
ThinSIM-based Attacks on Mobile Money Systems

Conference: Defcon 26

2018-08-01

Summary

  • Mobile money applications are widely used in developing countries where access to banks is limited
  • ThinSIMs are small SIM card add-ons that provide alternative mobile money implementations without operating their own mobile networks
  • The security implications of ThinSIMs are not well understood
  • Attackers can use ThinSIMs to steal money from mobile money platforms by intercepting, modifying, and creating toolkit commands
  • The attacks take place in two phases: stealing credentials and making fraudulent payments
  • Mobile money platforms offer different interfaces such as USSD, smartphone apps, SIM toolkit apps, and IVR
  • ThinSIM-based attacks can be triggered through various means, and defense is difficult
Mobile money applications are particularly useful for people who live in places where banks are rare and the nearest bank is a couple of villages away. For example, a rural farmer may not have a bank account because it would take too long to get to the nearest bank. Mobile money is a useful tool for these people to become more financially secure. However, the security implications of ThinSIMs, which are widely used to provide alternative mobile money implementations, are not well understood. Attackers can use ThinSIMs to steal money from mobile money platforms by intercepting, modifying, and creating SIM toolkit commands. The attacks take place in two phases: stealing credentials and making fraudulent payments. Mobile money platforms offer different interfaces such as USSD, smartphone apps, SIM toolkit apps, and IVR. ThinSIM-based attacks can be triggered through various means, and defense is difficult.

Abstract

Phone-based mobile money is becoming the dominant paradigm for financial services in the developing world, processing more than a billion dollars per day for over 690 million users. For example, mPesa has an annual cash flow of over thirty billion USD, equivalent to nearly half of Kenya's GDP. Numerous other products exist inside of nearly every other market, including GCash in the Philippines and easyPaisa in Pakistan. As a part of this growth, competitors have appeared who leverage ThinSIMs, small SIM card add-ons, to provide alternative mobile money implementations without operating their own mobile networks. However, the security implications of ThinSIMs are not well understood. This talk dives into decade-old telecom standards to explore how ThinSIMs work and what attackers of mobile money systems can do when they control the interface between the SIM card and the phone. We will also demo two proof-of-concept exploits that use ThinSIMs to steal money from mobile money platforms and detail the difficulties of defense.
