How To Protect Yourself From USSD Fraud

USSD Fraud

Money has been stolen from users’ accounts, and the Nigeria Electronic Fraud Forum’s 2017 fraud report reveals a growing trend in mobile fraud. Banks pioneered the use of a mobile phone for transactions, and other financial organizations, such as mortgage and microfinance banks, have followed suit.

What is USSD?

USSD stands for Unstructured Supplementary Service Data. It sounds a bit complicated and can get technical very quickly, but for the purposes of financial inclusion, there are two key things to understand. First, when you dial a number that starts with * and ends with #, you are using USSD. Second, USSD is currently the best available communications technology to deliver mobile financial services to low-income customers.

How does USSD work?

USSD is a communications protocol used by GSM cellular telephones to communicate with the mobile network operators. It can be used for WAP browsing, prepaid callback service, mobile-money services, location-based content services, menu-based information services, and as part of configuring the phone on the network. USSD messages create a real-time connection during a USSD session. The connection remains open, allowing a two-way exchange of a sequence of data.

It is currently the best available communications technology to deliver mobile financial services to low-income customers, and the majority of mobile financial service deployments in the developing world use USSD as their primary mechanism for communication between customers and their mobile payments platform.

Using USSD for transactions does not require much: just a functional mobile device that is connected to the telecommunications service provider. Customers can open bank accounts, check account balances, transfer funds, pay bills, and much more.

Major USSD Vulnerabilities

SIM Swap/Churn

The fraud exploits a mobile phone service provider’s ability to seamlessly port a phone number to a device containing a different subscriber identity module (SIM). This feature is normally used when a customer has lost their phone or is switching services to a new phone.


Access to PIN

Two-factor Authentication is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and a password. Then, instead of immediately gaining access, they will be required to provide another piece of information.


USSD Fraud Scenarios

Nearly all USSD fraud occurs once robbers and thieves snatch a customer’s mobile phone. The phones must have a number registered to the victim’s bank account.

Scenario One:

  • Once a fraudster gets hold of a stolen phone, he/she easily gains access to it by dialing the code *425*100#, which reveals the bank account connected to the SIM card. This code is usually related to NIBSS Mcash to recharge across various banks.
  • Having discovered the banks where the users hold accounts, fraudsters then dial those banks’ individual codes to gain access.
  • For example, if it is an Access Bank account, the fraudster will dial *901*00# to show the user’s account balance. Other banks have their own USSD codes.
  • The fraudster will then proceed to reset the PIN, and the bank will ask for the account number and DOB of the account holder. Since a lot of people save their account number in their contact list, the fraudster can easily get it there.
  • Thereafter, the fraudster uses the account number to get the victim’s BVN, then uses the BVN to get all his/her details by dialing *565*0#.
  • With this information, the fraudster proceeds to reset the PIN, then uses the DOB to create a new PIN. Furthermore, the fraudster will be able to transfer money out of the account.

Scenario Two:

  • The fraudster proceeds to apply for loans using a SIM card connected to a salary account.
  • The fraudster does it so efficiently that the main owner of the account will receive no alert on any transactions done.
  • The fraudster applies for loans and moves funds to unsuspecting accounts.

Scenario Three:

  • The fraudster transfers stolen money to a “No trace Account” using another stolen SIM with its BVN to create it.
  • Law enforcement will trace the owner of the stolen SIM card, while the fraudster remains at large.
  • In the absence of a SIM card, he can use a BVN to open new accounts and receive funds.
  • Additionally, they use stolen SIM cards to buy airtime via USSD.

Banks are generally liable for fraud on USSD because of the lack of proper implementation of USSD banking in Nigeria.

Customers need to have their accounts blocked immediately if they believe their USSD PINs have been compromised, and likewise if their phones have been stolen. They can do this by visiting the nearest bank branch, dialing emergency codes, or calling their bank’s hotline.

If a number has been inactive for more than 3 months, customers should visit their banks and change their numbers.

Oluwatobi Olowu
