How NCC's jurisdiction reaches fintech
NCC's primary jurisdiction is over MNOs — MTN, Airtel, Glo, and 9mobile. But NCC's regulatory reach extends to value-added service providers and to any entity that uses telecom infrastructure to deliver financial services. When a fintech delivers an OTP via SMS, it is using a regulated telecom service. When a fintech offers USSD banking through a short code licensed from an MNO, it is operating a regulated telecom product.
NCC has increasingly taken the position that when SMS OTP fraud or USSD exploitation affects Nigerian consumers, the fintech — not just the MNO — must demonstrate that it implemented adequate security controls in its use of the telecom channel. An NCC inquiry following a large-scale SIM swap fraud event will ask the fintech what technical controls it had in place to detect SIM swaps and what alternative authentication it offered users. Absence of adequate controls in these answers is a regulatory finding.
1. SMS OTP security testing
We test the application-layer security of SMS OTP implementations. The common findings we target are: OTP entropy too low (6-digit numeric OTP is 1-in-1,000,000 odds, but many implementations use only 4 digits — 1-in-10,000), OTP validity window too long (OTPs that are valid for 10 minutes give attackers a large window for SIM swap exploitation — 2 minutes is the maximum for high-value authentication), no rate limiting on OTP verification attempts (allows brute-force of the OTP space), and OTP reuse after successful verification (a correctly entered OTP should be immediately invalidated — some implementations accept the same OTP multiple times within the validity window).
2. USSD session security testing
USSD banking sessions on Nigerian MNO infrastructure have several inherent security characteristics that fintechs must design around: USSD sessions are unencrypted at the radio layer, USSD strings are visible to MNO network operations staff, USSD sessions can be intercepted by sophisticated actors with access to GSM signalling infrastructure. We test USSD applications for: sensitive data exposure in USSD menus (account numbers, balances, or PINs displayed in menus that could be visible in screenshot or share scenarios), session fixation (whether a USSD session can be hijacked after initiation), and timeout enforcement (sessions that do not time out after inactivity leave a device's USSD session accessible to anyone who picks up the phone).
3. SIM swap detection and fallback authentication
We audit whether the fintech's authentication system has any detection capability for SIM swap events. The detection mechanisms available to Nigerian fintechs include: querying the MNO's SIM swap API (available through some MNOs for verified partners), checking the SIM MSISDN's SIM change timestamp before sending an OTP, and flagging authentication attempts where the device fingerprint has changed since the last successful authentication on the same account.
Beyond detection, we assess whether the fintech offers fallback authentication methods that do not rely on SMS. For high-value transactions, relying exclusively on SMS OTP is a single-point-of-failure design decision that has already resulted in significant fraud losses for Nigerian fintech users. App-based TOTP (Google Authenticator or equivalent), biometric authentication, and hardware tokens are all alternatives that are not affected by SIM swap attacks.
4. USSD short code security and session isolation
Fintechs offering USSD banking own or lease a short code from an MNO. We test whether the USSD application enforces strict session isolation — each user's session state must be completely isolated from other concurrent sessions. We also test for USSD session fixation: can an attacker initiate a USSD session and then transfer the session state to a victim who subsequently enters their PIN into what they believe is a fresh session?
USSD session did not timeout, exposing authenticated menu to next caller
During a security assessment of a Nigerian bank's USSD banking channel, we initiated a USSD session and authenticated with a valid PIN. We then abandoned the session without selecting a menu option or ending the session. We waited 15 minutes and reconnected to the same USSD short code from the same SIM. The session resumed from the authenticated main menu — without requiring re-authentication. An attacker who borrows or steals a phone after a user has used the USSD banking channel without logging out has immediate access to the authenticated session for at least 15 minutes. In Nigerian usage contexts — shared devices, brief lending of phones — this is a realistic attack scenario. Fix priority: high. Remediated by implementing a 90-second session timeout with automatic termination and requiring re-authentication for any new USSD dial-in, even if a previous session was active.
Using USSD or SMS OTP for authentication in Nigeria? Book a security assessment of your telecom channel before NCC or CBN inquiry forces a reactive review.
Book a USSD and OTP Security AuditFrequently asked questions
Is NCC regulation relevant to fintechs that only use SMS OTP from a third-party provider?
Yes. When a fintech uses Twilio, Termii, or a similar SMS provider that routes messages through MTN, Airtel, or Glo, NCC's jurisdiction extends to the quality and security of that channel. NCC has jurisdiction over the network-level delivery. The fintech is responsible for the application-level security of how the OTP is generated, delivered, validated, and expired.
What specific NCC obligations apply to USSD-based banking products?
NCC's Quality of Service regulations require that USSD sessions are terminated securely after a defined timeout, that session state is not retained on the network after termination, and that USSD applications do not expose sensitive data in session strings that could be intercepted. NCC has also issued guidelines on USSD fraud liability that create a shared responsibility framework between the fintech, the bank, and the MNO.
What is SIM swap fraud and who is responsible for it under Nigerian law?
SIM swap fraud occurs when an attacker convinces an MNO to transfer a victim's phone number to an attacker-controlled SIM card. The attacker then receives the victim's SMS OTPs. NCC has issued directives requiring MNOs to implement additional verification before processing SIM swap requests. However, fintechs that rely exclusively on SMS OTP and do not implement fallback controls (app-based TOTP, biometric verification, step-up authentication for high-value transactions) bear shared responsibility for losses when SIM swap fraud is used against their users.
Related reading
Blog: USSD session hijacking Nigeria · SIM swap defense testing · OTP fallback vulnerabilities
Services: Penetration testing · Authentication security