USSD – A Mobile Payment Solution? #mobile
Somebody sent me a nice demo of what Barclays in India is implementing, or has implemented, using Unstructured Supplementary Service Data (USSD).
USSD is part of the GSM standard and behaves more like a real-time messaging service: unlike SMS, no data is stored on the mobile or in the network. All the data still travels over the same channel of the GSM network, and is therefore still inherently insecure, because of the fundamental flaws in GSM's encryption methodology.
One advantage over SMS is that nothing sits in between to store messages, so they must be answered immediately. The back-end application is responsible for the message handling, as the whole exchange is session oriented. There are both push and pull methods, meaning communication can be initiated from either the mobile or the network. IMHO this still leaves it susceptible to a man-in-the-middle attack.
Do banks consider this acceptable risk? Or do they just not know the whole truth?
technorati tags: gsm, mobile, barcleys, ussd, security, sms, risk
First National Bank in South Africa has had USSD banking running for a couple of years now. They take the approach that on the USSD interface you can only make payments to existing beneficiaries, and also view balances. They also never allow two pieces of corresponding critical data to be sent in the same message, i.e. the account number and PIN will never be in the same message – this makes it that much more difficult for a technician to intercept the data – although anyone can just “grep” for an MSISDN…
FNB has now put their own gateways in at the networks, and maintains control over them – it is thus theoretically quite a bit safer now.
Brendan
August 4, 2008 at 5:46 am
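The post says the back end owns all the dialogue state because USSD is session oriented, and the comment above describes a bank's mitigations for an insecure bearer: payments only to pre-registered beneficiaries, and the account number and PIN never in the same message. The following is an added illustration of those two points as a toy USSD banking back end; it is not code from the post, the comment, FNB or Barclays. The subscriber numbers, PINs, balances, beneficiary list and the 60-second idle limit are all constructed for the example, and the `(reply, session_continues)` return shape stands in for whatever a real gateway uses.

```python
"""Toy session-oriented USSD banking back end (added example, constructed data)."""
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data, keyed by subscriber number (MSISDN).
BALANCES = {"27820000001": 500.00}
PINS = {"27820000001": "4321"}
# Pre-registered beneficiaries: the menu only ever offers these, so the
# session never carries a free-form destination account number.
BENEFICIARIES = {"27820000001": {"1": "Electricity", "2": "Landlord"}}

SESSION_TIMEOUT = 60.0  # seconds; assumed idle limit, real networks use their own
MAX_PIN_TRIES = 3


@dataclass
class Session:
    msisdn: str
    state: str = "menu"
    last_seen: float = 0.0
    beneficiary: Optional[str] = None
    amount: float = 0.0


class UssdBackend:
    """Holds all dialogue state server-side; each message carries one field only."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now  # injectable clock so idle expiry can be exercised offline
        self.sessions: dict[str, Session] = {}
        self.pin_failures: dict[str, int] = {}
        self.audit: list[tuple[str, str, float]] = []

    def handle(self, session_id: str, msisdn: str, text: str) -> tuple[str, bool]:
        """Process one USSD message; return (reply, session_continues)."""
        now = self.now()
        sess = self.sessions.get(session_id)
        if sess is None:
            # First message of a dialogue: create state and show the root menu.
            self.sessions[session_id] = Session(msisdn=msisdn, last_seen=now)
            return "1 Balance\n2 Pay beneficiary", True
        if now - sess.last_seen > SESSION_TIMEOUT:
            # Nothing is queued in USSD; an unanswered dialogue simply dies.
            del self.sessions[session_id]
            return "Session expired. Dial again.", False
        sess.last_seen = now
        handler = getattr(self, f"_state_{sess.state}")
        return handler(session_id, sess, text.strip())

    def _end(self, session_id: str, reply: str) -> tuple[str, bool]:
        self.sessions.pop(session_id, None)
        return reply, False

    def _pin_ok(self, msisdn: str, pin: str) -> bool:
        # Lock out after MAX_PIN_TRIES consecutive failures per subscriber.
        if self.pin_failures.get(msisdn, 0) >= MAX_PIN_TRIES:
            return False
        if pin == PINS.get(msisdn):
            self.pin_failures[msisdn] = 0
            return True
        self.pin_failures[msisdn] = self.pin_failures.get(msisdn, 0) + 1
        return False

    def _state_menu(self, sid, sess, text):
        if text == "1":
            sess.state = "balance_pin"
            return "Enter PIN", True  # the PIN travels alone in the next message
        if text == "2":
            bens = BENEFICIARIES.get(sess.msisdn, {})
            if not bens:
                return self._end(sid, "No registered beneficiaries.")
            sess.state = "pick_beneficiary"
            return "\n".join(f"{k} {name}" for k, name in bens.items()), True
        return "Invalid choice.\n1 Balance\n2 Pay beneficiary", True

    def _state_balance_pin(self, sid, sess, text):
        if not self._pin_ok(sess.msisdn, text):
            return self._end(sid, "Invalid PIN.")
        # Reply shows the balance but never echoes an account number.
        return self._end(sid, f"Balance: R {BALANCES[sess.msisdn]:.2f}")

    def _state_pick_beneficiary(self, sid, sess, text):
        if text not in BENEFICIARIES.get(sess.msisdn, {}):
            return self._end(sid, "Unknown beneficiary.")
        sess.beneficiary = text
        sess.state = "amount"
        return "Amount:", True

    def _state_amount(self, sid, sess, text):
        try:
            amount = float(text)
        except ValueError:
            return "Invalid amount. Amount:", True
        if amount <= 0 or amount > BALANCES[sess.msisdn]:
            return self._end(sid, "Amount not allowed.")
        sess.amount = amount
        sess.state = "pay_pin"
        return "Enter PIN", True

    def _state_pay_pin(self, sid, sess, text):
        if not self._pin_ok(sess.msisdn, text):
            return self._end(sid, "Invalid PIN.")
        name = BENEFICIARIES[sess.msisdn][sess.beneficiary]
        BALANCES[sess.msisdn] -= sess.amount
        self.audit.append((sess.msisdn, name, sess.amount))
        return self._end(sid, f"Paid R {sess.amount:.2f} to {name}.")
```

Driving it from a script (`b = UssdBackend(); b.handle("s1", "27820000001", "")` and so on) shows the shape of the exchange: every step is a single short message, the beneficiary is chosen from a server-side list rather than typed as an account number, the PIN is the only content of its message, and an idle dialogue expires rather than being queued. None of this changes the point of the post: the messages still cross the GSM channel as-is, so these controls limit what an interceptor gains from any one message rather than making the bearer secure.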