Hackers release more data after gaining access to the financial information of many South Africans
A hacking group that claims it fraudulently collected Social Relief of Distress (SRD) grants and infiltrated South Africa’s financial system through vulnerabilities at credit bureaus has released additional information as proof of its statements.
Last week, a group calling itself N4aughtySecGroup contacted the media with a warning that it had breached several credit bureaus and used its access to attack the South African government and local organizations.
The group said they had stolen from the South African Social Security Agency (Sassa) by fraudulently registering thousands of R370 per month SRD grants and claiming $10 million (R175 million).
A spokesperson for the group told MyBroadband they were able to do this thanks to data they obtained from TransUnion, Experian, and XDS through leaks and breaches.
They said they used data obtained in attacks on the bureaus to fraudulently register grants and open over 100,000 bank accounts in people’s names for money to be paid into.
Following denials from the credit bureaus that they had been breached, and statements from the banks assuring that any leaked data didn’t come from their systems, N4aughtySecGroup released more data to prove their claims.
This included screenshots of payment confirmations showing funds transferred between TymeBank accounts and an Investec account.
They also released several text files showing dozens of the TymeBank accounts they allegedly used to collect the fraudulent SRD grants.
MyBroadband contacted TymeBank for comment on the development.
“We have reviewed the latest data provided by MyBroadband and are confident that the TymeBank systems have not been breached,” said TymeBank chief technology officer Bruce Paveley.
“We maintain that this data has been obtained from another party that customers may have engaged with separately.”
Paveley said the data the attackers provided appears to be a few months old.
“Our investigation indicates the accounts in question are low transaction value accounts with very limited functionality and transaction limits,” he said.
“All banks offer these types of accounts as a way of providing basic transactional functionality, as is the case with cash wallets.”
Paveley said they have multiple preventative measures to detect fraud and prevent potential syndicates from accessing accounts fraudulently.
“We work closely with all our partners, industry bodies and government departments to mitigate fraud where possible.”
TymeBank confirmed that some of the accounts in the files sent by the hackers were flagged as suspicious.
Asked whether any of the accounts received grant payments, TymeBank declined to answer specifically.
“Tymebank enables payments requested by Sassa while following an agreed process,” it stated.
“The bank cannot comment on whether funds have been stolen from Sassa.”
Further queried on whether funds had been frozen in some of the accounts for which the hackers had provided account numbers, TymeBank confirmed they had.
Investec declined to comment on the attackers’ proof of payment screenshots.
“Owing to the confidentiality pertaining to client accounts, we are unfortunately unable to share any more detail in this regard,” Investec stated.
“However, we can confirm that Investec routinely monitors client accounts and/or client activity in line with relevant policies and guidelines, and further, reports to the relevant authorities in line with our regulatory obligations.”
Weeks before N4aughtySecGroup’s re-appearance, two Stellenbosch University computer science students, Joel Cedras and Veer Gosai, published their report about massive fraud they had uncovered in Sassa’s systems.
After discovering SRD grants and bank accounts registered in their names, Cedras and Gosai investigated the security flaws in Sassa’s systems.
They found that they could query Sassa’s application programming interface (API) at a rate of 700 records per minute without being challenged.
This in itself was a problem, as Sassa should have implemented rate limits on its API to prevent this kind of data scraping.
Worse, the flaw allowed the students to pore over the data for every ID number beginning with 0502 — that is, everyone born in February 2005.
Cedras and Gosai found that nearly 75,000 SRD grant applications were made for people born in February 2005.
Statistics South Africa data shows there were 82,097 births in February 2005, which works out to an SRD application rate of about 91%.
While South Africa is experiencing a youth unemployment crisis, Stats SA reports a youth unemployment rate of 45.5% — nowhere near 90%.
The two students explained that Sassa’s systems only required an ID number, name, and surname to apply for an SRD grant — information readily available in the myriad of data leaks and breaches that have happened in recent years.
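The flaw the students describe, a lookup endpoint with no rate limit that lets a single client walk an entire ID-number range, is easiest to understand from the defending side. The Python below is an added example written for this article, not Sassa’s code and not the students’ tooling; it pairs a per-client sliding-window rate limiter with a detector that flags a client which looks up many distinct ID numbers sharing the same leading digits (the date-of-birth prefix, such as 0502). The client names, thresholds, and sample ID numbers are constructed for the demonstration.

```python
"""Added example (not from the article or from Sassa): rate limiting plus
ID-prefix enumeration detection for a record-lookup API.
Thresholds, client names and ID numbers below are assumptions."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple


class SlidingWindowRateLimiter:
    """Allow at most `limit` requests per `window_seconds` for each client."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        hits = self._hits[client]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class PrefixEnumerationDetector:
    """Flag a client that queries `threshold` or more distinct IDs sharing the
    same leading `prefix_len` digits within `window_seconds`: the signature of
    walking an ID space (e.g. everyone born in one month)."""

    def __init__(self, prefix_len: int, threshold: int, window_seconds: float) -> None:
        self.prefix_len = prefix_len
        self.threshold = threshold
        self.window = window_seconds
        # (client, prefix) -> {id_number: time first seen}
        self._seen: Dict[Tuple[str, str], Dict[str, float]] = defaultdict(dict)

    def observe(self, client: str, id_number: str, now: float) -> bool:
        key = (client, id_number[: self.prefix_len])
        seen = self._seen[key]
        for stale in [i for i, t in seen.items() if now - t >= self.window]:
            del seen[stale]
        seen.setdefault(id_number, now)
        return len(seen) >= self.threshold


Request = Tuple[float, str, str]  # (timestamp, client, id_number)


def replay(requests: List[Request], limiter: SlidingWindowRateLimiter,
           detector: PrefixEnumerationDetector) -> Dict[str, object]:
    """Run requests through the limiter; feed every request (accepted or
    rejected) to the detector, since rejected calls are still telemetry."""
    allowed = rejected = 0
    flagged: Set[str] = set()
    for now, client, id_number in sorted(requests):
        if limiter.allow(client, now):
            allowed += 1
        else:
            rejected += 1
        if detector.observe(client, id_number, now):
            flagged.add(client)
    return {"allowed": allowed, "rejected": rejected, "flagged": flagged}


def build_sample_requests() -> List[Request]:
    """Constructed traffic: one client scraping the 0502 prefix at 5 req/s,
    one ordinary client doing three unrelated lookups over 45 seconds."""
    scraper = [(i * 0.2, "scraper", f"050201{i:04d}081") for i in range(50)]
    normal = [(5.0, "normal", "0502015678082"),
              (25.0, "normal", "9001011234083"),
              (45.0, "normal", "8507059999084")]
    return scraper + normal


def run_demo() -> Dict[str, object]:
    limiter = SlidingWindowRateLimiter(limit=30, window_seconds=60.0)
    detector = PrefixEnumerationDetector(prefix_len=4, threshold=25, window_seconds=60.0)
    return replay(build_sample_requests(), limiter, detector)


if __name__ == "__main__":
    print(run_demo())
```

The two controls are deliberately separate: the rate limiter caps how fast any one client can pull records, while the prefix detector catches a slower scraper that stays under the cap but still concentrates its lookups on one birth-month range, which is the pattern a legitimate applicant never produces.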
Sassa grant admission head Brenton van Vrede confirmed to Heart FM that the organization’s grant systems had been compromised.
Van Vrede also said they noticed that three South African banks were not implementing the Financial Intelligence Centre Act (Fica) correctly, allowing fraudsters to open bank accounts with citizens’ ID numbers.
According to N4aughtySecGroup, they have been exploiting this security flaw for the past ten months.
N4aughtySecGroup expressed respect for Cedras and Gosai’s work, calling the pair true heroes.
“They stand for what we fight for,” the hacking group said.
MyBroadband contacted Cedras and Gosai for their insights. They said it was entirely possible the group had been exploiting the system that long, as they had seen fraudulent grants dating back more than a year.
Interestingly, N4aughtySecGroup has not made any financial demands. Last year, they demanded payments of $30 million (R519 million) each from TransUnion and Experian.
Now, the group says they want an apology.
“We will not stop until we receive an apology, and for the institutions we have hacked to admit the security flaws and the data and systems we have accessed. We did warn them.”
When MyBroadband asked the group to prove its latest claims last week, it provided recent financial records for two journalists.
In one case, a MyBroadband journalist’s home address was misspelt exactly the same way their bank had recently done it.
For the other journalist, the group pulled data about his car insurance policy, which he had changed less than six months ago.
TransUnion, Experian, and XDS have said they have not found recent evidence indicating a breach of their systems.
“If the credit unions and banks deny, we will destroy the country until we get an apology,” N4aughtySecGroup vowed.
“We know what money and power does. They hide the truth. We will expose it,” they continued.
“People don’t believe us. Do we need to destroy the innocent first to be taken seriously?”