Government 29.11.2024

South Africa plans to introduce facial recognition verification

The South African Social Security Agency (Sassa) has said it plans to introduce facial recognition verification to confirm the identities of Social Relief of Distress (SRD) grant beneficiaries.

This is according to Sassa spokesperson Paseka Letsatsi, who told Newzroom Afrika that the social security agency plans to implement biometric verification to crack down on social grant fraud.

This follows an enquiry into SRD grant fraud after two Stellenbosch University students uncovered several vulnerabilities on the platform.

“Firstly, there are people who plainly commit identity theft and claim other people’s grants without them knowing,” Letsatsi said.

“Secondly, when we opened the platform allowing social grant beneficiaries to change their personal details, such as their phone number and bank details, we also opened it up to fraudsters.”

Two Stellenbosch University computer science students, Joel Cedras and Veer Gosai, found earlier this year that nearly 75,000 SRD grant applications were made for people born in February 2005.

However, StatsSA data shows there were around 82,100 births that month, which works out to an application rate of about 91%.

This is much higher than South Africa’s extremely high 60.2% youth unemployment rate.

Cedras and Gosai’s findings indicated that not only are fraudulent applications being submitted to Sassa, but many are likely succeeding.

As a result, Letsatsi said that Sassa plans to introduce biometric verification, such as facial recognition or fingerprint scanning, to verify grant beneficiaries’ registration or alteration of personal information.

This was proposed in the past but received backlash, with critics saying grant applicants would not have a smartphone with the necessary features.

“We think that implementing this type of verification is important to verify whether someone who would like to change their details is the rightful person,” Letsatsi said.

“We must cooperate with society, and people must understand that we are doing this to save the public purse.”

However, this attack required multiple failures within South Africa’s financial system.

The first step in the attack chain was Sassa’s weak or non-existent verification systems, combined with a lack of rate limits on its online interfaces.

This allowed attackers to steal thousands of people’s identities and fraudulently apply for and receive SRD grants in their names.

Secondly, ID numbers needed to be available via data leaks from entities such as Home Affairs, the 2017 “Master Deeds” leak, and credit bureaus.

The fraudsters also needed access to cellphone numbers and bank accounts.

Earlier this month, Cedras and Gosai disclosed that Me&you Mobile’s eSIM application process had a vulnerability that could be exploited to obtain a phone number in minutes without being properly RICA’d.

They found they could sign up for a new number by providing a fake name and ID number, which the service failed to verify. The service then provided a free activated eSIM immediately.

It also allowed them to generate as many numbers as they wanted using any ID number.

Gosai and Cedras’s investigation also revealed security lapses in the FICA processes implemented by several banks.

Following the discovery of the fraud, hackers calling themselves N4aughtySecGroup contacted MyBroadband with a warning that they had breached several credit bureaus and used their access to attack the South African government and local organisations.

A spokesperson for the group told MyBroadband they could do this thanks to data they obtained from TransUnion, Experian, and XDS through leaks and breaches.

The group said they had stolen from Sassa by fraudulently registering thousands of R370 per month SRD grants and claiming $10 million (R180 million).
