If your phone ever gets stolen, or your SIM card goes missing, be scared!
Ok guys, let’s talk USSD!
It is one of the fastest-growing ways of making bank transactions in Nigeria, yet it isn’t as secure as your bank wants you to believe (close to 50% of the security architecture does not depend on them), and truth be told, only a thin line separates an adversary from the money in your USSD-linked bank account.
I will make a sketchy note.
Pardon the icons, but yea, this is how USSD works:
- You open a session by dialling your bank’s code, say *966# for Zenith Bank (just because I know none of you uses Zenith)
- A packet is sent to your network provider, say 9Mobile, which in turn sends it to your bank
- You browse the menu and try to send money to her (maintaining the session)
- You enter her account number, the amount and your PIN (a random 4 digits, or by default the last 4 digits of your BVN or debit card)
- You confirm and, voila, your transaction is done.
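To make the five steps above concrete, here is an added example (my own toy model, not code from the post or from any bank or network provider). A single `ToyUssdGateway` class stands in for both the network provider and the bank: it knows the caller only by phone number (MSISDN) and PIN, it records every string the phone sends during the session so you can see exactly what the session carries, and it locks the account after repeated wrong PINs as a server-side mitigation. The class and function names, the menu text, the sample phone and account numbers and the lockout threshold are all assumptions made for the example.

```python
# Added example (not from the post): toy model of a USSD bank-transfer session.
# Names, menu text, sample numbers and the lockout threshold are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BANK_CODE = "*966#"       # the Zenith Bank code quoted in the post
MAX_PIN_ATTEMPTS = 3      # assumption: lockout threshold for the toy bank


@dataclass
class Account:
    msisdn: str           # the phone number the bank knows the customer by
    pin: str              # 4-digit USSD PIN
    balance: int
    failed_attempts: int = 0   # counted per account, so re-dialling does not reset it
    locked: bool = False


@dataclass
class Session:
    msisdn: str
    state: str = "MENU"
    transcript: List[str] = field(default_factory=list)  # every string sent by the phone
    data: Dict[str, str] = field(default_factory=dict)


class ToyUssdGateway:
    """Stands in for network provider + bank; knows only MSISDN and PIN."""

    def __init__(self, accounts: List[Account]) -> None:
        self.accounts = {a.msisdn: a for a in accounts}
        self.sessions: Dict[str, Session] = {}

    def dial(self, msisdn: str, code: str) -> str:
        """Step 1: the phone opens a session by dialling the bank code."""
        if code != BANK_CODE:
            return "Unknown code"
        session = Session(msisdn)
        session.transcript.append(code)
        self.sessions[msisdn] = session
        return "1. Transfer\n2. Balance"

    def send(self, msisdn: str, text: str) -> str:
        """Steps 2-5: each menu reply travels provider -> bank inside the open session."""
        session = self.sessions[msisdn]
        session.transcript.append(text)
        acct = self.accounts[msisdn]
        if acct.locked:
            session.state = "DONE"
            return "Account locked. Contact your bank."
        if session.state == "MENU":
            if text == "1":
                session.state = "ACCOUNT"
                return "Enter beneficiary account number"
            if text == "2":
                session.state = "PIN"
                return "Enter PIN"
            return "Invalid option"
        if session.state == "ACCOUNT":
            session.data["account"] = text
            session.state = "AMOUNT"
            return "Enter amount"
        if session.state == "AMOUNT":
            session.data["amount"] = text
            session.state = "PIN"
            return "Enter PIN"
        if session.state == "PIN":
            return self._check_pin(session, acct, text)
        return "Session ended"

    def _check_pin(self, session: Session, acct: Account, pin: str) -> str:
        """The PIN is the only thing the bank checks; wrong guesses count towards lockout."""
        if pin != acct.pin:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_PIN_ATTEMPTS:
                acct.locked = True
                session.state = "DONE"
                return "Too many wrong PINs. Account locked."
            return "Wrong PIN, try again"
        acct.failed_attempts = 0
        session.state = "DONE"
        if "amount" not in session.data:          # balance enquiry path
            return f"Balance: {acct.balance}"
        amount = int(session.data["amount"])
        if amount > acct.balance:
            return "Insufficient funds"
        acct.balance -= amount
        return f"Sent {amount} to {session.data['account']}"


def transfer(gw: ToyUssdGateway, msisdn: str, account: str, amount: int, pin: str) -> Tuple[str, List[str]]:
    """Run the whole flow from the post and return the final reply plus the session transcript."""
    gw.dial(msisdn, BANK_CODE)
    gw.send(msisdn, "1")
    gw.send(msisdn, account)
    gw.send(msisdn, str(amount))
    reply = gw.send(msisdn, pin)
    return reply, gw.sessions[msisdn].transcript


def secrets_in_transcript(transcript: List[str], secrets: Dict[str, str]) -> List[str]:
    """Names of the secrets that appear verbatim in what the phone sent during the session."""
    return [name for name, value in secrets.items() if value in transcript]


if __name__ == "__main__":
    # constructed sample customer and beneficiary numbers
    gw = ToyUssdGateway([Account("08012345678", "1234", 10_000)])
    reply, transcript = transfer(gw, "08012345678", "0123456789", 2500, "1234")
    print(reply)
    print("session carried:", transcript)
    print("secrets exposed in session:", secrets_in_transcript(transcript, {"pin": "1234"}))
```

Running it shows two things the list above only states: the session transcript is literally the digits typed, PIN included, and the only server-side checks standing between a caller and the balance are "is this MSISDN known" and "is this PIN right", which is why an attempt counter and lockout on the bank side is the minimum defence worth having.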
But here is the catch:
A. USSD is based on GSM technology, which means that your session uses relatively weak encryption
B. It really doesn’t matter what packet leaves your phone during a session; it is what gets to the network provider, and your bank, that matters. (Know what this means?)
C. Between your phone and the network provider, a malicious person can sniff the packets sent with a tool like Burp Suite, if you are connected to an unsecured wireless network
D. Between your network provider and your bank, an insider can trap or sniff the packets of your session with a tool like a packet analyser
E. The packet contains everything you enter in a session: account number, amount to transfer, your PIN.
F. Your bank and network provider DO NOT know you! They only know your phone number and your PIN.
G. Only your SIM card and PIN stand between you and the money in your bank account.
H. It is difficult but possible to reset your password if your phone is stolen.
Can we make sense of this?
What do you think of USSD?