Mabinu Oyeleke (Not real names), who owns an account with First Bank Nigeria, had in June 2020 noticed some mysterious USSD transfer activities on her account.
Someone had breached her account using her USSD to make seven transfers until it remained N233. She had tried to stop the perpetrator(s) by deactivating her former line which was registered and used for the USSD transfers, but this did not yield any fruit as the account was not deactivated.
She and her uncle reported the unapproved transactions to the Abuja branch of the bank where she was promised an investigation of the incident and feedback in two weeks.
Oyeleke’s case is not an isolated case, as many more people live through this experience almost on a daily basis.
In 2019, the Nigerian Communications Commission (NCC) had acknowledged that illegal Subscriber Identification Module (SIM) swaps and Unstructured Supplementary Service Data (USSD) frauds ranked among the most serious cyber threats in the telecommunications industry.
“Fraudsters conduct illegal SIM swap of targeted individuals and then, conduct USSD-based transactions which cost the victims huge losses,” Adeleke Adewolu, Executive Commissioner, Stakeholder Management (ECSM) of the NCC had said.
Also in 2019, fraud claims accounted for a major share of N3.093 billion Nigerian banks paid to customers. Other claims included excess and unauthorised charges; guarantees; dispense errors and funds transfers.
How USSD works
USSD is a service that runs on GSM networks, not on the internet like a traditional website. Websites operate based on a protocol called Internet Protocol (IP).
USSD offers a connection between a phone and an application connected to the mobile network in real-time. Thus, USSD does not require internet access to function. This is why it is projected as a critical tool in driving financial inclusion in Nigeria and across Africa.
It is much faster than SMS because it is session-based. On completion of a USSD session, no message is stored on the mobile network or on the user’s device. It’s almost like the session never happened. Unlike ‘noisy’ SMS which moves messages round the mobile network and also stores copies of messages on the sender and receiver’s device. This makes USSD cheaper to implement, moreso a lot of telcos do not charge for it.
USSD transactions by bank customers grew by 35 percent to reach N261.7 billion in 2018 from N92.4 million the previous year, according to a report from Nigeria Interbank Settlement Scheme (NIBSS).
USSD fraud explained
While many businesses including banks have experts that understand how the internet protocol works, their knowledge, however, does not help in understanding how GSM networks operate, says a USSD expert who spoke to BusinessDay on condition of anonymity.
According to the expert, GSM networks operate on a separate protocol called SS7, which is very different from IP, and few teams have personnel that understands how GSM Networks function.
Signalling System No 7 (SS7) refers to a system that connects one mobile phone network to another. It is a set of protocols that allows phone networks to exchange information needed for passing calls and text messages between each other and to ensure correct billing. SS7 also allows users on one network to roam on another network, like when they are traveling in a foreign country. It is used by over 800 global telecommunication companies including those in Nigeria.
A hacker who is able to break into the SS7 system can easily access the same amount of information and snooping capabilities as security services which leave any owner of the mobile phone vulnerable. Access to SS7 is the easiest way to bypass two-factor authentication.
A solution for USSD fraud?
According to GSMA’s SS7 Vulnerability and Attack Exposure Report 2018, all the networks are prone to vulnerabilities caused by occasional incorrect setup of equipment or faults in SS7 network architecture that cannot be eliminated using existing tools.
“Only a comprehensive approach that combines security analysis, network setup maintenance, regular monitoring of signaling traffic, and timely detection of illegitimate activities can
ensure a higher level of protection against criminals,” the report noted.
One Nigerian startup, Ptrikey has developed a framework that serves as a guideline to teams developing USSD applications, to ensure best coding practices are followed, preventing software bugs.
“Initially, Many Telecom companies thought SS7 attack as a low-level risk, but some unknown hackers have already proved them wrong by exploiting the flaws in it. So, It is always advised to stay safe and secured with your digital data,” said Vasanth Vanan, an information security expert.