Barclays recently launched "Hello Money" in India (see website). At face value this is commendable, and it looks as if a good job was done. It is always good when progress is made in mobile banking. I wish them many subscribers and, of course, a positive business case.
The one topic that I do find intriguing and would like to put on the table for discussion is the claim that it is secure. (I assume this means that Barclays is satisfied that it conforms to their banking security policy.) Based on what I have seen on their website, I would like to argue that this is not the case...
USSD traffic through the GSM network, as it travels from the handset via base stations and the radio network to the IN platform, is often in the clear. This means it can be intercepted by engineers skilled in the art of GSM traffic. It is virtually impossible to defend against such an attack (primarily because the bank does not have any control over this protocol). Consequently, it is possible to steal security information that would allow someone to perform a fraudulent transaction.
Usually banks cater for this risk by limiting the functionality available through USSD-based mobile banking: the channel is treated as untrusted, so even a captured PIN or session should only buy an attacker low-value, low-risk actions. Yet Barclays has decided to allow fund transfers to unregistered Visa cards on a once-off basis. This creates a serious potential security loophole. Am I missing something, or have they been ill-advised?
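As an added illustration of the mitigation just described (limiting what an untrusted USSD channel may do), here is a small server-side channel policy check. It is example code written for this post, not Barclays' code and not taken from the Hello Money service; the channel names, limits, the "registered beneficiary" flag and the sample transfer are all constructed assumptions. It contrasts a restrictive USSD policy (transfers only to beneficiaries registered out of band, with per-transaction and daily caps) with a permissive one that matches the once-off transfer to an unregistered card the post questions.

```python
"""Channel-aware transfer authorisation (constructed example, not Barclays code).

Assumptions made for this example: the bank's back end knows which channel a
request arrived on; beneficiaries registered out of band (e.g. at a branch or
via a separately authenticated channel) carry `registered=True`; amounts are
in minor currency units.  Limiting USSD functionality bounds the loss if the
USSD session or PIN is captured in transit, which the bank cannot prevent.
"""
from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    USSD = "ussd"   # GSM signalling channel; treated as untrusted (may be in the clear)
    APP = "app"     # hypothetical TLS-protected smartphone channel, for contrast


@dataclass(frozen=True)
class Transfer:
    channel: Channel
    amount: int          # minor currency units (constructed)
    beneficiary: str     # card / account identifier (constructed)
    registered: bool     # beneficiary registered out of band beforehand


@dataclass(frozen=True)
class ChannelPolicy:
    allow_unregistered_beneficiary: bool
    per_txn_limit: int   # minor currency units
    daily_limit: int     # minor currency units


# Constructed policies.  RESTRICTIVE_USSD is the usual defensive posture for an
# untrusted channel; PERMISSIVE_USSD mirrors "once-off transfer to an
# unregistered card"; APP_POLICY shows a trusted channel getting more headroom.
RESTRICTIVE_USSD = ChannelPolicy(allow_unregistered_beneficiary=False,
                                 per_txn_limit=2_000_00, daily_limit=5_000_00)
PERMISSIVE_USSD = ChannelPolicy(allow_unregistered_beneficiary=True,
                                per_txn_limit=2_000_00, daily_limit=5_000_00)
APP_POLICY = ChannelPolicy(allow_unregistered_beneficiary=True,
                           per_txn_limit=50_000_00, daily_limit=100_000_00)


def authorize(txn: Transfer, policies: dict, spent_today: int) -> tuple:
    """Return (allowed, reason).

    `policies` maps Channel -> ChannelPolicy; `spent_today` is the amount the
    same customer has already sent today on this channel (constructed input).
    Checks are ordered so the structural control (beneficiary registration)
    is evaluated before the quantitative ones (limits).
    """
    policy = policies[txn.channel]
    if not txn.registered and not policy.allow_unregistered_beneficiary:
        return False, "beneficiary not registered out of band"
    if txn.amount > policy.per_txn_limit:
        return False, "exceeds per-transaction limit for channel"
    if spent_today + txn.amount > policy.daily_limit:
        return False, "exceeds daily limit for channel"
    return True, "ok"


def compare_policies() -> dict:
    """Same USSD transfer to an unregistered card under each policy."""
    txn = Transfer(Channel.USSD, amount=1_500_00,
                   beneficiary="unregistered-visa-XXXX", registered=False)
    return {
        "restrictive": authorize(txn, {Channel.USSD: RESTRICTIVE_USSD}, 0),
        "permissive": authorize(txn, {Channel.USSD: PERMISSIVE_USSD}, 0),
    }


if __name__ == "__main__":
    for name, decision in compare_policies().items():
        print(f"{name:12s} -> {decision}")
```

The point of the comparison is that the restrictive policy turns a captured USSD credential into, at worst, a capped transfer to an account the customer already vetted, whereas the permissive policy lets the same credential move funds to an arbitrary card, which is exactly the exposure the post is worried about.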