Cape Town - Two first-year Stellenbosch University (SU) computer science students appeared before the Portfolio Committee on Social Development to elaborate on how they discovered weaknesses in the SA Social Security Agency’s (Sassa) social grants system and alleged rampant fraud related to the Social Relief of Distress (SRD) grant application process.
The students, Veer Gosai and Joel Cedras, found that their ID numbers were used to apply for the SRD grant, which led to a broader investigation into the fraudulent use of student IDs to access the grants meant for the most destitute in the country.
The students briefed the committee on their testing of the system and how they came about their findings with the Department of Social Development, of which Sassa is an entity, in the National Assembly, yesterday.
During her opening remarks, Social Development Minister Sisisi Tolashe said the SRD grant makes up R35 billion, and covers an average of eight million adults each month.
“We are conscious of the fact that our significant budget makes us a very attractive target for fraudsters, some of whom have made a career out of trying to steal this money by forming very sophisticated syndicates of cybercriminals to target this large budget.
“Of course, Sassa is fully aware of this risk, so they have put strong systems in place to detect and prevent fraud, and also investigate and prosecute any cases that are found to have managed to defraud the system.”
She said while the allegations by the students were concerning, these were still only allegations at this stage since the students had not provided the department or Sassa with any reports or evidence to support the allegations.
Cedras said that in February this year, he tried to apply for the SRD grant but found that an application already existed.
About three weeks ago, he spoke to Gosai about this and found that he too had an application for the SRD grant which he did not apply for.
The pair then decided to conduct a campus survey asking participants to enter their ID numbers to check whether or not they had an SRD application active.
“If an application was found, we then asked whether or not they created that application themselves,” Cedras said.
“We generated ID numbers using the ID algorithm and fed these into the SRD system.
“This system tells you whether or not an ID has an application or not and these results were then aggregated and from here we drew conclusions.
“We also compared these numbers with various relevant figures such as Stats SA birth data and unemployment figures.
“We ended up identifying three complications in this process.”
The three issues identified were that there was no form of authentication on Sassa’s SRD portal; they suspected fraudulent applications; and that it was too easy to apply for the SRD grant, thus easily enabling fraudsters to apply for the grant.
He said throughout the process, legal methods were used to gather their findings, which included the public Sassa SRD portal.
“As part of our on-campus informal survey, we asked 60 people that we know to verbally participate in our survey. What they did was, they entered their ID numbers into the portal and checked whether or not they had an application.
“Of the 60 people, 58 of them had active applications and of those 58, 56 of them did not make the applications themselves.”
Gosai said wider tests were then done, testing all 280 000 possible ID numbers of people born in February 2005.
“The data and results we got from this, was that we received positive impact from the public Sassa system, that there were 74 931 active applications for people born in February 2005.
“From Stats SA, we were told that there were 82 097 born for that year. That correlated to an application rate of just over 91%,” Gosai said.
Another mass scale test was then conducted testing the first possible 1000 ID numbers for people born from the 1960s to 2006.
“What we found from this was, there was an average application rate of about 52%, but when we look at the data from 1960–2001, there was a 50% application rate versus the application rate for people born from 2002–2006 was 90%.
“This is relevant because people born from 2002–2006 turned 18 when the system was implemented and are the most vulnerably targeted people that we think were being targeted in this system.”
In his case, the active Sassa application linked his ID number to a bank account he did not open.
“And from this, I was paid two Sassa grants to my personal ID number that was stolen by the scammers and fraudulently transferred to their bank accounts.”
In Cedras’s case, he turned 18 in December and in the first week of January this year, a bank account was made in his name and a Sassa application with his ID was created.
shakirah.thebus@in.co.za