I have a question about USSD and security in this channel.
As you know, today mobile banking and many payments use USSD. I want to know: is USSD safe?
If USSD transactions use A5/1 for encryption, it was totally broken a few years ago and can now be captured by a USRP (or HackRF board) and decoded with rainbow tables created for A5/1.
I think these transactions are not really safe, but I want to know more about this protocol and the encryption used in these transactions. I don't know whether USSD codes are encoded with A5/1 or GSM-7... so my question is:
Thanks all.
Although USSD based financial transactions are more secure and better than SMS, there is still scope for enhancement of specific security requirements namely Authentication, Confidentiality, Authorization and Data integrity to make it the best.
Unstructured Supplementary Service Data (USSD) allows users without a smartphone or data/internet connection to use mobile banking through the *99# code. USSD-based mobile banking can be used for fund transfers, checking account balance, generating bank statement, among other uses.
One of the reasons is that it doesn't require an internet connection. You see, even though a mobile network is opened during a USSD session, that network is not an internet connection. Instead, it is an internal network connection between your telco's computers and your device.
Unlike an SMS message, during a USSD session, a USSD message creates a real-time connection. This means USSD enables two-way communication of information, as long as the communication line stays open. As such, queries and answers are nearly instantaneous.
In general, there are two levels of security in mobile networks (in this case GSM).
For the air interface (the radio interface between MS and BTS), it can be encrypted or unencrypted (depending on the network settings).
https://en.wikipedia.org/wiki/A5/1
https://en.wikipedia.org/wiki/A5/2
As you can see, both current encryption methods are very weak, especially for financial transactions (compared to acceptable encryption methods for online banking).
The real problem for USSD messages is their MAP/SS7 (SIGTRAN) related messages in the core network. Unfortunately, all USSD messages in a GSM network are transferred as plain text (as part of a MAP message), and all E1 links are easily monitorable.
Using USSD as a transmission layer (in the absence of a data connection (GPRS/3G/LTE) on the network) is possible, but an encryption layer is required (and it can be implemented in an Android or iOS app).
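Added example, not part of the original question or answers: the GSM-7 mentioned in the question is a keyless character packing (3GPP TS 23.038), not encryption, so a USSD string carried in a MAP message is readable by anyone who can see the octets, which is why the payload needs its own encryption layer. The function names `pack_ussd` and `unpack_ussd` and the sample reply text are constructed for illustration.

```python
# GSM 7-bit default alphabet (3GPP TS 23.038); index = septet value.
# Extension-table characters (ESC sequences) are not handled here.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
CR = 0x0D

def pack_ussd(text: str) -> bytes:
    """Pack text into USSD octets: 7-bit septets, least significant bit first."""
    septets = [GSM7.index(ch) for ch in text]  # ValueError if not in alphabet
    # USSD rule: if 7 spare bits would remain in the last octet, fill them with
    # CR so the receiver does not read them as an extra '@' (septet 0).
    if len(septets) % 8 == 7:
        septets.append(CR)
    acc = nbits = 0
    out = bytearray()
    for s in septets:
        acc |= s << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc)  # remaining bits, zero-padded
    return bytes(out)

def unpack_ussd(data: bytes) -> str:
    """Recover the text from packed octets. No key or secret is involved."""
    acc = nbits = 0
    septets = []
    for octet in data:
        acc |= octet << nbits
        nbits += 8
        while nbits >= 7:
            septets.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    # Drop the CR filler added by the packing rule above (simplification: a
    # genuine trailing CR on an exact octet boundary is also dropped).
    if len(data) % 7 == 0 and septets and septets[-1] == CR:
        septets.pop()
    return "".join(GSM7[s] for s in septets)

if __name__ == "__main__":
    reply = "Balance: 1,250.00"      # constructed sample menu reply
    wire = pack_ussd(reply)
    print(wire.hex(), "->", unpack_ussd(wire))
    print(pack_ussd("*99#").hex())   # the short code from the page
```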