Security, Infrastructure and Trust Working Group
Security testing for USSD and STK based Digital Financial Services applications
About this report
Abbreviations and acronyms
1 Introduction
2 Main components of a USSD, STK DFS ecosystem
3 Testing attacks to USSD and STK DFS based implementations
     3.1 Passive and active attacks against DFS transactions
     3.2 Device validation
     3.3 IMSI validation and verification
     3.4 Man-in-the-middle attacks on STK SIMs
     3.5 Attacks using binary OTA message
     3.6 Remote USSD execution on the device using ADB
     3.7 Remote USSD execution using SS7
     3.8 SIM clone attack
4 Best practices to mitigate USSD and STK threats
     4.1 Best practices to mitigate against retrieval of user data
     4.2 Best practices to mitigate SIM swap and SIM recycling risks
     4.3 Best practices to avoid remote USSD execution on devices
     4.4 Best practices to mitigate SIM exploitation using binary OTA