Scale of R350 grant fraud still unknown — minister
Probe not yet conclusive to tell how many IDs were stolen, how much money did we lose — minister
by Jeanette Chabalala · SowetanLIVEAn investigation into Sassa's social relief grant application system has left more questions than answers, this after the minister of social development failed to answer crucial questions about the extent of the fraud caused by the compromised system.
Sisisi Tolashe also failed to indicate how much the department may have lost as a result of the vulnerabilities identified in the web application system for the R350 grant.
“For now as I have already indicated, the investigation is not yet conclusive for us to say how many IDs were stolen or how much money did we lose.”
On Wednesday morning, the department presented its preliminary report before parliament. The investigation, which was conducted by Masegare & Associates Inc, comes a month after two first-year students from the University of Stellenbosch alleged that Sassa's application system was vulnerable.
Parliament had given Tolashe's department 30 days to probe the allegations made by the students.
In her report on Wednesday, Tolashe confirmed the students' findings, saying the investigation team found that its assessment of the SRD web application revealed vulnerabilities that could compromise the security and functionality of the system.
These issues include weaknesses in protecting user information, securing system components and ensuring compliance with modern security standards.
The probe also highlighted that the login page is vulnerable to automated attacks where hackers can repeatedly guess passwords to access sensitive accounts.
“This can lead to unauthorised access to user data and administrative controls,” the report said.
The team has also uncovered that the SRD platform has a number of gaps — these include allowing multiple applications with the same phone number and therefore increasing the chances of impersonation and fraudulent claims.
“OTP [one-time password] reliance makes the system vulnerable to SIM swap fraud, where attackers gain control of victims' numbers and intercept OTPs. Lack of OTPs is even a greater risk to the platform.”
The report also found that fraudulent beneficiaries could exploit weak verification processes to divert funds via mobile money or Cash Send. The team also said the system may not detect cases of shared or reassigned cell phone numbers, leading to disputes or misuse.
We have introduced facial biometrics through our electronic know your client (Ekyc) program and strengthened relationships with other government entities and the banking industrySisisi Tolashe
Some of the recommendations made were that the department should “implement multi-factor authentication (MFA) by combining OTPs with biometric verification or other secure authentication methods (e.g. secure tokens).This will provide an additional layer of security, reducing the risk of unauthorised access.
Tolashe said since 2023, Sassa had intensified its efforts against fraud, working closely with law enforcement agencies.
“We have introduced facial biometrics through our electronic know your client (Ekyc) program and strengthened relationships with other government entities and the banking industry,” she said.
But when pressed for answers about the gaps and challenges faced, Tolashe said: “I said earlier on we received only a preliminary report which identifies that there are gaps and in their own language they were not conclusive to say this is what the conclusion is.”
SowetanLIVE