We’re two first-year pc science college students at Stellenbosch College. We have now been on the lookout for vulnerabilities in authorities and private-sector programs. We do that fully legally, by utilizing publicly obtainable web sources, such because the backends of varied authorities portals.
We inform all related establishments of any vulnerabilities we discover, and most often give them ample time to deal with the problems earlier than we disclose them publicly. We by no means exploit the vulnerabilities for our personal profit.
However typically a system bug is so dangerous that it brings to mild fraud or gross incompetence. We imagine it’s proper to then go public with what we discover instantly. That is the case with Sassa’s Social Reduction of Misery (SRD) grant system.
After we uncovered the issues described right here, we did attempt to alert Sassa however discovered it near-impossible to pay money for anybody. Many of the contact numbers listed on its web site both don’t exist, or ring indefinitely.
Hundreds of thousands of persons are receiving the SRD grant. Many have utilized however their purposes have been turned down. This grant, R370/month at present, is touted as a doable forerunner to a fundamental earnings grant.
Findings from the Sassa SRD system
We queried Sassa’s public portal with 300 000 ID numbers for February 2005 at a charge of 700/minute. The primary downside is that this shouldn’t be doable. A reliable system with fundamental safety would have restricted the speed at which we might question it.
We’d have thought-about this a mere bug, knowledgeable Sassa and given them a chance to repair the issue earlier than disclosing it. Besides we found an even bigger downside.
We discovered that 74 931 SRD grant purposes had been made for folks born in February 2005. In accordance with Statistics South Africa (as of 2020) there have been 82 097 births in February 2005. This is able to imply that the appliance charge is roughly 91%. This can be very unlikely that so many purposes had been made by folks born on this month.
We additionally processed the primary 500 male and 500 feminine IDs of individuals born on 1 January, from 1960 to 2006. Our findings present that there was a mean software charge of 52% for all the years, however when taking a look at folks born between 2002 and 2006, the appliance charge turns into roughly 90%. That is notable as a result of it displays the appliance charge of people that have turned 18 for the reason that grant was first issued in 2020. A 90% software charge is extraordinarily unlikely to have occurred naturally – it’s disproportionately massive and reeks of fraud.
Caption: Sassa SRD grant purposes for first 500 male and 500 feminine ID numbers on 1 January of every 12 months from 1960 to 2006.
We additionally uncovered that Sassa has paid grants out on a variety of events to candidates that used our ID numbers, although we’ve by no means obtained the SRD grant. This means that not solely are fraudulent purposes being made; it’s possible a lot of them are succeeding. Not solely are ineligible folks receiving the grant, however there are possible people who find themselves eligible who’re shedding out as a result of a fraudster is getting what needs to be their grant.
Survey findings
We carried out an on-campus survey of 60 folks we all know. Fifty-eight of them had lively grant purposes for the SRD grant on Sassa’s system. Fifty-six said that they’d by no means truly utilized for the grant themselves, which signifies that 56 are fraudulent purposes.
The size of this strongly factors to an organised effort to reap the benefits of Sassa’s weak IT system. A query to ask is whether or not the system was deliberately carried out to be so weak. If not, then why has it taken Sassa so lengthy to note it? Why is it not correctly fastened but? And why has the general public not been correctly knowledgeable about what’s occurring?
Sassa’s admission
We went public with our findings on Thursday on Coronary heart FM. Since then Brenton van Vrede, who heads up grant operations at Sassa, admitted, additionally on Coronary heart FM, that fraud is widespread.
“We do sadly have numerous these instances,” he mentioned, which is kind of an understatement.
Van Vrede requested individuals who uncover that fraudulent purposes have been made of their identify to contact Sassa’s name centre, in order that they will undergo a biometric verification course of. We’re sceptical that that is sensible. That is additionally an enormous burden to put on members of the general public, particularly the poorest of the poor, to deal with an issue of Sassa’s making.
Reboot required
Sadly, the size of this disaster means there is no such thing as a straightforward answer to it. All the Sassa SRD system must be re-envisioned. We advocate that Sassa not solely reverify each single grant software, however that it additionally requests further particulars to confirm. Alternately, it must reimplement the system from scratch – although this might be an enormous enterprise that may possible go away many SRD recipients out of pocket.
Sassa’s dedication to biometric verification defeats the aim of the SRD grant, which is meant to be accessible, even to folks utilizing gadgets with the bottom specs.
As a substitute, verification can embody particulars such because the sensible ID difficulty date (discovered on the again of ID playing cards), which is what some banks and different establishments use. However extra importantly, the system needs to be fastened in order that it’s tougher to make purposes in fast succession and not possible to commit fraud on a big scale.
Sassa wants to completely disclose what has occurred and the size of it. There must be an inquiry into what has occurred. Who developed the Sassa SRD system? How a lot did it value? Who maintains it? What safety checks have been put in place? And who’re the kingpins answerable for what is nearly actually an organised huge fraud? — Joel Cedras and Veer Gosai, (c) 2024 GroundUp 2024
