The USSD bearer is accessed by calling a number that starts with the asterisk or gate (or hash) characters "*" or "#" and then a combination of numerals, asterisks and finally the gate or hash character "#".
It may also be used for other applications. To see how it works, try dialling a few service codes on the phone on the right:
Hint Try service codes such as:
*100*12345678# - Recharge with voucher 12345678
*140*0895551234# - Send Please Call Me to 0895551234
*120# - Enter the portal (menu driven)
USSD Push is also known as Network Initiated USSD (NI USSD) or Mobile Terminating USSD (MT USSD).
With USSD Push, the session to the handset is started by the application. Different handsets handle the notification differently, but most handsets will beep and display the text sent to it by the application.
This information could even be a menu to which the user may respond. USSD Push is used for applications such as subscriber surveys, payment verification and even mobile marketing.
The handset recognises such numbers and will use the USSD bearer instead of a voice call. Instead of calling another subscriber or a service, the handset communicates with the USSD infrastructure.
The first USSD services were called "Phase 1", or "MAP 1" and were only able to pass information from the handset to the USSD application with a confirmation. There was therefore no session held between the handset and the application.
"Phase 2" (or "MAP 2") USSD added the capability for establishing a session instead of a once-off transaction. This meant that the handset and the USSD application could now have the technical equivalent of a dialogue.
GSM handsets supported USSD from the first days of GSM, so unlike SMS, every single GSM handset in the world supports USSD. Phase 2 has been supported for years and over 99% of handsets currently in use can use sessions on the USSD bearer.
Most handsets also support NI USSD (network initiated USSD), also called "USSD Push". With NI USSD, the network can push information to the subscriber's handset.
Another important fact about USSD, is that messages from handsets route to the home network. This means that if you are roaming in another network, then dialling a USSD string on your phone will always route to the application on your home network. If you are used to accessing a particular service in your home network, then you will also be able to access it from another country. Conversely, roaming subscribers from other networks cannot access USSD services on a host network.
The interactive nature of USSD Phase 2 allows an application to give a subscriber options in the form of menus. These menus are not stored on the phone and actually have very little to do with USSD.
The menus are formatted text lists of options separated by line feed characters. On a handset (phone), the text renders as a menu. The subscriber responds by entering a character that corresponds with the selection. Because the application served the menu text, it will be able to recognise the return selection.
The only formatting option available, is the new line character ("\l") and this leads to highly predictable rendering across all handsets.
It should be clear by now that USSD is not a menu on the handset as is often believed, but the bearer for the menu text and selections. Menus are also independent of the handset as well as the SIM card. It is up to the server-side application to keep track of where in the menu structure every subscriber is at all the time.
The subscriber does not have to get special software for the handset or special SIM cards to be able to access USSD. This has a huge impact on the take-up of services and GSM Network Operators are now recognising this benefit.
But is it Secure?
Mobile banking and payments have taken off over the past few years due to the fact that it solves a number of problems such as ease of use, low cost, reach into unbanked markets and scalability. Fraud is always hot on the heels of money and mobile banking has suffered it's share of fraud.
Most of the current fraud is committed with SIM swaps and these may be limited by checking the IMSI number associated with an MSISDN. This matching is not always effective though and new threats include spoofing attacks from off-net sources. In addition, the air-interface encryption has been compromised and should be assumed to be compromised.
Some banks responded with mobile phone-based applications, but these are even more vulnerable to large-scale malware (virus) attacks.
The solution is ValiPort®. Valiport® mitigates the problem of a lack of encryption by offering rock-solid validation of the source or destination of a transaction and then to encrypt it in a way that offers a bank peace of mind that:
- the transaction is in fact, with a specific SIM card; and
- the transaction is unaltered from the ValiPort®-enabled gateway to the bank.
Menus served over USSD should not be confused with menus and applications served by STK (Sim Tool Kit).
STK is a technology embedded on the SIM card where special applications can be accessed by the subscriber. With STK, the handset receives instructions from the SIM card to perform functions.
One popular application is a WIB (wireless Internet browser). The WIB is downloaded onto the SIM card before distribution and appears on the subscriber's telephone menu as a range of services. The WIB communicates with a server on the GSM Network Operators's network that connects it to other servers offering the services. The communication bearer commonly used is SMS.
The result is that such services are very slow and more often than not annoying. Usually, STK will use SMS as a bearer for communication.
STK as a technology can use USSD as a bearer, but it is very dependent on the STK implementation on the particular handset. Some handset manufacturers did not adequately implement STK support for USSD. The result is that in practise, STK will always use only SMS as a bearer.
USSD compared to SMS
USSD differs from the other short message bearer, SMS, in a number of significant ways.
It is not a store-and-forward bearer like SMS, but a transparent session-based bearer ideal for transacting. Information is delivered and responses obtained in real-time. Simply put, USSD is similar to speaking to someone on a phone as SMS is sending a letter.
USSD is also not a point-to-point bearer such as SMS. One subscriber cannot send another text using USSD unless there is a special network application offering such an application.
One can send 182 characters using USSD, but SMS only allows for 140 x 8-bit, or 160 x 7-bit characters.
Like SMS, USSD uses the GSM control channels for data transfer. SMS and USSD both use the SDCCH (stand-alone dedicated control channel) when the handset is not in a call. When the handset is busy with a call, USSD will use the FACCH (fast associated control channel) with a significant improvement in transfer speed (1000 bits/second).
This use of the SDCCH channel leads to the one drawback with USSD. Because the SDCCH channel is also used by GSM for call-setup, many open USSD sessions may limit new call-setups in congested networks. In practise, this doesn't happen often and GSM Network Operatorss can upgrade the radio resources in highly congested cells to prevent this from happening.
Unlike SMS, the subscriber does not have to create a message. The USSD call string can even be stored in the phone book under a name. Some applications will also allow menu shortcuts where the subscriber can add the menu item selection after an "*" seperation character. In our earlier example, the user might create a phonebook entry call "Pretoria Weather" with the number *150*1234*12*3#. The additional "*3" denotes menu selection 3.
On a GSM network level, the USSD Gateway is defined as a gsmSCF (GSM Service Control Function), whereas an SMSC is defined as another HLR (Home Location Register).
Routing and Rating
Historically, USSD Gateways have extremely limited routing and billing functionality and are limited to signalling. "Routing and Rating" platforms such as TruTeq Wireless's TruRoute need to be added to the USSD Gateway to deconcentrate the connectivity to hundreds of application and content providers.
When subscribers dial the published USSD strings, the Routing and Rating platform routes the sessions to the correct application via an interface such as XML over HTP, SMPP3.4, or SSMI.
The application must accept the session and serve the appropriate menu to the subscriber. The Routing and Rating platform maintains the session and will generate billing tickets for the billing system for post-paid subscribers and reserve funds and debit prepaid accounts. Depending on the sophistication of the Routing and Rating platform, the subscriber can be billed based on a once-off cost, the number of menu transactions, or the time spent browsing the menus.
Due to the fact that an open USSD session takes up network resources, the time-based model is usually deployed and subscribers are encouraged to browse the menus quickly.
For roaming subscribers, the service code is always (usually) sent back to the home network.
The menus are served by applications. This may not be at the GSM network operator, but at a content provider connected to the USSD infrastructure.
Applications or content can therefore be served from :
- Standard supplementary services
- GSM Network Operators value-added services
- Third party content and application providers
Mobile Money and Mobile Banking
Payments and banking are excellent applications of USSD, but caution should be used on securing it against fraud.
Standard supplementary services
The supplementary services are the standard offerings as described by the ETSI standards.
These services are accessed by the handset without the need for the subscriber to know the codes. When the subscriber selects an action on the handset's internal menu, the handset will communicate with the GSM.
Even though the handset hides the complexities in accessing the supplementary services, it is still possible to access them directly using USSD.
One example of such a service is call forwarding. The service codes associated with call forwarding service, are 004, 21, 61, 62 and 67:
These service codes are fixed and all GSM handsets will be able to use them to provision the relevant supplementary services.
GSM Network Operator services
These services include value-adding services such as airtime top-up, airtime transfer, call-back services and prepaid roaming.
The Network Operator service codes depend on the routing inside the GSM Network Operators and may be anything in the range 1XY, where X = 1,2,3,4 and Y=1,2,3,4,5,6,7,8,9,0
As an example, a call-back service to alert subscriber 0855551234 that another subscriber want to be called, might be *120*0855551234#
The menu items could also be embedded in the dial string, so that an airtime transfer string might look like: *123*1234*2*0855551234# where "1234" is the pin number, "2" is the menu item for airtime transfer, and "0855551234" is the target number.
There are many different types of applications that a mobile network operator (MNO) could host.
Third Party Content and Services - application examples
By connecting to the routing and rating platform on a USSD Gateway, third parties can offer services to all the subscribers on a GSM network
Some examples of USSD applications include:
- Information services such as weather forecasts, traffic, news, geo-location services, directory services etc.
- Entertainment services such as games, sports etc.
- Lifestyle services such as dating, horoscopes etc.
- Financial services such as airtime top-up, banking etc.