Local – The South African Social Security Agency (SASSA) has introduced several security upgrades after uncovering fake websites targeting COVID-19 Social Relief of Distress (cSRD) grant applicants.
The official application site is https://SRD.sassa.gov.za, but two fraudulent platforms—https://srd-sassa.org.za and https://srdsassagov.co.za—were found to be stealing personal information from applicants hoping to access the R370 grant.
In response, SASSA has taken several steps to strengthen the security of its application system and protect applicants’ personal information.
The HTTPS method has been replaced with a more secure POST to ensure safer communication between applicants and the server. A rate limit has been introduced to prevent abnormal traffic from overwhelming the system.
Outdated software has been updated, and regular patch updates have been implemented to strengthen the platform further. Additionally, biometric verification has been introduced to provide an extra layer of security.
“In the long term, and within 18 months, SASSA will take down the fake websites and other content that violates its brand, copyright or right to information and privacy.”
The Discovery of the Fake Websites
The discovery of these fake websites came to light during a recent parliamentary session where the Portfolio Committee on Social Development received an update on an investigation into alleged fraud and weaknesses in SASSA’s grant application system.
The investigation was ordered by Minister of Social Development Sisisi Tolashe after two University of Stellenbosch students, Joel Cedras and Veer Gosai, raised concerns about possible fraud in the application process.
“Phase 1 of the investigation consisted of a comprehensive audit into the SRD application system administered by SASSA to determine the extent to which the system was exposed to Fraud.”
“The findings of this audit will serve as input as a basis for Phase 2, which will be an investigation into alleged fraud and weaknesses in the broader social grant system that results in ineligible beneficiaries receiving social grants,” said the Department of Social Development.
Subsequently, SASSA’s Final Report on the Vulnerability Assessment (VA) and Penetration Testing (PT) of the SRD online system it administers revealed several key findings.
It exposed the existence of “unidentified, malicious websites with .org and .co.za domain names that purport to be the authentic SRD application websites that are used to harvest applicants’ information for fraud purposes.”
Additionally, the report identified “that the SRD web application has weaknesses, such as unencrypted communications, that present threats to the security of the platform and the safety of users. These weaknesses are classified as medium risk by the Final Audit Report.”
As such, the final audit recommended launching a public communication campaign to warn beneficiaries and applicants about fake sites aimed at defrauding them.
Moreover, Minister Tolashe has assured the committee of her commitment to addressing the vulnerabilities and weaknesses identified in the system.
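For teams that screen links in SMS, e-mail or helpdesk tickets, the check below separates the official address from the two fake domains named above. It is an added example, not SASSA's code; the brand tokens and the three labels are assumptions, and the extra sample URLs are constructed.

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "srd.sassa.gov.za"  # official site as given in the article
BRAND_TOKENS = ("srd", "sassa")     # assumption: names an impersonating host borrows


def classify_srd_url(url: str) -> str:
    """Return 'official', 'suspicious' or 'unrelated' for an absolute URL."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops userinfo and port and lower-cases the host
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "suspicious"  # malformed authority: do not trust it
    # Only an exact host match over HTTPS counts as the real site
    if parts.scheme == "https" and host == OFFICIAL_HOST:
        return "official"
    # Squash separators across the whole authority so 'srd-sassa',
    # 'srdsassagov' and a 'user@host' disguise all compare alike
    squashed = "".join(ch for ch in parts.netloc.lower() if ch.isalnum())
    if all(token in squashed for token in BRAND_TOKENS):
        return "suspicious"
    return "unrelated"


if __name__ == "__main__":
    samples = [
        "https://SRD.sassa.gov.za",                 # from the article (official)
        "https://srd-sassa.org.za",                 # from the article (fake)
        "https://srdsassagov.co.za",                # from the article (fake)
        "http://srd.sassa.gov.za/",                 # constructed: no TLS
        "https://srd.sassa.gov.za.example.org/",    # constructed: subdomain trick
        "https://srd.sassa.gov.za@login.example/",  # constructed: userinfo trick
        "https://www.gov.za/",                      # constructed: unrelated site
    ]
    for sample in samples:
        print(f"{classify_srd_url(sample):<10} {sample}")
```

The match is exact by design: anything that merely contains the official name, including the plain-HTTP form of the real host, is flagged for review rather than trusted.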