General Musing

blaze your trail

USSD – A Mobile Payment Solution? #mobile


Somebody sent me a nice demo of what Barclays in India is implementing, or has implemented, using Unstructured Supplementary Service Data (USSD).

USSD is part of the GSM standard and behaves more like a real-time messaging service: unlike SMS, no data is stored on the mobile or in the network. All the data still travels over the same channel of the GSM network, and is therefore still inherently insecure because of the fundamental flaws in GSM's encryption methodology.

One advantage over SMS is that nothing sits in between to store messages, so each one must be answered immediately. The back-end application is responsible for message handling, as the whole exchange is session oriented. There are both push and pull methods, meaning communication can be initiated from either the mobile or the network. IMHO this still leaves it susceptible to a man-in-the-middle attack.

Do banks consider this acceptable risk? Or do they just not know the whole truth?


Written by Daniël W. Crompton (webhat)

August 1, 2008 at 1:15 pm

Posted in mobile, network, risk, security


One Response


  1. First National Bank in South Africa has had USSD banking running for a couple of years now. They take the approach that on the USSD interface you can only make payments to existing beneficiaries, and also view balances. They also never allow two pieces of corresponding critical data to be sent in the same message, i.e. the account number and PIN will never be in the same message – this makes it that much more difficult for a technician to intercept the data – although anyone can just “grep” for an MSISDN…

    FNB has now put their own gateways in at the networks, and maintains control over them – it is thus theoretically quite a bit safer now.


    August 4, 2008 at 5:46 am
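As an added illustration (not the blog's, Barclays' or FNB's code) of the session-oriented back end described in the post and the design rules the comment attributes to FNB: a toy Python USSD session handler in which the MSISDN, not the handset, identifies the account, payees can only be picked from a pre-registered list, and the PIN is always requested in a message of its own. The MSISDN, account, PIN and beneficiaries are constructed sample values, and the session timeout is an assumption.

```python
import time

SESSION_TTL = 60  # seconds; USSD is session-oriented, so an idle session is dropped

# Constructed sample data: the MSISDN is bound to an account on the back end, so the
# handset never sends an account number; payees are pre-registered out of band.
ACCOUNTS = {"27820000001": {"balance": 1500, "pin": "4321",
                            "beneficiaries": {"1": "Electricity", "2": "Landlord"}}}

class UssdSession:
    def __init__(self, msisdn, now=None):
        self.acct = ACCOUNTS[msisdn]
        self.state, self.data = "MENU", {}
        self.last = time.time() if now is None else now

    def handle(self, text, now=None):
        """Apply one handset message and return the reply; every step is one message."""
        now = time.time() if now is None else now
        if self.state == "CLOSED" or now - self.last > SESSION_TTL:
            self.state = "CLOSED"
            return "Session ended"
        self.last = now
        if self.state == "MENU":
            if text == "1":
                self.state, self.data = "PIN", {"op": "balance"}
                return "Enter PIN"
            if text == "2":
                self.state = "BENEFICIARY"
                return "Pay to: " + " ".join(f"{k}={v}" for k, v in self.acct["beneficiaries"].items())
            return "1=Balance 2=Pay"
        if self.state == "BENEFICIARY":
            if text not in self.acct["beneficiaries"]:  # menu choice only, never a typed account number
                self.state = "CLOSED"
                return "Unknown beneficiary"
            self.state, self.data = "AMOUNT", {"op": "pay", "to": text}
            return "Enter amount"
        if self.state == "AMOUNT":
            if not text.isdigit() or not 0 < int(text) <= self.acct["balance"]:
                self.state = "CLOSED"
                return "Invalid amount"
            self.state, self.data["amount"] = "PIN", int(text)
            return "Enter PIN"  # the PIN travels alone in the next message
        # state == "PIN": this message carries the PIN and nothing else
        self.state = "CLOSED"
        if text != self.acct["pin"]:
            return "Wrong PIN"
        if self.data["op"] == "balance":
            return f"Balance {self.acct['balance']}"
        self.acct["balance"] -= self.data["amount"]
        return f"Paid {self.data['amount']} to {self.acct['beneficiaries'][self.data['to']]}"
```

None of this hardens the GSM channel itself; it only limits what a single intercepted message reveals and what one session is allowed to do.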
