ussd: a communication technology to potentially oust sms ... - Aricent

USSD: A COMMUNICATIONTECHNOLOGY TOPOTENTIALLY OUSTSMS DEPENDENCYJANAGOUDAR SANGANAGOUDASenior Product Engineer, AricentSeptember 2011

DISCLAIMERSThis white paper provides an overview of Unstructured SupplementaryService Data (USSD) technology as compared to Short Message Service(SMS). It presents information and guidance but does not support aspecific plan of action, which would require additional information andinsights into each situation. The vulnerabilities, analyses, and risks shownand analyzed in this paper are intended to be indicative of the risks anapplication vendor, third-party host, or network operator might face.The analysis given should not to be considered an exhaustive or fullyobjective list.It is important that risks be assessed and validated based on the situation,the intended functionality to be offered, and the process controls thatwill be required or are already in place. Additional guidance should besought wherever necessary before taking any action.ABSTRACTValue Added Services (VAS) have become an indispensable part of theproducts and services offered by mobile/telecom operators today. Withgrowing competition in the telecom industry, operators must be diligentin how they price both new and existing services. They are thereforelooking for faster and more economical technologies.USSD technology is the key solution in all cases. It is a messaging servicethat is almost seven times faster than SMS and is highly cost effective.The operations involved in using USSD are simple and handset independent,which means the service can be accessed from almost any mobile device(from old cell phones to the latest smartphones).From the core network to the internet, the reach of modern USSD servicesis rapidly transforming the telecom cloud into a services cloud. USSDis fast emerging as the communication protocol, which can ouster thedependency on SMS for quick messaging services like spreadingawareness about epidemics and fatal diseases to the users, mobilebanking using USSD, updating mobile software over-the-air (OTA), andmany others.SCOPE AND ASSUMPTIONSThis paper discusses the key features of USSD technology. It alsoemphasizes on three business messaging applications in detail withrespect to their economic viability, profitability, scalability and ease ofimplementation using USSD in comparison to using SMS technology.However, it does not cover:1 Implementation details of any specific application2 Generalized rules based on which USSD codes are derived (USSDcodes are derived using a set of rules and are affixed to identify aspecific service. Users must enter the defined code to access theservice, but do not need to bother about its derivation.)3 Detailed description of the Multi Media Interface (MMI) commandsused in USSDThis technical paper assumes the reader has a fair knowledge of theGSM network.

The MSC connects to the HLR in the home network via theSS7 network. GSM network (including HLR, VLR, MSC) is alsoconnected to the USSD Gateway via the SS7 link. The USSDGateway communicates with all its supporting externalapplications via SMPP.Generally, billing is based on the duration of the session. Durationbasedcharging permits users to search for information within asession-based service. It is charged on a per minute basis and ismore economical than SMS. USSD is device independent anddoes not require specific activation.3.1 ELEMENTS OF USSD MOBILE NETWORKThe mobile network comprises components that carry datamessages between the handset and the corresponding USSDapplication. Figure 2 explains the elements of the mobilenetwork and the communication protocols they use.USSD services reside as applications in the mobile network.These applications can reside in MSC, VLR, HLR, or anindependent application server that is connected through aUSSD Gateway (using SMPP).If a USSD message is not destined for an application in the MSC,VLR, or HLR, a USSD handler in these nodes routes the messageto the USSD Gateway using the MAP protocol based on theservice code. The gateway interprets the code and routes it tothe specific USSD application server to fetch the necessaryinformation requested by the user. In response, the applicationsends the relevant information to the USSD Gateway, which inturn converts the message to MAP format, and then sends tothe mobile terminal.Applications under the mobile operator’s control will typicallyreside in the GSM network (MSC, VLR, HLR), while third-partyapplications may reside elsewhere such as on the internet.The application can also be a hyperlink to an internet site orinformation stored locally in the Service Application System.In a mobile-initiated service request, a session is created betweenthe network and the mobile terminal. This session is used forall information transfers and must be released before anothersession can be started. Additionally, an application in thenetwork (residing in the MSC, VLR, HLR, or external applicationserver) may at any time send a message to a mobile terminal.This can be a request for information or a notification. Again,the session must be released upon completion.3.2 BILLING OF USSD USAGE SERVICESA billing mechanism for USSD services is not implementedin most cases. However, there are some rare cases wherenetwork operators implement a billing system. Depending onthe sophistication of the rating platform, the subscriber will bebilled according to one of the following criteria:1 One-off cost2 Number of menu transactions3 Time spent browsing the menu/duration of the session4 USSD HANDLINGThere are two modes of USSD implementation:1 Push Service Mode: Network-initiated USSD service inwhich the network (MSC, VLR, or HLR) sends USSDmessage toward MS2 Pull Service Mode: MS-initiated USSD service with usersending USSD message toward MSC4.1 NETWORK-INITIATED USSD OPERATIONSAt any stage while the MS is registered with a network, thenetwork (HLR, VLR, or MSC) can send a USSD string to the MS.This string contains operator-determined information that isrelevant to the user.This string/USSD command may be a request (asking the MS toprovide information) or a notification (requiring no informationfrom the MS). If the information is unable to reach the MS, anerror is returned to the network node that originated theoperation.4.2 INVOKING USSD OPERATION FROM THE MSC, VLR,AND HLRWhen an application in the MSC needs to send a USSD requestor notification to an MS, it sets up a transaction to the MS wherethe subscriber is currently registered and sends the operationto the MS. The MSC then awaits a response from the MS.Because the MSC initiated the transaction, it is also responsiblefor controlling the transaction. The MSC normally releases thetransaction after receiving a response from the MS, but in somecases MSC may release the transaction before receiving a response(e.g., if an application timer expires).If the application in the MSC needs to send further operationsto the same MS, it will continue to use the same transactionuntil all operations are completed. If a different transaction isused for a subsequent operation, the MSC releases the firsttransaction before starting the next. If the MS releases thetransaction at any time (e.g., due to the user clearing), MSCinforms its application and terminates the USSD operation.(An MSC-invoked USSD request is likely to be used for callrelatedoperations where the application is controlling a call toor from the MS.)USSD: A Communication Technology to Potentially Ouster SMS Dependency5

MS MSC VLR HLRUSSDUSSDUSSDFigure 4 shows the message flow for USSD requests failed atVLR, MSC, MS for a single operation.HLRVLRUSSDReleaseUSSDUSSDReleaseUSSDReleaseUSSDUSSDReleaseUSSDReleaseActions at MSThe MS may at any time receive a USSD operation request/notification from MSC. The MS processes the operation if it is ina state in which it can handle the operation. After sending theresponse to a USSD operation, the MS waits for the network torelease the transaction. While awaiting this release, the MS willprocess any further USSD operation requests in the normal way.MSC initiatedUSSDUSSDAt times, MS may not be able to process the network-initiatedUSSD because of the following reasons:Release1 Feature not supported by the user (MS)Figure 3: Information flow for a USSD request (single operation)Figure 3 shows the message flow for a network-initiated (HLR,VLR, and MSC) USSD request for a single operation.In another case, when an application in the VLR needs to senda USSD request or notification to an MS, it sets up a transactionto the MSC where the subscriber is currently registered andsends the operation to the MSC. The MSC further interacts withthe MS as explained above. The VLR then awaits a response fromthe MSC. Because the VLR initiated the transaction, it is alsoresponsible for controlling the transaction.In a third case, when an application in the HLR needs to send aUSSD request or notification to an MS, it sets up a transactionto the VLR where the subscriber is currently registered andsends the operation to the VLR. The VLR further interacts withthe MSC which then interacts with the MS as stated above. TheHLR then awaits a response from the VLR. Because the HLRinitiated the transaction, it is also responsible for controlling thetransaction. The HLR normally releases the transaction afterreceiving a response from the VLR.VLR cannotcontactsubscriberMSCcannot contactMS MSC VLR HLRUSSDErrorUSSDUSSDErrorError2 Alphabet indicated in USSD is not supported by MS3 User is engaged in another USSD session (network- ormobile-initiated)4 A non-call related supplementary service transaction is inprogress. In all the above failure cases, an error indicatorwill be returned to the originator (MSC or VLR or HLR)4.3 MOBILE-INITIATED USSD OPERATIONSThe MS may initiate a USSD operation either during a call oroutside.Actions at the NetworkIf the serving network (MSC) does not recognize the USSD codein a mobile-initiated USSD operation, it sends the operation tothe next level (i.e., VLR). If VLR also does not recognize/decodethe operation, it forwards the same request to HLR. If even HLRis unable to decode it, an error message gets passed downwardand the session is terminated.If MSC, VLR, or HLR (in the same hierarchical order) is able todecode the operation/service requested, and if either of thenetwork nodes has the required data, then this information getspassed downward back to MS. However, if the network nodesare able to decode the operation/service request, but can’tsupport the required application, then a check is made with theUSSD platform. The decoded request is forwarded to USSDGateway and then to USSD applications to fetch the requiredinformation.If the mobile-initiated USSD transaction is found to beErrordetected at MSMS clearstransactionsUSSDErrorUSSDUSSDErrorUSSDUSSDErrorUSSDincompatible, the operation is rejected by a non-supportingnetwork and the attempt fails. Figure 5 shows the flow diagramfor a mobile-initiated USSD request. (The application at MSC/VLR may pass the request to another network element. Thatscenario is not shown here.)ReleaseReleaseReleaseFigure 4: Information flow for a failed USSD requestUSSD: A Communication Technology to Potentially Ouster SMS Dependency6

Requesthandled byMSCRequesthandled byVLRRequesthandled byHLRMS MSC VLR HLRUSSD requestUSSD responseUSSD requestUSSD responseUSSD requestUSSD responseFigure 6 shows the message flow for a mobile-initiated USSDrequest that failed at MSC, VLR, and HLR. It also depicts a casewhere an MS clears the transaction before it receives a responseto the initiated USSD request.USSD requestUSSD responseUSSD requestUSSD responseUSSD requestUSSD responseFigure 5: Information flow for a mobile-initiated USSD requestUSSD is an excellent choice for roaming with mobile prepaidservice, which utilizes the USSD connection to originate a callwhile roaming. USSD messages from handsets always route tothe home network. Thus, when roaming in another network,dialing a USSD string will always route the application on thehome network. This feature allows for the virtual homeenvironment concept.The MSC connects to HLR of the home network via VLR usingthe SS7 network. The HLR sends the request to the USSDGateway, which in turn passes the request to the prepaidapplication server. The application server ascertains the user’sbalance and provides instructions for handling the call via thesame path to the serving MSC in the visited network.Also, users accustomed to accessing a particular service in theirhome network are able to access that network from anothercountry. The processing happens in the same way as explainedabove, but the supporting USSD application server may bedifferent. Conversely, roaming subscribers from other networkscannot access USSD services on a host network.6 STRATEGICAL BUSINESS APLICATIONSUSING USSDErrordetected atMSCMS MSC VLR HLRUSSD requestErrorServices requiring menu-/session-based interaction betweenthe user and the application are ideal for offer via USSD. Somestrategic applications that can be developed or are still in theirnaive stages of development are discussed below in detail.Errordetected atVLRErrordetected atHLRMS clearstransactionbeforeresponsereceivedUSSD requestErrorUSSD requestErrorUSSD responseReleaseUSSD requestErrorUSSD requestErrorUSSD responseReleaseUSSD requestErrorUSSD responseReleaseFigure 6: Information flow for a failed mobile-initiated USSD request6.1 MOBILE BANKING VIA USSDNo other channels have the ability to reach the consumer asthoroughly as mobile phone. The coverage of cell phone networksin relation to fixed ATMs and branches helps reach morecustomers.Architectural view of banking systemA bank’s core banking system houses consumers’ accounts,related transaction management, and history. It is necessaryfor translating banking instructions received from consumersthrough bank channels such as ATMs, the internet, and mobiledevices into a format it can process.5 USSD USAGE AT HOME AND ROAM NETWORKUSSD can be accessed via two locations: Home Public Land MobileNetwork (HPLMN) and Visited Public Land Mobile Network (VPLMN).USSD messages can be handled either from the VLR or the HLR,depending on the current location of the user. When accessingUSSD at the home location (HPLMN), the user directly communicateswith the HLR in case of a mobile-initiated USSD operation. And whenaccessing USSD at a visitor location (VPLMN), the user communicatesto the HLR through the VLR.ATMCore Banking SystemEFT Channel SwitchMobile servicesBranchClient side Server sideJ2ME SMS USSD IVRFigure 7: The Banking System ArchitectureWebUSSD: A Communication Technology to Potentially Ouster SMS Dependency7

This translation is normally performed by an Exchange TradedFunds (EFT) channel switch that switches transactions from thechannel to the appropriate area within the core banking system.Client-side applications refer to those applications that resideon the customer’s SIM card or mobile phone device. Client-sidetechnologies include J2ME. On the other hand, server-sideapplications are developed on a server away from customers’mobile phone or SIM card. Server-side technologies includeUSSD, IVR, SMS, and WAP.6.1.1 CRITICAL REVIEW OF SECURITY OPTIONS FORMOBILE BANKINGMobile banking brings new opportunities and new horizons, butalso comes with implicit risks to financial providers, carriers, andthe financial system. On the one hand, it holds out the prospectof adding convenience for accessing banking and paymentservices to customers. But the addition of a new channelalso brings new operational risks to providers, just as theintroduction of internet banking posed the risks a decade ago.For this reason, mobile Financial Service Providers (mFSP)seeking to enter the market have to assess their risks and developstrategies to mitigate those risks on an ongoing basis. Securityis a very sensitive issue for M-Banking, so this section comparesthe risks of using SMS and USSD messaging services.Data carried across the mobile network is protected by thestandard GSM security protocols at the communication layer.The subscriber identity is also protected across this chain. Therisk in transporting data across the GSM channel is directlydependent on the number of stoppages the data must makebefore reaching the bank.Data security with SMS bankingSMS service is deemed to be the least secured of the technologiessuggested for mobile banking because of the number of pointswhere the SMS data is available to others in a clear or unencryptedformat.The diagram below shows the entities involved across the GSMchannel in SMS banking.Base stationMSC SMSC BankFigure 8: SMS Banking GSM ChannelA customer initiates a transaction by sending an SMS to the bankusing the bank’s SMS short code. The SMS is stored on thehandset and is available to anyone who looks at the customer’sphone; hence, making it unsecure at the very first step. The SMSthen passes through the encrypted GSM communicationchannel through the base stations and terminates at the mobilenetwork operator’s SMSC. There, it is typically stored in anunencrypted form, making it unsecure at also the second step.The SMSC passes the message onto the bank’s wirelessapplication processor or mobile banking processor (which maybe a third party), where it is stored either in encrypted orunencrypted form. The third party then passes the message tothe bank across an encrypted fixed line to the bank, where it istypically stored in a secured environment.In all, there are three highly susceptive points of exposure duringthe transaction where the data is stored, making the SMS servicefar less secure.Data security with USSD bankingUnlike SMS, USSD message is not stored on customers’ mobile,making it secure at the first level. USSD opens a single sessionbetween the device and the supporting application at thenetwork operator/processor/bank.Base stationMSC USSD Gateway BankFigure 9: USSD Banking GSM ChannelThe data is also encrypted at the USSD gateway sitting at thenetwork operator/processor/bank, preventing any misuse ofthe data. This makes it secure at the second step. The end-to-endtransaction flow occurs across the encrypted GSMcommunication layer while the subscriber identity is also hidden.Hence, USSD service is safer than to SMS and other GSMtechnologies.However, there is one risk. If the GSM encryption (which is usedto carry the data within the communication layer by securedmeans) is broken, the data can be accessed–which can actuallyhappen with all GSM technologies (e.g., SMS, USSD, etc.). Toavoid this, the GSM encryption needs to be made more robust,much like how internet banking has evolved over the years.Excluding this generic threat, USSD appears to be the mostsuited technology for mobile banking application.USSD: A Communication Technology to Potentially Ouster SMS Dependency8

6.1.2 MARKET PROJECTIONS FOR M-BANKING USERSA recent report from Juniper Research gives a detailed forecastfor mobile banking users by 2011 across eight regions of theworld (Figure 10).Scalability and costs involved in using SMSThe size limit of 160 characters restricts the amount of contentinformation that can be communicated through text. A detaileddescription of any disease/medicine therefore requires two ormore messages, which means extra costs for an operator.7%5%8% 12%2%22%North AmericaSouth AmericaWestern EuropeEastern EuropeSMS delivery charges are costlier because they involve SMSCand other related transmission trunks. Also, scheduling costsof SMS are much higher because traffic at network and itsavailability versus traffic at SMSC must be taken into account.41%6.2 SPREADING AWARENESS ABOUT EPIDEMICSAND FATAL DISEASESUSSD service can be used innovatively to educate people andspread awareness about fatal, epidemic diseases such as AIDS.For many of these diseases, prevention still remains the onlyavailable cure. Taking early disease-prevention measures,educating people about their symptoms, providing anonymouscounseling, gathering data, linking patients to services, andmany other such acts can go a long way in improving thehealth of developing nations.For millions of people affected by HIV and other diseases, thereis an unmet need to circulate information regarding these diseases.Currently, this information is disseminated in numerous waysincluding print media, radio, television, newspapers, and theinternet. However, not all of these channels are accessibleto everyone; hence, using cell phones to reach the massesseems an obvious extension.The information people require varies from basic knowledgelike symptoms or prevention measures to a more detailedunderstanding of a particular disease’s course and treatment.The menu implementation of USSD can be set in a singletransaction, and the interested users can dig into the requiredinformation.3%Far East & ChinaIndian SubcontinentRest of Asia PacificAfrica & Middle EastFigure 10: Mobile Banking Users – 2011 Regional Forecast (%)Reference: Juniper Research6.2.1 SMS VERSUS USSD FOR IMPLEMENTING THE SERVICEStudies have indicated that reminding people to take theirmedicine on time can increase adherence to treatment. Thesemessages need to be timed appropriately to suit each purpose.When patients regularly skip taking their medicine, or take it atthe wrong time, the severity of their disease can increase, oftennecessitating costlier and more expensive second-line treatment.Scalability and costs involved in using USSDUSSD’s 180-character capacity per message increases thescope for content length. And because the USSD platformsends messages directly without using SMSC, it is lessexpensive than SMS.In-depth information can be provided via a menu-basedapproach using which the interested users can drill down to thedidactic content. Hence, an operator can provide handy tips ina common, free message while the cost of providing additionalinformation can be charged to the user (only if the user uses aninteractive USSD menu-based session). The messages can alsobe better timed by using USSD rather than SMS because thereis no need to account for network congestion at SMSC.Impact or AnalysisIt can be concluded from this discussion that the USSDtechnology can go a long way in improving the living conditionsof the poor.Assuming that this innovative service is offered at no extra costto customers (at least in developing and underdevelopedcountries), the analysis is done only with respect to the operatingcosts for operators/service providers.Although USSD is an efficient technology, it’s too early to deriveany conclusion on the impact and effectiveness of this servicebecause data collection from the end user is an arduous job.Many people don’t want to share information about their diseases,or register with the operator for fear it may lead to disclosure oftheir personal data.This medical care application was just an example to demonstratehow USSD can be used in broadcasting relevant messages tothe customers, especially in the health sector. There are manyother similar areas where this service can prove beneficial suchas in alerting fishermen about the rising tides and sea/weatherconditions; teaching farmers about the best seasonal crops togrow in different regions and the new innovative tools availableto improve agricultural productivity; and informing students onjob trends and career opportunities.USSD: A Communication Technology to Potentially Ouster SMS Dependency9

INNOVATIONSERVICESFOR THECONNECTEDWORLDThe Aricent Group is a global innovation and technology servicescompany that helps clients imagine, commercialize, and evolveproducts and services for the connected world. Bringing together thecommunications technology expertise of Aricent with the creativevision and user experience prowess of frog, the Aricent Groupprovides a unique portfolio of innovation capabilities that seamlesslycombines consumer insights, strategy, design, software engineering,and systems integration. The client base includes communicationsservice providers, equipment manufacturers, independent softwarevendors, device makers, and many other Fortune 500 brands. Thecompany’s investors are Kohlberg Kravis Roberts & Co., SequoiaCapital, The Family Office, Delta Partners, and The Canadian PensionPlan Investment Board.

aricent.com © 2012 Aricent Group. All rights reserved.All Aricent brand and product names are service marks, trademarks, orregistered marks of Aricent Inc. in the United States and other countries.