Security | 29.11.2024

South Africa calls in big guns after cybercriminals plunder funds for the poor

The Department of Social Development is roping in the State Security Agency (SSA) and the Special Investigating Unit (SIU) to tackle widespread Social Relief of Distress (SRD) grant fraud, EWN reports.

Joel Cedras and Veer Gosai, two first-year computer science students at Stellenbosch University, uncovered the extensive fraud problem in mid-October 2024.

Following an internal investigation, social development minister Sisisi Tolashe said the SSA and SIU must get involved to get to the bottom of the “huge” SRD grant fraud.

“This is not a very small thing. This is a huge thing. Hence, we will have to work with SSA as well as SIU,” she said.

She explained that the problem is extensive and involves other departments like Home Affairs as people’s identity numbers have been stolen.

Tolashe added that the internal investigation had confirmed many of Cedras’ and Gosai’s findings.

Cedras and Gosai went public with their findings in October 2024. The pair discovered that they and several of their friends had been fraudulently registered to receive SRD grants of R370 per month.

After further investigation, they found a bank account registered in Cedras’ name that had been receiving the monthly grant.

Effectively, fraudsters used Cedras’ identity number to apply for the SRD grant and receive the funds in bank accounts they’ve registered using the same IDs.

However, the students found that the problem was far more extensive.

They queried an application programming interface (API) for the SRD system and were able to obtain the grant status of every South African born in February 2005.

Gosai and Cedras found that the South African Social Security Agency (Sassa) had implemented no rate limits on the API, and were able to query it at a rate of 700 records per minute.
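The control that was missing can be sketched as a per-client cap on how many distinct ID numbers may be looked up in a sliding window. This is an added example, not code from the students' report or from Sassa's system; the client key (an IP address), the 60-second window, the cap of five, and the dummy identifiers are all assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

_KEY = os.urandom(32)  # per-process key so raw ID numbers are never held in limiter state


class EnumerationGuard:
    """Caps how many distinct ID numbers one client may look up per sliding window."""

    def __init__(self, window=60.0, max_distinct=5):  # assumed policy values
        self.window = window
        self.max_distinct = max_distinct
        self._events = defaultdict(deque)                     # client -> (timestamp, token)
        self._counts = defaultdict(lambda: defaultdict(int))  # client -> token -> hits in window

    def allow(self, client, id_number, now):
        token = hmac.new(_KEY, id_number.encode(), hashlib.sha256).digest()
        events, counts = self._events[client], self._counts[client]
        while events and now - events[0][0] >= self.window:   # expire old lookups
            _, old = events.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if token not in counts and len(counts) >= self.max_distinct:
            return False  # a new identifier beyond the cap: reject and raise an alert
        events.append((now, token))
        counts[token] += 1
        return True


def simulate():
    """Constructed traffic: a scraper at 700 lookups/min and an applicant re-checking one ID."""
    guard = EnumerationGuard()
    scraper = sum(guard.allow("203.0.113.7", f"DUMMY-{i:06d}", i * 60 / 700) for i in range(700))
    applicant = sum(guard.allow("198.51.100.4", "DUMMY-OWN", float(t)) for t in range(0, 60, 10))
    return scraper, applicant


if __name__ == "__main__":
    print(simulate())
```

Counting distinct identifiers rather than raw requests leaves an applicant who refreshes their own status untouched while stopping a sweep across a birth cohort after the first few lookups.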

Their data mining found nearly 75,000 SRD grant applications.

Considering that Stats SA data indicates there were roughly 82,100 births that month, that means the grant application rate is around 91%.

SRD grants are only available to people who don’t qualify for any other grant and have no income or financial support from any other source.

Therefore, even given South Africa’s extremely high youth unemployment rate of over 60%, such a high application rate is extremely suspicious.

Grant beneficiaries sit in a long queue outside Sassa’s office in Bellville. Photo: Qaqamba Falithenjwa/GroundUp

Based on Cedras and Gosai’s research, security flaws in multiple systems were exploited to defraud Sassa.

These included RICA- and FICA-related issues at various banks and at least one mobile virtual network operator.

Sassa grant admission head Brenton van Vrede said they found three banks weren’t implementing FICA correctly.

Another enabler of the attack was likely various data leaks containing ID numbers, full names, addresses, contact details, and other sensitive information.

Over the years, data from Home Affairs and credit bureaus have been subject to data breaches and leaks.

After attackers obtained names and identity numbers through these leaks, they could fraudulently apply for and receive SRD grants, which were approved due to a lack of validation from Sassa.

Weak FICA and RICA controls then allowed attackers to open thousands of bank accounts and cellphone numbers with eSIMs.

Cedras and Gosai recently published a follow-up report after finding that mobile virtual network operator Me&you Mobile wasn’t correctly implementing RICA, enabling them to create numbers using bogus information.

They found the eSIM ordering application fails to verify a prospective customer’s first name, last name, address, or ID number.

This means attackers could register for Me&you Mobile eSIMs by uploading irrelevant documents for their proof of address.

In a related incident, hacking group N4aughtySec has claimed to have stolen from Sassa by registering thousands of R370-a-month SRD grants and claiming $10 million (R182 million).

The group contacted the media, alleging they had breached several credit bureaus. They said they had used this access to attack the South African government and local organisations, including Sassa.
