USSD Banking: A Ticking Time Bomb?

walehg · 2018-03-21 14:03:23 UTC

Ease of use,that is true…

annessca · 2018-03-21 14:15:08 UTC

Have you considered the fact that USSD does not have a store-and-forward capability? I am thinking this should give a little more credit to it’s security robustness.

G3M · 2018-03-21 14:42:46 UTC

Let’s not forget that hackers are becoming more sophisticated in their act. Therefore the idea of cloning a sim card could be prevalent thereby increasing fraud through ussd drastically.

G3M · 2018-03-21 14:51:19 UTC

Just like it was said in the article, an example of exploiting ussd service was seen last year when hackers explored SS7 protocol over several months to intercept 2-factor authentication codes sent to online banking customers, thereby gaining access to their account and draining them of their funds.

P. S SS7 means signalling system 7.

Handerous · 2018-03-21 15:05:35 UTC

Lol. Code? Not sure there is. Just keep your pin as close to yourself as possible

Handerous · 2018-03-21 15:09:23 UTC

Hmm…good thoughts. But store and forward increases the risks associated with phone theft. It is actually the advantage that USSD has over sms (in terms of security), the fact that it is session-based and therefore this sensitive data are not stored on the user’s phone/cache

Handerous · 2018-03-21 15:10:19 UTC

Can you share like a link to an article on this attack? Thanks!

Iyanu54 · 2018-03-21 15:11:14 UTC

This is really insightful. Internet banking is the future!

addie · 2018-03-21 15:31:51 UTC

Wow! This is really insightful. This problem seems to be out of our hands as consumers/customers. As long as the banks continue to ignore this security problem, i’ll avoid ussd banking

misheleuba · 2018-03-21 15:33:03 UTC

Thank you for the answer…I’m still scared of using USSD though in case my phone is stolen.

freddie20 · 2018-03-21 16:03:10 UTC

Thanks for the information. Is it advisable then to continually change passwords or pin or best to stick to a really difficult one you will always remember?

Handerous · 2018-03-21 16:43:10 UTC

To be true, USSD is probably safer -if we assume the worst in both cases. And no, this is not to dissuade you, this is to arm you, really.

Handerous · 2018-03-21 16:44:27 UTC

You don’t have to be. Ensure you use a strong pin and welcome back your line ASAP!

Handerous · 2018-03-21 16:45:56 UTC

Great!
Generally it is advisable to change passwords/pins periodically. So yea, it’s a good practice.

CyberWura · 2018-03-21 17:01:03 UTC

Thank you @Handerous for this awesome piece.

So i have always had a few concerns about USSD banking.
And Oh let me mention that i have exploited one of the vulnerabilities of USSD just once in my life (Pinky swear:raised_hand_with_fingers_splayed:) to move some serious cash. NB: I had legal authorization to do this. Lets not go into the details .

So the issues, there is actually a regulatory framework document on USSD from CBN. This document has identified some vulnerabilities and stated its mitigation. CBN USSD framework

But guess what as this is Nigeria and we are who we are, it is not being obeyed and CBN is doing nothing about this.

As earlier stated here, with respect to encryption system, there is none being implemented at the moment that i am aware of (See Item 4.3 and 4.5 in the document)

See Item 4.4, I know for UBA and GTB they do not implement the masked pin entry. This has always been a concern to me.

Another rule of thumb with respect to USSD banking, its either you dont link you phone number with your bank account (which is not a wise decision as you dont get to receive sms alerts) OR
You register your mobile number for USSD banking and and change the pin from the default.

Lets paint a scenario, someone picks up your bad that has your phone and ATM and your super careful self didnt register your mobile number for USSD banking, so the enlightened guy decides to register on your behalf and he has your ATM card, the default pin is the last 4 digits of your card number. Waawu all your cah is gone. Remember you dont have your phone so you can’t call your bank.

G3M · 2018-03-22 08:34:53 UTC

Just search for SS7 exploit and read what comes up. I can’t remember the source.

Handerous · 2018-03-22 09:30:54 UTC

Lol. Funny scenario.
I do want to know about your bank heist though, legal or not. Tell us!
Thumbs up for that file link

emmanuel · 2018-03-23 09:44:51 UTC

Great article @Handerous I generally think people adopt new technologies too quickly and not smartly. Although ‘tech’ is good, it should be adopted with sense. Lol. I always advise: get some basic information before jumping unto any new technology, be it new social media platform or new banking technology. www.safeonline.ng is a good resource for information.

DiGiTman · 2018-05-08 13:19:17 UTC

walehg, this is possible and has been done.

adetiwaa · 2019-07-30 08:09:30 UTC

This is quite inaccurate.

The architecture for USSD banking, and banking generally is not as straight forward as you have simply documented. There are various level device based security for USSD and internet transactions that has been integrated into the entire transaction flow.

Also, telcos do not connect to banks directly. there is a middleware (agreegator) that acquires this transactions first, then sends to a system where the phone number and account identify of the customer is mapped, which then builds the real transaction messages to the back for authorization. The level of encryption, PCI/DSS compliance, and also security between this system makes it really difficult to carry out a hack, except it is done internally.

By all standard, i make boast that the Finance technology in Nigeria is one of the strongest in the world. You have to work in both industries to know what i mean.

Thank you.