal access domain (MO zone).
 Network elements that contain key customer data are placed in the core zone.
 Key transaction data generated by core network elements and user data are stored in the
data zone.

Border Control for Security Zones

Access relationships in the Mobile Money system are described as follows:
 Internet users and users in the external access zone (except maintenance users) can
access only the access gateway.
 A user accesses the web server in the DMZ zone through the access gateway to use web
services provided by the web server.
 The web server accesses the core service and the data zone server through a firewall.
 The core service and data zone servers connect to the payment gateway.
 The payment gateway connects bank systems and third-party payment systems through a
firewall to execute payment operations.
Security protection between the Internet access zone and external access zone:
 A DDoS prevention device is deployed at the Internet border to prevent DoS attacks
from the Internet.
 IP address and port filtering policies are configured in firewall A. The IP address
filtering policies filter the source IP addresses of remote access networks and
organization networks, and restrict the destination addresses to the gateway addresses
that are allowed to be accessed. The port filtering policies filter requests from the
Internet on non-MM service ports.
 An IPS (intrusion prevention system) is used to prevent intrusion from the Internet.
Security protection between the external access zone and DMZ zone:
 An IPS (intrusion prevention system) is deployed to prevent intrusion from the
external access zone.
 IP address and port filtering policies are configured in firewall B. IP address filtering
policies are configured to prevent users in an external access zone from directly
accessing core services and the data zone. Users in an external access zone are allowed
to access only web server addresses in the DMZ zone. Port filtering policies are
configured to filter requests through non-MM service ports from external users.
 The DMZ zone can access external zones through a firewall without destination address
restrictions.
Security protection between the external access zone and core service and data zone:
Policies are configured in firewall B so that servers in the DMZ zone can access only the core
internal service and data zone through specified communication ports.
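The access relationships and firewall policies above can be checked mechanically. The following Python example, added here and not part of Huawei's document or product, models the zone pairs, the specified DMZ-to-core ports and the IPSec VPN client address pool for maintenance access as a policy table and evaluates sample flows against it; all zone names, port numbers, addresses and flows are constructed assumptions.

```python
"""Evaluate a traffic flow against the zone access relationships described above.

Added example, not Huawei's code. Zone names, port numbers, the VPN client
address pool and the sample flows are constructed; the real values come from
the communication matrix Huawei supplies for a deployment.
"""
import ipaddress
from dataclasses import dataclass

ANY_PORT = object()  # marker: no port restriction for that zone pair

# Allowed zone pairs and the destination ports they may use.
ALLOWED = {
    ("internet", "dmz"): {443},            # Internet users reach only the access gateway
    ("external_access", "dmz"): {443},     # external access zone reaches only the web/AG tier
    ("dmz", "core"): {8443},               # firewall B: DMZ -> core only on specified ports (assumed)
    ("dmz", "data"): {1521},               # assumed Oracle listener port
    ("dmz", "external_access"): ANY_PORT,  # text: no destination address restriction
    ("core", "payment_gateway"): {8443},
    ("data", "payment_gateway"): {8443},
    ("payment_gateway", "bank"): {443},
}
VPN_CLIENT_POOL = ipaddress.ip_network("10.200.0.0/24")  # constructed pool on the firewall
MAINTENANCE_PORTS = {22}                                  # SSH/SFTP instead of Telnet/FTP


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_port: int


def evaluate(flow: Flow) -> str:
    """Return 'ALLOW' or a 'DENY: <reason>' string for one flow."""
    if flow.src_zone == "maintenance":
        # Remote maintenance must come through the IPSec VPN address pool
        # and may reach the core/data zone only over encrypted protocols.
        if ipaddress.ip_address(flow.src_ip) not in VPN_CLIENT_POOL:
            return "DENY: maintenance source not in the VPN client address pool"
        if flow.dst_zone in ("core", "data") and flow.dst_port in MAINTENANCE_PORTS:
            return "ALLOW"
        return "DENY: maintenance may reach core/data only on SSH"
    ports = ALLOWED.get((flow.src_zone, flow.dst_zone))
    if ports is None:
        return f"DENY: no access relationship {flow.src_zone} -> {flow.dst_zone}"
    if ports is ANY_PORT or flow.dst_port in ports:
        return "ALLOW"
    return f"DENY: port {flow.dst_port} not opened for {flow.src_zone} -> {flow.dst_zone}"


SAMPLE_FLOWS = [  # constructed
    Flow("internet", "203.0.113.5", "dmz", 443),
    Flow("internet", "203.0.113.5", "core", 8443),
    Flow("dmz", "192.0.2.10", "core", 8443),
    Flow("dmz", "192.0.2.10", "data", 23),
    Flow("maintenance", "10.200.0.7", "core", 22),
    Flow("maintenance", "198.51.100.9", "core", 22),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_zone:>15} -> {f.dst_zone:<15} :{f.dst_port:<5} {evaluate(f)}")
```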

Network Protocol Security

In the Mobile Money system, encrypted protocols are used to replace plaintext protocols.
Maintenance personnel may need to remotely access servers and databases. Encrypted remote
connection protocols are used to replace plaintext remote connection protocols. The following
protocols are recommended:
 SSH is used to replace Telnet.
 SFTP is used to replace FTP.
 HTTPS is used to replace HTTP.
 SNMPv3 is used to replace SNMPv1/v2.
It is recommended that maintenance personnel access the core service and data zone through a
VPN during remote maintenance. The VPN service can be enabled on the firewall. The VPN
type is set to IPSec VPN and a VPN client address pool can be configured on the firewall so
that only addresses in the address pool can remotely connect to servers through the firewall.
The VPN service allocates client IP addresses to maintenance personnel, and filtering policies
are configured in the firewall.

Network Transmission Encryption

User access to the management system must be encrypted, for example, by using SSH,
HTTPS, IPSec, SFTP, and SNMPv3.

Network Device Security

Security configurations must be made for network devices added to the Mobile Money
system. For example, risky ports such as ports 135 and 139 must be disabled, SSH must be
used to replace Telnet, security configurations must be made for routing protocols, strong
passwords must be configured, the vty line must be controlled, and access restrictions must be
configured for AAA users.
Security configurations of new devices are to be made by device providers. Huawei provides
a communication matrix to provide information on communication ports that need to be
enabled during minimized service port configuration for network devices.
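The protocol replacements listed under Network Protocol Security and the minimized service port configuration described here can be verified against a communication matrix. The following Python example is added here and is not Huawei's code or its communication matrix: it flags enabled entries that still use Telnet, FTP, HTTP or SNMPv1/v2c or the risky ports 135 and 139, and derives the set of ports that may remain open per host; the host names and matrix entries are constructed.

```python
"""Review a communication matrix for plaintext protocols and risky ports.

Added example, not Huawei's code. The matrix entries below are constructed;
the real communication matrix is the one Huawei supplies for the deployment.
"""
from dataclasses import dataclass

# Plaintext protocol -> recommended encrypted replacement (from the text above).
PLAINTEXT_REPLACEMENT = {
    "telnet": "SSH",
    "ftp": "SFTP",
    "http": "HTTPS",
    "snmpv1": "SNMPv3",
    "snmpv2c": "SNMPv3",
}
RISKY_PORTS = {135, 139}  # ports the text says must be disabled on network devices


@dataclass(frozen=True)
class MatrixEntry:
    src: str       # source host or host group
    dst: str       # destination host or host group
    protocol: str  # e.g. "https", "ssh", "telnet", "snmpv3"
    port: int
    enabled: bool  # whether the port is opened in the current configuration


def review_matrix(entries):
    """Return (entry, finding) pairs for enabled entries that violate the rules."""
    findings = []
    for e in entries:
        if not e.enabled:
            continue  # a disabled plaintext service is already minimised away
        proto = e.protocol.lower()
        if proto in PLAINTEXT_REPLACEMENT:
            findings.append((e, f"plaintext {e.protocol} on {e.dst}:{e.port}; "
                                f"replace with {PLAINTEXT_REPLACEMENT[proto]}"))
        if e.port in RISKY_PORTS:
            findings.append((e, f"risky port {e.port} on {e.dst} must be disabled"))
    return findings


def minimized_ports(entries):
    """Ports that may stay open per destination host: only clean, enabled entries.
    Everything not listed here is closed (minimised service port configuration)."""
    flagged = {e for e, _ in review_matrix(entries)}
    result = {}
    for e in entries:
        if e.enabled and e not in flagged:
            result.setdefault(e.dst, set()).add(e.port)
    return result


SAMPLE_MATRIX = [  # constructed
    MatrixEntry("slb", "ag", "https", 443, True),
    MatrixEntry("i2000-client", "i2000-server", "telnet", 23, True),
    MatrixEntry("i2000-server", "core-switch", "snmpv2c", 161, True),
    MatrixEntry("mo-terminal", "sftp-server", "sftp", 22, True),
    MatrixEntry("mo-terminal", "sftp-server", "ftp", 21, False),
    MatrixEntry("legacy-host", "core-switch", "smb", 139, True),
]

if __name__ == "__main__":
    for entry, finding in review_matrix(SAMPLE_MATRIX):
        print(f"{entry.src} -> {entry.dst}: {finding}")
    print("ports to keep open:", minimized_ports(SAMPLE_MATRIX))
```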
Time Synchronization
The IP address of a time synchronization server can be configured in devices in the network
so that the time of devices can be synchronized to the server time.

2.4.4 Management Layer Security

Carriers must set up security teams and procedures to ensure the long-term security of
services.
Huawei provides security support procedures to help carriers draw up security-related
procedures that ensure production system security and service continuity.

Organization and Procedure

Carriers must set up a security management team, release maintenance and management
procedures, and empower the security management team to monitor the Mobile Money
system. The security management team must include personnel that can maintain the system
and handle emergencies. Recommended personnel include security administrator, system
administrator, system operator, and report operator.
 Security administrator: responsible for the system security and manages important
accounts and passwords. Anyone who wants to access system devices (such as hosts,
database servers, and network equipment) must be approved by the security
administrator beforehand.
 System administrator: first owner of system management and responsible for periodic
maintenance.
 System operator: responsible for routine operations, such as system backup.
 Report operator: responsible for periodically checking and generating system reports.
 All personnel must be aware of attack prevention.

Log Checking and Audit

The Mobile Money system generates operation and system logs. These logs should be
periodically backed up to a secure place, for example, a remote server or tape, and securely
stored. If there is no automatic backup mechanism, routine audits of the logs and of the log
storage space are crucial.
Log verification is key to identifying abnormal operations.
 Mobile Money Operation Log Backup
Mobile Money operation logs must be stored for a period as required by the management
policies and local government regulations. Logs must be backed up to a different storage
media using a dedicated log server. Only the system administrator or another properly
authorized user can back up and view the logs. No one is allowed to modify the logs.
 Unix System Log Backup
For a multi-user Unix operating system, the system logs subscriber login and su
command operations. The logs can be viewed using a command. In most cases, the
operating system does not log all operations. Login logs must be periodically backed up.
The log files, paths, and usage rules vary according to operating system versions. A Unix
host provides a special console for maintenance and can be logged in through internal
communication (for example, through a serial port). Therefore, specific rules must be
defined to control the communication.
 Log Audit
A log audit procedure must be established. An administrator must periodically audit
operation and recharge logs to identify possible exceptions. Log audit includes but is
not limited to the following activities:
− Check the audit logs of the operating system and databases.
− Check the operation logs of application systems.
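The log audit above can be partly automated. The following Python example, added here and not part of Huawei's document, audits constructed login and su records in a simplified key=value format (real Unix log formats vary by operating system version, as noted above): it flags logins from outside the VPN client address pool described under Network Protocol Security, su to root by accounts the security administrator has not approved, and repeated failed su attempts; the pool, the approved-account list and the log lines are assumptions.

```python
"""Audit Unix login and su records for abnormal operations.

Added example, not Huawei's code. The record format, the VPN client pool,
the approved-account list and the log lines are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

VPN_CLIENT_POOL = ipaddress.ip_network("10.200.0.0/24")  # constructed pool on the firewall
ROOT_APPROVED = {"maint01"}   # accounts approved by the security administrator to become root
FAILED_SU_THRESHOLD = 3       # report after this many failed su attempts by one account

# Simplified record: "<timestamp> <login|su> key=value ..." (constructed format)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>login|su) (?P<kv>.*)$")


def parse(line):
    """Parse one record into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "event": m["event"]}
    rec.update(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    return rec


def audit(lines):
    """Return a list of human-readable findings; an empty list means nothing abnormal."""
    findings = []
    failed_su = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            findings.append(f"unparseable record: {line!r}")
            continue
        if rec["event"] == "login" and rec.get("result") == "ok":
            # Maintenance logins must originate from the VPN client address pool.
            src = ipaddress.ip_address(rec["from"])
            if src not in VPN_CLIENT_POOL:
                findings.append(f"{rec['ts']} login by {rec['user']} from {src} outside VPN client pool")
        elif rec["event"] == "su":
            if (rec.get("result") == "ok" and rec.get("target") == "root"
                    and rec["user"] not in ROOT_APPROVED):
                findings.append(f"{rec['ts']} unapproved su to root by {rec['user']}")
            if rec.get("result") == "failed":
                failed_su[rec["user"]] += 1
                if failed_su[rec["user"]] == FAILED_SU_THRESHOLD:
                    findings.append(f"{rec['ts']} {FAILED_SU_THRESHOLD} failed su attempts by {rec['user']}")
    return findings


SAMPLE_LOG = [  # constructed records
    "2017-07-20T02:14:05 login user=maint01 from=10.200.0.7 result=ok",
    "2017-07-20T02:16:40 su user=maint01 target=root result=ok",
    "2017-07-20T11:03:12 login user=oper02 from=198.51.100.9 result=ok",
    "2017-07-20T11:05:00 su user=oper02 target=oracle result=failed",
    "2017-07-20T11:05:09 su user=oper02 target=oracle result=failed",
    "2017-07-20T11:05:20 su user=oper02 target=oracle result=failed",
    "2017-07-20T23:40:00 su user=report01 target=root result=ok",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```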

Software Package Virus Scan

Before officially releasing a Mobile Money software package, Huawei engineers scan it for
viruses. If an alarm is generated, a corresponding note is provided. The scanning records
(including the antivirus software name and version, virus library version, scanning time,
and scanning results) are archived and released together with the software package
(including patches).

Software Integrity Protection

Mobile Money provides a digital signature mechanism for document integrity verification
during installation and upgrade.
3 Security Assurance

About This Chapter

3.1 Security Statements and Qualification
3.2 Security Assurance Procedures

3.1 Security Statements and Qualification

We have established and implemented an end-to-end global cyber security assurance system.
We emphasize that our commitment to cyber security will never be outweighed by the
consideration of commercial interests. It is our primary responsibility and guiding principle to
ensure the stable and secure operation of our customers' network and business (especially in
times of natural disasters such as earthquakes and tsunamis and other emergencies); we
understand that cyber security concerns of the industry and society are increasing.
Huawei is committed to providing best-in-class (as defined by our customers and government
stakeholders) products and services to meet the needs of our customers. We take cyber
security seriously and have invested substantial resources into our efforts to promote and
improve the ability of our company, our peers and others to provide the best-possible security
assurance and ensure a safer and more secure cyber world for all.
Huawei has already been certified to BS7799-2/ISO27001 accreditation since 2004.

3.2 Security Assurance Procedures

In addressing the requirements of cyber security, we have built the required best practice
into all of our standard processes, baselines, policies and standards. In this way, cyber
security is not an afterthought. Instead, it is a standard part of the way we do our daily
business; it has become part of our DNA.
Figure 1.1 The security assurance procedures in Huawei's IPD

The design and development of Huawei's hardware/software/functionality complies with the
Integrated Product Development (IPD) processes. Combining the leading practices of the
industry and our own as-is status, Huawei embeds security activities into each phase of the
IPD process. Through product security threat analysis, security design, code security scan,
security tests and some other activities, Huawei continuously improves the security of its
products and reduces security threats.
Complying with the IPD processes, the hardware/software/functionality of Huawei's products
is strictly tested before release, with special attention to security aspects. Security tests
include not only security baseline tests but also special security tests, such as Coverity and
Fortify static code scanning, Nmap port scanning, Nessus vulnerability scanning, NGSSQuirreL
database scanning, AppScan application-level web scanning, Codenomicon protocol
robustness testing, and more.
We have our own security technology teams that analyze best practices in the industry,
explore root causes for product issues, update the security baseline for each R&D team, and
communicate the baseline to the research and development (R&D) teams through fixed
processes. All issues found in our products will be tracked and closed in the defect trace
system (DTS). Our QAs will regularly identify product issues (including security issues) and
report them to the product lines where root causes are analyzed and future versions are made
better. We will also train our employees to avoid introducing similar issues to their
development processes. Moreover, we also publish design cases regularly to promote the
product teams' awareness of product security and share good experiences.
Internally: The construction of a security testing laboratory which is independent of products
is underway. The laboratory will conduct security tests for the products, including source code
analysis for software.
Externally: Huawei has established a Cyber Security Evaluation Center (CSEC) in the UK to
analyze the source code of the products which will be deployed in the UK. In addition,
Huawei cooperates with other third party companies such as Electronic Warfare Associates for
product source code sharing.
However, we accept that having a process does not mean that it is a good process, or that
anyone actually executes it. To address these issues, we have taken the following actions:
1. Huawei has established standardized business processes globally and has identified
Global Process Owners (GPOs) for each process and Key Control Points (KCPs). In
addition, Huawei has established a Global Process Control Manual and a Segregation of
Duties Matrix that are applicable to all subsidiaries and business units. The GPOs are
responsible for ensuring the overall internal control effectiveness, in light of changes in
operational environment and risk exposures.
2. From a governance perspective, there is a standing Board Committee dedicated to cyber
security chaired by a Deputy Chairman. On this Board sits the main Board Members and
Global Process Owners who have a role in ensuring that cyber security requirements are
embedded in processes, policies and standards and that they are executed effectively. If
there is any conflict, or resource issue in cyber security, this committee has the power,
remit and seniority to make decisions and change the business without reference to
anyone else.
3. Huawei auditors use the Key Control Points and the Global Process Control manual to
ensure processes are executed and that they are effective. Audits, external inspections
and third-party reviews all validate what is happening against what should happen.
Individual personal accountability and liability (the rules and regulations) are built into
Huawei's Business Conduct Guidelines and business processes that specify how we must
behave in our daily operations. Knowledge is updated through online exams every year
to keep knowledge current, and this forms part of our Internal Compliance Program.
At Huawei, because we have built cyber security requirements into our processes, each
executive, manager and individual has personal accountability and ownership of their
responsibilities. This level of responsibility implies several underlying factors, including
continuous training, getting the balance right between incentive and personal liability, and
continuous loop-back processes to enhance our capabilities and validate our assurance level.
This is the Huawei way of meeting the challenges of cyber security.