Don't let cyberattacks disrupt your workflow. See what's at risk.
Utility navigation bar redirect icon
Portal LoginSupportBlogContact
Search
Portal LoginSupportBlogContact
Search
Get a Demo
Start for Free
HomeCybersecurity 101
USSD

What is USSD?

Written by: Lizzie Danielson

Published: 10/10/25

woman at laptop
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
On This Page

How USSD works

Think of USSD as a direct phone call to a service, but instead of talking, you're texting in real-time. Here's the basic flow:

  • User initiates: You dial a code like *123# to start a session

  • Network processes: The USSD gateway receives your request and forwards it to the appropriate application

  • Service responds: The application sends back a response (like a menu or information)

  • Interactive session: You can continue the conversation by selecting options or entering data

  • Session ends: The connection closes when you're done or after a timeout

The key difference from SMS? USSD keeps the connection open during your entire interaction, making it perfect for things like checking your bank balance or topping up your phone credit.

USSD message format and structure

USSD messages follow a specific pattern that's easy to recognize:

  • Start with: Asterisk (*) or hash (#)

  • Middle: Numbers and sometimes letters

  • End with: Hash symbol (#)

Examples:

  • *123# (balance inquiry)

  • 5551234# (recharge with code 1234)

  • #100# (check data balance)

Messages are capped at 182 characters, so everything stays short and sweet.

Common USSD applications

You've probably used USSD without even thinking about it. Here are the most common uses:

Financial services

  • Mobile banking transactions

  • Balance inquiries

  • Money transfers

  • Bill payments

Telecommunications

  • Prepaid recharge

  • Data package purchases

  • Service activation/deactivation

  • Network configuration

Other applications

  • Voting systems

  • Survey responses

  • Location-based services

  • Emergency notifications

USSD vs. SMS: understanding the differences

Feature

USSD

SMS

Connection type

Session-based (real-time)

Store-and-forward

Character limit

182 characters

160 characters

Internet required

No

No

Works on basic phones

Yes

Yes

Cost

Usually free or low-cost

Per-message charges

Delivery guarantee

Immediate or fails

Eventual delivery

Cybersecurity implications of USSD

Here's where things get interesting from a security perspective. USSD's simplicity and widespread adoption make it an attractive target for cybercriminals:

SIM swapping and social engineering

Attackers can exploit USSD codes to:

  • Transfer phone numbers to attacker-controlled SIMs

  • Access mobile banking services

  • Bypass two-factor authentication

  • Gather account information

Network-level attacks

Since USSD operates at the network level, malicious actors might:

  • Intercept USSD communications

  • Launch man-in-the-middle attacks

  • Exploit weak authentication mechanisms

  • Access sensitive user data

Recommendations for organizations

  • Monitor USSD traffic for unusual patterns or unauthorized access attempts

  • Implement strong authentication for any USSD-based services

  • Educate users about USSD-based social engineering attacks

  • Regularly audit USSD code configurations and access controls

  • Deploy network monitoring tools to detect suspicious USSD activity

USSD in IoT and modern applications

Don't think USSD is just for checking phone balances. It's found new life in IoT applications:

  • Remote device management: Sending configuration updates to IoT devices

  • Data collection: Gathering sensor readings from remote locations

  • Emergency communications: Backup communication when data networks fail

  • Asset tracking: Location updates from GPS-enabled devices

The low bandwidth and universal compatibility make USSD perfect for these use cases—but they also create new security challenges organizations need to address.

Staying secure in a USSD world

USSD isn't going anywhere—it's too useful and too embedded in global telecommunications infrastructure. As cybersecurity professionals, we need to understand how it works and where the risks lie.

The key is treating USSD like any other network protocol: monitor it, secure it, and educate users about potential threats by utilizing effective and comprehensive security awareness training. With proper controls in place, USSD can be a valuable tool without becoming a security nightmare.

ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
On This Page

FAQs

This message appears when your phone is processing a USSD request. It should complete within a few seconds. If it hangs, try restarting your phone or checking your network connection.

Yes! USSD operates over the cellular network's control channels, not data networks. It works on any GSM-compatible phone, even basic feature phones.

USSD has basic security features, but it's not encrypted end-to-end. The security depends on your mobile carrier's implementation and the specific service you're accessing.

Most USSD sessions end automatically after completing a transaction or timing out. You can usually cancel by pressing the "Cancel" or "Back" button on your phone.

Common issues include weak network coverage, carrier restrictions, incorrect code format, or your phone plan not supporting certain USSD services.

Glitch effect

Additional Resources

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free