The popularity of USSD in financial transactions means it has become a target for hackers and bad-faith actors. Over the last few years, Nigeria, Ghana, Kenya, and Rwanda have reported increasing cases of fraud linked to mobile money and USSD transactions.
Like every other technology, USSD can be hacked. In fact, security is a well-known limitation of the USSD protocol. Because it is an older technology, it is prone to attacks from black-hat hackers. Couple this with the rise in bad-faith actors looking to make a quick buck, and it is easy to see why fraud-related USSD cases have risen in most African countries.
There are two kinds of security risks that USSD users face:
- The first is a result of the security limitations of the technology. Unfortunately, these kinds of risks cannot be mitigated by the users. We have to rely on the mobile network operators to plug these gaps.
- The second kind of security risk is user-generated. This is how most USSD hacks happen. The hackers get access to the user’s mobile money or USSD account and then use it to access their funds.
Victory, a 26-year-old Nigerian, was a victim of these USSD hackers in 2021. She was on her way to work one early morning when she realized her phone was missing. Within an hour, the culprits had wiped her account clean of the N60,000 she had been saving to take a professional course. “The moment I couldn’t find my phone, the first thing on my mind was that I had to block my account. Unfortunately, it was linked to the stolen phone. Before I could get to the bank, they had bought airtime with all the money in my account to clear it out. I was devastated.”
In an article by Stears, an apprehended hacker shared how he did his work. After obtaining the victim’s phone, he would take out the SIM and transfer it to another phone. Once the SIM was in the new phone, he would use a special USSD code to check the victim’s BVN, which is linked to the phone number. The BVN (Bank Verification Number) is a unique combination of numbers that every banked Nigerian has. Using the BVN, the hacker checked which banks were attached to the phone number. Then he used the USSD option to buy a recharge card on the SIM to confirm the bank balance. After that, he proceeded to clear out the account.
The crooks in Victory’s case took advantage of a similar gap in the local Nigerian banking system. The USSD banking protocol does not require a PIN when recharging the phone number attached to the account, making it easy for hackers to use airtime purchases as a conduit for moving money out of people’s accounts.
So, how do you protect yourself from hackers like these?
Use a hard-to-guess transaction PIN
When creating a USSD or mobile money account, you are typically required to create a 4- or 6-digit PIN to authorize transactions. Many people resort to the combination of numbers that is easiest to remember. The danger is that those numbers may also be easy for hackers to guess. Avoid common codes like 1234 and repeated digits like 1111, as they are usually the first guesses of hackers trying to break into accounts.
It is also important to avoid significant dates like your birthday, as hackers may use social engineering to find out those dates.
Finally, if given the choice between a 4-digit and a 6-digit PIN, go for the 6-digit PIN. The longer the PIN, the harder it is for someone to guess it.
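The advice above can be turned into a check that a registration flow runs before accepting a PIN. The following is an added example and not code from the original article or from any bank or operator; the blocklist, the date heuristics and the reason strings are assumptions. It goes a little beyond the text by also rejecting ascending and descending runs (1234, 654321) and by comparing the PIN against patterns derived from the account holder's known birthday.

```python
"""Weak-PIN screening for 4- and 6-digit USSD / mobile-money transaction PINs.

Added example (not from the original article). Encodes the article's advice:
no common codes, no repeated digits, no birthday-like patterns, prefer 6 digits.
The blocklist and heuristics below are assumptions, not any provider's policy.
"""

# Constructed blocklist: a handful of PINs that top leaked-PIN frequency tables.
# A real deployment would load a much larger list.
COMMON_PINS = {
    "1234", "0000", "1111", "1212", "7777", "1004", "2000", "4444", "2222",
    "6969", "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321",
    "2001", "1010", "123456", "654321", "111111", "000000", "121212", "112233",
}

REASON_LENGTH = "PIN must be exactly 4 or 6 digits"
REASON_SHORT = "4-digit PIN: prefer 6 digits where the provider allows it"
REASON_COMMON = "in the common-PIN blocklist"
REASON_REPEAT = "single repeated digit"
REASON_RUN = "ascending or descending run"
REASON_BIRTHDAY = "derived from the account holder's birthday"
REASON_DATE = "looks like a calendar date (DDMM/MMDD, YYYY or DDMMYY)"


def _is_repeated(pin: str) -> bool:
    """1111, 000000 and similar: only one distinct digit."""
    return len(set(pin)) == 1


def _is_run(pin: str) -> bool:
    """1234 / 4321 style runs with a constant step of +1 or -1 (9 -> 0 wraps)."""
    digits = [int(c) for c in pin]
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {9})


def _plausible_day_month(day: str, month: str) -> bool:
    return 1 <= int(day) <= 31 and 1 <= int(month) <= 12


def _looks_like_date(pin: str) -> bool:
    """Heuristic: DDMM, MMDD or a year (4 digits); DDMMYY, MMDDYY or YYMMDD (6)."""
    if len(pin) == 4:
        return (_plausible_day_month(pin[:2], pin[2:])
                or _plausible_day_month(pin[2:], pin[:2])
                or 1900 <= int(pin) <= 2099)
    return (_plausible_day_month(pin[:2], pin[2:4])      # DDMMYY
            or _plausible_day_month(pin[2:4], pin[:2])   # MMDDYY
            or _plausible_day_month(pin[4:], pin[2:4]))  # YYMMDD


def _birthday_variants(birthday: str) -> set[str]:
    """Digit patterns a guesser would derive from a known YYYY-MM-DD birthday."""
    year, month, day = birthday.split("-")
    yy = year[-2:]
    return {day + month, month + day, year,
            day + month + yy, yy + month + day, month + day + yy}


def pin_weaknesses(pin: str, birthday: str = "") -> list[str]:
    """Return the reasons a PIN is weak; an empty list means it passed every check.

    `birthday`, if supplied, is the account holder's date of birth as YYYY-MM-DD
    (an assumed input; real systems may already hold it from KYC records).
    """
    if not pin.isdigit() or len(pin) not in (4, 6):
        return [REASON_LENGTH]
    reasons = []
    if len(pin) == 4:
        reasons.append(REASON_SHORT)
    if pin in COMMON_PINS:
        reasons.append(REASON_COMMON)
    if _is_repeated(pin):
        reasons.append(REASON_REPEAT)
    elif _is_run(pin):
        reasons.append(REASON_RUN)
    if birthday and pin in _birthday_variants(birthday):
        reasons.append(REASON_BIRTHDAY)
    elif _looks_like_date(pin):
        reasons.append(REASON_DATE)
    return reasons


if __name__ == "__main__":
    # Constructed sample PINs; the birthday is made up for the demonstration.
    for candidate in ("1234", "1111", "150690", "3112", "839274"):
        print(candidate, "->", pin_weaknesses(candidate, birthday="1990-06-15") or "ok")
```

The check only reports why a PIN is weak; whether to reject it outright or merely warn is a product decision. The date heuristic is deliberately loose (any day 1-31 with any month 1-12), so it will flag some PINs that are not dates; that is the safer direction for a screening step.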
Never disclose your USSD or mobile money PIN to third parties
Keeping your transaction PIN secret is the most basic step you can take to secure your account. Anyone in possession of the PIN registered to a mobile money account is treated by the system as authorized to transact. In such a case, it can be very difficult to prove to your bank and the authorities that you were actually hacked. Avoid sharing the PIN with anyone you don’t trust.
In addition, only download verified and safe applications from your phone’s application store. Malicious applications may contain keyloggers that capture what you type, including your PIN.
Create a PIN for your SIM card
The central point of failure for most USSD-related scams is the SIM card. Most people know to put passwords on their phones but they don’t do the same for their SIM cards.
To set a PIN on your SIM card, take the following steps:
- Open your phone’s Settings
- Go to Security and search for SIM lock
- Tap Lock SIM
- Enter the default PIN to lock the SIM card
It is, however, advisable to change the PIN from the default, as hackers will be aware of it and it will be their first guess.
Know your financial institution’s kill switch
This tip is a last resort that you can apply if you’ve lost your mobile phone or fear that it has been hacked. Following the rise of USSD-related fraud, many financial institutions have created kill switches that allow you to stop USSD transactions on a mobile number.
These kill switches are themselves USSD codes that you can dial from another phone to block the number attached to your bank account from transacting via USSD. Check with your financial institution to learn the kill switch for its USSD transactions. That way, if you are ever hacked or you lose your device, you can use the code to prevent your account from being accessed.