The SRD web application has vulnerabilities that could compromise the security of the system. (Image: Brenton Geach)

Scale of R350 grant fraud still unknown — minister

Probe not yet conclusive to tell how many IDs were stolen, how much money did we lose — minister

by · SowetanLIVE

An investigation into Sassa's social relief grant application system has left more questions than answers, this after the minister of social development failed to answer crucial questions about the extent of the fraud caused by the compromised system.

Sisisi Tolashe also failed to indicate how much the department may have lost as a result of the vulnerabilities identified in the web application system for the R350 grant.

“For now as I have already indicated, the investigation is not yet conclusive for us to say how many IDs were stolen or how much money did we lose.”

On Wednesday morning, the department presented its preliminary report before parliament. The investigation, which was conducted by Masegare & Associates Inc, comes a month after two first-year students from the University of Stellenbosch alleged that Sassa's application system was vulnerable.

Parliament had given Tolashe's department 30 days to probe the allegations made by the students.

In her report on Wednesday, Tolashe confirmed the students' findings, saying the investigation team found that its assessment of the SRD web application revealed vulnerabilities that could compromise the security and functionality of the system.

These issues include weaknesses in protecting user information, securing system components and ensuring compliance with modern security standards.

The probe also highlighted that the login page is vulnerable to automated attacks, in which an attacker can repeatedly guess passwords, without being throttled or locked out, to gain access to sensitive accounts.

“This can lead to unauthorised access to user data and administrative controls,” the report said.
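To make the finding concrete, the following is an added illustration, not code from the report, from SASSA or from the students' work. It models a login endpoint in the weak form the report describes (every guess is evaluated) beside a hardened form with a per-account lockout and a per-source rate limit, and runs a constructed wordlist and a password-spraying run against both. The user store, the wordlist, the IP addresses and the thresholds are all assumptions chosen for the demonstration.

```python
"""Login throttling demo. Constructed example, not SASSA's software.
The user store, wordlist, addresses and thresholds are assumptions."""
import hashlib
import hmac
import os
import time


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; the iteration count is kept low only so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


# Constructed user store for the demo: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("Summer2024!", _SALT))}


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users still pay the hash cost (no timing oracle)."""
    record = USERS.get(username)
    if record is None:
        _hash(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


class UnthrottledLogin:
    """Weak form: every guess is evaluated, so a wordlist simply runs to completion."""

    def attempt(self, username: str, password: str, source_ip: str) -> str:
        return "ok" if check_password(username, password) else "denied"


class ThrottledLogin:
    """Hardened form: per-account lockout plus a per-source sliding-window limit.
    Thresholds are assumptions for the demo. In production "locked" and "denied"
    should look identical to the client so the lock state is not leaked."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 ip_limit=20, window_seconds=60, clock=time.monotonic):
        self.max_failures, self.lockout = max_failures, lockout_seconds
        self.ip_limit, self.window, self.clock = ip_limit, window_seconds, clock
        self.failures = {}   # username -> (failed count, locked-until timestamp)
        self.ip_hits = {}    # source_ip -> timestamps of recent attempts

    def attempt(self, username: str, password: str, source_ip: str) -> str:
        now = self.clock()
        recent = [t for t in self.ip_hits.get(source_ip, []) if now - t < self.window]
        self.ip_hits[source_ip] = recent + [now]
        if len(recent) >= self.ip_limit:
            return "rate_limited"      # catches one source spraying many accounts
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"            # catches a wordlist against one account
        if check_password(username, password):
            self.failures.pop(username, None)
            return "ok"
        count += 1
        if count >= self.max_failures:
            locked_until = now + self.lockout
        self.failures[username] = (count, locked_until)
        return "denied"


# Constructed wordlist; the correct password is the 25th entry.
WORDLIST = [f"guess{i}" for i in range(24)] + ["Summer2024!", "letmein"]


def simulate_wordlist(login, username="admin", source_ip="198.51.100.7"):
    """Run WORDLIST against one account. Returns (guesses actually evaluated, cracked)."""
    evaluated, cracked = 0, False
    for guess in WORDLIST:
        result = login.attempt(username, guess, source_ip)
        if result in ("ok", "denied"):
            evaluated += 1
        if result == "ok":
            cracked = True
            break
    return evaluated, cracked


def simulate_spraying(login, password="Welcome1", source_ip="198.51.100.7", accounts=30):
    """One password against many accounts: per-account lockout never fires,
    so only the per-source limit can stop it. Returns guesses evaluated."""
    evaluated = 0
    for i in range(accounts):
        if login.attempt(f"user{i}", password, source_ip) in ("ok", "denied"):
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("unthrottled wordlist:", simulate_wordlist(UnthrottledLogin()))
    print("throttled wordlist:  ", simulate_wordlist(ThrottledLogin()))
    print("throttled spraying:  ", simulate_spraying(ThrottledLogin()))
```

The two controls cover different attack shapes: the lockout stops a wordlist aimed at one account after a handful of failures, while the per-source limit is what catches spraying, where each account sees only one failure. A lockout is also a denial-of-service lever against the legitimate user, which is one reason the report's recommendation of a second factor matters more than tightening thresholds alone.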

The team also found a number of gaps in the SRD platform, including that it allows multiple applications with the same phone number, which increases the chances of impersonation and fraudulent claims.

“OTP [one-time password] reliance makes the system vulnerable to SIM swap fraud, where attackers gain control of victims' numbers and intercept OTPs. Lack of OTPs is even a greater risk to the platform.”

The report also found that fraudulent beneficiaries could exploit weak verification processes to divert funds via mobile money or Cash Send. The team also said the system may not detect cases of shared or reassigned cell phone numbers, leading to disputes or misuse.


Among the recommendations was that the department should “implement multi-factor authentication (MFA) by combining OTPs with biometric verification or other secure authentication methods (e.g. secure tokens). This will provide an additional layer of security, reducing the risk of unauthorised access.”

Tolashe said since 2023, Sassa had intensified its efforts against fraud, working closely with law enforcement agencies.

“We have introduced facial biometrics through our electronic know your client (Ekyc) program and strengthened relationships with other government entities and the banking industry,” she said.

But when pressed for answers about the gaps and challenges faced, Tolashe said: “I said earlier on we received only a preliminary report which identifies that there are gaps and in their own language they were not conclusive to say this is what the conclusion is.”
