The structural vulnerabilities of USSD
Unlike API-driven mobile apps protected by TLS, Unstructured Supplementary Service Data (USSD) was designed for basic telecom signaling, not secure financial transactions. When a user dials a code like `*123#`, the session travels unencrypted over the GSM network to the Mobile Network Operator (MNO), which then forwards the payload via API to your fintech backend.
Unencrypted Air Interface
The communication between the mobile device and the cell tower is largely unencrypted. Attackers with hardware like IMSI catchers can intercept the session data, including PINs entered during the session.
SIM Swap Dependency
Because the MSISDN (phone number) is the primary identifier, USSD applications are acutely vulnerable to SIM swap fraud. If an attacker controls the number, they control the account.
Session State Exploitation
USSD relies on strict session states. Poorly managed state handling on the backend can allow attackers to bypass menus, replay steps, or manipulate transaction logic.
Attack vectors specific to USSD
USSD push fraud
Attackers initiate a transaction on a web platform and then trigger a USSD push to the victim's phone. If the victim is confused and enters their PIN, the attacker's transaction is authorized. This social engineering tactic relies on the immediacy and intrusive nature of USSD prompts.
Menu traversal and state manipulation
During an API security assessment, we test the backend endpoints processing the USSD payloads. We manipulate the session parameters (e.g., `sessionId`, `serviceCode`, `text`) to see if we can skip the PIN verification step or access hidden administrative menus that the developer forgot to disable in production.
Session timeout exploitation
CBN guidelines and best practices dictate that USSD sessions must time out quickly (typically within 2 minutes) to prevent unauthorized access if the device is stolen while a session is active. We test the enforcement of these timeouts on the backend to ensure a stale session ID cannot be reused.
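As an added example (not code from the original page or any named gateway), the following Python USSD callback handler shows the backend controls that the state-manipulation and session-timeout tests above probe: the next step is decided by server-side session state and the last menu token only, never by the cumulative `text` path the gateway forwards, and a session id is refused once it is older than the two-minute limit or is presented by a different MSISDN. The parameter names, the PIN store and the phone numbers are assumptions constructed for the demo.

```python
import hashlib
import hmac
import re
import time

SESSION_TTL = 120  # seconds; the "within 2 minutes" timeout from the text
_sessions = {}     # sessionId -> server-side state (production: a store with TTL)
_TOKEN_RE = re.compile(r"[0-9]{1,6}")
# Constructed sample PIN store for the demo; a real backend keeps PINs in an HSM
# or behind a slow hash, never as a plain digest like this.
_PIN_STORE = {"2348000000001": hashlib.sha256(b"1234").hexdigest()}

def _pin_ok(msisdn, pin):
    digest = hashlib.sha256(pin.encode()).hexdigest()
    return hmac.compare_digest(digest, _PIN_STORE.get(msisdn, ""))

def handle(session_id, msisdn, text, now=None):
    """One USSD request. The next step is decided by server-side state and the
    last '*' token only; the cumulative path ('1*500*1234') is never trusted."""
    now = time.time() if now is None else now
    sess = _sessions.get(session_id)
    if sess is None:
        if text != "":                      # a new session must start at the root menu
            return "END Invalid request."
        _sessions[session_id] = {"state": "MENU", "msisdn": msisdn, "last": now}
        return "CON 1. Send money\n2. Balance"
    if now - sess["last"] > SESSION_TTL or sess["msisdn"] != msisdn:
        _sessions.pop(session_id)           # stale or foreign session id: refuse, never resume
        return "END Session expired."
    sess["last"] = now
    token = text.rsplit("*", 1)[-1]
    if not _TOKEN_RE.fullmatch(token):      # strict validation: short digit strings only
        _sessions.pop(session_id)
        return "END Invalid input."
    if sess["state"] == "MENU":
        if token == "1":
            sess["state"] = "AMOUNT"
            return "CON Enter amount"
        if token == "2":
            _sessions.pop(session_id)
            return "END Balance available in app."
        return "END Invalid option."
    if sess["state"] == "AMOUNT":
        sess["amount"] = int(token)
        sess["state"] = "PIN"
        return "CON Enter PIN"
    _sessions.pop(session_id)               # PIN step is terminal whether it succeeds or fails
    if _pin_ok(msisdn, token):
        return f"END Sent {sess['amount']} from {msisdn}"
    return "END Wrong PIN"
```

Because the PIN check only runs when the server-side state is already `PIN`, a crafted `text` such as `1*500*1234` sent on a fresh session is rejected at the root-menu check instead of authorizing a transfer.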
Mitigation and defense strategies
Because you cannot secure the air interface, defense must be concentrated at the API and application logic layers.
- IMSI checking: Integrate with the MNO's API to check the International Mobile Subscriber Identity (IMSI). If the IMSI associated with the phone number has changed recently, block high-value USSD transactions. This is the most effective defense against SIM swap fraud.
- Strict input validation: The USSD `text` payload is user input. It must be strictly validated and sanitized on the backend to prevent injection attacks (SQLi, Command Injection) targeting the database.
- Transaction limits and velocity checks: Enforce strict daily limits and velocity checks on USSD channels. Anomalous activity should trigger an automatic block and require in-app or physical branch verification.
- Second-factor logic: Do not rely solely on the USSD PIN for critical actions like password resets or adding new beneficiaries. Require out-of-band verification.
CBN Guidelines on USSD
The CBN's regulatory framework for USSD services explicitly requires that financial institutions implement robust end-to-end encryption between their gateway and the MNO, enforce strict session timeouts, and conduct regular vulnerability assessments of the USSD infrastructure.