The huge security flaw exposed in South Africa’s financial systems
Two first-year Stellenbosch University computer science students, Joel Cedras and Veer Gosai, uncovered massive fraud in South Africa’s Social Relief of Distress (SRD) grant system last year.
Their investigation ultimately revealed that the fraud was enabled by a chain of security flaws, including at a cellular service provider, banks and other financial service providers, and the South African Social Security Agency (Sassa).
Cedras and Gosai’s investigation began when they discovered that their and their friends’ identities had been stolen to obtain R370 grants in their names.
They found a bank account registered in Cedras’ name that had been receiving a grant every month.
When they dug deeper, they found that Sassa’s application programming interface (API) for the online SRD grant system was not properly secured against data scraping. They were able to query its database at a rate of 700 records per minute.
To get a sense of the scope of the problem, the pair conducted a simple test — they scraped the grant application status of everyone born in February 2005.
These were all individuals who were at least 18 years old and likely similar in age to Cedras and Gosai. To qualify for an SRD grant, you must be between 18 and 65 years old and not have any other source of income.
After scraping Sassa’s SRD database, Cedras and Gosai found that nearly 75,000 grant applications were made for people born in February 2005.
They compared this figure to the number of reported births that month — 82,100 — which works out to an application rate of about 91%.
This is much higher than South Africa's already extremely high youth unemployment rate of 60.2%, as reported by Stats SA. In other words, far more people in that cohort applied than could plausibly have qualified, which points to applications being lodged in their names without their knowledge.
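The scraping described above was possible because the status endpoint answered per-ID lookups without any per-client throttle or detection. The following is an added example, not Sassa's code and not the students' scraper: it simulates a "grant status by ID number" lookup fed by a constructed request stream, one client enumerating identifiers at the 700-lookups-per-minute rate the article reports and one applicant checking their own status, and shows two controls that would have contained it: a per-client sliding-window quota and an alert when one client looks up many distinct IDs in a short window. The quota, alert threshold, client labels and synthetic ID strings are assumptions for illustration.

```python
"""Sliding-window throttle and enumeration alert for a per-ID status endpoint.

Added example; this is not Sassa's code and not the students' scraper. The
quota, alert threshold, client labels and synthetic ID strings are assumptions.
"""
from collections import defaultdict, deque


class EnumerationGuard:
    """Per-client sliding-window quota plus an alert on many distinct IDs."""

    def __init__(self, max_per_window=30, distinct_alert=100, window_seconds=60.0):
        self.max_per_window = max_per_window    # hypothetical quota; size it to real applicant behaviour
        self.distinct_alert = distinct_alert    # hypothetical threshold for an enumeration alert
        self.window_seconds = window_seconds
        self._attempts = defaultdict(deque)     # client -> deque of (timestamp, id_number)
        self._alerted = set()
        self.alerts = []                        # (client, timestamp, distinct_ids_in_window)

    def check(self, client, id_number, now):
        """Record an attempt; return True if it may be served, False if throttled.

        Throttled attempts still count against the window, so a client that keeps
        hammering the endpoint is not served again until it backs off.
        """
        window = self._attempts[client]
        window.append((now, id_number))
        while window and now - window[0][0] > self.window_seconds:
            window.popleft()
        distinct = len({ident for _, ident in window})
        if distinct >= self.distinct_alert and client not in self._alerted:
            self._alerted.add(client)
            self.alerts.append((client, now, distinct))
        return len(window) <= self.max_per_window


def simulate(scraper_rate_per_minute=700, duration_seconds=120):
    """Run the constructed request stream through the guard.

    Returns (served counts per client, alerts raised, number of scraper attempts).
    """
    guard = EnumerationGuard()
    served = defaultdict(int)
    interval = 60.0 / scraper_rate_per_minute
    attempts = int(duration_seconds * scraper_rate_per_minute / 60)
    for n in range(attempts):
        # Constructed synthetic identifiers, not real ID numbers.
        if guard.check("scraper", f"SYN{n:08d}", n * interval):
            served["scraper"] += 1
    # A legitimate applicant checks their own status three times, minutes apart.
    for t in (5.0, 70.0, 110.0):
        if guard.check("applicant", "SYN-OWN", t):
            served["applicant"] += 1
    return dict(served), list(guard.alerts), attempts


if __name__ == "__main__":
    served, alerts, attempts = simulate()
    print(f"scraper: {served['scraper']} of {attempts} lookups served")
    print(f"applicant: {served['applicant']} of 3 lookups served")
    for client, when, distinct in alerts:
        print(f"ALERT {client}: {distinct} distinct IDs within {when:.1f}s")
```

With these settings the enumerating client is served only its first 30 lookups and trips the alert after 100 distinct identifiers (about eight seconds in), while the applicant's three self-checks all go through. Counting throttled attempts against the window is deliberate: a quota that only counts served requests lets a scraper keep the pipe full and collect its 30 records every minute, whereas counting attempts forces it to slow to the quota, which makes a birth-month sweep take days rather than hours and keeps the alert firing.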
Shortly after Cedras and Gosai reported their findings, a hacking group calling themselves N4aughtySec reached out to them and MyBroadband.
N4aughtySec claimed that they were behind $10 million (R185 million) of the fraudulent grant payments.
The group said they extracted the funds by creating over 100,000 new bank accounts, which they achieved by breaching credit bureau XDS, as well as further exploiting TransUnion and Experian.
All three credit bureaus denied the allegation, telling MyBroadband they had found no evidence indicating a breach of their systems.
As proof of their claims, N4aughtySec showed the personal data they had obtained about two MyBroadband journalists.
MyBroadband did not provide them with any information about the journalists to aid the search. N4aughtySec found the data using only their first name or nickname and surname.
They returned with details about loans, credit cards, and other financial data that was not more than a few months old.
This was in addition to the personally identifying information needed to look up this information, such as full names and ID numbers. They also had the journalists’ home addresses.
N4aughtySecGroup emerged in 2023 demanding a $30-million (R555 million) ransom each from TransUnion and Experian or face having all their client data leaked.
They used a similar name to a cyber extortion gang that claimed responsibility for an attack on TransUnion in 2022 — N4ughtySecTU.
While N4aughtySecGroup wanted people to believe they are N4ughtySecTU, it is unclear whether they are the same outfit.
Following Gosai and Cedras’ report about the Sassa SRD grant fraud, the group said they never left South Africa and had retained constant access to TransUnion and Experian’s systems.
However, this time, they made no financial demand and instead asked for an apology from the institutions they said they had hacked and for them to admit the security flaws in their systems.
Gosai and Cedras continued to dig into the fraud to try to establish where the attackers were getting the bank accounts needed to receive the grants.
N4aughtySec named five banks whose systems they said they could access via the credit bureaus — Absa, FNB, Nedbank, Discovery, and TymeBank.
Sassa grant admission head Brenton van Vrede also said in an interview last year that they had noticed three banks not implementing the Financial Intelligence Centre Act (FICA) correctly.
This had enabled fraudsters to open bank accounts with other citizens’ ID numbers, he said.
GroundUp recently reported that attackers used at least TymeBank and Shoprite to defraud Sassa. Shoprite offers customers a no-fee Money Market account in partnership with Grindrod.
Both institutions offered ways for prospective clients to quickly open an account online with minimal verification.
The functionality of these accounts was limited, with the idea that customers would need to verify their identity biometrically to remove the limits.
However, the limited functionality available on the basic accounts was sufficient for a R370 per month SRD grant.
TymeBank and Shoprite have since locked down their systems.
Shoprite said that fraudulent SRD grant applications are no longer possible via a Money Market Account as all new accounts are now biometrically onboarded.
TymeBank has similarly blocked Sassa grant payments from being made into accounts where the client hasn’t been biometrically verified.
The bank is also going through accounts opened before implementing this new policy in August 2024 to identify potentially fraudulent grant beneficiaries.
“Accounts that are non-biometrically verified will be suspended, pending successful biometric verification,” TymeBank said.
Shoprite also said that Sassa has removed third-party access to the grant application system.
Non-compliance with FICA can have serious repercussions for financial institutions.
Most recently, the South African Reserve Bank (SARB) Prudential Authority issued a R56 million administrative penalty against Capitec following inspections of its operations conducted in 2021 and 2022.
Among other things, the regulator found that Capitec failed to conduct proper due diligence on customers.
It also failed to submit suspicious transactions and activity reports to the Financial Intelligence Centre.
Another essential component in perpetrating this fraud was access to a large supply of fraudulently registered cellphone numbers.
Cedras and Gosai’s investigation led them to mobile virtual network operator (MVNO) Me&you Mobile, which they discovered had significant flaws in its online onboarding system.
Me&you Mobile launched in May 2015 and introduced its eSIM offering in late 2023.
The pair found that the MVNO allowed anyone to activate as many free eSIMs as they wished without validating any of the proof of identity and address information it requests as part of RICA.
RICA is the Regulation of Interception of Communications and Provision of Communication-related Information Act.
As FICA does for financial service providers, RICA requires telecommunications operators to verify a customer’s identity and physical address before providing services to them.
Cedras and Gosai found they could upload a mathematics assignment for proof of address and a picture of Me&you Mobile’s logo for the ID and not have their eSIM deactivated.
Only after contacting the MVNO and releasing their findings publicly was their account flagged for further verification.
After their report, Me&you Mobile disabled the eSIM ordering functionality on its website.
With easily-obtainable cellphone numbers from online eSIMs, the attackers had all four ingredients they needed to defraud the SRD grant system at scale:
- A cache of personally identifying information, obtained either through alleged breaches at credit bureaus or through various other massive leaks of people’s private data.
- Access to an ample supply of cellphone numbers that could be used without requiring a physical SIM card.
- The ability to open bank accounts online using the aforementioned stolen or leaked private data and cellphone numbers.
- A Sassa grant system that does not validate applicants or properly verify whether they qualify for a grant.
Once the grant has been received, the last step is to transfer and launder the money.
Regarding this step, N4aughtySec released screenshots of proof of payment from a TymeBank account to an Investec account to show how it extracts the money.
Investec declined to comment on the matter.
“Owing to the confidentiality pertaining to client accounts, we are unfortunately unable to share any more detail in this regard,” a spokesperson told MyBroadband.
“However, we can confirm that Investec routinely monitors client accounts and/or client activity in line with relevant policies and guidelines, and further, reports to the relevant authorities in line with our regulatory obligations.”