How the SRD grant system has been defrauded
Poor systems enabled it
- We have previously reported that the Social Relief of Distress (SRD) grant system is being defrauded.
- Here we explain how weak computer systems at the South African Social Security Agency (SASSA), Shoprite and TymeBank allowed large numbers of fraudulent grant applications to be made.
- Shoprite and TymeBank have taken measures to reduce the risk of fraud. SASSA says it has also taken steps to reduce fraud. Their responses are at the bottom of this article. But concerns remain.
The SRD grant was introduced during the Covid pandemic to assist people in dire need. About nine-million of these R370 grants are paid out monthly now. It is potentially the basis for a universal basic income grant.
Activist Israel Nkuna has for years been warning of fraudulent applications for the SRD grant, and that these fraudulent applications have been squeezing out legitimate applicants by using their ID numbers without permission. GroundUp too has reported this problem. Then in October we published an article by Stellenbosch University students who discovered a massive number of fraudulent applications for the SRD grant, and evidence that at least some of these fraudulent applications were succeeding.
Since then it has become clearer to us how the SRD grant system has been defrauded at scale. It involves six steps.
- First, obtain ID numbers and their associated names from one of the various large leaks of South African data.
- Second, open improperly verified accounts with Shoprite or TymeBank, or possibly some other banks as well. This could be done on a laptop or phone without leaving one’s home. Shoprite and TymeBank have in recent months tightened up their bank account application processes, so fraudsters can no longer continue to do this.
- Third, obtain improperly verified SIM cards. This is easily done by simply going to a local dodgy cellphone shop. But until recently it could even be done entirely online by registering free electronic SIM cards through me&you mobile. This too has since been stopped.
- Fourth, use the ID number, telephone number and bank account obtained in the first three steps to apply for an SRD grant.
- Fifth, wait for the grant to be paid into the account opened in step two. As far as we can tell, every month SASSA sends the ID numbers of applicants to the banks, SARS and NSFAS to check whether applicants pass the means test. If the applicant isn’t paying income tax, doesn’t receive money from NSFAS and has income into their bank account of less than R625 per month, the grant is paid.
- Sixth, launder the SRD money by transferring it out of the bank account. There are various ways to do this, which we do not describe here.
Doing the above for one SRD grant is not worth the effort. But a determined fraudster or group of fraudsters could make dozens or even hundreds of applications a day. At one point it was possible to carry out the entire process described above using only a laptop. It would also be possible to write a computer program to automate the process, but such sophistication would be unnecessary: going to a shop to buy SIM cards and manually making lots of applications would be very profitable.
As far as we can tell it is no longer possible, or at least no longer easy, to make new fraudulent applications. But it’s likely that many fraudulent applications made for years after the grant was introduced are still passing the monthly means test and receiving SRD grants.
SASSA needs to act
SASSA, together with companies that have received large numbers of SRD grants like TymeBank and Shoprite, can take at least these steps to prevent this fraud:
- Insist banks only accept SRD grants for biometrically verified people who have been validated with a fingerprint or facial scan.
- Remove third-party access to the SASSA grant application system, except to authorised institutions that have a legitimate need to access the system. (SASSA says it has now done so.)
- Limit the number of requests a single computer device can make to the SASSA website so that programs making tens, hundreds or thousands of requests to it per second fail. (SASSA says it has now done so.)
- Audit all current SRD grant applications to identify the scale of the fraud, remove fraudulent applications — identifying these might be difficult — and insist that suspicious applications undergo verification. (SASSA says an audit “would not assist”. But TymeBank says it is “conducting an analysis of transacting behaviour on accounts opened prior to August 2024 that receive grant payments to identify those that are non-legitimate grant beneficiaries”.)
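The request-limit recommendation above, sketched as an added example (not GroundUp's or SASSA's code). It goes one step beyond the recommendation by also capping how many distinct ID numbers one client may submit per day, since manual bulk applying never reaches a per-second limit; the client key, thresholds and sample events are assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds, not from the article; tune against real traffic.
BURST_WINDOW_S, MAX_REQS_PER_WINDOW = 1.0, 5   # per-client burst limit
DAY_S, MAX_IDS_PER_DAY = 86400.0, 3            # distinct ID numbers per client per day


class ApplicationThrottle:
    """Per-client limiter: sliding burst window plus a daily cap on distinct IDs."""

    def __init__(self):
        self._hits = defaultdict(deque)  # client -> timestamps of recent requests
        self._ids = defaultdict(dict)    # client -> {id_number: last time seen}

    def check(self, client, id_number, now):
        """Return 'allow', 'rate_limited' or 'too_many_ids' for one request."""
        hits = self._hits[client]
        while hits and now - hits[0] >= BURST_WINDOW_S:
            hits.popleft()               # drop requests outside the burst window
        if len(hits) >= MAX_REQS_PER_WINDOW:
            return "rate_limited"        # scripted burst
        hits.append(now)

        seen = self._ids[client]
        for old in [i for i, t in seen.items() if now - t >= DAY_S]:
            del seen[old]                # forget IDs last used over a day ago
        if id_number not in seen and len(seen) >= MAX_IDS_PER_DAY:
            return "too_many_ids"        # slow, manual bulk applying
        seen[id_number] = now
        return "allow"


def replay(events):
    """Run (client, id_number, timestamp) events through a fresh throttle."""
    throttle = ApplicationThrottle()
    return [throttle.check(c, i, t) for c, i, t in events]


# Constructed sample traffic; client keys and ID values are placeholders.
SAMPLE = (
    [("dev-A", "ID-0001", 0.0), ("dev-A", "ID-0001", 30.0)]  # ordinary applicant
    + [("dev-B", f"ID-{n:04d}", 100.0 + n * 0.01) for n in range(8)]  # 8 in 0.08 s
    + [("dev-C", f"ID-{n:04d}", 200.0 + n * 600.0) for n in range(5)]  # 1 per 10 min
)

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, verdict)
```

How a "device" is keyed (IP address, session, device fingerprint) is left open here, and shared devices such as public kiosks would need their own key or a higher daily cap.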
While we do not have enough information to quantify it, we suspect the scale of SRD fraud is very large. Not only does this bleed money from the social grant system, every fraudulent application using someone else’s ID potentially denies a legitimate SRD grant recipient the possibility of getting the grant because their ID number is being used by someone else. At best, someone who is a victim of ID fraud has to navigate their way through a horrible bureaucratic process to undo the fraudulent application.
Response by SASSA
SASSA is aware of fraud risk within the social grants space and works closely with various stakeholders within the financial sector as well as law enforcement to mitigate this risk and apprehend those responsible for this criminal activity.
With regards to the banks mentioned, SASSA works with all banks that are willing to cooperate with us, however it would not be appropriate for us to comment on fraud within an individual bank’s environment.
Should you have any additional information regarding fraud, we would encourage you to either share this data with our Fraud department, or directly with SAPS. Details of opened cases can be provided to you should you wish to go directly to SAPS.
Response specific to recommendations proposed by GroundUp
(GroundUp’s recommendations are in italics.)
*Insist banks only accept SRD grants to biometrically verified people who have been validated with a fingerprint or facial scan.*
SASSA unfortunately can’t manage a bank’s operations, or direct how they choose to engage with their clients. However, we do factor in a bank’s risk profile into our fraud risk mitigation measures.
*Remove third-party access to the SASSA grant application system, except to authorised institutions that have a legitimate need to access the system.*
SASSA implements strict firewall and access policies for any third party or authorised institutions with which it interfaces for the purposes of data sharing or access to its environment and databases.
*Limit the number of requests a single computer device can make to the SASSA website so that programs making tens, hundreds or thousands of requests to it per second fail.*
SASSA has implemented Content Security Policy (CSP) as an added layer of security that helps to detect and mitigate certain types of attacks and data injection attacks. This provides controls that allow only approved sources of content that browsers should be allowed to load on the page as well as blocking unauthorised requests, including:
- High-frequency requests that exceed normal user behavior.
- Requests with invalid or partial data (e.g., incorrect combinations of ID numbers and phone numbers).
- Requests from suspicious or known malicious IP addresses.
*Audit all current SRD grant applications to identify the scale of the fraud, remove fraudulent applications — identifying these might be difficult — and insist that suspicious applications undergo verification.*
An audit would not assist in identifying fraudulent applications if the fraud in case is identity theft, as all records of the applicant would match that of the alleged victim. The process that SASSA currently follows is to flag any suspected fraudulent application, and then require biometric confirmation if the applicant is the real person. The biometric identification does however pose a challenge to many applicants (which is the main reason we are not using it for all applicants). Thus, at this stage it’s too early to report on whether those applications that are suspected of fraud and not responded to, are genuine fraud cases, or if they are merely access challenges. The process has already commenced as reported on numerous occasions, which GroundUp has also published articles on.
Unfortunately, fraud has a negative impact on victims, and as such additional verification steps are required. SASSA has also reprioritised significant resources to be able to equip its local offices with self help kiosks by the new financial year. This will enable us to assist applicants who do not have access to the necessary technology.
Response by Shoprite
Fraudulent SRD grant applications are no longer possible via a Money Market Account. All new accounts are now biometrically onboarded.
To safeguard our customers’ money, all suspicious transactions are reported, and accounts are immediately blocked. An account can only be unblocked pending the successful submission of additional verification documents.
SASSA has removed third-party access to the grant application system. We would welcome any additional safety measures and checks implemented by SASSA to further combat any fraudulent activities pertaining to SRD grants.
Response by TymeBank
From August 2024, TymeBank no longer allows SASSA grant recipients to receive grant payments into non-biometrically verified TymeBank accounts. If they would like to use their TymeBank Account to receive a grant, they must upgrade their account and complete the biometric verification process and KYC (Know Your Client).
Over the past few months, we’ve been reaching out to account holders who still have non-biometric accounts to get them to upgrade their accounts biometrically. At the same time, we are conducting an analysis of transacting behaviour on accounts opened prior to August 2024 that receive grant payments to identify those that are non-legitimate grant beneficiaries. This project is expected to be completed shortly. By the end of January 2025, those accounts that are non-biometrically verified will be suspended, pending successful biometric verification.
We continue to work closely with SASSA to combat fraud within the social grant system.
© 2024 GroundUp. This article is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.