Image created by AI

Unraveling the Network of Fraud: How Two Students Exposed Vulnerabilities in South Africa’s Financial Systems**

Published January 12, 2025
1 months ago

In a striking revelation that stunned South Africa, two first-year computer science students from Stellenbosch University, Joel Cedras and Veer Gosai, delved into the country’s Social Relief of Distress (SRD) grant system only to unearth extensive vulnerabilities leading to massive fraud. Their discovery has prompted significant security overhauls across financial and telecommunication sectors.





The students began investigating after noticing fraudulent activities involving their identities being used to claim R370 monthly grants. Their inquiry led them to uncover a chain of security lapses not only within the South African Social Security Agency (Sassa) but extending to banks, a cellular provider, and prominently, the compromised online SRD grant system’s Application Programming Interface (API).


Diving deeper, Cedras and Gosai's tests revealed alarming details. By exploiting poorly secured APIs, they could access data at an alarming rate. A specific test involving individuals born in February 2005 indicated a nearly 91% application rate for the SRD grants against those birth records, a number considerably higher than the concerning national youth unemployment rate of 60.2%.


Their investigation attracted unexpected attention when the hacking group N4aughtySec, claiming responsibility for diverting approximately R185 million through falsified grant payments, approached them. This group alleged further exploitation of vulnerabilities in major credit bureaus such as TransUnion and Experian, although these agencies have denied such breaches.


Amid these revelations, it was uncovered that non-compliance with financial and communication regulatory mandates contributed significantly to these fraud schemes. Particularly, flaws in banking verification processes (FICA) and mobile virtual network operator (MVNO) registrations (RICA) facilitated illegal activities. The banks and mobile services involved have since taken corrective measures to enforce stricter compliance and verification processes, including biometric checks.


Following the exposé, enhancements to security protocols were immediately implemented. Sassa revoked third-party access to its grant application systems, and major financial entities like TymeBank began vigorous audits of potentially compromised accounts.


The implications of these disclosures extend beyond financial losses, stirring nationwide concerns over data security and identity protection. The proactive measures taken by implicated companies and regulatory bodies reflect a concerted effort to restore public trust and fortify systems against similar exploits.


Leave a Comment

Rate this article:

Please enter email address.
Looks good!
Please enter your name.
Looks good!
Please enter a message.
Looks good!
Please check re-captcha.
Looks good!
Leave the first review