USSD Banking: A Ticking Time Bomb?


#1

If your phone ever gets stolen, or your SIM card goes missing, be scared!

Ok guys, let’s talk USSD!
It is one of the fastest-growing means of making bank transactions in Nigeria, yet it isn’t as secure as your bank wants you to believe (close to 50% of the security architecture does not depend on them) and, truth be told, only a thin line separates an adversary from the money in your USSD-linked bank account.

I will make a sketchy note.

Pardon the icons, but yeah, this is how USSD works:

  1. You start a session with your bank code, say *966# for Zenith Bank (just because I know none of you uses Zenith :joy:)
  2. A packet is sent to your network provider, say 9Mobile, which in turn sends it to your bank
  3. You browse the menu and try to send money to her (maintaining the session)
  4. You enter her account number, the amount and your PIN (four random digits, or by default the last four digits of your BVN or debit card)
  5. You confirm and, voila, your transaction is done.

But here is the catch:
A. USSD is based on GSM technology, which means that your session uses relatively weak encryption.

B. It really doesn’t matter what packet leaves your phone during a session; it is what gets to the network provider, and to your bank, that matters. (Know what this means?)

C. Between your phone and the network provider, a malicious person can sniff the packets sent with a tool like Burp Suite, if you are connected to an unsecured wireless network.

D. Between your network provider and your bank, an insider can trap or sniff the packets of your session with a tool like Packet Analyser.

E. The packet contains everything you enter in a session: account number, amount to transfer, your PIN.

F. Your bank and network provider DO NOT know you! They only know your phone number and your PIN.

G. Only your SIM card and PIN stand between you and the money in your bank account.

H. It is difficult but possible to reset your password if your phone is stolen.

Can we make sense of this?
What do you think of USSD?


#2

Is there any special protection code for USSD?


#3

So what steps am I meant to take to be more secure? Is there any safeguard in place? The solution cannot be to stop using USSD codes because I don’t like going to the bank. Apart from keeping my phone safe, what can I do?


#4

I feel so scared using USSD now.

For point C: are we connected to an unsecured wireless network when we communicate with our mobile phones, i.e. say SMS or phone calls?

Can our conversations be heard also?


#5

Rightly said :ok_hand:
Unstructured Supplementary Service Data (USSD) is not really secure, and a one-stop security solution won’t be possible because the whole process goes through at least 3 points, i.e. the user, the telecommunication provider and the bank. The BVN and ATM digits used to secure these transactions are what a determined malicious person can easily get through social engineering, and voila, he has access to your :money_with_wings: :moneybag:
Also, what’s the assurance from the telecommunication provider that their operators do not snoop on people’s communication to get transaction details? This is something they can easily do.
The question on my mind is when this ticking time bomb will blow.


#6

Is the bank mobile app safer than USSD codes?


#7

So, are you dissuading us from using USSD? So our mobile apps are the safest means of transactions?


#8

A greater part of adding security, I think, will have to come from the banks offering the USSD service, who shall, among other things, put in place a proper message authentication mechanism to validate that requests/responses are generated by authenticated users, and also use secure USSD communication channels with a strong encryption mechanism.
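
The hops sketched in post #1 (handset, network operator, bank, with points B to E describing what travels in clear) and the message authentication that post #8 asks for, as an added toy model for this thread rather than any bank's or operator's real protocol. The dial-string layout, field names, the operator-bank shared key, the MSISDN, PINs and timestamps are all constructed for the example. The operator-to-bank message carries an HMAC over the session fields, and the bank rejects tampered, replayed or stale requests before it ever checks the PIN.

```python
"""Toy model of the USSD hops the thread describes: handset -> network operator -> bank.

Added example for this discussion, not any bank's or operator's real protocol. The
dial-string layout, field names, shared key, PINs and timestamps are constructed.
"""
import hashlib
import hmac
import json

# Constructed sample: what the subscriber keyed in during the session, flattened into
# one dial string. Assumed layout: *bankcode*amount*destination_account*pin#
SAMPLE_DIAL_STRING = "*966*5000*2034567890*1234#"
SAMPLE_MSISDN = "2348012345678"

# Assumption: a secret shared between the operator's USSD gateway and the bank,
# used for the message authentication post #8 asks for.
SHARED_KEY = b"assumed-operator-bank-shared-secret"


def parse_dial_string(dial):
    """Split a dial string into transfer fields (assumed layout). A sniffer between the
    handset and the MSC sees exactly these fields in clear, PIN included (point E)."""
    if not (dial.startswith("*") and dial.endswith("#")):
        raise ValueError("not a USSD dial string")
    parts = dial[1:-1].split("*")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected *bankcode*amount*account*pin#")
    bank_code, amount, account, pin = parts
    return {"bank_code": bank_code, "amount": int(amount), "account": account, "pin": pin}


def canonical(body):
    """Deterministic encoding so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def gateway_forward(fields, msisdn, session_id, ts, key=SHARED_KEY):
    """Operator gateway wraps the session data for the bank and tags it with an HMAC.
    The tag binds msisdn, session id and timestamp to the fields, so any change on the
    operator-bank link is detectable. The PIN is still inside the body in clear."""
    body = {"msisdn": msisdn, "session": session_id, "ts": ts, **fields}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def pin_hash(msisdn, pin):
    """Constructed PIN storage: salted PBKDF2. Real issuers keep PINs in an HSM."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), msisdn.encode(), 50_000)


class Bank:
    """Bank side: verify tag, freshness and one-shot session id before touching the PIN."""

    def __init__(self, key, pin_hashes, window=60):
        self.key = key
        self.pin_hashes = pin_hashes      # msisdn -> pin_hash(...)
        self.window = window              # seconds of clock skew tolerated
        self.seen = set()                 # (msisdn, session) already processed

    def verify(self, msg, now):
        body, tag = msg["body"], msg["tag"]
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad tag"          # tampered or forged on the link
        if abs(now - body["ts"]) > self.window:
            return "reject: stale"            # old capture pushed through later
        ident = (body["msisdn"], body["session"])
        if ident in self.seen:
            return "reject: replay"           # same session delivered twice
        self.seen.add(ident)
        stored = self.pin_hashes.get(body["msisdn"])
        if stored is None or not hmac.compare_digest(stored, pin_hash(body["msisdn"], body["pin"])):
            return "reject: bad pin"
        return "ok"


def run_demo():
    """Walk the hops once, then try what an insider on the operator-bank link could do."""
    fields = parse_dial_string(SAMPLE_DIAL_STRING)
    bank = Bank(SHARED_KEY, {SAMPLE_MSISDN: pin_hash(SAMPLE_MSISDN, "1234")})
    ts = 1_700_000_000
    msg = gateway_forward(fields, SAMPLE_MSISDN, "S1", ts)

    results = {"legit": bank.verify(msg, ts + 5)}
    results["replay"] = bank.verify(msg, ts + 10)            # captured and resent
    tampered = {"body": dict(msg["body"], account="2099999999"), "tag": msg["tag"]}
    results["tampered"] = bank.verify(tampered, ts + 5)      # account swapped, tag not recomputed
    wrong = gateway_forward(dict(fields, pin="0000"), SAMPLE_MSISDN, "S2", ts)
    results["wrong_pin"] = bank.verify(wrong, ts + 5)
    late = gateway_forward(fields, SAMPLE_MSISDN, "S3", ts)
    results["stale"] = bank.verify(late, ts + 3600)          # pushed through an hour later
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:10s} -> {outcome}")
```

Two limits worth keeping in view, both already implied by the thread. The tag gives integrity and replay detection on the operator-bank leg only; it does nothing for confidentiality, so the PIN in `body` is still readable by whoever can see that link unless the channel itself is encrypted (points D and E). And nothing the bank does can authenticate the handset-to-operator leg, because the phone sends bare digits with no key of its own (point B), which is why post #13's insider at the switching centre sits outside what this mechanism covers.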


#9

Ha! USSD.
I think banks should find a way to make USSD transactions more secure.

Instead of a PIN, what if a call is initiated by the service provider during the session and the user is asked to repeat a word? The user’s voice, which is unique to him, is then verified by the system and the transaction is processed.
Unlike a password or PIN, each person’s voice is as unique as a fingerprint, I suppose.


#10

I don’t know if this is a viable solution but I think it is worth pondering


#11

This is insightful! I try to avoid USSD, but… the internet situation, ehn!


#12

Great question.
Here’s what I would advise (since a large part of the security issue isn’t really yours to deal with):

  1. Check the permissions you grant apps before you download them!
    Many harmless-looking apps like games or dictionaries actually do more underneath. So if an app like this is requesting access to your location or settings, be wary! (What does a dictionary need access to your settings for?)

  2. Ensure you are not making transactions while connected to a public wifi. As much as possible, avoid public wifi.

  3. Don’t use your birth year, BVN or the last four digits of your debit card as your PIN. Find a different, harder-to-guess string of numbers.

  4. Have a close interaction with your bank (and maybe this is most important). If you only transfer money with USSD to some specific account numbers, why not talk with your bank about the possibility of limiting your transfers to those numbers?
    It is possible.

  5. Finally, if you have a phone that is not internet-enabled (like a Nokia 3310?), use your USSD line on it and do your transactions there. They are more secure.


#13

Lol. We hope it doesn’t blow though, but our times are not for the telling.
Banks do all they can to check on their infrastructure and employees to stay secure, but they can’t deal with the operator in a Mobile Switching Centre. And this is a weakness.


#14

I think that’s one of the challenges banks are facing as regards adding more security, because ease of use and hassle-free transactions are what brought about the USSD codes in the first place (the security triangle).
If the banks add more complex security, then that would move ease of use further from USSD transactions.


#15

Ease of use, that is true…


#16

Have you considered the fact that USSD does not have a store-and-forward capability? I am thinking this should give a little more credit to its security robustness.


#17

Let’s not forget that hackers are becoming more sophisticated in their act. Therefore, the idea of cloning a SIM card could be prevalent, thereby increasing fraud through USSD drastically.


#18

Just like it was said in the article, an example of exploiting the USSD service was seen last year when hackers exploited the SS7 protocol over several months to intercept 2-factor authentication codes sent to online banking customers, thereby gaining access to their accounts and draining them of their funds.

P.S. SS7 means Signalling System 7.


#19

Lol. Code? Not sure there is. Just keep your PIN as close to yourself as possible.


#20

Hmm… good thoughts. But store-and-forward increases the risks associated with phone theft. It is actually the advantage that USSD has over SMS (in terms of security): the fact that it is session-based and therefore this sensitive data is not stored on the user’s phone/cache.