Location of Repository

Securing USSD in mobile financial transactions: a practical proposal for m-finance

By Paula Margarida Mendonça da Silva Cravo


Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2011This work analyses an existing mobile-finance scheme at Portuguese PT Inovação, targeting users that do not have a bank account, and using the USSD communication channel to process financial transactions between three parties: the User, an Agent that represents, or acts on behalf of, an institution, but not necessarily a bank or a financial one, and the Financial Transaction Manager (FTM) that manages the Agent network, the Users and the transactions made. We start by analyzing USSD communications: by itself it is not a secure communications channel, but it is available at every GSM device, allows for instant messaging services and is inter-operable, i.e. is not telecom dependent. Besides, it can run on commodity mobile phones, and requires practically no software download. From the user point of view, it resembles a normal text message and requires no special communications contract with the telecom operator other than the one that allows for sending text messages. It presents some security issues, namely, no authentication, no confidentiality, no integrity. We demonstrate that these issues can be solved through the use of end-to-end secure protocols on top of USSD in addition to other security mechanisms. PT Inovação’s m-finance scheme already implements a set of operations and financial transactions. We analyze the system’s threat model and we propose a solution that will protect a specific communication path, namely, between the Agent and the FTM. We suggest the implementation of SSL/TLS over USSD, a lightweight version that we call USSL/UTLS. We demonstrate that it is feasible to implement such security mechanism on a USSD communication channel, and that it provides end-to-end security over the network communication path, at least if the devices present some processing capabilities. We propose some possible implementation paths, and conduct a brief performance analysis

Topics: USSD, SSL/TLS, m-finance, Confidentiality, Authenticity, Teses de mestrado - 2011
Year: 2011
OAI identifier: oai:repositorio.ul.pt:10451/8707

Suggested articles



  1. (2007). Access Channels in m-Commerce doi
  2. (1996). Cellular Telecommunications System; Unstructured Supplementary Service Data (USSD)
  3. (2008). Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication”. doi
  4. (2009). M.K.: “Seeing-Is-Believing: using camera phones for human-verifiable authentication”. doi
  5. (2008). S.: “Mobile ATM for developing countries”. doi
  6. (2008). Solutions to the GSM Security Weaknesses”. doi
  7. (1996). Specification of the SIM Application Toolkit for the Subscriber Identity Module - Mobile Equipment (SIM-ME) interface. http://www.etsi.org,
  8. (2003). State of the Art Review of Mobile Payment Technology”.
  9. (2010). Stragglers of the herd get eaten: security concerns for GSM mobile banking applications”. doi
  10. (2011). The Times They Are A-Changin’: Mobile Payments in India”. doi
  11. (2011). Towards End-to-End Security in Branchless Banking”. doi
  12. (2010). Usably Secure, Low-Cost Authentication for Mobile Banking”. doi

To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.