Phone-based mobile money is becoming the dominant paradigm for financial services in the developing world. For example, mPesa has a cash flow of over thirty billion USD, equivalent to nearly half of Kenya's GDP. In these markets, competitors have appeared who leverage ThinSIMs, small SIM-card add-ons, to provide alternative mobile money implementations. However, the security implications of ThinSIMs are not well understood. To address this, we explore the security of phone-based mobile money systems against attacks via the SIM interface, the 3GPP-defined interface between a SIM card and a phone. Using a ThinSIM to intercept and initiate communication over the SIM interface, we demonstrate that a malicious ThinSIM can steal a user's mPesa credentials and initiate transactions without the user's consent or knowledge. We also demonstrate a similar ThinSIM-based attack against USSD-based mobile money systems that allows transactions to be initiated without the user's knowledge or participation. Lastly, we propose and implement modifications to both STK- and USSD-based mobile money systems to limit the impact of the ThinSIM-based attacks we discovered.
Phipps, R., Mare, S., Ney, P., Webster, J., & Heimerl, K. (2018). ThinSIM-based attacks on mobile money systems. In Proceedings of the 1st ACM SIGCAS Conference on Computing and Sustainable Societies, COMPASS 2018. Association for Computing Machinery, Inc. https://doi.org/10.1145/3209811.3209817