JOHANNESBURG - Two unofficial websites have been found to be fraudulently representing the South African Social Security Agency.
The sites mimic the official Sassa platform and harvest personal information from unsuspecting beneficiaries.
This ultimately leads to identity theft.
Sassa has been advised to have the bogus sites shut down.
This was revealed on Wednesday when the agency and the Social Development Department briefed Parliament on the ongoing investigations into the Social Relief of Distress (SRD) system.
The probes were instituted after two first-year Computer Science students from Stellenbosch University, Joel Cedras and Veer Gosai, uncovered serious flaws in the SRD grant system.
When their applications for grants were rejected, they found their IDs had already been used without their knowledge.
According to cybersecurity specialist Stanly Machote, the first vulnerability that investigations identified was the malicious websites.
Machote said the case of Cedras and Gosai showed identity theft is linked to the fraudulent websites.
Other vulnerabilities identified include weak authentication mechanisms, server misconfiguration, inadequate data encryption and missing security headers.
Machote said these weak points give attackers opportunities to exploit the system.
“Despite being classified as medium risk, there are significant threats that could lead to unauthorised access, data breaches, service disruptions or reputational damage if vulnerabilities are exploited.
“As a result, key areas of concern include a lack of encryption, unprotected data, and a weak authentication policy.
“Medium threat levels indicate that the likelihood of an attack is moderate but the consequences of a successful exploit could still be impactful, especially data exposure or manipulation.”
Aside from shutting down unofficial sites and further investigating the masterminds behind these sites, Machote said Sassa must enhance login security, implement strict access controls and insider threat mitigation, and enhance mobile money and cash send verification.
At the same time, multiple applicants per cellphone number should be limited to reduce fraud and identity manipulation.
By Zandile Khumalo