The South African Social Security Agency (Sassa) is confident that its Social Relief of Distress (SRD) grant system was not breached.
Sassa's statement comes after two first-year Stellenbosch University computer science students, Joel Cedras and Veer Gosai, discovered severe bugs and fraud in the Sassa SRD grant system.
Their investigation found that fraudulent grant applications, including those using their ID numbers, were approved while legitimate beneficiaries were denied. A campus survey conducted by the students revealed that 56 out of 60 students had grant applications made in their names, despite never applying.
This indicates that criminals may exploit the system by changing beneficiaries' contact details to redirect funds.
Sassa says they are already aware of such fraud and have been working to combat it.
The agency recently beefed up its security measures, including algorithms for detecting suspicious applications and enhanced verification processes such as facial recognition and OTP verification.
Over time, the risk landscape has evolved, requiring Sassa to adapt accordingly. In response, Sassa has implemented several countermeasures, including algorithms based on data and metadata to identify potentially fraudulent applications that require further identity verification.
Sassa says they collaborate with financial institutions and law enforcement to minimise fraud while balancing security with accessibility for their mostly non-tech-savvy client base.
"Sassa has also been working with other institutions like the banks from the onset to ensure that the grant is paid to those who are eligible for the grant. In this regard, Sassa is also working closely with some banks to accelerate their biometric verification solutions for clients when opening bank accounts."
Sassa says that, as a result of the success of these measures, more than 2 million applications have been flagged for further identity verification, blocked and placed in a “referred status”. Grant applicants receive a Referred SRD grant status if they must do further verification, which requires them to verify their identity through facial recognition software.
While the students' findings were noted, Sassa says the students did not fully consider the scope of Sassa’s ongoing efforts to address vulnerabilities and maintain system integrity.
"It is our notion that the students who raised their findings did so in a vacuum of having all relevant facts and consideration of the Sassa clientele profile, considering the system functionality versus vulnerability, the Sassa risk assessments performed and the fact that Sassa is working with various companies, as well as the authorities in the prosecution of fraudulent client applications."