USSD Codes may not be as safe as we think

“I don’t have to go to the bank to do anything anymore. Everything I do now, I do on my phone.” 

Idrees Yusuf, an Okada rider in Lagos Island, makes about ₦2,000 a day and sends part of his earnings to his daughter, Halima, in Bauchi whenever he can. A few years ago, Idrees would have had to make a trip to his local bank branch and wait on long queues before depositing the money into Halima’s account.

Like Idrees, every Nigerian with a bank account has access to USSD (Unstructured Supplementary Service Data). Commercial banks in Nigeria started churning out USSD banking services in 2016 to offer a wide range of financial transactions beyond the banking hall. Every major commercial bank in the country has a unique shortcode, and by dialling these, customers can check their account balance, purchase airtime, or pay for services, all on their phones.

“USSD is quite relevant because it provides a real-time messaging service which makes it a good fit for transactions that require speed, instant value and no internet access”

– Abdulrahman Akinsanya, a Fintech expert

Your bank account is linked to your phone number, allowing you to make sim-related transactions on the registered number. For example, the popular *737*0# enables GTBank customers to transfer funds, pay for the Lekki Toll, and much more.  

Perhaps the most appealing aspect of USSD transactions is that they don't require an internet connection, making them ideal in a relatively poor country with unreliable data. It has democratised banking services across banks, mobile networks, and devices – whether smartphone or a regular feature phone. 

Security check

As previously mentioned, each bank has a unique shortcode, but this is also backed by unique infrastructure. In fact, nearly all mobile financial service providers (banks, mobile money operators and payment service suppliers, etc.) operate unique applications in providing USSD services to customers. Therefore, it is possible that the risk exposure of USSD transactions increases because each financial service provider uses its own technology, meaning there is no universal standard for all channels. 

More importantly, messages over USSD channels are not encrypted, leaving them vulnerable to being hacked. According to Abdulrahman Akinsanya, a FinTech expert, “This means there's no way to obscure data entered by any subscriber, it makes it easier for an intermediary to eavesdrop and pick sensitive information for malicious intent.”

The Central Bank of Nigeria realises this, and in September 2017, the apex bank released a regulatory framework that placed emphasis on end to end encryption when using USSD codes. End to end encryption essentially scrambles the message to prevent anyone (monitoring the network) from seeing the content of the message and stops even the companies that faciliate the transaction from interpreting it. 

And then the problem...

However, more elementary security risks have been exposed as USSD has been exploited by thieves to defraud Nigerians. Thieves steal phones to gain access to sim cards, which are usually connected to some bank accounts. In some cases, once they figure out the bank an individual uses, they can generate the Bank Verification Number (BVN) and use the mobile USSD of the bank to wipe the account.

“When I gain access to a user’s phone, the first thing I do is purchase a recharge card using USSD code so that I know the bank balance of the person. I don’t need to know the victim’s phone password or USSD pin to empty such a person’s account,” explains Oluwatobi, one of the perpetrators apprehended by the Ogun Police Force last year, as he tried to empty bank accounts using USSD codes.

“Most people password their phones but not sim cards. So, I take out the sim and put it in my phone and get the last digits of the person’s BVN to make a transfer. I dial the shortcode for obtaining the BVN number of any user and then make a transfer all of the money in the user’s account to mine,” Oluwatobi continues. 

Another situation that has exposed the security shortcomings of the USSD system is sim swaps. A sim swap is when a network user replaces their sim with a new sim, moving their data or existing number to a new sim. The problem with sim swaps is that someone that doesn't own the phone can go to a mobile centre for a sim swap and access the owner's data, including their bank account information. 

Dipo Fatokun, the Director of Payment and Banking systems at the CBN, says, “These fraudsters steal phones and walk to a service provider claiming to be the owner of the line. What does he do? He puts the sim in another phone and starts using the USSD to make transfers out of the person’s account connected to the phone number into his account.”

Furthermore, network carriers reassign phone numbers to new users when a sim card has been inactive for six months. If you get a reassigned sim number, the USSD code may still be linked to the previous owner's account, allowing you to carry out transactions on their account. 

This security breach is why many telcos now have more requirements – from ID cards and fingerprint verification – before issuing a sim swap.

Going forward

The CBN has tried to partner with the Nigerian Communications Commission (NCC), the banks, and the telcos to address these risks. In October 2017, the NCC and CBN organised multiple forums to sensitise customers on mobile money banking fraudsters. The forums warned users against sharing personal information (like BVN and USSD pins) and encouraged alertness about unverified messages sent to their mobile phones or email addresses.

The CBN has also implemented security standards on mobile payments in the country. These include end to end encryption, transaction authentication via PIN or BVN only, phone number verification, auditing information systems and a proxy server type of firewall.

But the current framework does little to cover these recent security breaches. While they have collaborated in the past, Telcos and banks are in the best position to refine USSD security, but neither party looks willing to take the lead. 

For instance, network providers can provide banks with basic sim information to allow them to know when a sim is issued, reissued or swapped. Doing this would empower banks to make intelligent decisions about the transactions on a sim card. So, if a sim changes owners in a six month period, the bank can restrict USSD transactions on that sim card until the new owner provides verification. 

Of course, like every new technology, user behaviour tends to be a primary problem. Regardless of how sophisticated security becomes, USSD transactions are only as secure as mobile phone users permit them to be. Given the potential of USSD transactions in Nigeria, it's to everyone's benefits that as mobile banking providers and regulators get their acts together, the users do so too. 

Follow this Journalist on Twitter @AishaSalaudeen. Subscribe to read more articles here.