How secure are USSD codes?
November 28, 2015 - 0:0
Following its audit of electronic payment services, Shaparak has imposed new limitations on the USSD services that may be offered.
USSD (Unstructured Supplementary Service Data) is a Global System for Mobile communications (GSM) technology used to send text between a mobile phone and an application program in the network. Applications include prepaid roaming and mobile chat.
The limitations mentioned above cover two services offered through USSD codes, purchase and account balance, and set monetary limits for paying bills and buying cellphone credit.
This action of Shaparak, taken on the basis of an explicit circular issued to the PSP (payment service provider) companies under the Central Bank's order, has provoked a range of arguments and reactions.
Although these limitations directly affect the business of e-payment companies, the managers of these companies have preferred to postpone any reaction until they have coordinated with Shaparak and the Central Bank and have been informed of the urgent concerns that led to the limitations. Some have taken a firm stand against this action of the Central Bank and Shaparak, which will be discussed in due course.
Beyond this debate, other points must be made about Shaparak's decision:
• In recent years the offering and use of cellphone services has grown intensely in Iran. Perhaps the most important factor in this rapid growth is ease of use in the absence of a proper mobile internet infrastructure. In other words, since USSD does not require a smartphone or a mobile data connection, it came to be used so widely that it produced a meaningful change in the share of cellphone transactions compared with other e-payment tools.
• During this period, and despite the growth of banks' financial services and e-payment, the companies offering services in the electronic payment field, the Central Bank and even Shaparak took no significant action to improve the safety and security of USSD services. On top of that, the Central Bank and Shaparak were not quick enough to establish security standards, and the mobile operators took no security measures either.
The action of the Central Bank and Shaparak in applying limitations on USSD services was good but late. However, as they say, better late than never. We still have a few questions for the government, and we ask the decision makers to answer them in order to enlighten the experts in this field.
1- The Central Bank, Shaparak and other supervisory entities knew the security level of USSD, and it was raised repeatedly in conferences and expert notes. Why did they allow this system to expand over recent years despite its weak safety and security?
2- What has led them to apply limitations on USSD services?
3- What were the limitations applied for, and to what extent can they reduce the probability and scale of security incidents for the users of this service?
4- In the technical security discussion, the data-transfer layer over GSM/CDMA must be guaranteed by the mobile operators. Verifying the sender of a message within the network is done using the encryption algorithms of a Public Key Infrastructure, which requires a certificate authority (CA) and a connection to its centers. Given that a Public Key Infrastructure center exists in the Central Bank and could be used, one wonders why no action has yet been taken to issue signature certificates to users in order to identify them and encrypt their information.
5- What approaches or tools do they have in mind to increase the security of this service and expand its use?
Finally, based on my specialization in the fields of "security and identification of cyber users" and "trust in cyberspace", and considering that most of the security threats to this service can be summarized as follows:
• Lack of user identification.
• Interception and manipulation of request instructions.
• Weak encryption of vital information (customer number, card number, PIN, beneficiary account details, balance summary).
• …
we suggest that they consider the following methods:
• Using a CA to verify users' identities.
• Using proper encryption mechanisms to secure the information.
• Using encryption hardware and software such as HSMs on the data-transfer route to the banks in order to encrypt sensitive and significant information.
• Producing mobile banking applications and equipping them with Public Key Infrastructure and encryption tools.
• Not storing sensitive customer-identifying information, including but not limited to CVV2, CVV, the full contents of the card's magnetic stripe, PIN and PIN block.
• Investigating the new approaches used worldwide today for cellphone services and for increasing the security of information transfer in this field; Google Wallet and Apple Pay are examples.
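One way to implement the "do not store sensitive information" recommendation above, as an added example (not the author's code): a record sanitizer that drops CVV/CVV2, PIN, PIN block and magnetic-stripe track data before a payment record is persisted or logged, masks the card number to BIN plus last four, and flags raw track-2 data in free text. Field names and the sample record are assumptions.

```python
# Added example: strip sensitive authentication data and mask the PAN
# before a payment record is written anywhere. Field names are assumptions.
import re
from typing import Any, Dict

# Sensitive authentication data that must never be stored after authorization.
SENSITIVE_AUTH_FIELDS = frozenset({
    "cvv", "cvv2", "pin", "pin_block", "track1", "track2", "magstripe",
})

# Fields holding a card number (PAN); kept only in masked form.
PAN_FIELDS = frozenset({"card_number", "pan"})

_NON_DIGITS = re.compile(r"\D")
# Track 2 shape: 13-19 digit PAN, '=' separator, then YYMM expiry.
_TRACK2 = re.compile(r"\b\d{13,19}=\d{4}")


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, mask everything between."""
    digits = _NON_DIGITS.sub("", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy safe to persist: SAD removed, PAN masked, other fields kept."""
    clean: Dict[str, Any] = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_AUTH_FIELDS:
            continue  # dropped entirely, never written to disk or logs
        if name in PAN_FIELDS:
            clean[key] = mask_pan(str(value))
        else:
            clean[key] = value
    return clean


def contains_track_data(text: str) -> bool:
    """Detect raw track-2 data in free text (e.g. a log line) so the line can be
    rejected before it reaches storage."""
    return _TRACK2.search(text) is not None


if __name__ == "__main__":
    # Constructed sample record; the card number is a well-known test PAN.
    sample = {"card_number": "4111 1111 1111 1111", "CVV2": "123",
              "pin_block": "ABCDEF0123456789", "amount": 5000}
    print(sanitize_record(sample))
```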
Shahin Norouzi is an ICT security consultant at Iran's Property and Deed Registry Organization.