A recent security review of South Africa’s Social Relief of Distress (SRD) grant program, overseen by the South African Social Security Agency (SASSA), uncovered significant vulnerabilities in financial crime security across multiple sectors.
In November, independent researchers Joel Cedras and Veer Gosai revealed that criminals had exploited weaknesses in mobile and banking systems to register fraudulent claims for SRD grants, resulting in the theft of millions of rands. This discovery prompted an immediate investigation by the independent firm Masegare and Associates Incorporated.
The investigation highlighted various areas of risk, extending well beyond SASSA. The findings emphasised that financial institutions were not the only entities at risk of being entangled in financial crime schemes.
Hackers had created counterfeit websites posing as the South African Social Security Agency, allowing them to gather personal information from legitimate grant applicants. This stolen data was then used to submit fraudulent applications, redirecting funds into the criminals’ accounts.
One key vulnerability identified was in Me&You Mobile’s system, which failed to properly verify the identity of SIM card recipients through the RICA process. Fraudsters could therefore obtain phone numbers without adequate RICA checks and use those numbers to receive the One-Time Passwords (OTPs) needed to create fake grant applications, while their true identities remained unknown.
Moreover, weaknesses in the identity verification systems of TymeBank and Shoprite were also exploited. Fraudsters used these gaps to gain access to legitimate bank accounts, diverting taxpayer funds intended for rightful recipients into accounts controlled by the criminals.
In response to the fraud, TymeBank and Shoprite quickly updated their systems to ensure that SRD grants could only be paid into accounts that had been biometrically verified. Me&You Mobile, likewise, temporarily disabled its online eSIM ordering system while addressing its security shortcomings.
Similarly, SASSA moved swiftly to implement biometric verification for all applicants.
This sophisticated fraud operation exploited the lack of robust identity verification, inadequate compliance checks, and flawed digital onboarding systems across government agencies, financial institutions, and mobile operators, underscoring the need for comprehensive improvements in security measures.