Hacked | Security group flags MTN Nigeria *904# recharge code
The *904# code introduced by MTN Nigeria for easy recharge has opened an equally easy gateway for fraudsters to dupe subscribers on Nigeria’s largest mobile phone company, a tech security group in the country has warned.
The Information Security Society of Africa-Nigeria (ISSAN) warns that MTN Nigeria subscribers using the *904# code are now easy prey for hackers because the mobile service opens a back door into users’ account details, according to the group’s report seen by Technology Times.
The MTN *904# code is the so-called mobile Unstructured Supplementary Service Data (USSD) code issued by MTN Nigeria for easy purchase of airtime by its subscribers.
Meanwhile, the technology security group, ISSAN, which evaluated mobile banking fraud trends in 2017, said at its February meeting in Lagos that the affected MTN *904# code has become a vulnerability that allows fraudsters to get customers’ account details through gaps in the service.
According to ISSAN, the 904amount# USSD code reveals all accounts linked to the phone numbers, thereby putting subscribers at risk of being duped by fraudsters.
The service, also called MTN on Demand, allows MTN subscribers to purchase airtime directly from their bank accounts without extra charges.
Currently, the seven Nigerian banks on the MTN platform are Zenith Bank, Diamond Bank, Stanbic Bank, FCMB, Fidelity Bank, First Bank and Access Bank, ISSAN says.
MTN Nigeria, the nation’s biggest mobile phone operator by subscriber numbers, has 53,442,969 active connections, accounting for 36% of the total subscribers in Nigeria, according to the latest market information from the Nigerian Communications Commission (NCC), the telecoms industry regulator.
ISSAN suggested implementing a USSD code that allows customers to urgently disable their accounts when their mobile phones are lost.
“There is need to sensitise the customers of the importance of reporting the loss of their phone lines to the bank in order to prevent fraudsters accessing the phones”, the tech security group says.
The tech security group also suggested periodic Know Your Customer (KYC) updates to avoid invalid phone numbers on accounts.
Another mobile banking fraud trend reported in 2017 is inbound remittance fraud, in which fraudsters intercept or hijack inbound Western Union and MoneyGram reference numbers with the alleged help of insiders in some undisclosed financial institutions.
According to ISSAN, “they use details of the beneficiary provided by an insider to produce fake old national ID (which is unverifiable) to collect/receive the funds. All were encouraged to check that unverifiable IDs are not being used in collection of inbound remittance.”