Page 119 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition



               On a ‘basic’ phone, the STK menu may appear as an additional phone menu item when scrolling through basic
               menus to access the phone’s features. On a feature phone or smartphone,⁵⁸ the STK will usually manifest as
               a specific application icon that appears on the device’s home screen.
               If updates for functionality or security need to be made to the application on the SIM, a series of ‘over the air’
               (OTA) binary SMSs is sent over the MNO’s network to the phone; when joined together, these update
               the STK application on the user’s SIM. This may be costly for many non-MNO DFS SPs, who have to pay for all
               the SMSs needed for a full update of the STK menu on the phone, and is one of the primary reasons USSD is
               proffered by non-MNO SPs.

               7.3.3   USSD

               USSD is both a GSM bearer technology and a DFS UI usable on all GSM and 3G/4G mobile networks. It does not
               require any additional installations by customers, nor does it require an IP-based data access connection by
               users.⁵⁹ As a result, USSD has been termed ‘the third universal app.’⁶⁰
               It has been used as a payment instrument and UI since the mid-1990s, as the primary mechanism for loading
               mobile airtime value into a user’s airtime stored value account when the first prepaid airtime systems were
               launched around the world in 1996. Unlike SMS, no data sent or received during the USSD session is stored
               on the mobile handset, which – except for the glaring security issues identified in SS7 – makes USSD useful for
               the transmission and receipt of passwords in DFS sessions.

               While the USSD specification allows a USSD session of up to 600 seconds, typical allowance by MNOs for DFS
               and other third-party services is up to 180 seconds, with 120 seconds being the typical maximum time allowed
               for the entire USSD session by MNOs.

               There is also push USSD – also known as Network Initiated USSD – which is used mostly for 2-factor
               authentication in DFS.⁶¹

               7.4    Graphical interfaces


               7.4.1   Overview

               While text-based UIs currently predominate in DFS, the past few years have seen the emergence of graphical
               and hyperlinked interfaces that provide icon-based navigation to users. The first DFS graphical UIs were
               introduced in 1999 with WAP-based interfaces using time-based CSD as bearers.


               7.4.2   WAP

               WAP is a type of mini-Internet experience designed for small mobile phone screens. It is used for transmission
               of simple web pages in primarily 2G/2.5G networks and may contain links and icons formatted especially to
               be usable and visible on the small screen of the mobile phone. While it first appeared in 1999 using CSD, WAP
               gained more prominence around 2001 when the first always-on IP-based GPRS networks appeared. However,
               the use of WAP as a UI for DFS access has largely dissipated in favor of STK, Java apps, USSD, and smartphone
               applications.








               58   Most of the newer versions of the Android OS do not support STK.
               59   Security concerns relating to SS7 also transpose to USSD.
               60   Perrier, T et al (2015) USSD: The Third Universal App, available at http://bderenzi.com/Papers/perrier-dev2015.pdf
               61   The caveats noted above around SS7 security are also relevant here, although push USSD is conceptually harder to intercept
                  when a USSD session is initiated by an SP.


