Hackers who infiltrated South African financial system reveal data of a large number of people
A hacking group that claims it fraudulently collected Social Relief of Distress (SRD) grants and infiltrated South Africa’s financial system through credit bureaus has released data appearing to belong to Absa and Standard Bank customers.
N4aughtySecGroup contacted the media earlier this month with a warning that it had breached several credit bureaus and used its access to attack the South African government and local organizations.
The group said they had stolen from the South African Social Security Agency (Sassa) by fraudulently registering thousands of R370 per month SRD grants and claiming $10 million (R175 million).
A spokesperson for the group told MyBroadband they were able to do this thanks to data they obtained from TransUnion, Experian, and XDS through leaks and breaches.
Their claims came shortly after two Stellenbosch University computer science students, Joel Cedras and Veer Gosai, published their findings about massive fraud they had uncovered in Sassa’s systems.
Last year, the same group claimed to have breached TransUnion and Experian and demanded a $30-million (R530 million) ransom from each.
However, this time around, the group said it is not asking for money. It wants an apology.
“We will not stop until we receive an apology, and for the institutions we have hacked to admit the security flaws and the data and systems we have accessed. We did warn them,” they said.
As proof, the group provided sensitive financial information about two MyBroadband journalists.
This included a specific spelling mistake in a residential address that one journalist’s bank made, and details about a new vehicle insurance policy that the other had taken out in the past six months.
Following denials from the credit bureaus that they had been breached, and statements from the banks assuring that any leaked data didn’t come from their systems, N4aughtySecGroup released more data to prove their claims.
Most recently, they released files that appear to contain the personal information of millions of Absa and Standard Bank customers.
The Absa files have 2007 and 2008 timestamps, suggesting the data they contain may be old.
However, the Standard Bank files are newer, with timestamps in 2023.
“Absa takes these claims seriously and has conducted a thorough analysis of the data at hand,” a spokesperson told MyBroadband.
“At this time, there is no compelling evidence that points to a new breach that contributed to false account opening, which was used as mule accounts to defraud Sassa,” the bank continued.
“The data provided appears to be identical to a data set reviewed in 2023.”
Absa said it addresses mule accounts on a daily basis.
“Where we identify any suspicious transaction activity, these activities are investigated and accounts are closed,” it said.
“Absa works continuously with the industry, local and international law enforcement, and regulatory authorities to mitigate the potential risks or exposure to security breaches.”
Standard Bank declined to comment on the data.
“We do not comment on data that has been obtained illegally or through third parties. Our commitment to client confidentiality remains sacrosanct,” it stated.
Prior to the Absa and Standard Bank data, the group released screenshots of payment confirmations showing funds transferred between TymeBank accounts and an Investec account.
They also released several text files showing dozens of the TymeBank accounts they allegedly used to collect the fraudulent SRD grants.
TymeBank chief technology officer Bruce Paveley told MyBroadband after reviewing the data that they are confident their systems were not breached.
“We maintain that this data has been obtained from another party that customers may have engaged with separately.”
Paveley said the data the attackers provided appears to be a few months old.
“Our investigation indicates the accounts in question are low transaction value accounts with very limited functionality and transaction limits,” he said.
Investec declined to comment.
Cedras and Gosai’s investigation into widespread fraud at Sassa has revealed significant security holes in the RICA and FICA processes implemented by several banks and at least one mobile service provider.
Elsewhere in the world, these are called Know Your Customer (KYC) standards.
These require certain industries to collect proof of identity and address from customers to prevent crimes like fraud, money laundering, and terrorism financing.
Sassa grant admission head Brenton van Vrede said they had found three banks that were not implementing FICA correctly.
Had it not been for a series of flaws in the banks’ and mobile operator’s implementations of these standards, this attack would not have been possible.
Another likely enabler was the series of data leaks of ID numbers, full names, addresses, contact details, and other sensitive information from a variety of sources, including credit bureaus.
However, the first step in the attack chain was Sassa’s weak or non-existent verification systems, combined with a lack of rate limits on its online interfaces.
This allowed attackers to steal thousands of people’s identities and fraudulently apply for and receive SRD grants in their names.
Thanks to weak FICA and RICA controls, they could then open thousands of cellphone numbers with eSIMs and bank accounts to complete the attack.
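As an added illustration, not taken from the article or from any of the institutions it names, the two checks below run over constructed application records and flag the two controls the article describes as missing: a per-source velocity limit on the grant application interface, and detection of a single payout account collecting grants for many different identities. The record layout, thresholds and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data), one grant application per line:
# timestamp, source IP, applicant ID number (synthetic), payout account.
SAMPLE_LOG = """\
2024-03-01T09:00:01 198.51.100.7 ID000001 ACC-A
2024-03-01T09:00:02 198.51.100.7 ID000002 ACC-A
2024-03-01T09:00:03 198.51.100.7 ID000003 ACC-A
2024-03-01T09:00:04 198.51.100.7 ID000004 ACC-B
2024-03-01T09:00:05 198.51.100.7 ID000005 ACC-A
2024-03-01T10:15:00 203.0.113.9  ID000006 ACC-C
2024-03-01T11:30:00 203.0.113.9  ID000007 ACC-D
"""

WINDOW = timedelta(hours=1)   # sliding window for the velocity check (assumed)
MAX_IDS_PER_SOURCE = 3        # distinct applicants one source may submit per window
MAX_IDS_PER_ACCOUNT = 2       # distinct applicants that may pay into one account

def parse(log: str):
    """Parse the whitespace-separated records into (timestamp, src, id, acct) tuples."""
    records = []
    for line in log.splitlines():
        ts, src, id_no, acct = line.split()
        records.append((datetime.fromisoformat(ts), src, id_no, acct))
    return sorted(records)

def velocity_alerts(records, window=WINDOW, limit=MAX_IDS_PER_SOURCE):
    """Flag sources submitting applications for more than `limit` distinct ID
    numbers inside a sliding window: the rate limit the interface lacked."""
    alerts = set()
    recent = defaultdict(list)  # src -> [(ts, id_no), ...] still inside the window
    for ts, src, id_no, _ in records:
        recent[src] = [(t, i) for t, i in recent[src] if ts - t <= window]
        recent[src].append((ts, id_no))
        if len({i for _, i in recent[src]}) > limit:
            alerts.add(src)
    return alerts

def shared_account_alerts(records, limit=MAX_IDS_PER_ACCOUNT):
    """Flag payout accounts receiving grants for many different applicants,
    the pattern of a mule account collecting stolen identities' grants."""
    ids_per_acct = defaultdict(set)
    for _, _, id_no, acct in records:
        ids_per_acct[acct].add(id_no)
    return {a for a, ids in ids_per_acct.items() if len(ids) > limit}

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("high-velocity sources:", velocity_alerts(recs))        # {'198.51.100.7'}
    print("shared payout accounts:", shared_account_alerts(recs))  # {'ACC-A'}
```

In production the same two counters would be keyed on whatever the interface actually sees (session, device fingerprint, bank account presented for payout) rather than on source IP alone.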
Mercifully, TymeBank’s feedback suggests that much of the misappropriated money is “stuck” in these limited-functionality bank accounts.
However, it declined to confirm or deny whether any of the accounts listed in the data provided by the attackers had received Sassa SRD grant payments.
“TymeBank enables payments requested by Sassa while following an agreed process,” it stated.
“The bank cannot comment on whether funds have been stolen from Sassa.”