Eyeline Communications

USSD Security.

OK, it seems there is a lack of information on USSD security. With growing interest in mobile payments and banking, we really have to clear this one up. If you are not familiar with USSD, read basic facts about it here.

There are two ways for villains to sniff the data: over the air and when it is stored on servers. The thing is, the USSD signal itself is not encrypted when it is transferred over the air. People talk a lot about this being a big security hole. But the GSM channel that carries the signal has built-in encryption, authentication, authorization and accounting protocols. It is not an easy thing to hack. It will cost a copious amount of cash to buy equipment that can do it. And then the villains have to chase you wherever you go to trace the signal. And then you make a ten-dollar transaction.

Aghh, too much hassle, right?

Imagine that the bad guys had no success with your ten bucks. Then your signal arrives at the operator, where the data is decrypted within the network. No need to panic, as operators have their own security systems. If you need it, you can ask for end-to-end encryption, where data is encrypted all the way from the user to your service. Governments usually don’t allow operators to do it, though, as they are quite curious.

Now, all the aforementioned stuff applies to SMS as well. So USSD is at least as secure as SMS, which is the most popular format for mobile commerce. But unlike SMS, USSD is not stored on servers for months and years to come, and it doesn’t leave traces on your mobile phone, as it is session-based.

Nobody really questions SMS, just as nobody really questions the security of credit cards. Well, maybe someone does, but the cards are still widely used. This month a San Francisco man was sentenced to 13 years in federal prison for stealing 1.8 million bank and credit card numbers. Guess what? Banks are still there and credit cards are alive and well. It is instilled in people’s minds that they are safe, so they continue to use them. Thus finding holes in USSD is not the best idea: there are plenty of popular types of money transactions that are often hacked but still widely used.

The point is that it is useless to discuss the security of USSD outside the context of a service. First you need to define what your service is and what money is being transferred. With default settings, USSD may not be secure enough for a one-million-dollar transaction, so you will have to adjust the channel for your particular needs. Remember also that the scenario for a service can provide a high level of security by itself.

Follow these steps if you are thinking of using USSD:

1. Specify the sum of money.

The level of security depends on the amount of money involved. If your service uses micro/small payments, then standard GSM security is enough. For bigger transactions you would probably want to install additional encryption. Remember, though, that better locks cost more, so count your money too.

2. Analyze network infrastructure.

Look at the whole network and see which parts of it don’t meet your security requirements. This may be the part where a signal goes from the mobile user to the operator’s server and then to your server. In this case, you can encourage users to install Java applications to enhance the level of security.

If you are concerned about potential insecurity within the operator’s network, negotiate your needs with the operator. Keep in mind that in many countries encryption/decryption of data within an operator is regulated by the government.

Finally, don’t forget about protecting your own service.

3. User experience is numero uno.

You can bury your business if clients have to go through numerous steps to install protection, such as going to different offices, buying a new SIM card, etc. Keep the balance between security and user experience. People want it simple.

4. Tell everybody how safe you are.

Make people trust your service by executing a marketing campaign, giving them guarantees, etc.

Don’t put security at the top; look at USSD from the point of view of business opportunity. It certainly can provide you with one.

We’ll certainly come back to this topic again later.

Comments

2 Responses to “USSD Security.”
  1. H. says:

    Nikita, interesting point of view. Just one additional point though…when talking about man-in-the-middle attacks, they’re not just restricted to people who might sniff the data over-the-air. I agree that it would be insane for someone to invest in doing that! The bigger threat comes from within. Even if it’s not a store and forward, the USSD gateway needs to route all the information to the back-ends. While it might send the information to the banking system through a secure link, it cannot prevent someone from taking a dump of the USSD, and replicating a command to the back-end. This process isn’t expensive at all! =)

    Regarding SMS, totally agreed that it’s almost the same as USSD. However, the clear winner could be an encrypted SMS, which (even if sniffed in the middle) can ensure that no information is decrypted till it reaches the banking server.

  2. Ivan Komarov says:

    Good point. It is best to encrypt the information, end to end.
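
The replay risk raised in the first comment (a command copied from a USSD gateway dump and re-sent to the back-end) can be checked at the back-end, as in this added example, which is not code from the post, its commenters or Eyeline. It uses an HMAC plus a per-subscriber counter rather than encryption, and assumes a handset application (such as the Java application the article mentions) holds a per-subscriber key; all names, the key, the MSISDN and the command format are constructed for illustration.

```python
import hashlib
import hmac

# Constructed values for illustration only (not from the post).
DEMO_MSISDN = "15550100"
DEMO_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 120


def sign_command(key, msisdn, counter, timestamp, command):
    """Handset side: bind the command to subscriber, counter and time."""
    msg = f"{msisdn}|{counter}|{timestamp}|{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class BackendVerifier:
    """Back-end side: accept each authenticated command at most once."""

    def __init__(self, keys):
        self.keys = keys          # msisdn -> per-subscriber key
        self.last_counter = {}    # msisdn -> highest counter accepted

    def verify(self, msisdn, counter, timestamp, command, tag, now):
        key = self.keys.get(msisdn)
        if key is None:
            return "reject: unknown subscriber"
        expected = sign_command(key, msisdn, counter, timestamp, command)
        if not hmac.compare_digest(expected, tag):
            return "reject: bad MAC"       # altered or forged in transit
        if abs(now - timestamp) > MAX_AGE_SECONDS:
            return "reject: stale"         # old capture sent much later
        if counter <= self.last_counter.get(msisdn, -1):
            return "reject: replay"        # exact copy of a used command
        self.last_counter[msisdn] = counter
        return "accept"


def demo():
    """Original request, a copy from a gateway dump, and an edited copy."""
    backend = BackendVerifier({DEMO_MSISDN: DEMO_KEY})
    t = 1_700_000_000
    tag = sign_command(DEMO_KEY, DEMO_MSISDN, 1, t, "PAY*10*merchant42")
    return [
        backend.verify(DEMO_MSISDN, 1, t, "PAY*10*merchant42", tag, t + 2),
        backend.verify(DEMO_MSISDN, 1, t, "PAY*10*merchant42", tag, t + 30),
        backend.verify(DEMO_MSISDN, 2, t, "PAY*900*merchant42", tag, t + 31),
    ]


if __name__ == "__main__":
    print(demo())
```

The MAC gives authenticity and replay rejection only; confidentiality of the command would still need the end-to-end encryption the comments call for.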
