
Serious flaws in Sassa system, parliamentarians told – again

An investigation into Sassa’s Social Relief of Distress (SRD) grant system has revealed significant security flaws that leave the online payment system vulnerable to cyberattacks and fraud. Photo: Marecia Damons

  • An investigation into Sassa’s Social Relief of Distress (SRD) grant system has found significant security flaws that make it vulnerable to fraud.
  • The findings were presented on Wednesday to Parliament’s Portfolio Committee on Social Development.
  • Fraudulent websites that mimic the official Sassa platform steal personal data from applicants, and victims are already suffering identity theft and financial fraud, the investigation found.
  • The Minister of Social Development, Nokuzola Tolashe, promised stricter oversight and accountability.

Weak authentication policies, unprotected backup files and a lack of web security measures were among the numerous problems identified in an investigation into the R370 grant system.

The investigation follows findings by two Stellenbosch University students, who discovered vulnerabilities in the payment system run by the South African Social Security Agency (Sassa). They found that a large number of fraudulent SRD applications were made using the ID numbers of people who had recently turned 18.

Their research prompted the Minister of Social Development, Nokuzola Tolashe, to launch an investigation. The investigation was conducted by Masegare & Associates Incorporated.

On Wednesday, Stanley Matshote presented the findings to Parliament’s Portfolio Committee on Social Development. Matshote explained that they found significant security flaws in the Sassa system.

This is the second time the company has presented to Parliament. We pointed out last time that the investigation was superficial and expensive. It does not address fundamental issues in Sassa’s systems identified by the Stellenbosch students (see here and here).

The system was classified as a “medium” threat level, said Matshote. “While the system is not extremely vulnerable, it is still susceptible to attacks that could compromise security if left.”

The concerns flagged included weak authentication mechanisms, making it easier for hackers to gain access; unprotected backup files, increasing the risk of data leaks; missing security headers, exposing user information to potential breaches; and server misconfigurations, allowing unauthorized access to sensitive internal data.

“Despite being classified as medium risk, there are significant threats that could lead to unauthorized access, data breaches, service disruptions or reputational damage if vulnerabilities are exploited,” said Matshote.

It is not clear how Matshote came to the conclusion that the level of risk is medium. MIT defines a system as high risk if “the loss of confidentiality, integrity or availability of these information assets could reasonably lead to serious damage to people or the Institute.” Numerous fraudulent SRD applications have been made by exploiting the weak points in the system, and a large number of them succeeded, fraudulently. This is the very essence of a high level of risk.

To mitigate these risks, he recommended that Sassa implement multi-factor authentication, stricter checks on grant applications and periodic security audits.

“As the (malicious) site operates without Sassa’s approval, it may violate data protection laws, such as Popia (the Protection of Personal Information Act) in South Africa,” said Matshote.

The investigation also discovered fraudulent websites that mimic the official Sassa site, putting beneficiaries at risk of identity and financial fraud.

Matshote said that these fake platforms harvest personal data from unsuspecting applicants, some of whom have already fallen victim to identity theft. The sites – and – are not affiliated with Sassa, but claim to provide accurate information about social grants. These sites collect personal data from applicants, Matshote told MPs.

“It is recommended that Sassa consider issuing an immediate public warning to beneficiaries about the unofficial (fake) sites. The authorities should also work with domain registrars and cybersecurity teams to shut down these unofficial (fraudulent) websites,” said Matshote.

He also recommended that Sassa link each applicant’s ID to a unique phone number to prevent multiple registrations, expand biometric verification to detect fraud more effectively, and perform periodic tests to strengthen the system against cyber threats.

Sassa’s acting CEO, Themba Matlou, acknowledged the vulnerabilities in the system, but stressed that steps were being taken to address them. “We have implemented risk mitigation processes,” said Matlou, adding that security updates have been implemented. “The system is safe. I reconfigured the server after receiving the report, but obviously there is still work to be done,” Matlou told parliamentarians.

Although approximately R280,000 was spent on the investigation, parliamentarians were concerned that it failed to adequately address the full extent of the fraud, the number of victims affected and how many grants were paid out.

Nhlanhla Gcwabaza (MK) said that although fixing the system is crucial, the immediate impact on beneficiaries has not been fully addressed. “There are people who were supposed to get the grants, but did not,” he said.

Paulnita Marais (EFF) questioned how beneficiaries could complete the identity check if they do not have access to a smartphone, while Alexandra Abrahams (DA) raised the concern that Sassa had not set any deadlines to address some of the problems raised in the report.

Tolashe acknowledged the government’s failures in preventing these security breaches, promising more accountability going forward. “We have no excuse. Not now, not tomorrow. Our people have gone through the non-employment to strategic leadership,” she said.

© 2025 GroundUp. This article is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.

You can republish this article, as long as you credit the authors and GroundUp, and do not change the text. Please include a link back to the original article.