Security testing for USSD and STK based Digital Financial Services applications
Security, Infrastructure and Trust Working Group










            1  INTRODUCTION

            Digital Financial Services providers have increasingly utilized the Unstructured Supplementary Service Data (USSD) and SIM Tool Kit (STK) channels to enhance the growth and adoption of Digital Financial Services (DFS), primarily in the developing world. The GSMA estimated that in Africa, over 90 percent of mobile money transactions are driven by USSD [1]. Several large-scale DFS operators, such as bKash in Bangladesh, Wing in Cambodia, Easy Paisa in Pakistan, Tigo and M-Pesa in Tanzania and Kenya, EcoCash in Zimbabwe, MTN Mobile Money in Africa and the Middle East, and Airtel Money in Africa and Asia, use USSD and STK as their primary mechanism for communication between customers and their digital financial services platforms.

            This document highlights security threats and vulnerabilities of DFS services based on USSD and STK. It proposes best practices for DFS providers, Mobile Network Operators, and DFS users that operate in these environments.

            Services provided over the USSD and STK channels include account opening, money transfer, bill payment, and balance inquiries. Traditional banks can now also extend the reach of their branches through the USSD and STK channels via their agent banking networks.

            The uptake and use of USSD and STK have mainly hinged on:

            1.  Mobile device-agnostic: USSD and STK based DFS solutions are device-independent. They can be used on smartphones, feature phones, and basic mobile phones, thereby guaranteeing service and smooth adoption without changing the mobile device.
            2.  Speed: USSD is fast and responsive, giving the much-needed real-time capability for digital financial services.
            3.  Cost and efficiency: Deploying DFS services over STK and USSD uses existing network protocols. The DFS provider or mobile network operator can make use of the already existing USSD gateway (USSD GW) without requiring any upgrades on the network to roll out digital financial services.
            4.  Interactive: USSD and STK are session-based and can enable user-friendly, menu-driven applications that are vital for the digital financial services product catalog.
            5.  Home routing: USSD messages are routed via the subscriber's home network, so the USSD services available to a subscriber remain available while roaming, without any extra charges.
            6.  The USSD and STK protocols do not store any confidential information on the mobile handset; session state is held on the network side.
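The session-based, menu-driven model in points 4 and 6 is easiest to see in a small server-side handler. The following is an added example, not code from the Working Group document or from any operator's platform: the handset only renders each screen and sends the user's keypad entry, while the menu position, recipient, amount and PIN attempt count live at the gateway/DFS platform and are discarded when the session ends. The (session_id, msisdn, text) callback shape, the "CON"/"END" screen prefixes, the session timeout and the sample subscribers are assumptions modelled on common USSD gateway conventions, not a specific vendor's interface.

```python
"""Server-side USSD menu session handler (added example, assumptions noted inline)."""
import hmac
import time
from dataclasses import dataclass, field

SESSION_TIMEOUT_S = 180   # assumed: network USSD sessions are short-lived
MAX_PIN_ATTEMPTS = 3      # lock the session after repeated wrong PINs


@dataclass
class Session:
    msisdn: str
    started: float = field(default_factory=time.monotonic)
    step: str = "main"                      # menu position lives server-side, not on the handset
    data: dict = field(default_factory=dict)
    pin_attempts: int = 0


class UssdApp:
    def __init__(self, balances, pin_verifier):
        self.balances = balances            # msisdn -> balance (constructed sample data)
        self.verify_pin = pin_verifier      # callable(msisdn, pin) -> bool, e.g. an HSM-backed check
        self.sessions = {}

    def handle(self, session_id, msisdn, text):
        """Process one keypad entry and return the next screen.
        'CON ' keeps the session open, 'END ' closes it (assumed gateway convention)."""
        s = self.sessions.get(session_id)
        if s is None:
            self.sessions[session_id] = Session(msisdn)
            return "CON Welcome\n1. Send money\n2. Check balance"
        # Bind the session to the MSISDN it started with and expire stale sessions.
        if time.monotonic() - s.started > SESSION_TIMEOUT_S or s.msisdn != msisdn:
            del self.sessions[session_id]
            return "END Session expired. Please dial again."
        screen = self._step(s, text.strip())
        if screen.startswith("END"):
            del self.sessions[session_id]   # nothing about the session persists anywhere but here
        return screen

    def _step(self, s, inp):
        if s.step == "main":
            if inp == "1":
                s.step = "recipient"
                return "CON Enter recipient number"
            if inp == "2":
                return f"END Balance: {self.balances.get(s.msisdn, 0)}"
            return "END Invalid option"
        if s.step == "recipient":
            if not (inp.isdigit() and 9 <= len(inp) <= 15):
                return "END Invalid number"
            s.data["to"] = inp
            s.step = "amount"
            return "CON Enter amount"
        if s.step == "amount":
            if not inp.isdigit() or int(inp) <= 0:
                return "END Invalid amount"
            s.data["amount"] = int(inp)
            s.step = "pin"
            return f"CON Send {inp} to {s.data['to']}?\nEnter PIN to confirm"
        if s.step == "pin":
            s.pin_attempts += 1
            if not self.verify_pin(s.msisdn, inp):
                if s.pin_attempts >= MAX_PIN_ATTEMPTS:
                    return "END Too many incorrect PINs"
                return "CON Incorrect PIN. Try again"
            amt = s.data["amount"]
            if self.balances.get(s.msisdn, 0) < amt:
                return "END Insufficient funds"
            self.balances[s.msisdn] -= amt
            self.balances[s.data["to"]] = self.balances.get(s.data["to"], 0) + amt
            return f"END Sent {amt} to {s.data['to']}"
        return "END Error"


def demo_pin_verifier(msisdn, pin):
    """Demo only: a real platform verifies PINs inside an HSM, never against
    a PIN held in application memory. Constant-time compare avoids a timing side channel."""
    expected = "1234" if msisdn == "254700000001" else ""
    return hmac.compare_digest(pin.encode(), expected.encode())


def run_transfer_flow():
    """Walk one constructed send-money session end to end, including a wrong PIN."""
    app = UssdApp({"254700000001": 1000}, demo_pin_verifier)
    sid, me = "sess-1", "254700000001"
    entries = ["", "1", "254700000002", "400", "9999", "1234"]
    screens = [app.handle(sid, me, t) for t in entries]
    return screens, app.balances, sid in app.sessions


if __name__ == "__main__":
    for line in run_transfer_flow()[0]:
        print(line, "\n---")
```

The handler never sends anything to the handset except the text of the next screen, which is the property point 6 relies on; conversely, it means every security control (PIN verification, attempt limits, session binding and expiry) has to be enforced on the network side, which is what the later testing sections exercise.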





