
Expanding USSD in Cybersecurity: Risks and Solutions

According to the GSMA, a global association representing over 750 mobile operators and nearly 400 companies across the mobile ecosystem, more than 850 million people in Sub-Saharan Africa use mobile phones.

USSD remains the primary digital access channel for over half of them, particularly in areas with limited internet connectivity. USSD in cybersecurity fortifies online platforms even more.

As more companies adopt this simple yet powerful channel, especially in fintech, telecom, and customer service, the need for stronger cybersecurity measures is growing.

Organizations like Arkesel, which operates across Ghana, Nigeria, South Africa, and Tanzania, are helping businesses scale their messaging services through USSD, SMS, and voice.

But with this expansion comes a responsibility: protecting users and systems from digital threats.

Benefits of USSD in cybersecurity 

Initially designed for network-based communications, such as balance checks or airtime top-ups, USSD has evolved into a versatile tool for mobile banking, e-commerce, and government services across Africa.

Before addressing its security challenges, it is essential to understand why USSD remains a central component in cybersecurity for digital service delivery across Africa.

These benefits make USSD a vital link in cybersecurity for services such as mobile banking, health alerts, social welfare programs, and airtime top-ups, particularly in underserved communities.

In fact, for millions of people, USSD is not just an option but the only available method to engage with digital platforms.

As a result of this reach and impact, securing USSD is not just about protecting technology; it is about safeguarding inclusion, financial access, and trust in essential services.

USSD is widely used because it is:

  • Affordable: It does not require a data plan or internet connection, making it accessible to people with limited financial resources.
  • Offline-friendly: USSD operates entirely over GSM networks, which are widely available even in remote areas with limited or no internet coverage.
  • Device-neutral: It runs on any mobile phone, including feature phones (also known as “small phones”), making it ideal for users who cannot afford smartphones.

Understanding the security risks of USSD in cybersecurity

USSD plays a crucial role in delivering digital services to users who lack access to smartphones or the internet.

It enables access to banking, payments, and other essential functions through simple mobile codes.

However, its simplicity also comes with several security vulnerabilities that can expose users to fraud and service providers to reputational and financial damage.

Many USSD systems were designed for basic communication, not for handling sensitive data.

As more transactions and services rely on USSD, the need to address these risks becomes more urgent.

Key concerns of USSD in cybersecurity

Unlike mobile apps, USSD was not built to support modern encryption methods like SSL/TLS, which limits the implementation of advanced security protocols.

1. No encryption: USSD messages travel over GSM networks without end-to-end encryption.

This lack of security means messages can be intercepted if an attacker gains access to the mobile operator’s systems, exposing sensitive user information such as PINs or account details.

2. SIM swap fraud: Fraudsters can perform SIM swap attacks by tricking or bribing telecom staff to transfer a user’s number to a new SIM.

Once this happens, the attacker can access USSD services linked to that number, including mobile banking and wallet systems.

3. Weak authentication: Most USSD services rely only on short PINs for verification.

These are often easy to guess, and if compromised, they give attackers direct access to a user’s accounts or transactions.

4. Phishing attacks: Scammers sometimes share fake USSD codes that mimic legitimate services.

Unsuspecting users may enter personal details or PINs, which are then captured and misused for fraudulent purposes.

How to strengthen USSD security without limiting access

USSD remains a practical solution for delivering services across devices and regions, especially where internet access is limited.

However, as adoption increases, so does the need to reinforce its security without compromising accessibility.

Rather than phasing out USSD, the focus should be on strengthening its structure to protect both users and service providers.

Below are key strategies that can help achieve this balance.

1. Use session timeouts

To reduce the risk of session hijacking or unauthorized access, USSD sessions should automatically expire after a short period of inactivity.

This helps prevent someone else from taking control of an open session, especially on shared or lost devices.

2. Enhance PIN controls

Strengthening PIN policies is essential.

PINs should be longer and harder to guess, with limits on the number of failed attempts.

Service providers should also discourage or block the reuse of the same PIN across different platforms.

3. Implement SIM swap detection

SIM swap fraud remains a significant vulnerability.

Telecom operators should monitor for SIM card replacements or unusual activity and temporarily restrict access to USSD services until the user verifies their identity.

This additional step can prevent unauthorized access following a SIM swap.

4. Introduce two-factor verification

For sensitive actions such as money transfers or personal information updates, adding a second layer of authentication, like a one-time password (OTP) sent via SMS or a voice call, can significantly reduce the risk of unauthorized transactions.

5. Educate users

Many USSD-related breaches stem from user error or lack of awareness.

Service providers should invest in regular user education campaigns that explain how to:

  • Recognize official USSD codes
  • Create and protect strong PINs
  • Identify and avoid phishing attempts

6. Mask sensitive information

USSD responses should avoid displaying full account numbers, balances, or personal data on the screen.

Instead, use partial masking (e.g., showing only the last four digits of an account number) to minimize the risk if a device falls into the wrong hands.

7. Monitor and log transactions

Telecom and service providers should implement effective monitoring systems to log USSD activity in real-time.

This helps detect suspicious patterns, such as unusual login times or repeated failed attempts, enabling faster response to potential breaches.

8. Regularly audit USSD platforms

Security assessments should be part of routine operations.

Regular penetration testing, vulnerability scanning, and code reviews can help identify weak points and ensure compliance with evolving cybersecurity standards.
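To show how strategies 1, 2, 3 and 6 fit together at the point where a PIN is entered, here is an added example (not code from Arkesel or any operator). The record layout, the thresholds and the `handle_pin` function are assumptions made for illustration, and the SIM-change timestamp is assumed to be supplied by the mobile operator.

```python
import hashlib, hmac, time
from dataclasses import dataclass

IDLE_TIMEOUT_S = 30            # assumed idle limit before a session is dropped
MAX_PIN_FAILURES = 3           # assumed failed-attempt limit before lockout
SIM_SWAP_HOLD_S = 48 * 3600    # assumed hold period after a SIM replacement

def pin_digest(pin: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Subscriber:              # hypothetical provider-side record
    account: str
    salt: bytes
    digest: bytes
    last_sim_change: float     # epoch seconds, assumed to come from the operator
    failures: int = 0

@dataclass
class Session:
    last_seen: float           # epoch seconds of the previous request

def mask(account: str) -> str:
    # Show only the last four digits on the handset screen.
    return "*" * max(len(account) - 4, 0) + account[-4:]

def handle_pin(sub, sess, pin, now=None):
    """Return (keep_session_open, text_to_display) for one PIN entry."""
    now = time.time() if now is None else now
    if now - sess.last_seen > IDLE_TIMEOUT_S:        # strategy 1: idle timeout
        return False, "Session expired. Please dial again."
    sess.last_seen = now
    if now - sub.last_sim_change < SIM_SWAP_HOLD_S:  # strategy 3: SIM swap hold
        return False, "SIM recently replaced. Verify your identity to continue."
    if sub.failures >= MAX_PIN_FAILURES:             # strategy 2: attempt limit
        return False, "Too many wrong PINs. Account locked."
    if not hmac.compare_digest(pin_digest(pin, sub.salt), sub.digest):
        sub.failures += 1
        return False, "Wrong PIN."
    sub.failures = 0
    return True, f"Account {mask(sub.account)}\n1. Send money\n2. Balance"  # strategy 6
```

The SIM swap check runs before the PIN check, so a correct PIN entered on a freshly replaced SIM is still refused until the user verifies their identity.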
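For strategy 7, the following added example (not code from the original article) runs two detection rules over USSD activity logs: repeated failed PIN attempts in a short window, and a transfer shortly after a SIM change. The log format, event names, phone numbers and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_WINDOW = timedelta(minutes=5)   # assumed window for counting failed PINs
FAIL_LIMIT = 3                       # assumed number of failures that raises an alert
SWAP_WINDOW = timedelta(hours=24)    # assumed risk window after a SIM change

# Constructed sample log: timestamp, subscriber number, event type.
LOG = """\
2024-05-01T02:14:07 msisdn=233200000001 event=PIN_FAIL
2024-05-01T02:14:40 msisdn=233200000001 event=PIN_FAIL
2024-05-01T02:15:02 msisdn=233200000001 event=PIN_FAIL
2024-05-01T09:00:00 msisdn=233200000002 event=SIM_CHANGE
2024-05-01T09:20:00 msisdn=233200000002 event=TRANSFER
2024-05-01T10:00:00 msisdn=233200000003 event=PIN_FAIL
2024-05-03T10:00:00 msisdn=233200000003 event=TRANSFER
"""

def parse(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["msisdn"], kv["event"]

def detect(log_text):
    """Return a list of (msisdn, rule, timestamp) alerts in log order."""
    fails = defaultdict(deque)       # recent PIN_FAIL timestamps per subscriber
    last_swap = {}                   # most recent SIM_CHANGE per subscriber
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, msisdn, event = parse(line)
        if event == "PIN_FAIL":
            q = fails[msisdn]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_LIMIT:         # alert once when the limit is reached
                alerts.append((msisdn, "repeated_pin_failures", ts))
        elif event == "SIM_CHANGE":
            last_swap[msisdn] = ts
        elif event == "TRANSFER":
            swap = last_swap.get(msisdn)
            if swap is not None and ts - swap <= SWAP_WINDOW:
                alerts.append((msisdn, "transfer_after_sim_change", ts))
    return alerts
```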

The role of service providers and regulators

Tech-driven companies like Arkesel are well-positioned to lead secure USSD innovation across multiple African markets.

By embedding best practices in security, compliance, and user privacy into their systems, they help build long-term trust with both businesses and consumers.

Their cross-country presence allows them to share lessons learned across regions and set high standards for how USSD services should be delivered securely, efficiently, and inclusively.

However, service providers cannot do it alone.

Telecom regulators across the continent play a crucial role in establishing rules and ensuring their adherence.

Regulators should:

1. Enforce security standards for USSD-based platforms: This includes requiring operators to meet defined benchmarks for data protection, system integrity, and session management, particularly in sectors such as banking, mobile money, and healthcare services.

2. Mandate minimum protections, such as encryption and authentication.

Although USSD has technical limitations, regulators can advocate for enhanced infrastructure, including GSM-level encryption or more robust SIM-based verification methods, to mitigate exposure to cyber threats.

3. Penalize service providers that fail to safeguard user data: Enforcement must go beyond guidelines.

Regulators should apply fines, service suspensions, or public warnings to any provider that neglects cybersecurity or mishandles user information.

4. Promote collaboration between telecoms and financial institutions:

A joined-up approach helps detect fraud faster, share intelligence, and ensure that USSD services remain both accessible and secure.

5. Encourage user education and transparency: Regulators can require providers to communicate risks, offer opt-in/opt-out features for sensitive services, and share tips for safe USSD usage.

Real-world example

In 2022, several mobile users in East Africa fell victim to SIM swap fraud, which exploited weaknesses in USSD banking platforms, resulting in unauthorized withdrawals that went undetected.

Securing the future of USSD in Africa

USSD is more than a legacy communication channel; it remains a vital link between millions of people and the digital services they rely on every day.

In many African countries, it serves as the primary means for underserved and rural populations to access essential services, including banking, healthcare, education, and government programs.

Its simplicity and reach have made it indispensable.

But as USSD becomes more integrated into critical service delivery, the risks associated with its use should be addressed with equal seriousness.

Securing USSD should no longer be viewed as optional or secondary; it should be considered a critical component.

It deserves the same attention and investment given to mobile apps, websites, and other modern digital platforms.

A secure USSD ecosystem is a step in the right direction.

Service providers, telecom operators, and regulators should prioritize the integration of secure design principles into USSD services.

Research, cross-industry collaboration, and continuous user education are essential for achieving both scale and safety.
