- There are likely massive amounts of theft happening at SASSA, with online cybercriminals exploiting its weak security systems.
- Government has only now launched an investigation and found many “vulnerabilities.”
- The Department of Social Development has only now started updating its systems.
The South African government is investigating alleged “vulnerabilities” in the application processes and IT systems used by South African Social Security Agency (SASSA) for the payment of social grants, especially on systems that apply to the social relief of distress (SRD) grants.
It launched the investigation after claims of cyberfraud were made by two students from the University of Stellenbosch.
“Phase 1 of the investigation consisted of a comprehensive audit into the SRD application system administered by SASSA to determine the extent to which the system was exposed to fraud,” the Department of Social Development said, per state news.
The findings of Phase 1 will also be used as a basis for identifying alleged cyberfraud and weaknesses in the broader social grant system of South Africa, weaknesses that result in people who shouldn’t be getting grants receiving them.
It is believed that around 28 million South Africans receive social grants from SASSA, supported by around 7.5 million taxpayers. Brenton van Vrede, head of operations at SASSA IT, told Heart FM last year that the agency “unfortunately has quite a lot of these cases” of fraud.
This is likely a massive understatement.
It’s so easy to steal from SASSA
A GroundUp report in October last year alleged that the SASSA application system was extremely vulnerable to exploitation by threat actors seeking to defraud the state.
“We queried SASSA’s public portal with 300 000 ID numbers for February 2005 at a rate of 700 per minute. The first problem is that this shouldn’t be possible. A competent system with basic security would have limited the rate at which we could query it,” the publication reported.
It said it found nearly 75 000 SRD grant applicants born in February 2005 registered on the system, yet according to Stats SA only 82 097 people were born in South Africa in February 2005. That would mean around 91 percent of everyone born in the country that month had applied for an SRD grant, which cannot be right.
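The GroundUp test above worked because the portal answered 700 ID-number lookups a minute from a single client without pushing back. The following is an added illustration, not code from GroundUp, SASSA or the department, of the per-client sliding-window rate limit the report says a competent system would have had. The limit (5 lookups per minute), the window, the client addresses and the replayed traffic are all constructed assumptions; SASSA’s real configuration is not known.

```python
"""Sliding-window rate limiter of the kind the SASSA portal lacked.

Constructed example: the limit, the window and the simulated traffic
are assumptions, not SASSA's configuration or GroundUp's code.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_seconds` per client key."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        # Per-key deque of timestamps of requests that were accepted.
        self._hits: dict = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        """Return True and record the request if `key` is under quota."""
        hits = self._hits[key]
        cutoff = now - self.window
        # Forget accepted requests that have aged out of the window.
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over quota: reject and do not record
        hits.append(now)
        return True


def simulate(limiter: SlidingWindowLimiter, key: str, count: int,
             per_minute: float, start: float = 0.0):
    """Replay `count` evenly spaced requests from one client at `per_minute`.

    Returns (allowed, rejected) counts.
    """
    interval = 60.0 / per_minute
    allowed = rejected = 0
    for i in range(count):
        if limiter.allow(key, start + i * interval):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


def enumeration_vs_applicant():
    """Compare a scraper at GroundUp's 700/min with a genuine applicant.

    Both addresses are constructed documentation-range IPs.
    """
    limiter = SlidingWindowLimiter(limit=5, window_seconds=60.0)
    # Scraper: 700 lookups in one minute, the rate GroundUp reported.
    scraper = simulate(limiter, "203.0.113.10", count=700, per_minute=700)
    # Applicant: checks status three times over the same minute.
    applicant = simulate(limiter, "198.51.100.7", count=3, per_minute=3)
    return scraper, applicant


if __name__ == "__main__":
    (s_ok, s_no), (a_ok, a_no) = enumeration_vs_applicant()
    print(f"scraper:   {s_ok} allowed, {s_no} rejected")
    print(f"applicant: {a_ok} allowed, {a_no} rejected")
```

With this limit in front of the lookup endpoint, the scraper gets its first five answers and then nothing for the rest of the minute, while the applicant is never affected; at five lookups a minute, 300 000 ID numbers would take a single client more than forty days instead of about seven hours. The check is still only a floor: a motivated attacker spreads queries across many addresses, so a real deployment pairs a per-client limit like this with a global ceiling on lookups, a CAPTCHA or authenticated session for status queries, and monitoring for the enumeration pattern itself.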
According to the first phase of SASSA’s investigation, “the SRD web application has weaknesses, such as unencrypted communications, that present threats to the security of the platform and the safety of users.”
Additionally, it found that fake SASSA SRD websites are used extensively by threat actors to harvest information from beneficiaries in order to defraud the state and steal grant funding. We found in 2023 that one of these websites was being run by a company called “Konza Technology Systems.”
A quick search now places this company in the Free State, whereas when we looked at the time it was supposedly located in Kenya.
What do you mean you don’t update your security?
Following the results of the first phase of the investigation, the department says it has outlined an action plan that includes taking down the many, many fake SASSA websites within the next 18 months, moving the SRD application’s requests to the HTTP POST method, and beginning to update its outdated software. The department frames the move to POST as better encrypting communications between applicants and SASSA servers, but POST is a request method, not an encryption mechanism: what it does is keep submitted data such as ID numbers out of URLs, browser histories and server logs. Encryption in transit comes from HTTPS, and the Phase 1 finding of “unencrypted communications” suggests that was not consistently enforced either.
It also plans to start patching its systems “more regularly.” That an entity handling billions of Rands has not been doing so is remarkable: regular patching is about the most basic security control there is.
We will probably only know the full extent of the theft happening at SASSA after the final investigation is through.