An Evaluation of Current Global System for Mobile Communications (GSM) Standards in Mobile Money

Mogolodi Lore Menyatso

Abstract

The Global System for Mobile Communications (GSM) network was originally designed to carry voice communications, such as voice calls, for devices that use the GSM network. However, the technology is now also applied to mobile monetary services and solutions. This paper therefore evaluates and compares the Unstructured Supplementary Service Data (USSD) and Short Message Service (SMS) GSM standards and formulates a conclusion based on the findings of that evaluation.

1. Introduction

Since the dawn of network communications, GSM has been used without any regular improvements throughout the years. However, evidence shows that GSM is becoming more vulnerable with time due to advancements in technology, which leaves it unable to keep up with modern developments that are resource demanding and fast paced. Numerous users around the globe depend on GSM services for e-commerce, purchases, utility payments, customer service support and self-service. The technology has gained traction in impoverished and developing markets such as Africa. Statistics show that in Uganda there are at least 25.8 million users and 26 banks participating in this wave of convenience offered by mobile money; the Bank of Uganda (BoU) reported a total of 2.51 billion transactions made on mobile monetary platforms (Ali, G., 2020), a figure from the annual financial report for the year 2018/19. One of the main reasons for its mass adoption in developing and impoverished countries is that the GSM-based standards, namely SMS and USSD, can operate on low to fair network bandwidths and do not require many resources, such as an internet connection.

Despite the GSM technology being efficient, cases of underperformance exist. A recent study (Samera Uga Otor et al., 2020) elaborates on how stakeholders are affected in terms of business operations when customers are victimized while using GSM standard-based applications to access services and products. Customers are often left vulnerable to fraudulent attacks, deceiving algorithms, eavesdropping and interception. These cases are at times challenging to solve and to justify for exploited customers, because the individuals behind these unethical acts use anonymous strategies such as the well-known man-in-the-middle attack. Cases often arise concerning the encryption of data collected from pull USSD services. Evidence shows that poorly encrypted data can be read easily, and this is worsened by the use of relational database services, as data packets travel as plain, unencrypted text.

Multiple papers address the unsafe practices and weak points that exist in the GSM-based standards. For instance, the research of Nyamtiga, B. et al. (2013) focused on the security establishments of the USSD and SMS standards as being suboptimal. Nevertheless, high-stake participants such as the banking sector, which use GSM technology to deliver services and products, treat counteractive security measures as their priority before any attempt to optimize their service delivery vehicle. However, access points exist in the module responsible for coupling the infrastructure of the bank, or of any other third-party organization, with the GSM standard-based application, either SMS or USSD. Therefore, this paper argues that the GSM network standard must be technically upgraded, and protocols must be optimized, to combat cases of security and deterioration in mobile money.
This paper first explains the GSM technology and the GSM standards used in mobile money, then evaluates each standard's make-up and recent research aimed at improving the standards, and then compares and contrasts in detail how each standard's characteristics are utilized in mobile money. Finally, it presents conclusions that could potentially have a positive impact.

1. Global System for Mobile Communication (GSM) Network Architecture

On the GSM network, for a connection to be established with a device that uses the GSM protocol, a strong network connection with a fair signal should be available to nearby devices. Therefore, if a handset is in motion, an interchange among GSM base stations takes place automatically, depending on the network strength of any given base station within reach of the device (Njuguna, M.W., 2020). Data in all formats, such as Short Messaging Service (SMS) or voice, is transported over one communication line which connects directly to a Network Sub-System (NSS) fragment. The NSS is responsible for establishing a link with an Operation and Maintenance (OMS) subsystem, whose role is to enable direct communication with the assigned databases to provide informational services. GSM networks usually have gateways in between the modules that couple an organization's infrastructure, such as in-house software and hardware. However, a vulnerability exists in this scope, due to optional encryption that uses a weak stream cipher algorithm (A5/1 or A5/2) (Saxena N, Payal A, 2011).

Figure 1. The GSM network architecture illustration

2. Short Message Service (SMS) Architecture

The standard operates wirelessly from any device with GSM capabilities built in, with the ability to send and receive data within a split second even when the network has low-bandwidth connectivity.
Data in this standard is sent in the form of a byte array, which is then processed as an alphanumeric package. This data is then encapsulated into a data packet consisting of a header and a body; the body stores the actual data, which is converted to 70 ASCII characters using an encoding. After processing, the data is sent wirelessly to the nearest Base Transceiver Station (BTS) tower and forwarded to the Base Station Controller (BSC). The BSC is then responsible for transmitting the packet to the Mobile Switching Center, which passes it over to the Signaling System No. 7 (SS7); note how SS7 is stationed as a mid-point in the architecture. From the SS7, packets are filtered according to their mobile carriers, and if the SMS is bound for a destination operator different from the source, a Short Message Peer to Peer (SMPP) repackaging is initiated by the source's SMS Center (SMSC) before the packet is forwarded over Transmission Control Protocol and Internet Protocol (TCP/IP), across any network connected to the receiver's SMSC. The SMSC completes the link by delivering the packet to its destination, where decapsulation takes place and the message is presented as plain alphanumeric text to the receiver (Baraka W. Nyamtiga et al., 2013).

Two-way transmission is supported in SMS technology, meaning that a cellular subscriber can send and receive text messages at any time, even during an outgoing call. Before the response is processed, a few protocols of the GSM network must be followed in order to validate the action. These are as follows:

• The request is transported from the phone through the network to the nearest telecommunication tower available.
• After the communications tower, the request is then forwarded to a GSM network module as a packet.
• The gateway performs a filtration action and accepts certain requests to get data from the servers; it acts as an overseer for security rules.

Figure 2. The SMS architecture illustration

3. Unstructured Supplementary Service Data (USSD) Architecture

The system runs on top of a Global System for Mobile (GSM) communications network which is connected to a gateway joined to a centralized server-side system, with a SQL server at the end of the link. Users access this service by dialing a combination of short codes on their GSM mobile phones; this is not supported on Code Division Multiple Access (CDMA) devices, as those devices do not have SIM card integration capability. The protocol therefore serves as a communication link between the destination servers and GSM mobile devices (Njuguna M.W., 2020). The integration of the system service starts when a user dials a few pre-defined short codes, with an asterisk/star (*) at the beginning of the digits followed by a hash (#) to mark the end of the code (Suraj et al., 2017). After this is processed, the procedure is treated as a request packet encapsulating 182 characters of data (Suraj et al.). This is sent to the server and a response is expected to follow suit.

Figure 3. The USSD architecture illustration

4. How GSM Standards are used In Mobile Money

Mobile financial services seem to be one of the most promising endeavors being developed in most developing economies (Donovan, K., 2012). GSM technology is the backbone on which the SMS and USSD standards run. It allows any service provider to have its own access codes for a USSD service and SMS. A SIM provider would therefore utilize what is already at its disposal, which is to integrate with the existing GSM technology. Various APIs and backend systems are implemented to form a link and act as a medium between the service provider's servers and the SMS or USSD standard on the GSM network.
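The gateway filtering and the USSD string format described above (a leading *, a closing #, at most 182 characters) can be sketched as follows. This is an added example, not code from the paper; the service codes, parameter layout, log format and function names are constructed for illustration.

```python
import re

MAX_USSD_LEN = 182  # per-message character limit quoted on this page

# Constructed allowlist (hypothetical short codes): for each service code, how
# many '*'-separated parameters it accepts and which one, if any, is a PIN.
SERVICES = {
    "150": {"max_params": 3, "pin_index": 2},     # *150*recipient*amount*PIN#
    "165": {"max_params": 0, "pin_index": None},  # *165# (balance menu)
}

# '*', a service code, optional '*digits' parameters, and the closing '#'.
USSD_RE = re.compile(r"\*(\d{1,4})((?:\*\d{1,20})*)#")


class RejectedRequest(ValueError):
    """Raised when a request fails the gateway's filtering rules."""


def parse_ussd(raw):
    """Return (service_code, params) or raise RejectedRequest."""
    if len(raw) > MAX_USSD_LEN:
        raise RejectedRequest("longer than 182 characters")
    match = USSD_RE.fullmatch(raw)
    if match is None:
        raise RejectedRequest("not of the form *code*param...#")
    code = match.group(1)
    params = match.group(2).split("*")[1:]  # drop the empty leading field
    rule = SERVICES.get(code)
    if rule is None:
        raise RejectedRequest("service code not on the allowlist")
    if len(params) > rule["max_params"]:
        raise RejectedRequest("too many parameters for this service")
    return code, params


def log_line(raw):
    """Build the audit-log entry for a request without recording the PIN."""
    try:
        code, params = parse_ussd(raw)
    except RejectedRequest as exc:
        # Never echo rejected input: it may hold a PIN or injected text.
        return "REJECT len=%d reason=%s" % (len(raw), exc)
    pin_index = SERVICES[code]["pin_index"]
    shown = ["<PIN>" if i == pin_index else p for i, p in enumerate(params)]
    return "ACCEPT *" + "*".join([code] + shown) + "#"
```

Masking the PIN in the log does not protect it in transit; it only keeps the gateway from creating a second clear-text copy.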
The business rules of third-party service providers such as banks, and even of SIM providers, are implemented and defined in these APIs.

5. Evaluation of GSM Standards Used in Mobile Money

SMS and USSD technologies have various characteristics which differentiate the two standards from one another.

5.1 Short Message Service (SMS)

This uses the General Packet Radio Service, which is responsible for processing packets over the GSM network and the Code Division Multiple Access (CDMA) networks. If the destination or receiving terminal is unreachable, the SMS data is saved en route within the network at the SMSC. The SMS remains at the SMSC until the destination of the packet is reachable on the other end (Thiga, M. et al., 2013).

However, in the SMS standard data is forwarded through a TCP/IP protocol to a SMSC before reaching its destination. This is a vulnerability in the system, as the data is prone to interception by unethical individuals (Medani, A. et al., 2011). SMS technology is more susceptible to attacks because of the multiple stops SMS data must make within the GSM network. Sanganagouda, J. (2011) examined the flow of packets en route to their destination and derived results showing that interception attacks are probable during this process.

Once the user sends a request to the service provider, for instance a banking platform, a response is sent as a short code in the form of text and saved on the user's device, which the customer uses to access certain information or capabilities. Sanganagouda, J. (2011) furthermore declares this method risky, since anyone who has access to the user's device could use the short code for exploitation. Saxena, N. and Chaudhari, N.S. (2013) concluded that SMS is slow despite the fact that it uses a method of storing user data when receiving information; the data is often stored on the user's actual handset or the SIM, and is usually 140 bytes of data held within an SMS message.

The first two sections of the payload are used to establish a connection with a certain port in the GSM network for integration reasons. The next two sections store the SMS message encoding, and the timestamp stores the time when the SMS was received. The diagram (Figure 4) below illustrates how an SMS payload is sectioned.

Figure 4. The SMS Payload illustration

5.2 Unstructured Supplementary Service Data (USSD)

USSD technology does not need to store any user data on the handset or device. Once USSD is invoked by dialing a set of short codes, a bi-directional session that the user can interact with is automatically initialized. An iterative menu is often presented to the user, making the interaction lively (Sanganagouda, J., 2011). Saxena, N. and Chaudhari, N.S. (2013) discovered that USSD has had an upgrade which will allow it to have roaming capabilities. These upgrades include the ability to support an open HTTP interface and the ability to establish a communication link directly to the MSC through the SS7.

Efficient as USSD is, flaws have been identified within the standard. These include USSD applications being vulnerable to network sniffer attacks such as Wireshark and to malware attacks found on devices that use Android and iOS, as the user's PIN is handled between network protocols as clear plain text. A user can also fall victim to exploitation by the service provider's administrators (Mtaho, A.B., 2015).

Adding to the privacy leakage concern, Njuguna, M.W. (2020) discovered that despite the security measures most banking and financial service providers apply to such services, non-trivial data can still be extracted through an analysis of the traffic. Adding to the privacy leakage concern, Islam, Kuzu and Kantarcioglu (2012) provided evidence that non-trivial data such as user queries and secret keys can be extracted by assessing the read access patterns of requests served from client terminals. If there is a breach of the data, there would be no defense mechanism in place to protect it, as it would be exposed exactly as it was sent from the source. Research from Nyamtiga and Laizer (2013) and Ali, G. et al. (2020) states that there is no encryption in place in the event that the GSM backbone carrier encounters a breach.

Due to the underlying technology that is the backbone of the system, transactions are often slow and take longer to fully complete. Mukesh S. et al. (2011) declare that customers who use mobile money services must wait a couple of hours when making transactions because the backend system is flimsy. Mukesh S. et al. (2011) further claim that human interference is often required to finish and seal off pending transactions, which ends up being a costly operation. Every time USSD is invoked, an active connection between the sender and the receiver must be available, as it operates on a real-time session; this condition can therefore be costly (Sanganagouda, J., 2011).

6. Comparison of USSD and SMS Standards in Mobile Money Services

The different features of the SMS and USSD technologies are tabulated below:

| SMS | USSD |
| --- | --- |
| Fundamentally uses a store and forward strategy | Real-time based session |
| SMSC receives the SMS data before it manages to deliver it to the destined recipient | Client firsthand interacts with the application platform hosting the service |
| Composed of 160 alphanumeric characters | Composed of 182 alphanumeric characters |
| Messages are stored directly on the handset or the SIM memory | No messages stored on |
| Plain text interaction | Menu driven interactions |
| Optional menu driven interaction | |
| Susceptible to carrying malformed short messages | No short message sent to phone |

7. Conclusion

The paper clearly states how one standard performs better than the other on every given dimension where a functional requirement exists. Overall, therefore, the USSD standard is optimal for commercial use; however, this does not imply that there is no room for improvement. As flaws exist in the security aspects of the technology, upgrading the databases on the USSD backend system to NoSQL databases is recommended, as it would have a positive impact on encrypting the data and on increasing processing speed, since data would be stored and sent in JSON format. This conclusion about migrating from relational databases to NoSQL databases is derived from a study conducted by Abdelraheem, M.A. et al. (2018), in which table metadata and the number of records/entries were leaked after the AttributeName recovery attack was initiated on a relational database. Given that a GSM-enabled handset attaches to whichever base station offers the superior connection among a set of base stations (Njuguna, M.W., 2020), an identification measure between devices and base stations, such as a private key, should be integrated to prevent handsets from connecting to a rogue base station regardless of how strong its signal is perceived to be.
This would highly curb cases where client-side terminals are deceived into connecting to fraudulent base stations.

References

Otor, S.U., Akumba, B.O., Idikwu, J.S. and Achika, I.P., 2020. An Improved Security Model for Nigerian Unstructured Supplementary Services Data Mobile Banking Platform.

Saxena, N. and Chaudhari, N.S., 2013. Prevention of SMS against Repudiation Attack over the GSM Network. Journal of Information Assurance & Security, 8(3).

Nyamtiga, B.W., Sam, A. and Laizer, L.S., 2013. Security Perspectives for USSD versus SMS in conducting mobile transactions: A case study of Tanzania. International Journal of Technology Enhancements and Emerging Engineering Research, 1(3), pp.38-43. Page 41

Thiga, M.M., Siror, J.K. and Githeko, J., 2013. An SMS and USSD Model for Location-based Mobile Advertising.

Donovan, K., 2012. Mobile money for financial inclusion. Information and Communications for Development, 61(1), pp.61

Medani, A., Gani, A., Zakaria, O., Zaidan, A.A. and Zaidan, B.B., 2011. Review of mobile short message service security issues and techniques towards the solution. Scientific Research and Essays, 6(6), p. 1149.

Ali, G., Ally Dida, M. and Elikana Sam, A., 2020. Evaluation of key security issues associated with mobile money systems in Uganda. Information, 11(6), p. 4.

Mtaho, A.B., 2015. Improving mobile money security with two-factor authentication. International Journal of Computer Applications, 109(7). Page 9

Saxena, N. and Payal, A., 2011. Enhancing security system of short message service for m-commerce in GSM. International Journal of Computer Science & Engineering Technology (IJCSET), 2(4), pp.126

Islam, M.S., Kuzu, M. and Kantarcioglu, M., 2012, February. Access pattern disclosure on searchable encryption: ramification, attack and mitigation. In NDSS (Vol. 20, p. 10).

Njuguna, M.W., 2020. Dynamic knowledge based authentication model for enhancing security of USSD banking transactions (Doctoral dissertation, Strathmore University). Page 11

Mukesh Sadana, George Mugweru, Joyce Murithi, David Cracknell and Graham A.N. Wright (2011). Riding the M-PESA Rails: Advantages & Disadvantages. Page 2

Sanganagouda, J., 2011. USSD-A Potential Communication Technology that can Ouster SMS Dependency. International Journal of Research and Reviews in Computer Science, 2(2), p.295-303

Abdelraheem, M.A., Andersson, T., Gehrmann, C. and Glackin, C., 2018, September. Practical attacks on relational databases protected via searchable encryption. In International Conference on Information Security (pp. 171-191). Springer, Cham.
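The SMS size figures quoted in sections 2, 5.1 and 6 (70 characters, 140 bytes, 160 characters) all follow from how the user data is packed, and the packing uses no key, which is why a message read at any hop decodes straight to plain text. The added example below is not from the paper: it implements GSM 03.38 7-bit packing with a UCS-2 fallback, leaves out the extension table and concatenated messages, and its function names are chosen here.

```python
# GSM 03.38 default alphabet: the index of each character is its 7-bit code.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
MAX_OCTETS = 140  # user-data bytes in one SMS, the figure quoted on this page


def pack7(septets):
    """Pack 7-bit codes into octets, least significant bits first."""
    acc = bits = 0
    out = bytearray()
    for s in septets:
        acc |= s << bits
        bits += 7
        while bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:
        out.append(acc & 0xFF)  # final partial octet, zero padded
    return bytes(out)


def unpack7(data, count):
    """Recover `count` septets; the count is needed because 7 septets fill
    7 octets with 7 spare bits that would otherwise read as an extra '@'."""
    acc = bits = 0
    out = []
    for octet in data:
        acc |= octet << bits
        bits += 8
        while bits >= 7 and len(out) < count:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    return out


def encode_sms(text):
    """Return (alphabet, user_data, length) for one unconcatenated SMS."""
    if all(ch in GSM7 for ch in text):
        septets = [GSM7.index(ch) for ch in text]
        alphabet, data, length = "gsm7", pack7(septets), len(septets)
    else:
        # Simplification: anything outside the default alphabet goes to
        # 16-bit UCS-2 (assumes characters in the Basic Multilingual Plane).
        data = text.encode("utf-16-be")
        alphabet, length = "ucs2", len(data) // 2
    if len(data) > MAX_OCTETS:
        raise ValueError("does not fit in one 140-octet SMS")
    return alphabet, data, length


def decode_sms(alphabet, data, length):
    """What any node holding the user data can do: no key is involved."""
    if alphabet == "gsm7":
        return "".join(GSM7[s] for s in unpack7(data, length))
    return data.decode("utf-16-be")
```

160 septets of 7 bits are 1120 bits, exactly 140 octets, while 140 octets of UCS-2 hold 70 characters; both limits are the same 140-byte payload seen through different alphabets.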