Thanks James for sharing an updated link that works now and for providing the valuable knowledge and context on the sector from your years of experience working directly with both institutions as well as regulators.
Thank you for imparting practical advice and knowledge to our existing set of users and recommendations on what to implement in Fineract/Fineract-CN. Just this morning Avik was discussing Timeout OTPs on a call I was having with him and I'll let him share more of that on-list. I will try to gather some of the top individuals in our community focused on security so they can bring back additional thoughts and recommendations to the community on list.

Ed

On Wed, Dec 19, 2018 at 9:44 AM James Dailey <[email protected]> wrote:

> Thanks Ed and Kevin... The link I found which works now is https://www.serianu.com/downloads/SaccoCyberSecurityReport2018.pdf . Good intro article on cybersecurity risks for small financial institutions of all kinds.
>
> Yes, SACCOS and SHGs (Self Help Groups) mostly predate the microfinance movement, and have been generally slower to become digital. Many still operate on paper systems. Some are using Mifos. The report is not wrong to say that most orgs of this size and sophistication remain mostly ignorant or barely aware of their cybersecurity vulnerabilities. They also note that many (Kenyan) banks are not much better.
>
> Broadly speaking there is a growing cybersecurity threat directly proportional to the number of users and scope of use of the mifos/fineract systems. While other banking systems remain a much richer target for funds transfer exploits, our community of user-institutions is definitely not immune.
>
> I think the important takeaway for the fineract project is to make sure we are supporting encryption of data "at rest" and "in motion" (e.g. SSL), secure key-storage, One-Time-Passwords (better is Timeout OTP), as well as architecture that assumes it will be hacked and there is a way to *monitor*, *detect* (e.g. key log characteristics are visible to admin and specific issues raise a flag), and subsequently *react* to any intrusion via such functionality as "holding suspicious transactions" or "review exceptional transactions reports". When things are "to be implemented by the devops teams according to best practices" then that should be spelled out in guides. This probably deserves more discussion.
>
> There are also probably several areas of non-functional system features which could be interesting for a developer to work on.
>
> Please report technical security issues to [email protected] .
>
> @Jdailey67
>
> On Tue, Dec 18, 2018 at 10:04 AM Kevin A. McGrail <[email protected]> wrote:
>
> > I had to look up SACCO. Surprised the document didn't spell it out either. It's Savings and Credit Cooperative Organizations for others :-)
> >
> > --
> > Kevin A. McGrail
> > VP Fundraising, Apache Software Foundation
> > Chair Emeritus Apache SpamAssassin Project
> > https://www.linkedin.com/in/kmcgrail - 703.798.0171
> >
> > On Tue, Dec 18, 2018 at 12:52 PM Ed Cable <[email protected]> wrote:
> >
> > > Hi community,
> > >
> > > I thought this would be a valuable read for everyone - SACCOs are becoming a lucrative target for cyber attacks and as one would expect most are under-estimating in cybersecurity.
> > >
> > > We as a community and partners in supporting individual institutions should take into account what measures we can take as we deliver them solutions in the cloud and help them with digital transformation.
> > >
> > > You can download and read the report from Serianu at
> > > https://media.licdn.com/dms/document/C4E1FAQHLuCFQsIiO7w/feedshare-document-pdf-analyzed/0?e=1545232378&v=beta&t=oo0Iyz-B5UJVgfLtCpFApxT8wAmyQrHKSV6_QqLOkLo
> > >
> > > --
> > > *Ed Cable*
> > > President/CEO, Mifos Initiative
> > > [email protected] | Skype: edcable | Mobile: +1.484.477.8649
> > >
> > > *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
> > > http://facebook.com/mifos http://www.twitter.com/mifos

--
*Ed Cable*
President/CEO, Mifos Initiative
[email protected] | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
http://facebook.com/mifos http://www.twitter.com/mifos
