Posted by Nat Quinn (Keymaster)

Security report released after hackers break into major South African financial system

Written by Jan Vermeulen

    Cybersecurity specialist Stanly Machote and auditing firm Masegare & Associates have presented the findings of their investigation into massive fraud in South Africa’s welfare system to Parliament.

    This comes after two independent security researchers, Joel Cedras and Veer Gosai, uncovered that fraudsters had stolen people’s identities and registered for the Social Relief of Distress (SRD) grant in their names.

    Cedras and Gosai were first-year computer science students at Stellenbosch when they discovered, investigated, and reported the issue last year.

    Soon after publishing their first report about the security flaws, hacking group N4aughtySec said they stole $10 million (R175 million at the time) from taxpayers through SRD grant fraud.

    N4aughtySec further alleged that it had gained privileged access to South Africa’s entire financial system through weaknesses in the credit bureaus.

    The SRD grant is a lockdown-era welfare mechanism administered by the South African Social Security Agency (Sassa) that pays R370 per month to citizens and refugees who have no other source of financial support.

    Although the SRD grant’s stated purpose was to provide money for people in distress during the Covid-19 lockdown from 2020 to 2022, it has since become a de facto basic income grant.

    During their initial investigation, Cedras and Gosai found evidence of many thousands of fraudulent SRD grants registered in Sassa’s system.

    After digging further, they found that the fraud relied on flawed systems at a mobile virtual network operator and certain banks to obtain the cellphone numbers and bank accounts needed to register for and receive the grants.

    Specifically, they found that fraudsters were using phone numbers issued by Me&you Mobile and bank accounts from TymeBank and Shoprite.

    Upon investigating Me&you Mobile’s system, Cedras and Gosai found that the operator offered a simple online system through which anyone could register and obtain an eSIM within minutes.

    It did not appear as though Me&you Mobile validated any personal know-your-customer data uploaded for RICA compliance, as the two students provided garbage documents that were never challenged.

    Following their report, Me&you Mobile disabled its online eSIM ordering system.

    Similarly, TymeBank and Shoprite changed their systems after the fraud came to light so that SRD grants could only be paid into biometrically verified accounts.

    Sassa vulnerabilities confirmed

    Stanly Machote addresses the Parliamentary Portfolio Committee on Social Development

    In response to the allegations of this fraud, the Department of Social Development appointed Masegare & Associates to conduct a thorough review of the SRD grant system.

    According to the department, the investigation focused on identifying and mitigating potential vulnerabilities, ensuring the security of beneficiary data, and safeguarding public resources.

    Speaking to the Parliamentary Portfolio Committee on Social Development, Machote said the final report highlighted significant vulnerabilities and weaknesses within the SRD grant systems.

    Curiously, despite overwhelming evidence that the system had already been exploited, their assessment classified the vulnerabilities as a medium threat level, indicating a moderate risk of exploitation.

    Machote presented a host of issues that their system assessment revealed, including vulnerabilities related to authentication, server misconfiguration, data encryption, and missing security headers.

    The vulnerabilities and other problems identified are summarised below.

    1. API vulnerabilities — There was no rate limiting. The API allowed an unlimited number of queries, which was exploited to check the application status of thousands of ID numbers without restriction.

    2. Data exposure — The API exposed sensitive details, such as whether a person applied for an SRD Grant or not.

    3. Anomalous application rates — Unusually high application rates were identified for individuals born in certain years, suggesting possible fraud or identity misuse.

    4. Potential payments to non-beneficiaries — SRD grants appeared linked to applications with ID numbers of people who never applied, raising concerns about unauthorised applications and potential misallocation of funds.

    5. Unofficial websites — Unofficial websites are actively harvesting personal information from unsuspecting Sassa beneficiaries. The presence of these sites poses significant risks, including phishing, credential harvesting, financial losses for beneficiaries and Sassa, misleading information, and legal and compliance risks.

    6. Multiple applications per cell phone number — Allowing multiple applications with the same number increases the chances of impersonation and fraudulent claims.

    7. OTP-based authentication risks — OTP reliance makes the system vulnerable to SIM swap fraud.

8. Limited use of biometrics — Only using biometrics in suspected fraud cases allows low-profile fraudulent claims to go undetected.

    9. Cellphone ownership validation — The system may not detect cases of shared or reassigned cell phone numbers, leading to disputes or misuse.

    10. Lack of clear encryption protocols — A lack of clear encryption protocols for sensitive data increases the risk of data breaches.

11. SRD portal security — The SRD Portal security is vulnerable to automated attacks where hackers can repeatedly guess passwords or login patterns, which can lead to unauthorised access to user data and administrative controls.

    12. Server configuration risks — Misconfigurations in the server allow unauthorised access to internal systems, which could expose critical data and make the system a target for malicious activities.

    13. Weak content security policies — The system does not properly restrict untrusted scripts from running, making it susceptible to harmful code execution.

    14. Directory enumeration risks — Certain directories on the server are accessible to an attacker by way of brute force attacks, increasing the risk of exposing sensitive files such as system configurations or database credentials.

    15. Missing security headers — Important security controls that protect users’ information during web browsing are not implemented, increasing the likelihood of data leakage and misuse.

    16. Weak encryption standards — The website’s encryption configuration does not meet the highest security standards, leaving communications vulnerable to interception or manipulation.

17. Unencrypted communications — Communications between the website and its users are not adequately encrypted, exposing sensitive data to potential interception.

    South African taxpayers getting robbed

    Veer Gosai and Joel Cedras presenting to the Parliamentary Portfolio Committee on Social Development, 23 October 2024

    Sadly, the Department of Social Development’s officially sanctioned investigation into Sassa’s security problems did not reveal much that Cedras and Gosai had not already disclosed.

    It’s also worth noting that Cedras and Gosai were not compensated for their work. However, the report cost around R280,000 — money the two students would no doubt have appreciated and could have put towards their education.

    Crucial details remain unaddressed, such as the number of fraudulent applications in the system and whether there was truth to N4aughtySec’s claims that they had stolen R175 million.

    Even more importantly, it is unclear how vulnerable the system still is and whether fraudulent claims are still being paid out.

    Acting Sassa CEO Themba Matlou assured MPs that the system was secure and that further steps were being taken to address the vulnerabilities identified.

    “The system is secure. We’ve reconfigured the server after receiving the report, but obviously, there’s still work to be done,” he said.


Source: Security report released after hackers break into major South African financial system – MyBroadband
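Items 1, 2 and 11 of the assessment describe the same weakness from two sides: a status-lookup API that accepts unlimited queries, and an attacker who sweeps ID numbers through it. The block below is an added example written for this page; it is not code from Sassa, from the auditors or from the article. It shows the two controls a practitioner would reach for first: a per-client sliding-window rate limiter on the lookup endpoint, and a detector that replays access-log lines and flags any client that queries an unusually large number of distinct ID numbers inside one window. The endpoint path `/api/status?id=`, the log-line format, the limits and the log lines themselves are all constructed assumptions for illustration; the only real-world detail used is that South African 13-digit ID numbers carry a Luhn check digit, which is why a scanner can skip invalid candidates and why rate limiting matters even more.

```python
"""Added example (not from the article, Sassa or the auditors): a sliding-window
rate limiter for an ID-number status API, plus a log-replay detector that flags
ID enumeration. Endpoint path, log format, thresholds and sample lines are
constructed assumptions for illustration."""
from collections import defaultdict, deque
import re
import time


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)  # client -> timestamps of recent requests

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[client]
        while q and now - q[0] >= self.window_s:  # expire hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Assumed log format: "<unix_ts> <client_ip> GET /api/status?id=<13 digits> <http_code>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) GET /api/status\?id=(?P<idnum>\d{13}) (?P<code>\d{3})$"
)


def sa_id_luhn_ok(idnum):
    """South African ID numbers are 13 digits ending in a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(idnum)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_enumerators(log_lines, window_s=60, max_distinct_ids=20):
    """Return {client: distinct_ids_in_worst_window} for clients that look up
    more than `max_distinct_ids` different ID numbers within `window_s` seconds."""
    per_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            per_client[m["client"]].append((int(m["ts"]), m["idnum"]))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        counts = defaultdict(int)  # idnum -> occurrences inside the current window
        start, worst = 0, 0
        for ts, idnum in events:
            counts[idnum] += 1
            while ts - events[start][0] >= window_s:  # slide the window forward
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            worst = max(worst, len(counts))
        if worst > max_distinct_ids:
            flagged[client] = worst
    return flagged


def simulate_limiter(log_lines, limit=5, window_s=60):
    """Replay the log (in timestamp order) through the limiter; returns
    {client: number_of_requests_that_would_have_been_rejected}."""
    lim = SlidingWindowLimiter(limit, window_s)
    blocked = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and not lim.allow(m["client"], now=int(m["ts"])):
            blocked[m["client"]] += 1
    return dict(blocked)


def sample_log():
    """Constructed log: one person checking their own status twice, then a
    scanner at 198.51.100.7 sweeping 30 Luhn-valid ID numbers one second apart."""
    lines = [
        "1000 10.0.0.5 GET /api/status?id=9001015800088 200",
        "1030 10.0.0.5 GET /api/status?id=9001015800088 200",
    ]
    candidate, ts, found = 9001015800000, 2000, 0
    while found < 30:
        candidate += 1
        idstr = str(candidate)
        if sa_id_luhn_ok(idstr):  # a smart scanner only spends requests on valid IDs
            lines.append(f"{ts} 198.51.100.7 GET /api/status?id={idstr} 200")
            ts += 1
            found += 1
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("enumeration suspects:", find_enumerators(log))
    print("requests the limiter would reject:", simulate_limiter(log))
```

Run stand-alone it reports the scanner as the only enumeration suspect (30 distinct IDs in one window) and shows that a 5-per-minute limit would have rejected 25 of its 30 lookups while leaving the ordinary user untouched. Rate limiting alone is not sufficient, since a fraud operation can spread queries across many addresses and SIMs; the detector's per-client distinct-ID count is the signal to keep, and in production it would be keyed on the authenticated session or OTP-bound phone number rather than the source IP.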
