USSD Banking: A Ticking Time Bomb?


Can you share like a link to an article on this attack? Thanks!


This is really insightful. Internet banking is the future!


Wow! This is really insightful. This problem seems to be out of our hands as consumers/customers. As long as the banks continue to ignore this security problem, i’ll avoid ussd banking


Thank you for the answer…I’m still scared of using USSD though in case my phone is stolen.


Thanks for the information. Is it advisable then to continually change passwords or pin or best to stick to a really difficult one you will always remember?


To be true, USSD is probably safer -if we assume the worst in both cases. And no, this is not to dissuade you, this is to arm you, really.


You don’t have to be. Ensure you use a strong pin and welcome back your line ASAP!


Generally it is advisable to change passwords/pins periodically. So yea, it’s a good practice.


Thank you @Handerous for this awesome piece.

So i have always had a few concerns about USSD banking.
And Oh let me mention that i have exploited one of the vulnerabilities of USSD just once in my life (Pinky swear:raised_hand_with_fingers_splayed:) to move some serious cash. NB: I had legal authorization to do this. Lets not go into the details :grinning:.

So the issues, there is actually a regulatory framework document on USSD from CBN. This document has identified some vulnerabilities and stated its mitigation. CBN USSD framework

But guess what as this is Nigeria and we are who we are, it is not being obeyed and CBN is doing nothing about this.

As earlier stated here, with respect to encryption system, there is none being implemented at the moment that i am aware of (See Item 4.3 and 4.5 in the document)

See Item 4.4, I know for UBA and GTB they do not implement the masked pin entry. This has always been a concern to me.

Another rule of thumb with respect to USSD banking, its either you dont link you phone number with your bank account (which is not a wise decision as you dont get to receive sms alerts) OR
You register your mobile number for USSD banking and and change the pin from the default.

Lets paint a scenario, someone picks up your bad that has your phone and ATM and your super careful self didnt register your mobile number for USSD banking, so the enlightened guy decides to register on your behalf and he has your ATM card, the default pin is the last 4 digits of your card number. Waawu all your cah is gone. Remember you dont have your phone so you can’t call your bank.


Just search for SS7 exploit and read what comes up. I can’t remember the source.


Lol. Funny scenario.
I do want to know about your bank heist though, legal or not. Tell us!
Thumbs up for that file link


Great article @Handerous I generally think people adopt new technologies too quickly and not smartly. Although ‘tech’ is good, it should be adopted with sense. Lol. I always advise: get some basic information before jumping unto any new technology, be it new social media platform or new banking technology. is a good resource for information.


walehg, this is possible and has been done.


This is quite inaccurate.

The architecture for USSD banking, and banking generally is not as straight forward as you have simply documented. There are various level device based security for USSD and internet transactions that has been integrated into the entire transaction flow.

Also, telcos do not connect to banks directly. there is a middleware (agreegator) that acquires this transactions first, then sends to a system where the phone number and account identify of the customer is mapped, which then builds the real transaction messages to the back for authorization. The level of encryption, PCI/DSS compliance, and also security between this system makes it really difficult to carry out a hack, except it is done internally.

By all standard, i make boast that the Finance technology in Nigeria is one of the strongest in the world. You have to work in both industries to know what i mean.

Thank you.