USSD Banking: A Ticking Time Bomb?


#8

A greater part of adding security, I think, will have to be from the end of the banks offering USSD service, who shall, among other things, put in place a proper message authentication mechanism to validate that requests/responses are generated through authenticated users and also use secure USSD communication channels with a strong encryption mechanism.


#9

Ha! USSD.
I think banks should find a way to make USSD transactions more secure.

Instead of a PIN, what if a call is initiated by the service provider during the session and the user is asked to repeat a word? The user’s voice, which is unique to him, is then verified by the system and the transaction is processed.
Unlike a password or PIN, each person’s voice is as unique as a fingerprint, I suppose.


#10

I don’t know if this is a viable solution, but I think it is worth pondering.


#11

This is insightful! I try to avoid USSD but… the internet situation ehn!


#12

Great question.
Here’s what I would advise (since a large part of the security issue isn’t really yours to deal with):

  1. Check the permissions you grant apps before you download them!
    Many harmless-looking apps like games or dictionaries actually do more underneath. So if an app like this is requesting access to your location or settings, be wary! (What does a dictionary need access to your settings for?)

  2. Ensure you are not making transactions while connected to a public Wi-Fi. As much as possible, avoid public Wi-Fi.

  3. Don’t use birth year, BVN or the last four digits of your debit card as PINs. Find a different, harder-to-guess string of numbers.

  4. Have a close interaction with your bank (and maybe this is most important). If you only transfer money with USSD to some specific account numbers, why not talk with your bank about the possibility of limiting your transfers to those numbers?
    It is possible.

  5. Finally, if you have a phone that is not internet-enabled (like a Nokia 3310?), use your USSD line on it and do your transactions there. They are more secure.


#13

Lol. We hope it doesn’t blow though, but our times are not for the telling.
Banks do all they can to check on their infrastructures and employees to stay secure, but they can’t deal with the operator in a Mobile Switching Centre. And this is a weakness.


#14

I think that’s one of the challenges banks are facing as regards adding more security, because the ease of use and hassle-free transactions are what brought about the USSD codes in the first place. Security Triangle
If the banks add more complex security, then that would move the ease of use further from USSD transactions.


#15

Ease of use, that is true…


#16

Have you considered the fact that USSD does not have a store-and-forward capability? I am thinking this should give a little more credit to its security robustness.


#17

Let’s not forget that hackers are becoming more sophisticated in their act. Therefore, the idea of cloning a SIM card could be prevalent, thereby increasing fraud through USSD drastically.


#18

Just like it was said in the article, an example of exploiting USSD service was seen last year when hackers explored SS7 protocol over several months to intercept 2-factor authentication codes sent to online banking customers, thereby gaining access to their accounts and draining them of their funds.

P.S. SS7 means Signalling System 7.


#19

Lol. Code? Not sure there is. Just keep your PIN as close to yourself as possible.


#20

Hmm… good thoughts. But store and forward increases the risks associated with phone theft. It is actually the advantage that USSD has over SMS (in terms of security), the fact that it is session-based and therefore this sensitive data is not stored on the user’s phone/cache.


#21

Can you share like a link to an article on this attack? Thanks!


#22

This is really insightful. Internet banking is the future!


#23

Wow! This is really insightful. This problem seems to be out of our hands as consumers/customers. As long as the banks continue to ignore this security problem, I’ll avoid USSD banking.


#24

Thank you for the answer… I’m still scared of using USSD though, in case my phone is stolen.


#25

Thanks for the information. Is it advisable then to continually change passwords or PIN, or best to stick to a really difficult one you will always remember?


#26

To be true, USSD is probably safer, if we assume the worst in both cases. And no, this is not to dissuade you, this is to arm you, really.


#27

You don’t have to be. Ensure you use a strong PIN and welcome back your line ASAP!