According to Gartner, mobile users are rapidly growing and expected to cross 3 billion in the next three years. Mobile payments and financial services are going to be among the hottest mobile technology applications. Various communication channels – including SMS, Unstructured Supplementary Service Data (USSD), and IP-based communications, have security vulnerabilities. These vulnerabilities increasingly cause major security concerns among banks, telecom companies, and service providers.
Critical threats such as fraudulent transactions, request/response manipulations, and insecure message communications are directly triggering revenue loss for mobile payment service providers.
Sensitive information disclosure due to weak cryptographic implementation, improper account management, and sensitive information modification may also cause security breaches and sensitive data loss in USSD-based mobile payment applications.
Experts believe that more security breaches will be inevitable as mobile usage grows. Deploying secure, reliable, and robust products are challenging since multiple channels provide each service.
Proper security controls must be an intrinsic part of mobile phones and mobile applications to avoid significant business impacts, including:
- Fraudulent transactions (revenue loss) through mobile applications.
- Confidentiality (Users sensitive data- credit/debit card data, PIN, user credentials).
- Revenue loss through communications services misuse.
- Brand value degradation through SIM card cloning and related attacks.
- Misuse of enterprise data through personal handheld devices.
- Fraudulent transactions through USSD and DSTK (Dynamic SIM Toolkit) applications.
Unstructured Supplementary Service Data (USSD)
The USSD communication protocol enables mobile communication services, location-based services, mapping services, recharge/booking services, and mobile payment and banking services.
USSD prevails over the SMS communication channel. In USSD, direct communication between the sender and recipient promotes faster data transmission. USSD communication is session-oriented, and it is easily implementable while being more user-friendly. The USSD application interface between the customer’s telecom provider and his bank account. The customer can transact through handheld devices and web-based applications (USSD in IP mode).
USSD Security Threats
- USSD Commands Request/Response Tampering
A malicious user can tamper with USSD command requests and responses through hardware and software interceptors leading to fraudulent transactions. Weak encrypted request and response messages are prime concerns in such threat vectors.
- USSD Request/Response Message Replay Attacks
When a phone is lost, an adversary may perform fraudulent transactions through an installed USSD application in the absence of authenticating USSD request originator (e.g., by MSISDN, IMEI, PIN, and unique Message Tracking ID).
- USSD Application Prepaid Roaming Access Test
An adversary may cause direct revenue loss for service providers by using roaming access parameters manipulation and unauthorized access to USSD application prepaid roaming services.
- Verify Strong Cryptographic Implementation
Weak cryptography implementation for critical data (customer number, card numbers, PIN, beneficiary details – account numbers, balance summary) can be tampered with, leading to fraudulent transactions.
- Improper Data Validation (USSD IP Mode Applications)
Improper data validation in the USSD IP mode application can lead to SQL injection, cross-site scripting attacks. An adversary may insert specifically crafted scripts in user input to perform malicious actions at the database or another user’s active session.
Securing USSD-based Mobile Payment Applications
A systematic approach to assessing and remediating vulnerabilities in mobile applications is critical to ensuring secure payment transactions.
The following practices can be helpful:
- Detailed and proactive security assessment helps the client ensure secure financial transactions through mobile payment client applications.
- Proactively enhance mobile client application and mobile validation layer security through the entire SDLC.
- Detailed analysis of security gaps and recommendations to ensure compliance.
- Threat modeling activity using the STRIDE/DREAD approach helps in identifying the application’s vulnerabilities.
- Mapping identified vulnerabilities to threats brings about a clear understanding of security issues in the application and how to exploit them.
- Mapping vulnerabilities to flaws at the architecture and design levels helps prepare a comprehensive remediation plan that identifies vulnerabilities in financial transactions, mobile applications, and sensitive data transmission over wireless networks that automated tools may not detect.