Beware of fake Covid-19 SRD application sites, as these sites are being used to steal information for fraud.
The Department of Social Development and its entity, the South African Social Security Agency (SASSA), have found that unidentified, malicious websites with .org and .co.za domain names that purport to be the authentic Covid-19 Social Relief of Distress (SRD) grant application websites are being used to harvest applicants’ information for fraud purposes.
The Department has warned the public of fake sites and links for applications for the Covid-19 SRD grants. The correct and authentic application platform for all applications for the SRD grants is https://SRD.sassa.gov.za. The following links, https://srd-sassa.org.za and https://srdsassagov.co.za, are fake and are used to collect data from unsuspecting applicants, stealing personal information from applicants of the grant of R370.
This was revealed in parliament last Wednesday, February 26, when the Portfolio Committee on Social Development received an update on the investigation into alleged weaknesses. They also found fraud in the application and payment system of social grants.
The Minister of Social Development, Sisisi Tolashe, instituted an investigation into vulnerabilities of the applications and systems used by SASSA for the payment of social grants. The Portfolio Committee on Social Development had recommended an investigation into alleged vulnerabilities after two students from the University of Stellenbosch made claims of fraud in the SRD application system.
“Phase 1 of the investigation consisted of a comprehensive audit into the SRD application system administered by SASSA to determine the extent to which the system was exposed to fraud,” the Department of Social Development said in a statement. “The findings of this audit will serve as input as a basis for Phase 2, which will be an investigation into alleged fraud and weaknesses in the broader social grant system that results in ineligible beneficiaries receiving social grants.”
The Final Report on the Vulnerability Assessment (VA) and Penetration Testing (PT) on the SRD online system administered by SASSA made the following findings, among others:
- That there are unidentified, malicious websites with .org and .co.za domain names that purport to be the authentic SRD application websites and that are used to harvest applicants’ information for fraud purposes.
- That the SRD web application has weaknesses, such as unencrypted communications, that present threats to the security of the platform and the safety of users. These weaknesses are classified as medium risk by the Final Audit Report.
The Final Audit recommends a communication campaign warning beneficiaries and applicants about the unofficial and fake sites that are used to harvest their information for fraudulent purposes.
The department said SASSA has developed an action plan to respond to the recommendations of the Final Audit Report. It has the following activities:
- It has replaced the HTTPS: method with a POST method to protect communications between the applicant and the server that processes their information.
- To implement a rate limit to limit the abnormal number of requests made to the SRD application system,
- Update outdated software, and
- Implement regular patch updates and introduce biometrics.
In the long term, and within 18 months, SASSA will take down the fake websites and other content that violates its brand, copyright or right to information and privacy. Minister Tolashe has assured the committee of her commitment to addressing the vulnerabilities and weaknesses identified in the system.