Exploring Security of Phone-based Mobile Money Systems Against Attacks
Rather than operating on the wider Internet and using standard encryption protocols and banking best practices, most mobile money systems are built and operated by mobile network operators (MNOs) using telecom primitives such as the short message service (SMS), unstructured supplementary service data (USSD), and the SIM Toolkit (STK) to communicate with servers in their core network. These services rely on the encrypted air interface to protect user data and ensure safe transmission of mobile money data and requests. While the telecom ecosystem has existed for decades and is generally understood to have numerous security issues, the size, scale, and impact of mobile money is a recent change that is focused primarily in the developing world. The security of this ecosystem has seen little exploration, with what does exist being focused on higher-end, less used Android applications or attacks that leverage fake base stations.