
The South African Social Security Agency (SASSA) intends to expand the scope of its verification processes, including upping the number of annual vulnerability assessments and penetration testing it conducts.
This, after an investigation of the Social Relief of Distress (SRD) grant system uncovered “medium-level” vulnerabilities in online applications and payment.
The probe was prompted after two students from Stellenbosch University last year reportedly identified weaknesses in SASSA’s SRD grant payment system and fraud within the application process.
According to the report, the system showed the students as having applied for and received the grant, even though they had neither applied nor received any payments.
As a result, social development minister Nokuzola Tolashe ordered the investigation into the SASSA-administered grant, following a recommendation made by the Parliamentary Portfolio Committee on Social Development.
Yesterday, the portfolio committee was briefed by the Department of Social Development (DSD), SASSA, as well as Masegare and Associates Incorporated, which conducted the investigation of the SRD grant system.
The investigation revealed there are some areas of weakness that could compromise the system’s integrity if not addressed.
The committee heard about the key vulnerabilities within the system, which include weaknesses in the one-time PIN (OTP)-based authentication, the allowance for multiple applicants per cellphone number, and the use of a mobile money service that exposes the platform to potential fraud and misuse.
Furthermore, identity theft was flagged, which SASSA said complicates its efforts to maintain the integrity of the SRD grant application process.
As part of the investigation, it’s been recommended that SASSA introduce multi-factor authentication that combines OTPs with biometric verification or secure tokens, to protect against unauthorised access and mitigate risks such as SIM swap fraud.
It’s also been recommended that SASSA broaden the use of biometric verification to include more transactions, or introduce randomised checks, to enhance fraud prevention by making it more difficult for malicious actors to exploit the system.
The outcomes of the investigation have been welcomed by the portfolio committee, as well as SASSA, with acting CEO Themba Matlou saying the agency will improve controls to ensure systems are secure.
According to Matlou, an implementation plan of the recommendations will immediately be actioned.
The number of annual vulnerability assessments and penetration tests will increase from the two currently conducted to four, he notes.
In addition, SASSA is in discussions with the DSD to reduce the number of clients that can apply on one cellphone number from five to one.
“SASSA is implementing rigorous account verification processes and real-time monitoring systems to detect anomalies and unauthorised transactions. Regular audits to proactively identify and address potential fraud are also conducted by the agency,” he states.
“SASSA is broadening the use of biometric verification to include more transactions, or introduce randomised checks. This will enhance fraud prevention by making it more difficult for malicious actors to exploit the system.”
Matlou adds that SASSA has, as a short-term measure, begun reconfiguring the web server configuration file to mitigate the identified risks and prevent external manipulation of its web pages.
“The system’s firewall has been upgraded to a new version, to mitigate unauthorised access, data breaches, remote code execution and service disruptions presented by older versions. In addition to this, regular scheduled patch management processes will be strengthened.”
In the medium to long term, SASSA plans to implement biometric verification for all online transactions, introduce cyber security threat intelligence and a web application firewall, improve its software development lifecycle, and extend the scope of its security operations centre to include domain monitoring and take-down services.
Initially introduced in 2020 to cushion qualifying citizens against the financial pressures caused by the COVID-19 pandemic, the SRD grant has continued as part of the government’s social grants programme.
The grant, previously R350, was increased by 5.7% to R370 as of April 2024.