Good news about security flaw that exposed people’s financial information in South Africa

A credit score checking system on Nedbank’s website had a security vulnerability that attackers could have exploited to harvest the security questions of any financially active person in South Africa.
Nedbank confirmed the vulnerability but said that after a comprehensive investigation, there is no evidence to suggest that a malicious actor exploited it.
Security questions like the ones that were exposed are often used by call centre operators, including those in fraud response, to verify the identity of the person they are speaking with.
Credit bureau Experian supplied the security questions and answers exposed by Nedbank’s system.
“On becoming aware of it, Nedbank immediately disabled the site as a precautionary measure, pending a thorough investigation,” a spokesperson for the bank told MyBroadband.
“The system will be reinstated in June 2025, equipped with enhanced security features and updated safeguards.”
The vulnerability was discovered by independent security researcher Veer Gosai, who is a second-year computer science student at Stellenbosch University.
Gosai said he disclosed the vulnerability on 31 March 2025, and the system was taken down ten days later.
He explained that the vulnerability was not trivial to exploit but warned that if malicious actors discovered it, it could have put valuable information in the hands of identity thieves.
Gosai said the core issue was that the bearer authorisation token in Nedbank’s free credit score checking service was not correctly implemented.
This allowed any logged-in user to query the security questions of any other person with a financial record in South Africa.
It was not necessary to be a Nedbank customer to log into the system either. Gosai explained that an attacker only needed a cellphone to receive the bank’s USSD-based “Approve-It” message.
There were some limitations, such as the authorisation token sometimes working only once or twice, though there was one case where it worked an infinite number of times.
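The flaw described above belongs to the class usually called broken object-level authorization: a bearer token proves that someone has logged in, but the server never checks that the record being requested belongs to that token's holder. The following Python illustration is added here as an example of that pattern and its fix; it is not Nedbank's, Experian's or the researcher's code. It contrasts a handler that trusts a client-supplied record id with one that takes the record id from the token's own signed subject claim and refuses a token that has already been used. The HMAC key, record ids and sample questions are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Assumption: a server-side signing key; constructed for this demo only.
SECRET = b"constructed-demo-key"

# Constructed sample data: security questions keyed by a notional record id.
RECORDS = {
    "id-1001": ["Which street did you live on in 2015?",
                "Which bank holds your vehicle finance?"],
    "id-1002": ["What was the name of your first employer?",
                "In which city was your first account opened?"],
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int = 300) -> str:
    """Issue a bearer token once the caller has completed login.

    The phone-based approval step that precedes this is out of scope here;
    what matters is that the token carries the identity that was verified."""
    payload = {"sub": subject, "jti": secrets.token_hex(8),
               "exp": time.time() + ttl_seconds}
    body = _b64(json.dumps(payload).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Return the token's claims if the signature and expiry check out, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] < time.time():
        return None
    return claims


# Vulnerable pattern: the token only proves "someone is logged in";
# which record to return is taken from the client's request.
def questions_vulnerable(token: str, requested_id: str) -> dict:
    if verify_token(token) is None:
        return {"status": 401}
    # Defect: no check that requested_id belongs to the token holder.
    return {"status": 200, "questions": RECORDS.get(requested_id)}


# Hardened pattern: the record is selected by the signed subject claim,
# the client-supplied id must match it, and each token is single-use.
_used_jti: Set[str] = set()


def questions_hardened(token: str, requested_id: str) -> dict:
    claims = verify_token(token)
    if claims is None:
        return {"status": 401}
    if claims["jti"] in _used_jti:
        return {"status": 401, "reason": "token already used"}
    _used_jti.add(claims["jti"])
    if requested_id != claims["sub"]:
        # A 403 here is a detection signal: a logged-in caller asked for
        # someone else's record, which a legitimate client never does.
        return {"status": 403, "reason": "record does not belong to caller"}
    return {"status": 200, "questions": RECORDS[claims["sub"]]}


if __name__ == "__main__":
    token = issue_token("id-1001")
    print("vulnerable:", questions_vulnerable(token, "id-1002"))
    print("hardened:  ", questions_hardened(token, "id-1002"))
```

In the hardened handler the only input that selects a record is the subject the server itself signed at login, so a valid token for one person cannot be turned into a lookup of another person's questions. The `jti` set gives the single-use behaviour that the text mentions as an occasional limitation in the real system; an authorization design should make it the rule rather than an accident.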
“Protecting the privacy and trust of our customers is our highest priority, and we regret any concern this may have caused,” Nedbank stated.
“We remain committed to transparency, continuous improvement and maintaining the highest standards of data security.”
Attackers targeting South African financial institutions

Gosai’s discovery of the vulnerability in Nedbank’s credit score checking system comes a year after he and classmate Joel Cedras uncovered fraud in Sassa’s Social Relief of Distress (SRD) grant system.
The grant is meant to provide R370 per month to people with no other means of support. Cedras and Gosai discovered that their and their friends’ identities had been stolen to obtain SRD grants in their names.
Their investigation ultimately revealed that the fraud was enabled by a chain of security flaws in various systems that didn’t properly conduct proof of identity checks.
These included a mobile virtual network operator (MVNO) not validating documents submitted for RICA, and some banks allowing grants to be paid into their basic-level accounts without FICA documents.
The final flaw in the chain was that Sassa itself did not properly validate grant applicants to ensure that beneficiaries legitimately qualified for welfare.
The banks and operator in question have since addressed these issues, although Gosai and Cedras have found another MVNO allegedly skirting RICA laws by not properly validating documents.
In February 2025, the portfolio committee on social development was briefed by external auditors, cybersecurity specialist Stanly Machote and auditing firm Masegare & Associates, who confirmed Cedras and Gosai’s findings.
While Sassa has begun a crackdown on SRD fraud, a full investigation into its scale is still to be completed. Sassa has also not addressed all of the security flaws in its system.