SASSA slammed for ‘significant’ SRD security flaws


In a second presentation to parliament on SRD security flaws, independent investigators have detailed ‘significant’ weaknesses in the system behind the R370-per-month grant. While acting CEO Temba Matlou welcomed the report’s findings, the sheer number of SRD security flaws highlighted should be of grave concern for the agency and the country as a whole, reports GroundUp.

Specifically, the examination by Masegare & Associates Incorporated identified “weak authentication policies, unprotected backup files and a lack of web security.” The investigation follows the work of two first-year computer science students at Stellenbosch University, who brought the SRD security flaws to light after their ID numbers were used in apparent identity theft.

SRD SECURITY FLAWS

If you don’t like biometric verification, you’re not going to like investigators’ recommendations to SASSA.

Last week, a Mr. Matshote presented his second report to Parliament’s Portfolio Committee on Social Development. The firm’s first report faced criticism for not addressing fundamental, systemic problems in the South African Social Security Agency’s Social Relief of Distress grant system. Matshote labelled the SRD security flaws as a ‘medium’ threat level. “While not highly vulnerable, it is still susceptible to attacks that could compromise security if left unaddressed,” he explained in parliament.

Going into detail, there are concerns over weak authentication mechanisms, unprotected backup files and server misconfigurations. All of the above represent ‘significant’ SRD security flaws and could give hackers unauthorised access to sensitive internal data. That said, it is also unclear how Matshote reached the conclusion that SASSA’s risk level is only ‘medium’. Moreover, social welfare takes the second-highest portion of the National Treasury’s budget (after debt servicing), so SASSA SRD fraud is highly damaging economically.

FRAUDULENT SRD APPLICATIONS

Glaring SRD security flaws have allowed malicious, identity-stealing websites to thrive.

Matshote revealed that as many as 1 650 fraudulent SRD applications have been identified and stopped since the investigation started, but he shared no further information. The investigation also uncovered fraudulent websites mimicking SASSA’s official portal. These malicious sites operate without SASSA approval, of course, and violate the Protection of Personal Information Act (POPIA). Two of the fake sites mentioned are srd-sassa.org.za and srdsassagov.co.za. They collect personal data from applicants, which is then used for identity theft and fraudulent transactions.

Some of Matshote’s recommendations to help solve these glaring SRD security flaws include:

  • Issue an immediate public advisory warning to beneficiaries about the unofficial sites (above).
  • Work with domain registrars and cybersecurity teams to shut down these unofficial/fake sites (above).
  • Link SASSA applicant IDs to a unique phone number.
  • Expand biometric verification with randomised verification checks.
  • Increase annual vulnerability and penetration assessments.
  • Reduce the number of clients who can apply per cellphone number from five to one.
  • Introduce real-time system monitoring to detect anomalies.
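Two of the recommendations above (one applicant ID per cellphone number instead of five, and real-time anomaly monitoring) can be expressed as simple checks over application records. The script below is an added illustration, not code from the report, from SASSA or from the investigators; the application records are constructed, the applicant ID labels are placeholders rather than real ID numbers, and the burst window and threshold are assumed values chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample application records (applicant ID label, cellphone, submission time).
# These are made-up values for illustration only, not SASSA data.
APPLICATIONS = [
    ("ID-001", "0820000001", "2024-05-01T09:00:00"),
    ("ID-002", "0820000001", "2024-05-01T09:01:00"),  # second ID on the same number
    ("ID-003", "0830000002", "2024-05-01T09:00:00"),
    ("ID-004", "0840000003", "2024-05-01T09:00:00"),
    ("ID-005", "0840000003", "2024-05-01T09:02:00"),
    ("ID-006", "0840000003", "2024-05-01T09:04:00"),  # three applications in four minutes
    ("ID-007", "0840000003", "2024-05-01T09:30:00"),
    ("ID-003", "0830000002", "2024-05-02T09:00:00"),  # same applicant re-applying, not a new ID
]


def _parse(records):
    """Convert ISO-8601 timestamp strings into datetime objects."""
    return [(aid, phone, datetime.fromisoformat(ts)) for aid, phone, ts in records]


def applicants_per_phone(records):
    """Map each cellphone number to the set of distinct applicant IDs that used it."""
    by_phone = defaultdict(set)
    for aid, phone, _ in records:
        by_phone[phone].add(aid)
    return dict(by_phone)


def flag_shared_phones(records, max_ids_per_phone=1):
    """Return cellphone numbers linked to more applicant IDs than policy allows.

    The article states the current limit is five applicants per number and the
    recommendation is one; the default here reflects the recommendation.
    """
    return sorted(
        phone
        for phone, ids in applicants_per_phone(records).items()
        if len(ids) > max_ids_per_phone
    )


def burst_alerts(records, window=timedelta(minutes=10), threshold=3):
    """Return cellphone numbers with at least `threshold` applications inside any
    sliding interval of length `window` (assumed values for a real-time monitor)."""
    times = defaultdict(list)
    for _, phone, ts in _parse(records):
        times[phone].append(ts)
    alerts = []
    for phone, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # Advance the window start until all stamps in [start, end] lie within `window`.
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(phone)
                break
    return sorted(alerts)


if __name__ == "__main__":
    print("Under current policy (5 per number):", flag_shared_phones(APPLICATIONS, 5))
    print("Under recommended policy (1 per number):", flag_shared_phones(APPLICATIONS, 1))
    print("Burst alerts:", burst_alerts(APPLICATIONS))
```

On the constructed records the five-per-number rule flags nothing, while the one-per-number rule flags two numbers, which shows why the recommended tightening matters; the burst check flags only the number that submitted three applications within a few minutes, the kind of signal a real-time monitor would raise for review.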

Finally, Social Development Minister Sisisi Tolashe acknowledged the government’s failure to prevent these security breaches. “We have no excuse. Not now, not tomorrow. Our people have gone through enough non-commitment by strategic leadership,” she concluded.
