Fake websites and security weaknesses blamed for fraudulent SRD grants

The Department of Social Development (DSD) and the South African Social Security Agency (Sassa) have issued a warning to applicants of the Covid-19 Social Relief of Distress (cSRD) grant about fraudulent websites.

This warning came during a parliamentary session on Wednesday when the Portfolio Committee on Social Development received an update on the investigation into alleged weaknesses and fraud in the application and payment system of social grants.

Late last year, Minister of Social Development Sisisi Tolashe initiated the investigation following recommendations from the portfolio committee after two University of Stellenbosch students claimed to have identified fraud in the Covid-19 Social Relief of Distress application system.

“We might be aware that we live in a digital world, which always poses some threat in our daily life if not properly managed,” Tolashe told the committee.

“This is now a growing concern globally and it is impacting individuals, governments, and ourselves as well.

“We understand that any fraud in the system amounts to taking food out of the mouth of the poor and this is not acceptable.”

SRD grant investigation findings

The investigation consisted of an audit of Sassa’s SRD application system to determine the extent to which it was exposed to fraud.

The findings will serve as input for the second phase, which will investigate alleged fraud and weaknesses in the broader social grant system.

Several critical issues were identified:

• The existence of malicious websites with .org and .co.za domain names that falsely present themselves as authentic SRD application websites, harvesting applicants’ information for fraudulent purposes.
• Security weaknesses in the SRD web application, including unencrypted communications, that present medium-risk threats to the platform and users.

Dr. Peter Masegare, from Masegare and Associates Inc., told the committee that the SRD cybersecurity team had addressed the issues that were brought to light by the two university students.

ALSO READ: Sassa social grant security breach: Minister wants answers

Students exposed system vulnerabilities

First-year Computer Science students Joel Cedras and Veer Gosai from Stellenbosch University revealed the vulnerabilities.

The pair claimed to have been searching for weaknesses in government and private-sector systems using publicly available internet resources.

They uncovered system irregularities that made people’s identities susceptible to fraud and revealed that the SRD system was not well protected.

The students also observed that the SRD grant appeared linked to their own IDs despite them never having applied, raising concerns about unauthorised applications and potential misallocation of funds.

ALSO READ: Court rules Sassa’s regulations limiting access to SRD grant unconstitutional and invalid

Sassa cybersecurity specialist’s report

Stanley Matshote, a cybersecurity specialist from Masegaro, presented a report that addressed cybersecurity risks within the SRD system, the growth of platforms claiming to process Sassa information, and opportunities to enhance the security and integrity of the grant system.

“The results from our assessments indicate that the overall threat level for the SRD grant interface is classified as medium,” Matshote explained.

“This classification is based on an evaluation of various vulnerabilities, misconfigurations, and potential risks that could affect the security and integrity of the platform.”

He said the medium threat level “indicates a moderate risk of exploitation, meaning that while the system is not highly vulnerable, it is still susceptible to certain types of attack that could compromise security if left unaddressed.”

ALSO READ: Unauthorised funeral policy deductions alarm Sassa grant recipients

Warning to applicants

The Final Audit Report recommended a communication campaign warning beneficiaries and applicants about the unofficial and fake sites used to harvest their information for fraudulent purposes.

DSD and Sassa confirmed that the only authentic application platform for applications to the Covid-19 Social Relief of Distress is: https://SRD.sassa.gov.za.

Sassa said fraudulent sites are used to collect personal information from unsuspecting applicants.

Plan to address SRD grant vulnerabilities

Sassa developed an action plan to respond to the recommendations of the final audit report.

The plan includes short, medium, and long-term activities:

• Replacing the HTTPS method with a POST method to protect communications between applicants and the server processing their information;
• Implementing a rate limit to restrict abnormal numbers of requests to the SRD application system;
• Updating outdated software;
• Implementing regular patch updates and introducing biometric verification;
• Taking down fake websites and other content that violates Sassa’s brand, copyright, or right to information and privacy within the next 18 months.

Concerns about SRD grant timelines

Committee members expressed concern about the lack of specific dates in the implementation plan.

DA MP Alexandra Abrahams questioned the timelines presented by Sassa.

“We’ve always been a committee that’s asked for timelines… not seeing actual dates in either of the presentations is concerning to me,” Abrahams stated.

“It’s been November, December, January, February – we’re reading the fourth month since this crisis has come to our attention. So is it to say that we are now in month four of your short-term plan?”

Abrahams also questioned whether the system is currently secure and if any consequences had been implemented for officials involved in the design flaws.

“Has the necessary consequence management taken place to the officials involved in this design? Because the excuse or reason that we were given was that it was done in a hurry. I don’t believe that’s a good enough reason,” she remarked.

Chairperson of the Portfolio Committee on Social Development, Bridget Staff Masango, acknowledged the work being done while emphasising the committee’s responsibility to ensure implementation follows the presented plans.

“We appreciate the work that is being done, appreciating it with the backdrop obviously of how it has the potential of affecting the people that are served by this department,” the chairperson stated.

“You can measure our panic when things don’t seem to happen in the way that they should.”

NOW READ: Sassa grant card switchover leaves beneficiaries sleeping outside, allegedly denied medical care