
Exposed: critical vulnerabilities in USSD banking authentication protocols

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Unstructured Supplementary Service Data (USSD) authentication has been widely adopted as a popular method for verifying user identity and securing transactions in mobile financial banking, particularly in Sub-Saharan African countries. This is due to its convenience, speed, and accessibility, since it does not require high-powered computing phones, large storage, or internet connectivity. However, like every technological advancement, it has been widely exploited by malicious actors due to weak authentication requirements. This study critically examines all 19 commercial banks in Nigeria, which has the largest USSD banking usage in Sub-Saharan Africa. We analyse 30 scenarios to conduct an anatomy and build a timeline of USSD banking attacks. Furthermore, we critically but anonymously examine each USSD banking platform against several security factors selected from government guidelines, the National Institute of Standards (NIST) SP800-63B framework and the National Cyber Security Centre (NCSC) recommendations. This led to the revelation that certain services only require a single authentication, such as a PIN, while others require no authentication at all. Also, most of the banks failed to comply with governmental and industrial authentication standards. Furthermore, we present a 5-phase timeline of USSD attacks and present recommendations for different stakeholders at the various stages.
Original language: English
Title of host publication: 2023 IEEE International Conference on Cyber Security and Resilience (CSR)
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 275-280
Number of pages: 6
ISBN (Electronic): 9798350311709
ISBN (Print): 9798350311716
Publication status: Published - 28 Aug 2023
Event: 3rd IEEE International Conference on Cyber Security and Resilience, CSR 2023 - Hybrid, Venice, Italy
Duration: 31 Jul 2023 to 2 Aug 2023

Conference

Conference: 3rd IEEE International Conference on Cyber Security and Resilience, CSR 2023
Country/Territory: Italy
City: Hybrid, Venice
Period: 31/07/23 to 2/08/23

Keywords

  • authentication
  • mobile banking
  • USSD
