Learn what 3G is, its cybersecurity risks, and how legacy systems relying on 3G impact modern security. Discover how to mitigate these threats effectively.
How USSD works
Think of USSD as a direct phone call to a service, but instead of talking, you're texting in real-time. Here's the basic flow:
User initiates: You dial a code like *123# to start a session
Network processes: The USSD gateway receives your request and forwards it to the appropriate application
Service responds: The application sends back a response (like a menu or information)
Interactive session: You can continue the conversation by selecting options or entering data
Session ends: The connection closes when you're done or after a timeout
The key difference from SMS? USSD keeps the connection open during your entire interaction, making it perfect for things like checking your bank balance or topping up your phone credit.
USSD message format and structure
USSD messages follow a specific pattern that's easy to recognize:
Start with: Asterisk (*) or hash (#)
Middle: Numbers and sometimes letters
End with: Hash symbol (#)
Examples:
*123# (balance inquiry)
5551234# (recharge with code 1234)
#100# (check data balance)
Messages are capped at 182 characters, so everything stays short and sweet.
Common USSD applications
You've probably used USSD without even thinking about it. Here are the most common uses:
Financial services
Mobile banking transactions
Balance inquiries
Money transfers
Bill payments
Telecommunications
Prepaid recharge
Data package purchases
Service activation/deactivation
Network configuration
Other applications
Voting systems
Survey responses
Location-based services
Emergency notifications
USSD vs. SMS: understanding the differences
Feature | USSD | SMS |
Connection type | Session-based (real-time) | Store-and-forward |
Character limit | 182 characters | 160 characters |
Internet required | No | No |
Works on basic phones | Yes | Yes |
Cost | Usually free or low-cost | Per-message charges |
Delivery guarantee | Immediate or fails | Eventual delivery |
Cybersecurity implications of USSD
Here's where things get interesting from a security perspective. USSD's simplicity and widespread adoption make it an attractive target for cybercriminals:
SIM swapping and social engineering
Attackers can exploit USSD codes to:
Transfer phone numbers to attacker-controlled SIMs
Access mobile banking services
Bypass two-factor authentication
Gather account information
Network-level attacks
Since USSD operates at the network level, malicious actors might:
Intercept USSD communications
Launch man-in-the-middle attacks
Exploit weak authentication mechanisms
Access sensitive user data
Recommendations for organizations
Monitor USSD traffic for unusual patterns or unauthorized access attempts
Implement strong authentication for any USSD-based services
Educate users about USSD-based social engineering attacks
Regularly audit USSD code configurations and access controls
Deploy network monitoring tools to detect suspicious USSD activity
USSD in IoT and modern applications
Don't think USSD is just for checking phone balances. It's found new life in IoT applications:
Remote device management: Sending configuration updates to IoT devices
Data collection: Gathering sensor readings from remote locations
Emergency communications: Backup communication when data networks fail
Asset tracking: Location updates from GPS-enabled devices
The low bandwidth and universal compatibility make USSD perfect for these use cases—but they also create new security challenges organizations need to address.
FAQs
This message appears when your phone is processing a USSD request. It should complete within a few seconds. If it hangs, try restarting your phone or checking your network connection.
Yes! USSD operates over the cellular network's control channels, not data networks. It works on any GSM-compatible phone, even basic feature phones.
USSD has basic security features, but it's not encrypted end-to-end. The security depends on your mobile carrier's implementation and the specific service you're accessing.
Most USSD sessions end automatically after completing a transaction or timing out. You can usually cancel by pressing the "Cancel" or "Back" button on your phone.
Common issues include weak network coverage, carrier restrictions, incorrect code format, or your phone plan not supporting certain USSD services.
Staying secure in a USSD world
USSD isn't going anywhere—it's too useful and too embedded in global telecommunications infrastructure. As cybersecurity professionals, we need to understand how it works and where the risks lie.
The key is treating USSD like any other network protocol: monitor it, secure it, and educate users about potential threats by utilizing effective and comprehensive security awareness training. With proper controls in place, USSD can be a valuable tool without becoming a security nightmare.
Related Resources
Protect What Matters
Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free
