Josue Martins

Summary

The website content outlines the top 10 security risks associated with USSD (Unstructured Supplementary Service Data) in mobile payment systems and provides recommendations to mitigate these risks.

Abstract

The article "USSD Top 10 Security Risks For Mobile Payments" emphasizes the critical importance of security in mobile money ecosystems, particularly where USSD is utilized. It details the prevalent security risks, such as insecure communication, signaling attacks, insecure authentication, and the use of technology with known vulnerabilities. The risks can lead to unauthorized access, data breaches, and financial fraud if not addressed. The article underscores the need for robust encryption, secure authentication protocols, input validation, access control, logging, monitoring, and regular updates to safeguard against these threats. It also suggests specific measures like rate-limiting of USSD requests, blocking binary SMS, enforcing strong PIN policies, and preventing transactions following SIM swaps to enhance the security of mobile payment services.

Opinions

  • The author advocates for the use of strong cryptographic algorithms like A5/3 or A5/4 and IPsec to protect against man-in-the-middle attacks.
  • There is a strong recommendation against the use of vulnerable SIM cards and SIM Tool Kit applications like S@T Browser and WIB, which are susceptible to attacks such as SimJacker.
  • The article suggests that all mobile money menus should require secure authentication, including the use of OTPs for two-factor authentication, to prevent unauthorized access.
  • It is the author's opinion that continuous software updates are essential to patch known vulnerabilities and maintain the security of mobile payment systems.
  • The author emphasizes the importance of data validation to prevent injection attacks and suggests that all user input should be treated as untrusted data.
  • There is a call for clear separation of duties between customers and agents to prevent broken access control and unauthorized resource access.
  • The article points out that insufficient logging and monitoring can hinder the investigation of fraudulent transactions and suggests implementing comprehensive logging and real-time monitoring systems.
  • The author is of the opinion that mobile operators should implement measures to detect and prevent SIM swap fraud, which can lead to unauthorized access to mobile money accounts.
  • The article concludes with the recommendation that mobile money solutions should ensure the security triad of confidentiality, integrity, and availability to protect against the outlined risks and vulnerabilities.

USSD Top 10 Security Risks For Mobile Payments

Mapping of USSD Top 10 Security Risks

Security should be at the heart of software systems, especially when money is involved. Mobile money or mobile payment ecosystems that expose a USSD channel face risks that can damage the credibility of the service and the organization's revenue if they are not taken into account and mitigated before the service is launched. Below are the most prevalent USSD-related risks for mobile money payments, together with recommendations to mitigate them.

01. INSECURE COMMUNICATION

A cybercriminal can tamper with USSD command requests and responses by conducting a man-in-the-middle attack: a fake base station forces the phone to connect over 2G or 3G, whose traffic is easier to decrypt and tamper with.

Recommendation:

  • All traffic between the phone and the core network should be encrypted using the A5/3 or A5/4 cryptographic algorithm and IPsec to prevent man-in-the-middle attacks.
  • Do not use the A5/0 to A5/2 cryptographic algorithms under any circumstances.

02. SIGNALLING ATTACKS

A cybercriminal can conduct a USSD-based attack by sending spoofed USSD requests from the roaming interfaces, or by targeting SIM cards that run vulnerable SIM Tool Kit software such as the S@T Browser and WIB.

If the cybercriminal sends a well-crafted binary SMS instructing the SIM to send a USSD command, the phone sends a USSD request from the victim's device; the request appears legitimate and is processed by the mobile money solution.

[Figures: SimJacker attack; the functionalities of an S@T Browser]

Recommendation:

  • Apply velocity checks and rate-limiting to mobile money related USSD requests arriving at the home network.
  • Restrict account resets requested via USSD from roaming interfaces.
  • Block binary SMS from roaming interfaces, or at the SMS center, that target SIM cards with the S@T browser vulnerability.

03. INSECURE AUTHENTICATION

Insecure authentication happens when authentication controls and protocols are bypassed because they are poorly implemented or absent. For example, if the USSD menu for user authentication is not masked, an attacker can read the end-user's credentials through social engineering attacks such as shoulder surfing.

[Figure: Mobile money USSD menu]

Recommendation:

  • All users accessing a mobile money menu should be forced to authenticate by entering an MSISDN followed by a PIN or password; if needed, an OTP can be used as a second factor.
  • Do not allow concurrent sessions.
  • When OTPs are used, apply OTP rate limiting.
  • The input field for the password or PIN should be masked.
  • Mask sensitive information.

04. USING TECHNOLOGY WITH KNOWN VULNERABILITY

Using technology with publicly known vulnerabilities such as SimJacker poses a serious security risk to the applications running on the SIM Tool Kit.

Using binary SMS, as described in the previous risk, a cybercriminal can force the device to send a USSD request to the home network.

Recommendation:

  • Avoid using SIM cards with the SimJacker vulnerability or similar; the SIM cards affected are the ones that support the S@T browser and WIB.
  • If these SIM cards are already present in the mobile network, request the vendor to provide an appropriate software update via OTA.
  • Provide software updates via OTA continuously to patch known vulnerabilities.

[Figure: SEND USSD via S@T Browser]

05. WEAK PIN

Weak PINs leave the USSD-based menu vulnerable to brute-force and guessing attacks.

Recommendation:

  • All PINs should have a minimum of 6 digits, which balances security and usability.

06. LACK OF INPUT AND DATA VALIDATION

Improper data validation in the USSD service can lead to injection attacks that leak sensitive information. An attacker may insert specifically crafted text into the user input to perform malicious actions on the back-end server.

Recommendation:

  • All input entered by the end-user on the phone should be treated as untrusted data and validated before it is processed by the back-end server.
  • The same rule applies to USSD-related strings arriving from roaming interfaces.
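As an added illustration of the validation the two recommendations above call for (not code from the original article), the following Python routine validates a constructed mobile money transfer string before the back end acts on it, applying the same rules to home and roaming sources; the menu path `*150*1*<amount>*<recipient>#`, the length cap and the amount cap are assumptions.

```python
import re

# Constructed menu path assumed for this illustration (not a real operator's code):
#   *150*1*<amount>*<recipient MSISDN>#   -> "send <amount> to <recipient>"
TRANSFER_PATH = re.compile(r"\*150\*1\*(\d{1,7})\*(\d{9,12})#")
ALLOWED_CHARS = re.compile(r"[0-9*#]+")     # the only characters a USSD string may carry
MAX_LENGTH = 40                              # constructed cap; real requests are short
MAX_AMOUNT = 1_000_000                       # constructed per-transaction limit

class InvalidUssdRequest(ValueError):
    """Raised for any request that fails validation; the raw string is never processed."""

def parse_transfer(ussd: str, source: str = "home") -> dict:
    """Validate a raw USSD string before the back end acts on it.

    The same rules apply whether the string arrived from the home network or
    from a roaming interface; nothing is "cleaned up", bad input is rejected.
    """
    if source not in ("home", "roaming"):
        raise InvalidUssdRequest("unknown signalling source")
    if len(ussd) > MAX_LENGTH:
        raise InvalidUssdRequest("request too long")
    # Whitelist first: quotes, semicolons, letters or spaces can never be legitimate.
    if not ALLOWED_CHARS.fullmatch(ussd):
        raise InvalidUssdRequest("illegal characters in request")
    # Then the exact menu path: a second command appended after '#' does not match.
    match = TRANSFER_PATH.fullmatch(ussd)
    if not match:
        raise InvalidUssdRequest("request does not match an allowed menu path")
    amount, recipient = int(match.group(1)), match.group(2)
    if not 0 < amount <= MAX_AMOUNT:
        raise InvalidUssdRequest("amount outside allowed range")
    return {"action": "transfer", "amount": amount, "recipient": recipient, "source": source}

def is_valid_transfer(ussd: str, source: str = "home") -> bool:
    """Convenience wrapper for gateways that only need an accept/reject decision."""
    try:
        parse_transfer(ussd, source)
        return True
    except InvalidUssdRequest:
        return False
```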

07. BROKEN ACCESS CONTROL

Broken access control occurs when appropriate access controls are missing, allowing a user to access unauthorized resources such as features and information.

Recommendation:

  • Agents should not be able to send USSD strings related to customer features, and customers should not be able to send USSD strings related to agent features; this prevents either of them from accessing unauthorized resources.
  • There should be a clear separation of duties and profile features between customers and agents.

08. INSUFFICIENT LOGGING AND MONITORING

Insufficient logging and monitoring, combined with a non-existent or inadequate incident response, allows fraudulent transactions to occur without sufficient information being available to investigate them or to stop an ongoing attack.

Recommendation:

  • Monitor all USSD requests coming from roaming interfaces.
  • Log all account and OTP brute-force attempts.
  • Correlate the transaction location with the user's location, whether in the home or a foreign network.
  • Check whether a SIM swap occurred in the last 24 hours before processing a transaction.

09. INSECURE AUTHORIZATION

Insecure authorization can occur when an attacker carries out a successful SIM swap fraud and logs into a mobile money account as the legitimate user, because the necessary security controls are not in place at the mobile operator's stores.

Recommendation:

  • Prevent USSD-based or any other mobile money transactions (account resets and transfers) after a SIM swap conducted during the last 24 hours.
  • Notify end-users that a SIM swap was requested on their behalf via alternative contacts such as email addresses.
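The following added Python example (not part of the original article) combines the velocity check from risk 02, the request monitoring of risk 08 and the 24-hour SIM swap hold from risk 09 into one pre-check with an audit trail, run over a constructed request stream; the window size, request limit, sample MSISDNs and timestamps are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RATE_WINDOW = timedelta(minutes=1)   # constructed velocity window
RATE_LIMIT = 5                       # constructed cap on mobile money requests per window
SIM_SWAP_HOLD = timedelta(hours=24)  # the 24-hour rule from the recommendations above
HELD_ACTIONS = {"transfer", "account_reset"}

class UssdGuard:
    """Pre-checks run on every mobile money USSD request before it is processed."""

    def __init__(self, sim_swaps: dict):
        self.sim_swaps = sim_swaps          # MSISDN -> time of the latest SIM swap
        self.history = defaultdict(deque)   # MSISDN -> timestamps inside the window
        self.audit = []                     # every decision, kept for investigation

    def check(self, msisdn: str, at: datetime, source: str, action: str):
        """Return (allowed, reason). Denied requests still count towards velocity."""
        recent = self.history[msisdn]
        recent.append(at)
        while at - recent[0] > RATE_WINDOW:
            recent.popleft()
        if len(recent) > RATE_LIMIT:
            return self._decide(msisdn, at, source, action, False, "rate limit exceeded")
        if source == "roaming" and action == "account_reset":
            return self._decide(msisdn, at, source, action, False, "account reset from roaming interface")
        swapped = self.sim_swaps.get(msisdn)
        if swapped and at - swapped < SIM_SWAP_HOLD and action in HELD_ACTIONS:
            return self._decide(msisdn, at, source, action, False, "SIM swap within 24 hours")
        return self._decide(msisdn, at, source, action, True, "ok")

    def _decide(self, msisdn, at, source, action, allowed, reason):
        self.audit.append((at.isoformat(), msisdn, source, action, allowed, reason))
        return allowed, reason

def run_sample() -> list:
    """Constructed request stream: a freshly swapped SIM, a roaming reset and a burst."""
    guard = UssdGuard({"841234567": datetime(2024, 1, 10, 9, 0)})
    t = datetime(2024, 1, 10, 10, 0)
    events = [
        ("841234567", t, "home", "balance"),                          # allowed
        ("841234567", t + timedelta(minutes=1), "home", "transfer"),  # 1 h after swap
        ("841234567", t + timedelta(days=1), "home", "transfer"),     # 25 h after swap
        ("847654321", t, "roaming", "account_reset"),                 # reset from roaming
    ] + [("845550000", t + timedelta(seconds=10 * i), "home", "balance") for i in range(6)]
    return [guard.check(*e) for e in events]
```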

10. MISCONFIGURATION

Security Misconfiguration occurs due to a lack of alignment between system administrators, security administrators, and other non-technical staff.

Common examples of incorrect settings are:

  • Weak password/PIN or standard credentials that are easily guessed.
  • Poor error handling and error response.

Recommendation:

  • Force the end-user to change passwords/PIN in the USSD menu every 3 months.
  • Disable default passwords/PIN and force the end-user to create a new password/PIN after the first login.
  • Do not issue a response that reveals whether the end-user is registered on the mobile money service. For example, a failed login attempt should display the error message "Your user ID or PIN is incorrect", and this same message should be shown for registered and non-registered users.
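As an added example (not from the original article) covering the authentication rules of risk 03, the PIN length of risk 05 and the misconfiguration fixes above, this Python class enforces a 6-digit minimum, rejects default PINs, forces a change on first login and after 90 days, refuses concurrent sessions, and returns the same generic message whether the MSISDN is unknown or the PIN is wrong; the default PIN values and the PBKDF2 hashing are assumptions.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

PIN_MIN_DIGITS = 6                   # risk 05: minimum PIN length
PIN_MAX_AGE = timedelta(days=90)     # risk 10: force a PIN change every 3 months
DEFAULT_PINS = {"000000", "123456"}  # constructed examples of issued default PINs
GENERIC_ERROR = "Your user ID or PIN is incorrect"  # identical text for everyone

def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def pin_meets_policy(pin: str) -> bool:
    return pin.isdigit() and len(pin) >= PIN_MIN_DIGITS and pin not in DEFAULT_PINS

class UssdAuth:
    def __init__(self):
        self.accounts = {}              # MSISDN -> PIN record
        self.sessions = set()           # MSISDNs with an open USSD session
        self._dummy_salt = os.urandom(16)

    def enrol(self, msisdn: str, pin: str, at: datetime) -> None:
        # Accounts are issued with a default PIN that must be replaced on first login.
        salt = os.urandom(16)
        self.accounts[msisdn] = {"salt": salt, "hash": _hash_pin(pin, salt),
                                 "set_at": at, "must_change": True}

    def set_pin(self, msisdn: str, new_pin: str, at: datetime) -> bool:
        if not pin_meets_policy(new_pin):
            return False
        rec = self.accounts[msisdn]
        rec["salt"] = os.urandom(16)
        rec["hash"] = _hash_pin(new_pin, rec["salt"])
        rec["set_at"], rec["must_change"] = at, False
        return True

    def login(self, msisdn: str, pin: str, at: datetime) -> str:
        rec = self.accounts.get(msisdn)
        # Hash even for unknown MSISDNs so the response time does not reveal
        # whether the user is registered; the message is the same in both cases.
        candidate = _hash_pin(pin, rec["salt"] if rec else self._dummy_salt)
        if rec is None or not hmac.compare_digest(candidate, rec["hash"]):
            return GENERIC_ERROR
        if msisdn in self.sessions:
            return "Session already active"          # no concurrent sessions
        if rec["must_change"] or at - rec["set_at"] > PIN_MAX_AGE:
            return "PIN change required"
        self.sessions.add(msisdn)
        return "OK"

    def logout(self, msisdn: str) -> None:
        self.sessions.discard(msisdn)
```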

CONCLUSION

A mobile money solution should be immune to the risks, vulnerabilities and attacks presented in this article, and at the same time it is expected to provide the security triad of confidentiality, integrity, and availability.
