February has been a busy month for me. Outside work, there were elections. For those of you living under a rock, President Buhari of APC won and Atiku’s PDP will have none of it.
On the Hovatek front, there were two important projects (IMG unsign tool v1.0 & MTK Auto TWRP porter v1.4) which we’ll be announcing at the blog in a few days).
I’ve been working on a new personal project called VenFinder. Its a website that helps you compare device specs and find devices by specs or price range. There’s also me trying to adjust to fatherhood 🙂 .
Just when I thought February wouldn’t spring any more surprises, the early hours of today happened.
While streaming on my Android TV box last night, I ran out of data.
I had about 2 GB left for night browsing so I decided to wait till Airtel’s night browsing. The plan was to topup via internet banking while running my usual early-hour tasks.
In case you’re wondering, I’d ditched Ntel Wawu for Airtel after WAWU went cold. 12 am and still no internet access. Two bowls of Chin Chin later, same story. It then dawned on me that the night time browsing data becomes useless once you exhaust your day time browsing data.
I normally would have just recharged a small amount the next day to get some MB to access the GTBank internet banking portal. For some reason, I thought to try out the GTBank *737# USSD mobile banking… and it all began with oooo 737.
I’ve always had strong reservations about the security of this service but went ahead to try it anyway. I saw Recharge Self and Recharge Others so I selected Recharge Self. I wasn’t certain of the difference (being my first time). I was expecting some kind of PIN verification request, at which point, I would know I’d selected the wrong option. Next thing I knew, I got a N3,000 MTN VTU topup notification. Ah!
Did I just recharge my MTN line from my own bank account unchallenged? I didn’t know which surprised me more; that I was unchallenged or that I just accidentally recharged N3,000 to my MTN of all lines. Those MTN guys and the way they forcefully subscribe you to silly tips.
Imagine the potential for bank theft via USSD
Now I recall why I didn’t touch their USSD banking since launch; I’d seen the flaws from the word go. This means anyone who steals my phone could topup my line then gift data to another line unchallenged. Let alone the possibility to set, retrieve or change the USSD security PIN.
Stories of peoples bank accounts getting emptied shortly after a phone or SIM theft are scary. USSD banking is a ticking bomb. Tracing the perpetrators of such crimes should be easy right? The level of undocumentation and compromise down here will amaze you.
I’m hugging my hardware token tight. GTB can have their ‘convenient’ USSD banking . I have requested that USSD banking be disabled for my account. I don’t know if such is possible but time will tell.
Update: The feature has been disabled for my account. Thanks GTB!