Page 21 - Security testing for USSD and STK based Digital Financial Services applications Security, Infrastructure and Trust Working Group
using USSD to send a fraudulent message to the user, spoofing the identity of the financial service provider and luring the user into divulging sensitive information such as their account number and PIN code. For example, to phish these credentials, the attacker sends a phishing USSD message such as the one in Figure 12 below.

Figure 12 - Using USSD to socially engineer the user

An attacker with access to the SS7 network can send USSD messages to any network. Since there is no identification in the USSD message, and the user is used to receiving such messages from the network, trust is achieved and the user divulges their account number and PIN. From there on, the attacker logs into the account and transfers the funds out.

3.8 SIM clone attack

The goal of this test is to assess whether an attacker who can clone a SIM card can successfully authenticate the cloned SIM to the mobile money service and make fraudulent transactions. This attack may only be possible on SIM cards that support the obsolete algorithm COMP128v1. SIM cloning can be simulated using the open-source pySIM [12].
4 BEST PRACTICES TO MITIGATE USSD AND STK THREATS
This section outlines the best practices that DFS providers and mobile network operators can deploy to avert the threats and attacks against USSD and STK based DFS implementations.