Are USSD codes safe? Yes — when the platform behind them is built with the right security controls. Without those controls, USSD sessions are exposed to SIM swap fraud, session hijacking, and social engineering attacks that cost African businesses and their customers billions of dollars every year.
This guide breaks down the five most common USSD security threats, gives you an enterprise security checklist to secure USSD transactions, and covers the regulatory developments reshaping mobile transaction protection across Africa.
Why USSD Security Matters: Africa’s Mobile Money Ecosystem at Risk
According to GSMA, mobile money surpassed two billion registered accounts and over half a billion monthly active users globally in 2024. Africa is the epicentre of that growth. As reported by Ecofin Agency, citing the GSMA State of the Industry Report on Mobile Money 2025, Africa processed 65% of global mobile money transaction value in 2024, totalling $1.1 trillion.
USSD is the backbone of much of this activity. It works on every phone — including feature phones that cannot run mobile apps — requires zero data, and powers everything from mobile banking to airtime purchases. But that reach also makes it a high-value target for fraud.
Mobile money fraud losses across Africa run into billions of dollars annually. Identity theft remains the leading category of digital financial crime on the continent. For any business deploying USSD financial services, mobile money security in Africa starts with USSD security — it is the foundation.
What Are the Main Security Threats to USSD Transactions?
Five threat categories account for the vast majority of USSD-related fraud. Here is how each one works and what USSD fraud protection requires for each.
| Threat Type | How It Works | Severity | Key Mitigation |
|---|---|---|---|
| SIM Swap Fraud | Attacker convinces the carrier to transfer your number to a new SIM, then intercepts USSD sessions and OTPs | Critical | Real-time SIM status checks, multi-factor confirmation |
| Session Hijacking | Attacker exploits an active USSD session through malware or a compromised device to take over the interaction mid-flow | High | Strict session timeouts, encrypted session tokens |
| SS7/Signaling Vulnerabilities | Attacker exploits weaknesses in the SS7 signaling protocol to intercept or redirect USSD messages between the handset and the network | High | VPN/HTTPS gateway communication, carrier-level SS7 firewalls |
| Social Engineering | Attacker impersonates a bank, telco, or agent to trick the user into revealing PINs, OTPs, or account details | High | User education, transaction confirmation prompts |
| Man-in-the-Middle (MITM) | Attacker intercepts communication between the user’s device and the USSD gateway, capturing session data in transit | Medium | End-to-end backend encryption (AES/RSA), secure gateway protocols |
How Does SIM Swap Fraud Target USSD Banking?
SIM swap is the single biggest threat to USSD-based financial services in Africa. The attack is straightforward: a fraudster persuades (or bribes) a mobile network agent to transfer the victim’s number to a new SIM card. Once the swap completes, every USSD session, OTP, and mobile money notification goes to the attacker’s device.
According to TechTrends Africa, citing Nigeria Inter-Bank Settlement System data, Nigerian banks reported a 300% increase in SIM swap-related fraud cases between 2022 and 2024.
Security researchers have documented organised SIM swap operations involving telecom insiders across multiple African countries. These are not opportunistic crimes. They are structured operations that exploit the weakest link in the chain: human access to carrier systems.
The defence starts at the platform level. Banks and fintechs deploying USSD services need real-time SIM status verification — checking whether a SIM was recently swapped before authorising a transaction. Integrating phone number verification into your USSD flow adds an additional layer of USSD fraud protection. Nigeria’s new TIRMS system (covered in the regulatory section below) directly addresses this gap.
8 Security Measures Every USSD Platform Must Have
If you are building or procuring a USSD service, these eight controls form the USSD security baseline. Each one addresses a specific attack vector from the threat table above.
- Session timeouts — Terminate inactive USSD sessions after a short window (typically 60-120 seconds). Prevents session hijacking on unattended devices.
- PIN management and lockout — Enforce strong PIN requirements and lock accounts after consecutive failed attempts. Blocks brute-force attacks.
- Backend encryption (AES/RSA) — Encrypt all data in transit between the USSD gateway and your application server. Neutralises MITM interception.
- HTTPS/VPN gateway communication — Secure the link between your application and the carrier’s USSD gateway with HTTPS or a dedicated VPN tunnel. Closes SS7 exposure at the application layer.
- Transaction velocity limits — Cap the number and value of transactions within a time window. Limits damage if an account is compromised.
- SIM swap detection integration — Query the carrier’s SIM status API (or regulatory portals like Nigeria’s TIRMS) before authorising high-value transactions. The most direct defence against SIM swap fraud.
- Audit logging and real-time monitoring — Log every session, input, and transaction with timestamps. Trigger alerts on anomalous patterns (unusual location, rapid-fire requests, large transfers).
- Two-factor confirmation for high-value transactions — Require a second confirmation step (callback, SMS OTP to a registered alternate number, or in-app approval) before processing transactions above a defined threshold.
For guidance on building secure USSD menu flows that incorporate these controls, see our design best practices guide. Building a USSD application? Arkesel’s platform includes session management, PIN security, and enterprise-grade encryption. Explore Arkesel USSD Solutions.
How to Protect Your USSD Transactions as a User
The majority of mobile money fraud relies on social engineering — phishing calls, fake SMS messages, and impersonation of bank or telco agents. Your behaviour is your first line of defence when it comes to secure USSD transactions.
- Never share your USSD PIN or OTP with anyone, including someone claiming to be from your bank or network provider. Legitimate institutions will never ask for these.
- Register for SIM swap alerts with your mobile carrier. If your SIM is swapped without your knowledge, you will receive an immediate notification on your registered email or alternate number.
- Set a SIM lock PIN on your device. This prevents unauthorised SIM removal and reuse.
- Review transaction alerts immediately. If you receive a confirmation for a transaction you did not initiate, contact your bank and carrier without delay.
- Avoid initiating USSD sessions on shared or public devices. If you must, close the session fully before stepping away.
- Report suspicious calls or messages to your carrier and bank. Agent-assisted fraud represents a significant share of mobile money theft — early reporting disrupts the chain.
Regulatory Developments Strengthening USSD Security in Africa
African regulators are moving to close the systemic gaps that fraudsters exploit. Three developments stand out for mobile money security in Africa.
Nigeria: TIRMS Portal (April 2026)
According to Nairametrics, Nigeria’s Central Bank (CBN) and Nigerian Communications Commission (NCC) launched the Telecom Identity Risk Management System (TIRMS) portal in April 2026, enabling banks to verify mobile number status in real time before authorising transactions. This is the most direct regulatory response to SIM swap fraud anywhere on the continent. Banks can now query whether a number has been recently ported, swapped, or flagged — before a USSD transaction completes.
Ghana: Biometric SIM Registration
Ghana’s National Communications Authority (NCA) mandated biometric SIM re-registration, linking every active SIM to its owner’s biometric data. This makes it significantly harder for fraudsters to obtain SIMs under false identities — a prerequisite for most SIM swap schemes. If you are deploying USSD services in Ghana, our guide on how to get a USSD shortcode in Ghana covers the compliance requirements.
Kenya: Enhanced Mobile Money Oversight
Kenya’s Communications Authority has tightened mobile money supervision requirements, including stricter identity verification and transaction monitoring obligations for service providers.
These regulatory frameworks create the infrastructure for the platform-level USSD security defences described above. If you are deploying USSD services across multiple African markets, build compliance with these requirements into your USSD application architecture from day one.
How Arkesel Secures Your USSD Service
Arkesel is ISO 27001 certified with a 99.9% uptime SLA — the security and reliability baseline your USSD service needs. Read the full Arkesel information security statement for details on our security posture.
Related Articles
- How to Get a USSD Shortcode for Your Business in Ghana
- USSD vs Mobile App in Africa: Which Channel Wins?
- USSD Financial Services in Africa: Mobile Money Guide
- USSD Menu Design: 10 Best Practices for Higher Completion Rates
- How to Build a USSD Application: Developer Guide for Africa
- USSD vs SMS vs WhatsApp: Which Channel Wins in Africa?
- USSD Healthcare in Africa: 5 Patient Services, No App
- USSD Shortcode Provider Ghana: Buyer’s Checklist (2026)
The Arkesel USSD platform delivers zero data cost for end customers and works on any mobile device, including feature phones. It includes session management and a multi-level menu API that lets you build secure, interactive USSD flows programmatically.
For businesses building USSD for interactive customer experiences across Africa, Arkesel’s enterprise-grade infrastructure means your service runs on direct network connections with built-in session controls — not a bolted-on afterthought. Whether you choose USSD, SMS, or WhatsApp as your primary channel, Arkesel’s USSD security controls ensure mobile transactions stay protected. Organisations deploying USSD healthcare services or financial services benefit from the same enterprise-grade USSD security foundation.
Ready to deploy a secure USSD service? Get started with Arkesel or view pricing.
FAQ
Are USSD codes safe for mobile banking?
USSD codes are safe when the platform enforces session timeouts, PIN lockout, backend encryption, and SIM swap detection. Without these controls, the session-based architecture is vulnerable to interception and fraud.
What is USSD session hijacking and how do you prevent it?
Session hijacking occurs when an attacker takes control of an active USSD session — typically through malware on the device or by exploiting a session that was not properly terminated. Prevent it with strict session timeouts, encrypted session tokens, and automatic session termination on inactivity.
What security features should a USSD platform have?
At minimum: session timeouts, PIN management with lockout, backend encryption (AES/RSA), HTTPS or VPN gateway communication, transaction velocity limits, SIM swap detection, audit logging, and two-factor confirmation for high-value transactions.
How does SIM swap fraud work?
A fraudster convinces a mobile carrier — through social engineering or insider collusion — to transfer your phone number to a new SIM card. Once the swap is done, the attacker receives all your USSD sessions, OTPs, and mobile money notifications.
How can I protect my mobile money from fraud?
Never share your PIN or OTP. Register for SIM swap alerts. Set a SIM lock on your device. Review transaction alerts immediately and report anything suspicious to your bank and carrier.
What are the latest USSD security regulations in Africa?
Nigeria launched the TIRMS portal in April 2026 for real-time SIM status verification. Ghana mandated biometric SIM registration. Kenya tightened mobile money oversight with stricter identity verification requirements.
