Government | 23.01.2025

South Africa botches cyber crackdown after huge hack

The South African Social Security Agency (Sassa) has announced that it will suspend all Social Relief of Distress (SRD) grants to beneficiaries it suspects of committing fraud, according to a GroundUp report.

This means that SRD grant beneficiaries suspected of fraud must reapply by confirming their identities.

However, the systems needed for citizens to identify themselves are not in place.

The government agency announced in 2024 that it planned to introduce facial recognition verification to confirm the identities of SRD grant beneficiaries.

Sassa said this was because opening the platform to let people change their personal information had also opened it up to fraudsters.

This follows an enquiry into SRD grant fraud after two Stellenbosch University students uncovered vulnerabilities in the platform.

Sassa also recently announced that it is recalling its Electronic Know Your Customer (eKYC) system, which verifies the identities of grant recipients, so that it can improve its functionality.

Because the eKYC system is what verifies applicants’ identities, its withdrawal means that legitimate beneficiaries who are required to reapply will be unable to do so.

Since this announcement, #PayTheGrants campaign deputy director Elizabeth Raiters said the organisation has constantly received emails from beneficiaries.

As a result of the fraud detected, Sassa is currently being investigated by the Department of Social Development.

Joel Cedras and Veer Gosai, the two first-year computer science students who uncovered the fraud, did so by discovering that their and their friends’ identities had been stolen to obtain R370 grants in their names.

They also found a bank account registered in Cedras’ name that had been receiving a grant every month.

When they dug deeper, they found that Sassa’s application programming interface (API) for the online SRD grant system was not properly secured against data scraping.

After scraping the database, Cedras and Gosai found that nearly 75,000 grant applications were made for people born in February 2005.

They compared this figure to the number of reported births that month — 82,100 — which works out to an application rate of about 91%, much higher than the youth unemployment rate of 60.2%, as reported by Stats SA.

R185 million stolen in SRD grants

Shortly after Cedras and Gosai reported their findings, a hacking group calling themselves N4aughtySec reached out to them and MyBroadband.

N4aughtySec claimed that they were behind $10 million (R185 million) of the fraudulent grant payments.

The group said they extracted the funds by creating over 100,000 new bank accounts, which they achieved by breaching credit bureau XDS and further exploiting TransUnion and Experian.

All three credit bureaus denied the allegation, telling MyBroadband they had found no evidence indicating a breach of their systems.

As proof of their claims, N4aughtySec showed the personal data they had obtained about two MyBroadband journalists.

MyBroadband did not provide them with any information about the journalists to aid the search. N4aughtySec found the data using only their first name or nickname and surname.

They returned with details about loans, credit cards, and other financial data, none of it more than a few months old.

This was in addition to the personally identifying information needed to look up this information, such as full names and ID numbers. They also had the journalists’ home addresses.

It later emerged that fraudsters had exploited weaknesses in TymeBank and Shoprite’s systems for opening new accounts. Both companies have since addressed the shortcomings.

Another essential component in perpetrating this fraud was access to a large supply of fraudulently registered cellphone numbers.

Cedras and Gosai’s investigation led them to mobile virtual network operator (MVNO) Me&you Mobile, which they discovered had significant flaws in its online onboarding system.

Me&you Mobile launched in May 2015 and introduced its eSIM offering in late 2023.

The pair found that the MVNO allowed anyone to activate as many free eSIMs as they wished without validating any of the proof of identity and proof of address information it requests as part of RICA.

RICA is the Regulation of Interception of Communications and Provision of Communication-related Information Act.

As FICA does for financial service providers, RICA requires telecommunications operators to verify a customer’s identity and physical address before providing services to them.

Cedras and Gosai found they could upload a mathematics assignment for proof of address and a picture of Me&you Mobile’s logo for the ID and not have their eSIM deactivated.

Only after contacting the MVNO and releasing their findings publicly was their account flagged for further verification.

After their report, Me&you Mobile disabled the eSIM ordering functionality on its website.
