All Article Properties:
{
"access_control": false,
"status": "publish",
"objectType": "Article",
"id": "2481790",
"signature": "Article:2481790",
"url": "https://staging.dailymaverick.co.za/article/2024-11-27-confirmed-stellenbosch-students-fraud-frailty-warning-on-sassa-grant-system/",
"shorturl": "https://staging.dailymaverick.co.za/article/2481790",
"slug": "confirmed-stellenbosch-students-fraud-frailty-warning-on-sassa-grant-system",
"contentType": {
"id": "1",
"name": "Article",
"slug": "article"
},
"views": 0,
"comments": 16,
"preview_limit": null,
"excludedFromGoogleSearchEngine": 0,
"title": "Confirmed — Stellenbosch students’ fraud frailty warning on Sassa grant system",
"firstPublished": "2024-11-27 23:09:08",
"lastUpdate": "2024-11-27 23:09:11",
"categories": [
{
"id": "387188",
"name": "Maverick News",
"signature": "Category:387188",
"slug": "maverick-news",
"typeId": {
"typeId": "1",
"name": "Daily Maverick",
"slug": "",
"includeInIssue": "0",
"shortened_domain": "",
"stylesheetClass": "",
"domain": "staging.dailymaverick.co.za",
"articleUrlPrefix": "",
"access_groups": "[]",
"locale": "",
"preview_limit": null
},
"parentId": null,
"parent": [],
"image": "",
"cover": "",
"logo": "",
"paid": "0",
"objectType": "Category",
"url": "https://staging.dailymaverick.co.za/category/maverick-news/",
"cssCode": "",
"template": "default",
"tagline": "",
"link_param": null,
"description": "",
"metaDescription": "",
"order": "0",
"pageId": null,
"articlesCount": null,
"allowComments": "1",
"accessType": "freecount",
"status": "1",
"children": [],
"cached": true
}
],
"content_length": 6164,
"contents": "The South African Social Security Agency's IT system vulnerabilities to fraud have been confirmed, yet the agency still hasn’t formed an action plan to address the chaos.\r\n\r\nVulnerabilities in Sassa’s IT system were confirmed at a parliamentary social development committee meeting on 27 November 2024, following a 30-day investigation requested by Social Development Minister Sisisi Tolashe. However, Sassa's failure to present an implementation plan has left the investigation incomplete.\r\n\r\n<p><img loading=\"lazy\" class=\"size-full wp-image-2481364\" src=\"https://www.dailymaverick.co.za/wp-content/uploads/2024/11/GroundUp-Sassa-recovers.jpg\" alt=\"sassa queue\" width=\"2362\" height=\"1542\" /> <em>People queue for social grants outside the Sassa office in Eerste River, Cape Town. (Archive photo: Ashraf Hendricks)</em></p>\r\n\r\nThe investigation confirmed the allegations made by Stellenbosch University first-year computer science students Veer Gosai and Joel Cedras, who discovered fraudulent activity and vulnerabilities in the Social Relief of Distress (SRD) grant IT system.\r\n\r\nGosai and Cedras found the <a href=\"https://groundup.org.za/article/we-discovered-flaws-massive-fraud-in-sassas-srd-system/\">major problems</a> in the system included:\r\n<ul>\r\n \t<li>A lack of rate limiting, allowing them to run queries through the system thousands of times a minute;</li>\r\n \t<li>No way to update an application once it was fraudulently made;</li>\r\n \t<li>A general lack of verification of details and biometric verification, allowing for “mass grant and identity fraud”, according to Gosai.</li>\r\n</ul>\r\nSassa CEO Busisiwe Memela-Khambula said that due to the urgent need for the SRD grant, the system was “implemented quickly” and that they were “building the system as we [went]”.\r\n\r\n“This has created challenges in ensuring it was done properly,” she said.\r\n\r\nThe SRD grant was introduced during the Covid-19 pandemic to assist 
people aged 18-59 who found themselves in dire need of financial assistance. The grant is currently R370 a month.\r\n\r\nMasegare and Associates, an external service provider appointed by Sassa, was unable to complete the investigation due to time constraints and “huge” amounts of data, according to company CEO Peter Masegare.\r\n\r\nSassa admitted that of the five external service providers specialising in auditing and cybersecurity who had been invited to submit proposals to complete the investigation, only one responded. Tolashe said all due processes had been followed in vetting the service provider.\r\n\r\n<strong>Read more:</strong> <a href=\"https://www.dailymaverick.co.za/article/2024-10-14-reboot-needed-after-students-discover-massive-fraud-in-sassas-social-relief-of-distress-grant-system/\">Reboot needed after students discover massive fraud in Sassa’s Social Relief of Distress grant system</a>\r\n<h4><strong>‘Two-phase investigation lacks urgency’</strong></h4>\r\nThe faults found by Masegare and Associates, appointed by Sassa on 11 November, to do a comprehensive investigation of all its grant systems, including but not limited to child support, disability, old age pension and foster-child grants, revealed an extensive scope of work required to address Sassa’s IT system faults.\r\n\r\nDue to “higher volumes of data than anticipated”, the company said the investigation would be split into two phases.\r\n\r\nAltia Sthembile Hlongo (ANC) said the two-phase plan “lacks urgency”, further delaying an investigation into an issue with national import.\r\n\r\nThe faults found so far by Masegare and Associates determined that Sassa’s SRD grant system fell into the “medium” risk category, while the implication of system infiltration carried significant consequences for the public.\r\n\r\nThe faults found and recommendations provided by Masegare and Associates include:\r\n<ul>\r\n \t<li>Multiple applicants per cellphone number, allowing fraudulent applications. 
(Recommendation: Sassa should strengthen the link between ID numbers and associated phone numbers.)</li>\r\n \t<li>OTP-based authentication makes the system vulnerable to SIM-swap fraud, with a lack of OTPs at certain points of the application process. (Recommendation: Sassa should implement multifactor authentication and combine OTPs with biometrics.)</li>\r\n \t<li>Mobile money and Cash Send allow fraudulent beneficiaries to divert funds. (Recommendation: regular auditing of mobile money mechanisms.)</li>\r\n \t<li>The location of the server and access control hosting system remains vulnerable to insider threats. (Recommendation: implement strict access control and insider threat mitigation by conducting regular audits and insider threat training.)</li>\r\n \t<li>The system may not detect shared or reassigned cellphone numbers. (Recommendation: Sassa should perform periodic re-evaluations of cellphone ownership.)</li>\r\n \t<li>Lack of clear data encryption for sensitive data, such as ID numbers and banking details. 
(Recommendation: implement end-to-end encryption for all sensitive information both in transit and at rest.)</li>\r\n</ul>\r\n<h4><strong>No action by Sassa</strong></h4>\r\nMemela-Khambula confirmed that addressing the issues in the report was still a “work in progress”, with Sassa having not yet engaged in dialogue with Masegare and Associates.\r\n\r\nTshilidzi Munyai (ANC) said Sassa was “leaving doors open” by leaving issues unresolved while the investigation was ongoing.\r\n\r\nAltia Sthembile Hlongo (ANC) said Sassa should urgently present an intervention plan to restore public trust.\r\n\r\n“We can’t now wait for students to come and identify a problem,” she said.\r\n\r\n<strong>Read more:</strong> <strong><a href=\"https://www.dailymaverick.co.za/article/2024-10-28-legitimate-social-relief-of-distress-grant-applicants-pay-the-price-for-fraudsters/\">Legitimate Social Relief of Distress grant applicants pay the price for fraudsters</a></strong>\r\n\r\nKerileng Tlhong (ANC) agreed that the department needed to present an action plan for how Sassa and the Department of Social Development would collaborate. 
She also pointed out the lack of an impact assessment, with no indication of how many people had been affected by fraudulent activities and how they might be remunerated.\r\n<h4><strong>A crime that ‘knows no borders’</strong></h4>\r\nMinister Tolashe said collaboration between public, expert and governance bodies was ever more critical, pointing to the rapidly increasing risks to cybersecurity worldwide.\r\n\r\n“This is one crime that knows no borders,” she said.\r\n\r\nTolashe cited the South African Banking Risk Information Centre Annual Crime Statistics report for 2023, which revealed that South African banks lost R3.3-billion to digital fraud, card fraud and contact crimes.\r\n\r\n“We want to be better than the banks,” said Deputy Minister of Social Development Ganief Hendricks.\r\n\r\nWhile Tolashe recognised the urgency of the matter, she said the 30-day time period requested was too short to either complete the investigation or effectively resolve any problems.\r\n\r\n“We underestimated the task at hand,” she said. <strong>DM</strong>",
"teaser": "Confirmed — Stellenbosch students’ fraud frailty warning on Sassa grant system",
"externalUrl": "",
"sponsor": null,
"authors": [
{
"id": "1056233",
"name": "Nicola Amon",
"image": "",
"url": "https://staging.dailymaverick.co.za/author/nicola-amon/",
"editorialName": "nicola-amon",
"department": "",
"name_latin": ""
}
],
"description": "",
"keywords": [
{
"type": "Keyword",
"data": {
"keywordId": "3703",
"name": "Department of Social Development",
"url": "https://staging.dailymaverick.co.za/keyword/department-of-social-development/",
"slug": "department-of-social-development",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Department of Social Development",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "3704",
"name": "Sassa",
"url": "https://staging.dailymaverick.co.za/keyword/sassa/",
"slug": "sassa",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Sassa",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "9436",
"name": "Stellenbosch University",
"url": "https://staging.dailymaverick.co.za/keyword/stellenbosch-university/",
"slug": "stellenbosch-university",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Stellenbosch University",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "51596",
"name": "Fraud",
"url": "https://staging.dailymaverick.co.za/keyword/fraud/",
"slug": "fraud",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Fraud",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "280853",
"name": "social relief of distress grant",
"url": "https://staging.dailymaverick.co.za/keyword/social-relief-of-distress-grant/",
"slug": "social-relief-of-distress-grant",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "social relief of distress grant",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "405952",
"name": "Sisisi Tolashe",
"url": "https://staging.dailymaverick.co.za/keyword/sisisi-tolashe/",
"slug": "sisisi-tolashe",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Sisisi Tolashe",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "425386",
"name": "Joel Cedras",
"url": "https://staging.dailymaverick.co.za/keyword/joel-cedras/",
"slug": "joel-cedras",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Joel Cedras",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "425387",
"name": "Veer Gosai",
"url": "https://staging.dailymaverick.co.za/keyword/veer-gosai/",
"slug": "veer-gosai",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Veer Gosai",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "427357",
"name": "Nicola Amon",
"url": "https://staging.dailymaverick.co.za/keyword/nicola-amon/",
"slug": "nicola-amon",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Nicola Amon",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "427358",
"name": "Busisiwe Memela-Khambula",
"url": "https://staging.dailymaverick.co.za/keyword/busisiwe-memelakhambula/",
"slug": "busisiwe-memelakhambula",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Busisiwe Memela-Khambula",
"translations": null
}
}
],
"short_summary": null,
"source": null,
"related": [],
"options": [],
"attachments": [
{
"id": "100378",
"name": "People queue for social grants outside the Sassa office in Eerste River, Cape Town. (Archive photo: Ashraf Hendricks)",
"focal": "50% 50%",
"width": 0,
"height": 0,
"url": "https://dmcdn.whitebeard.net/dailymaverick/wp-content/uploads/2024/11/ED_520456.jpg",
"transforms": [
{
"x": "200",
"y": "100",
"url": "https://dmcdn.whitebeard.net/i/01lmWc0BNlqOwLZ9BNXoMjVJyEg=/200x100/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/11/ED_520456.jpg"
},
{
"x": "450",
"y": "0",
"url": "https://dmcdn.whitebeard.net/i/G8_VieTl81nNkoWykumNmWcsYWE=/450x0/smart/file/dailymaverick/wp-content/uploads/2024/11/ED_520456.jpg"
},
{
"x": "800",
"y": "0",
"url": "https://dmcdn.whitebeard.net/i/unUwT68KyEgnOs3Qetde5O6xspk=/800x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/11/ED_520456.jpg"
},
{
"x": "1200",
"y": "0",
"url": "https://dmcdn.whitebeard.net/i/DZ7pMWQgl8j9_hty94L06Aqhn5Q=/1200x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/11/ED_520456.jpg"
},
{
"x": "1600",
"y": "0",
"url": "https://dmcdn.whitebeard.net/i/Mg3Y2w6CsMvpAON3qbKxyb3Yjv8=/1600x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/11/ED_520456.jpg"
}
],
"url_thumbnail": "https://dmcdn.whitebeard.net/i/01lmWc0BNlqOwLZ9BNXoMjVJyEg=/200x100/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/11/ED_520456.jpg",
"url_medium": "https://dmcdn.whitebeard.net/i/G8_VieTl81nNkoWykumNmWcsYWE=/450x0/smart/file/dailymaverick/wp-content/uploads/2024/11/ED_520456.jpg",
"url_large": "https://dmcdn.whitebeard.net/i/unUwT68KyEgnOs3Qetde5O6xspk=/800x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/11/ED_520456.jpg",
"url_xl": "https://dmcdn.whitebeard.net/i/DZ7pMWQgl8j9_hty94L06Aqhn5Q=/1200x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/11/ED_520456.jpg",
"url_xxl": "https://dmcdn.whitebeard.net/i/Mg3Y2w6CsMvpAON3qbKxyb3Yjv8=/1600x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/11/ED_520456.jpg",
"type": "image"
}
],
"summary": "A 30-day investigation has confirmed allegations of vulnerabilities in Sassa’s SRD grant system uncovered by Stellenbosch University students, who pointed towards ‘mass grant and identity fraud’. Sassa’s investigation remains incomplete, without any intervention plan presented.",
"template_type": null,
"dm_custom_section_label": null,
"elements": [],
"seo": {
"search_title": "Confirmed — Stellenbosch students’ fraud frailty warning on Sassa grant system",
"search_description": "The South African Social Security Agency's IT system vulnerabilities to fraud have been confirmed, yet the agency still hasn’t formed an action plan to address the chaos.\r\n\r\nVulnerabilities in Sassa’s",
"social_title": "Confirmed — Stellenbosch students’ fraud frailty warning on Sassa grant system",
"social_description": "The South African Social Security Agency's IT system vulnerabilities to fraud have been confirmed, yet the agency still hasn’t formed an action plan to address the chaos.\r\n\r\nVulnerabilities in Sassa’s",
"social_image": ""
},
"cached": true,
"access_allowed": true
}