USSD Security: Best Practices to Safeguard Mobile Transactions

Mobile technology has expanded beyond smartphones and apps in today’s digital-first world. One standout technology that continues to serve millions, particularly in developing regions, is USSD (Unstructured Supplementary Service Data). It powers essential services, such as mobile banking, airtime purchases, and utility bill payments, even on feature phones without internet access. However, with this widespread use comes an urgent concern: USSD security. How secure is this technology? What threats do users and businesses face? And more importantly, how can those threats be mitigated? This article examines USSD security, the associated risks, and the best practices that businesses and developers can adopt to safeguard users while delivering reliable mobile services.

What is USSD, and why is it still relevant?

USSD is a communication protocol that GSM mobile phones use to interact with service providers. It typically works by dialing a code (like *123#), followed by menu-based interactions. Unlike SMS or internet-based communication, USSD sessions are real-time and session-based. The messages are not stored on the device or the network; the interaction ends once the session is closed. This makes USSD a fast and cost-effective option, especially for customers without smartphones or reliable internet access. But despite these benefits, USSD was never designed with modern security requirements in mind. That is where the problem begins.

Why businesses use USSD:

• Wider reach: Compatible with all phones, including basic models.
• Low cost: No need for data connectivity.
• Accessibility: Ideal for rural or underdeveloped regions.
• Speed: Real-time responses enable quick interactions.

Understanding USSD security risks

While USSD is convenient, it lacks built-in encryption and end-to-end security controls. This makes it susceptible to various security threats:

1. Lack of encryption: USSD messages are not encrypted, meaning that if the data is intercepted, for example, by a malicious actor with access to the mobile network, it can be read in plain text.
2. SIM swap and social engineering attacks: Fraudsters can impersonate users and convince telecom operators to issue new SIM cards to them. Once they gain control of a user’s number, they can access USSD banking services and drain accounts.
3. Session hijacking: Because USSD sessions are temporary and run on telecom infrastructure, attackers who gain access to the network may hijack or manipulate sessions in real-time.
4. Insider threats: Telecom operators and financial service providers may have employees who misuse access to USSD data for fraudulent purposes.
5. User behavior: Many users are unaware of how USSD works. They may accidentally reveal PINs, respond to phishing codes, or use USSD on untrusted networks.

10 Best practices for USSD security

Let’s explore how businesses, developers, and users can work together to create a more secure USSD environment.

1. Implement strong user authentication: Always verify users adequately before accessing sensitive services. For financial services, PIN-based authentication is a minimum requirement. Best practices:

• Require users to enter a secure 4 to 6-digit PIN.
• Prevent default or predictable PINs, such as “1234.”
• Use retry limits to block access after multiple failed attempts.
• Use two-factor authentication (2FA) when possible (e.g., linking with SMS OTPs or app-based confirmation for high-risk actions).

2. Encrypt data at the application layer: Although USSD does not support encryption, service providers can implement encryption at the backend, where data is processed and stored. How:

• Secure all communication between USSD gateways and application servers using HTTPS or VPN.
• Mask sensitive user information, such as PINs, account numbers, and balances, in logs and databases.
• Avoid displaying sensitive information on-screen during the session (e.g., showing only the last four digits of an account).

3. Use session timeout and lockouts: USSD sessions should automatically expire after a short period of inactivity (usually 30–60 seconds). This reduces the risk of someone else picking up the phone and continuing the session. Additional strategies:

• Lock the user account after a set number of failed login attempts.
• Require re-authentication for critical actions, such as fund transfers or bill payments.

4. Monitor for suspicious activities: Monitoring and analytics are essential for identifying fraud attempts. Unusual behavior patterns, such as logins from different locations or repeated failed transactions, should raise red flags. Tools:

• Fraud detection systems that analyze user behavior in real-time.
• Alerts for unusual login times or high-volume transactions.
• Geo-restriction policies to limit access to known safe regions.

5. Secure the USSD gateway: The USSD gateway is the bridge between mobile users and backend servers. If compromised, it can be exploited to manipulate transactions or steal data. Security tips:

• Use firewalls and intrusion detection systems (IDS) to protect the USSD gateway.
• Regularly audit access logs and configuration changes.
• Restrict access to the USSD gateway based on roles and privileges.
• Keep all software and firmware up to date to patch known vulnerabilities.

6. Educate users on safe USSD practices: Users are often the weakest link in the security chain. Educating them on how to use USSD securely can prevent many types of fraud. Key messages to share:

• Never share your PIN or account information with anyone.
• Do not use USSD codes on borrowed or public phones.
• Contact your service provider immediately if your SIM is lost or stolen.

7. Always confirm the correct USSD code before entering sensitive information. Avoid using USSD for high-risk transactions. Where possible, limit USSD use to low— or medium-risk services, such as checking balances or viewing account information. Consider directing users to more secure channels, like mobile apps, for high-risk actions like large fund transfers or password changes.

8. Work with trusted telecom partners: Security is a shared responsibility. Ensure your telecom partners follow best practices for data privacy, SIM issuance, and gateway security. Choose telecom providers with a strong reputation and a track record of security compliance. Ask questions like:

• Do they log USSD sessions securely?
• How do they handle SIM swaps or suspicious SIM activity?
• What is their policy on insider access and monitoring?

9. Stay compliant with regulatory standards: Countries often have financial and data protection regulations that apply to USSD services. Staying compliant is not just about avoiding fines; it helps build trust and ensures your security practices are up to par. Examples include:

• NDPR in Nigeria (Nigeria Data Protection Regulation)
• GDPR in the EU
• PCI DSS for payment data
• CBN guidelines for mobile financial services

10. Regular security audits and penetration testing: Conduct regular security audits and penetration testing on your USSD infrastructure to identify vulnerabilities before attackers can exploit them. This involves systematically checking your USSD applications, gateways, backend systems, and telecom integrations for potential weaknesses. Why it matters:

• Helps detect misconfigurations, outdated software, or insecure authentication flows.
• Simulates real-world attacks to test system resilience.
• Ensures your security controls are functioning as intended.
• Tip: Engage third-party cybersecurity experts for unbiased assessments, and act promptly on their recommendations to strengthen your USSD platform’s defenses.

The future of USSD and security innovations

While USSD is often seen as a legacy technology, it remains vital in regions with limited internet access. However, it is evolving to meet modern security needs.

Emerging trends:

• Tokenization: Replacing sensitive data with unique identifiers.
• Voice or biometric authentication (via integration with other platforms).
• End-to-end encryption using overlay networks between telcos and service providers.
• USSD over IP (UUI): A hybrid solution that merges USSD usability with secure data channels.

Case study: Mobile banking in Nigeria

Nigeria is one of the biggest markets for USSD banking. To enable mobile banking, most banks use USSD codes, such as *737#, *901#, or *966#. However, security incidents have also made headlines, especially those involving SIM swap fraud. To address these issues, Nigerian banks and the Central Bank of Nigeria (CBN) require stricter authentication, including mandatory PIN use, transaction limits, and customer education campaigns. Additionally, telecom operators have enhanced their SIM replacement policies by requiring national ID verification and biometric validation to prevent unauthorized SIM swaps. These combined efforts make USSD banking safer and more reliable for millions of users.

Secure USSD is possible, but requires vigilance

USSD technology is essential for financial inclusion and low-cost mobile services, but its simplicity should not be mistaken for safety. While it lacks the built-in protections of modern web or app platforms, USSD security can be strengthened with the right mix of backend encryption, session control, user education, and telecom collaboration. For businesses, investing in USSD security isn’t just about protecting users; it is about safeguarding their brand reputation and ensuring long-term trust in their service. By following the best practices discussed above, you can ensure that your USSD solutions remain safe, user-friendly, and relevant as the digital world evolves.