The security of Global USSD should be discussed in the context of a particular service. There is a big difference between informational services and financial services, where large money transactions can be made. Here we look at a Financial Service Delivery Platform implemented with the help of Global USSD.
You can see five different stages of signal transmission where a potential security threat can exist. Let’s look at each stage in detail:
- A subscriber uses one of our initiation methods to access a service. A call to a Call2Service number is the most common one. At this stage it’s impossible to access the service by pretending to be this subscriber, as the USSD session will be sent to the original mobile number and phone, not the fake one.
- After initiation, the service data goes through the Guest SS7 Network. Here the information can be seen by the staff of this network, i.e. its engineers. End-to-end encryption is not possible here, as governments have policies against such encryption. It would also require SIM cards to be replaced. None of this means that this stage is insecure. The engineers of each network are known, and each case of fraud from their side can be easily solved.
- The Point of Presence network has the same level of security as the Guest Network. The information goes through the Eyeline infrastructure, where it is monitored by Eyeline engineers. They have signed special clearing contracts for traffic monitoring. Overall, Eyeline’s policy allows a limited number of people to access its infrastructure. So this stage is, again, pretty secure.
- (5) The Eyeline infrastructure communicates with the Service Provider infrastructure through secure server channels like HTTPS, IPsec, SSH, etc. The choice of secure channel is subject to agreement.
Finally, the USSD signal which is transferred over the air is not itself encrypted. But the GSM channel that carries the signal has built-in encryption, authentication, authorization and accounting protocols. It will cost a minimum of $100.000 to acquire the equipment needed to sniff and decode the signal.
As you can see, all stages are secure. But the best solution is to design scenarios where no sensitive information is sent through the system: scenarios where such information is entered beforehand, for example, during the setup of a service in a financial institution. Even if sensitive information is sent through the system, it’s still very expensive to get it.
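One such scenario, as an added example (not Eyeline's or the Global USSD platform's code): a service-provider-side transfer flow in which payees are registered beforehand, so only menu labels, a menu index and an amount ever cross the USSD path. The names `Session`, `handle`, `ENROLLED`, `MAX_AMOUNT` and the placeholder account identifiers are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample data: payees registered beforehand at the financial
# institution (not over USSD), keyed by the subscriber's mobile number.
ENROLLED = {
    "+10000000001": [("Rent", "ACCT-PLACEHOLDER-1"), ("Mum", "ACCT-PLACEHOLDER-2")],
}
MAX_AMOUNT = 500  # assumed per-transfer limit


@dataclass
class Session:
    msisdn: str  # supplied by the network, never typed by the user
    step: str = "menu"
    payee: int = -1
    wire: list = field(default_factory=list)  # all text that crossed the USSD path


def _number(text):
    """Parse a short ASCII digit string; anything else counts as 0 (invalid)."""
    return int(text) if text.isascii() and text.isdigit() and len(text) <= 6 else 0


def handle(s, user_input=None):
    """Advance one step. Returns (prompt, transfer); transfer is None until done."""
    text = user_input or ""
    if user_input is not None:
        s.wire.append(text)
    payees = ENROLLED.get(s.msisdn, [])
    prompt, transfer = "Invalid input. Session closed.", None
    if not payees:
        prompt, s.step = "Not enrolled. Please register at your bank.", "end"
    elif s.step == "menu":
        # Only labels go out; account numbers stay on the provider side.
        prompt = "\n".join(f"{i}. {name}" for i, (name, _) in enumerate(payees, 1))
        s.step = "pick"
    elif s.step == "pick" and 1 <= _number(text) <= len(payees):
        s.payee, s.step, prompt = _number(text) - 1, "amount", "Amount:"
    elif s.step == "amount" and 0 < _number(text) <= MAX_AMOUNT:
        # The menu index is resolved to the real account only here.
        transfer = {"from": s.msisdn, "to": payees[s.payee][1], "amount": _number(text)}
        s.step, prompt = "end", "Transfer accepted."
    else:
        s.step = "end"
    s.wire.append(prompt)
    return prompt, transfer
```

`Session.wire` records every prompt and reply, so it can be inspected to confirm that no account identifier was exposed to the SS7 or over-the-air stages.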
Stay tuned.

