Unstructured Supplementary Service Data
Another type of digital payment method, *99#, can be used to carry out mobile transactions without downloading any app. These payments can also be made without a mobile data connection. The facility is backed by USSD (Unstructured Supplementary Service Data) together with the National Payments Corporation of India (NPCI). The main aim of this digital payment service is to include the underserved sections of society and integrate them into mainstream banking. The service can be used to initiate fund transfers, view bank statements and make balance queries. A further advantage of this payment system is that it is also available in Hindi. However, this payment method can be used only for small-value transactions of up to Rs 5000, as per RBI guidelines.
In USSD, direct communication between the sender and the recipient is established, which promotes faster data transmission. USSD communication is session-oriented, easy to implement and comparatively user-friendly. The developer community prefers USSD channels for developing mobile payment applications because of these features.
How to use USSD?
- Provide KYC (Know Your Customer) information to open a new account
- Mobile number should be linked with the bank account
- Register for USSD/Mobile Banking
- Get MMID (Mobile Money Identifier)
- Get MPIN (Mobile PIN)
The various services offered are: Balance enquiry, Mini statement, Funds transfer (via MMID, A/c no. or Aadhaar), Know MMID, Change M-PIN, Generate OTP.
How to use USSD?
- This service can be used by dialling *99#, after which the customer can interact with an interactive menu through their mobile screen.
- To use the service, the customer's mobile number must be the same as the one linked to the bank account.
- The next step is to register for USSD, obtain an MMID (Mobile Money Identifier) and set an MPIN.
- Charges: NIL by the system; Rs. 0.50 charged to the customer.
Threats to USSD
As previously mentioned, each bank has a unique short-code, but this is also backed by unique infrastructure. In fact, nearly all mobile financial service providers (banks, mobile money operators, payment service suppliers, etc.) operate their own applications to provide USSD services to customers. The risk exposure of USSD transactions is therefore likely to increase, because each financial service provider uses its own technology and there is no universal standard across all channels.
More importantly, messages over USSD channels are not encrypted, leaving them vulnerable to interception and tampering.
USSD Command Request/Response Tampering
A malicious user can tamper with USSD command requests and responses. This may cause confusion for the legitimate user and can also lead to fraudulent transactions. Such request and response tampering is possible through hardware and software interceptors. Weakly encrypted request and response messages are the prime concern in this threat vector.
USSD Request/Response Message Replay Attacks
When a phone is lost, an adversary may perform fraudulent transactions through an installed USSD application. The application must authenticate the USSD request originator (through a combination of MSISDN, IMEI, PIN and a unique Message Tracking ID). If the USSD application server or application is unable to authenticate the request originator, the adversary can perform fraudulent transactions.
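The following is an added example, not code from the original article or from any bank or NPCI system, showing how a USSD application server can authenticate a request originator from the combination the text names (MSISDN, IMEI, PIN and a unique Message Tracking ID) and reject replays of an already-seen tracking ID. The registration table, request field names (`msisdn`, `imei`, `pin`, `tracking_id`, `timestamp`), the five-minute validity window and all sample values are assumptions constructed for the example.

```python
"""Added example (not from the article): server-side authentication of a
USSD request originator using MSISDN, IMEI, PIN and a unique Message
Tracking ID, with replay detection. The registration table, request
field names, validity window and sample values are all constructed."""
import hashlib
import hmac

REPLAY_WINDOW_S = 300  # constructed policy: a request is valid for 5 minutes


def pin_hash(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked registration table does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed registration table (MSISDN -> device binding and PIN hash).
# In a real deployment this would live in the bank's customer database.
_SALT = b"constructed-salt-0001"
REGISTERED = {
    "919800000001": {
        "imei": "356938035643809",
        "salt": _SALT,
        "pin_hash": pin_hash("4321", _SALT),
    },
}


class UssdAuthenticator:
    """Checks each request against the registered binding and refuses a
    Message Tracking ID that has already been accepted within the window."""

    def __init__(self, registry=REGISTERED, window_s: int = REPLAY_WINDOW_S):
        self.registry = registry
        self.window_s = window_s
        self._seen = {}  # tracking_id -> time the request was first accepted

    def _expire(self, now: float) -> None:
        # IDs older than the window can be forgotten: the timestamp check in
        # authenticate() already rejects any request that old.
        cutoff = now - self.window_s
        for tid in [t for t, ts in self._seen.items() if ts < cutoff]:
            del self._seen[tid]

    def authenticate(self, req: dict, now: float) -> tuple:
        """Return (accepted, reason). `now` is passed in so the check is testable."""
        self._expire(now)
        ts = req.get("timestamp")
        if ts is None or abs(now - ts) > self.window_s:
            return False, "stale request"
        rec = self.registry.get(req.get("msisdn", ""))
        if rec is None:
            return False, "unknown msisdn"
        # Constant-time comparisons so timing does not reveal which field failed.
        if not hmac.compare_digest(rec["imei"], req.get("imei", "")):
            return False, "device mismatch"
        if not hmac.compare_digest(rec["pin_hash"], pin_hash(req.get("pin", ""), rec["salt"])):
            return False, "bad pin"
        tid = req.get("tracking_id", "")
        if not tid:
            return False, "missing tracking id"
        if tid in self._seen:
            return False, "replayed tracking id"
        self._seen[tid] = now  # only authenticated requests populate the cache
        return True, "ok"


if __name__ == "__main__":
    auth = UssdAuthenticator()
    # Constructed request as the server would receive it from the USSD gateway.
    req = {"msisdn": "919800000001", "imei": "356938035643809", "pin": "4321",
           "tracking_id": "MT-0001", "timestamp": 1000.0}
    print(auth.authenticate(req, now=1000.0))   # accepted
    print(auth.authenticate(req, now=1001.0))   # same tracking ID again: rejected
```

The replay cache only ever holds IDs that passed authentication, so an unauthenticated sender cannot fill it with guessed IDs to block a legitimate user, and the timestamp bound keeps the cache small without reopening the window for old messages.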
USSD Server Response Tests
The USSD application server should respond properly to valid requests generated by an authenticated user. Weakly encrypted response messages, response delay and response exception handling (in case of buffer overrun or delivery notification) are the prime concerns in the USSD application server's response mechanism.
USSD Content Error Tests
Improper USSD content error-handling may reveal sensitive information about customer data, the USSD application and the service provider's sensitive data.
USSD Response Time Tests
Improper USSD response time implementation may result in delayed or tampered delivery notifications, transaction success messages and alerts.
Verify Strong Cryptographic Implementation
Weak cryptographic implementation for critical data (customer number, card numbers, PIN, beneficiary details such as account numbers, balance summary) allows that data to be tampered with, leading to fraudulent transactions.
Improper Session Management
In this case, an adversary gets physical access to a victim's phone which has a USSD application installed on it. The adversary may perform any malicious activity on financial transaction modules (e.g. send money) because session time-out is improperly implemented. This applies to all financial transaction modules.
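As an added example (not the article's or any provider's code), the session store below shows the time-out behaviour this threat calls for: a session ends after a period of inactivity and after an absolute lifetime regardless of activity, and the send-money module refuses to act on an expired session. The idle and absolute time-out values, the session field names and the sample flow are constructed; the Rs 5000 per-transaction cap is the limit the article cites from RBI guidelines.

```python
"""Added example (not from the article): USSD session store with idle and
absolute time-outs, and a send-money handler guarded by it. Time-out values,
field names and the sample flow are constructed for illustration."""
import secrets

IDLE_TIMEOUT_S = 90        # constructed: end a session after 90 s without input
ABSOLUTE_TIMEOUT_S = 600   # constructed: require re-authentication after 10 min
PER_TXN_LIMIT_INR = 5000   # small-value cap the article cites from RBI guidelines


class SessionStore:
    """Tracks live sessions keyed by an unguessable session identifier."""

    def __init__(self, idle_s: int = IDLE_TIMEOUT_S, absolute_s: int = ABSOLUTE_TIMEOUT_S):
        self.idle_s = idle_s
        self.absolute_s = absolute_s
        self._sessions = {}  # session_id -> {"msisdn", "started", "last_seen"}

    def start(self, msisdn: str, now: float) -> str:
        """Create a session once the caller has authenticated the user (e.g. by
        MPIN). Any earlier session for the same MSISDN is ended first, so a
        lost phone cannot keep an older session alive alongside a new one."""
        for sid, s in list(self._sessions.items()):
            if s["msisdn"] == msisdn:
                del self._sessions[sid]
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"msisdn": msisdn, "started": now, "last_seen": now}
        return sid

    def validate(self, sid: str, now: float):
        """Return the MSISDN for a live session, or None if the session is
        unknown, idle too long, or past its absolute lifetime. Expired
        sessions are removed so they cannot be revived by a later request."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_s or now - s["started"] > self.absolute_s:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["msisdn"]

    def end(self, sid: str) -> None:
        """Explicit logout or gateway-signalled session termination."""
        self._sessions.pop(sid, None)


def send_money(store: SessionStore, sid: str, amount_inr: int, beneficiary: str, now: float) -> str:
    """Financial module: every call re-validates the session before acting."""
    msisdn = store.validate(sid, now)
    if msisdn is None:
        return "REJECTED: session expired, re-authenticate with MPIN"
    if not 0 < amount_inr <= PER_TXN_LIMIT_INR:
        return f"REJECTED: amount must be between Rs 1 and Rs {PER_TXN_LIMIT_INR}"
    # A real implementation would post the debit here; this is a constructed stand-in.
    return f"OK: Rs {amount_inr} from {msisdn} to {beneficiary}"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.start("919800000001", now=0.0)           # constructed MSISDN
    print(send_money(store, sid, 500, "ACC-CONSTRUCTED-1", now=30.0))   # OK
    print(send_money(store, sid, 500, "ACC-CONSTRUCTED-1", now=200.0))  # idle too long
```

The idle limit is the control that matters for a phone picked up mid-session; the absolute limit bounds how long a session remains usable even when the attacker keeps it active by sending input.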
Best practices for users to remain safe
Avoid the following for safe and successful USSD banking:
- Do not reveal your PIN or BVN to a third party.
- Do not repeat a transaction that was delayed or interrupted by the network, because the transaction might already have been processed. If you repeat such a transaction, your account might be debited twice. All you need to do is wait for an hour or more for a notification about the transaction.
- Keep your phone charged so that it does not lose power in the middle of a transaction.
- Double-check the receiver's account number when transferring funds or paying a bill. Wait for the confirmation text from the bank that the transaction is successful.
- If no such confirmation arrives and your account has been debited, contact your bank immediately to resolve the transaction.
- In the case of a transfer, call the receiver to confirm receipt of the funds. If the answer is no and your account has been debited, contact your bank immediately to resolve it.