

Rising Cases of USSD Fraud: How to Protect Yourself



The rate of fraud perpetrated in the financial system through mobile phones has been on the rise in recent years, and unsuspecting bank customers as well as banks have been bearing the brunt of stolen funds. BUKOLA IDOWU looks at how the fraudsters operate and how customers can protect their funds.

Esther (not her real name) had been in the banking hall for more than one hour. She was determined not to leave until the bank produced the N100,000 that had gone missing from her bank account in about a week. A trader in Computer Village, a hub for computers and electronics in the commercial capital of Lagos, Esther was ready to raise a rumble in the banking hall if her money was not refunded.

After long explanations by the customer service officer and a printout of a month-long bank statement, she realised that someone around her had been transferring funds from her account using the Unstructured Supplementary Service Data (USSD) short code. Esther may be able to recover her funds as she was able to identify the name on the account to which the funds were transferred.

The case was, however, different for another young man who noticed weeks later that N10,000 had gone missing from his account. The name on the account to which the money was moved was not familiar to him, and he insisted that he never allowed anyone to use his phone.

Cases of funds disappearing from customers’ accounts have been on the rise, and the latest fraud report by the Nigeria Electronic Fraud Forum shows a rising trend in mobile fraud. Deposit money banks started the trend of using the mobile phone as a mini bank, and other financial institutions, including mortgage banks and microfinance banks, have adopted it.

How Does USSD Work?

USSD is a communications protocol used by GSM cellular telephones to communicate with the mobile network operator’s computers. USSD can be used for WAP browsing, prepaid callback service, mobile-money services, location-based content services, menu-based information services, and as part of configuring the phone on the network. USSD messages create a real-time connection during a USSD session. The connection remains open, allowing a two-way exchange of a sequence of data.

It is currently the best available communications technology to deliver mobile financial services to low-income customers, and the majority of mobile financial service deployments in the developing world use USSD as their primary mechanism for communication between customers and their mobile payments platform.

Using USSD for transactions does not require much: just a functional mobile device that is connected to a telecommunications service provider, and customers can do as much as open bank accounts, check account balances, transfer funds, pay bills and much more.

Banks adopted this platform not just for its convenience but also for its reach. With over 174 million active mobile subscribers, banks are hoping to reach the about 40 million adults that are unbanked in the country with a simple USSD code.

Rising Case of Mobile Fraud

Due to the wide usage and ease of the platform, fraudsters have shifted tactics, targeting the mobile devices of bank customers. The 2018 fraud report released by the Nigeria Electronic Fraud Forum (NeFF) shows that mobile fraud, which accounted for the third highest recorded fraud in 2017, last year recorded the highest rate of fraud by volume and value.

The 2018 fraud report summary showed that a total of 11,492 fraud cases representing 29.6 per cent of total fraud volume in 2018 had been on mobile devices. Value of fraud on mobile devices rose by 72.2 per cent from N347.64 million in 2017 to N598.8 million in 2018.

The value of fraud on the channel had been on the rise since 2017, having dropped slightly from N248.144 million in 2015 to N235.17 million in 2016. NeFF had last year attributed the increasing level of fraud on mobile to USSD transactions, which banks had embraced as part of efforts to deepen financial inclusion and promote the cashless policy whilst making banking convenient for customers.

A player in the fintech world explained that “what they do is that they swap your phone. That is, they just walk up to a service provider and claim to be the owner of the line. Most often, they have studied that number and they have collaborators, probably in the bank.

“And because the process for doing a change of SIM card is so loose, the telecom company would change the SIM card for the person and so he assumes the phone number. What does he do? He puts the SIM card in another phone and starts using the USSD to make transfers out of the account into another account.”

A software developer, also explaining the process of fraud through USSD, noted that between the “phone and the network provider, a malicious person can sniff the packets sent with a tool like Burp Suite, if you are connected to an unsecured Wireless Network.

“Also, between your network provider and your bank, an insider can trap or sniff the packets of your session with a tool like Packet Analyser. The packet contains everything you enter in a session: account number, amount to transfer, your PIN. Your bank and network provider DO NOT know you! They only know your phone number and your PIN. Only your SIM card and PIN stand between you and the money in your bank account.”

What Banks and Regulators are Doing

To ensure that bank customers are protected, the Central Bank of Nigeria (CBN) issued a guideline on USSD last year. With the implementation of the guideline, bank customers will not be able to conduct transactions above N100,000 through the USSD platform on a daily basis.

They will also have to use both a PIN and a soft token to authenticate transactions above N20,000. Presently, USSD transactions require only a PIN for authentication, and some do not even require a PIN. Aside from beefing up authentication procedures, the guideline stipulates that service providers put in place systems that enable users/subscribers to block their account from operating the USSD service.

This means that no USSD Financial Service should be activated for customer unless the deactivation mechanism. In addition, the framework requires banks to install a behavioural monitoring system with the capability to detect SIM-swap/churn status, user location, unusual transactions at weekends, etc.
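The controls described above can be combined into a single authorization check, shown here as an added example that is not code from the CBN guideline or from any bank. The 72-hour SIM-swap window, the definition of an "unusual" weekend transaction and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DAILY_LIMIT = 100_000        # naira; daily USSD cap stated in the article
STEP_UP_THRESHOLD = 20_000   # naira; above this, PIN plus soft token
SIM_SWAP_WINDOW = timedelta(hours=72)  # assumed value, not from the guideline

@dataclass
class Account:
    ussd_blocked: bool                 # customer has deactivated USSD
    spent_today: int                   # naira already moved via USSD today
    last_sim_swap: Optional[datetime]  # from the operator's SIM-swap/churn feed

@dataclass
class Request:
    amount: int
    when: datetime
    pin_ok: bool
    token_ok: bool

def decide(acct: Account, req: Request):
    """Return (decision, reason); decision is 'allow', 'deny' or 'review'."""
    if acct.ussd_blocked:
        return "deny", "USSD disabled by customer"
    if not req.pin_ok:
        return "deny", "PIN failed"
    if acct.spent_today + req.amount > DAILY_LIMIT:
        return "deny", "daily limit exceeded"
    if req.amount > STEP_UP_THRESHOLD and not req.token_ok:
        return "deny", "soft token required"
    # Behavioural checks: a correct PIN alone does not prove who holds the SIM.
    if acct.last_sim_swap and req.when - acct.last_sim_swap < SIM_SWAP_WINDOW:
        return "review", "recent SIM swap"
    # Assumed meaning of "unusual": a step-up-sized transfer on Sat/Sun.
    if req.when.weekday() >= 5 and req.amount > STEP_UP_THRESHOLD:
        return "review", "unusual weekend transaction"
    return "allow", "ok"

if __name__ == "__main__":
    # Constructed sample: SIM swapped the day before a small weekday transfer.
    monday = datetime(2019, 6, 3, 10, 0)
    acct = Account(False, 0, monday - timedelta(days=1))
    print(decide(acct, Request(5_000, monday, pin_ok=True, token_ok=False)))
```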

Speaking at the annual meeting of NeFF, Chairman of the Forum and Director, Payment System at the Central Bank of Nigeria, Sam Okejere, noted that having scored 28.21 per cent on the Fraud Interest Index, the mobile channel has shown early warning signs that fraudsters are shifting focus to mobile attacks and testing the waters in different types of mobile and online banking fraud in 2019.

Noting that innovation-savvy customers are increasingly opting for self-initiated banking solutions both online and offline, like mobile banking and USSD, with a preference for full-service mobile banking apps over cheques and other over-the-counter services, he said “the more products channeled through those mobile devices, the more attractive they become to fraudsters.

“It may interest you to know that one of our members operating in the telecommunications sector has recently published an admission of a ransomware attack, where its system was compromised through its subscriber’s devices.

“This further re-affirms our commitment to disclosure of incidents and sharing of intelligence within the Forum.”

He added that while NeFF is working towards combating fraud in the system, “the security teams of financial service providers must also continually rethink their strategy, from automating their security hygiene measures to replacing isolated security devices with an integrated security architecture that can seamlessly stem the tide of fraud attacks.”

According to the Executive Director for Information Technology and Operations at Access Bank Plc, Ade Bajomo, the estimation today is that there are over 20 billion internet devices, “and this is one of the biggest tools for hackers. The speed and effectiveness at which hackers are progressing is at such a pace that none of us have ever envisaged. If you go to the dark world you will see just like we have software service. Same way in the dark world there are people selling hacking tools.”

Bajomo, who called for collaboration amongst financial institutions and other players in the financial technology ecosystem, noted that in the “Nigerian financial space, each operator is only as protected as the financial ecosystem.”

What Should Bank Customers Do?

While many may want to lay blame on financial institutions, there is little they can do if customers continue to open pathways for fraudsters to access funds in their accounts. Bank customers also have a duty to protect their funds the same way they safeguard their homes and properties.

Financial institutions have continued to sensitize customers on why they need to keep their passwords and personal identification numbers (PINs) to themselves and not share them with people around them. Aside from this, there are other steps that customers need to take to ensure that they do not open the doors of their bank accounts to fraudsters.

A techie giving advice said “check the permissions you grant applications before you download them. Many harmless-looking apps like games or dictionary actually do more underneath. So if an app like this is requesting access to your location or settings, be wary.”

While freebies are always a thing to enjoy, customers are advised to ensure that they are not making transactions while connected to public Wi-Fi. Also, easy-to-decode PINs are not always the safest, and bank customers are advised not to use their birth year, BVN or the last four digits of their debit card as PINs.

USSD is found to be safer to use on phones that are not internet-enabled, as they are more secure. Finally, when a phone is stolen or lost, the bank should be the first point of call.


