2025-12-06, Track 3
Learn how a 19-year-old 1st-year Stellenbosch University student discovered a major fraud issue in the SASSA SRD R370 Grant System from a simple API vulnerability.
In October 2024, I discovered that my personal identity had been stolen. Someone had used my ID number to open a bank account and began collecting a R370 grant from the South African Social Security Agency (SASSA) under the Social Relief of Distress (SRD) Grant. What initially seemed like an isolated case resulted in finding a larger issue. After looking deeper, an API vulnerability revealed that this was not an isolated issue and hinted that this could be an issue affecting thousands, if not millions, of South Africans. This investigation made national headlines and ended up with me and my friend presenting our findings to the Parliament of South Africa.
What you’ll learn in this talk
1. Understanding the SRD Grant & Its Context
- What the SRD Grant is, who it supports, and why it has become one of the most financially significant welfare programmes in South Africa.
- Context on the birth-rate and application-rate data, especially around the unusually high numbers in the 2001–2006 age group.
2. The API Vulnerability & Mathematical Modeling Behind the Finding
(I promise it's not difficult to understand and pretty cool)
- Understanding the South African ID Number (YYMMDDXXXX08C) as a vector in the IT Industry
- How my own identity theft led me to explore how the SRD system works.
- What an API with no authentication revealed when compared to StatsSA Data
3. Two South African Banks With KYC Issues
- A grant has to be paid out to the recipient's bank account (Grant registered on ID Number X → Can only be paid out to ID Number X)
- Fraud chain: Stolen Data + SIM Card → fraudulent bank account → SRD application → payout extraction
4. Applicational Fraud Vectors & KYC Limitations
- How is our data stored as a country? Where are scammers able to get enough data to open both a Grant and a Bank Account?
- Why it is not possible for fraud to be zero
- Why facial recognition is not fully viable in South Africa (Context & Technological Limitations)
- Demo Example of Selfie Verification using Department of Home Affairs ID Photos
5. Outcomes, Government Response & What Still Needs to Happen
- After presenting these findings to Parliament, and the investigations that followed
- What is happening in the world of fraud and cyber today
I look forward to sharing both the technical mechanics and the human story behind this investigation :)
Veer Gosai (20) is a Stellenbosch University 2nd-year BSc Geoinformatics (Computer Science) student. I've been fortunate enough to work as a Cybersecurity Analyst Intern at both Capitec Bank and Purple Group (EasyEquities). In 2024, I made the massive discovery of fraud in the SASSA SRD Grant System alongside a friend. After many interviews, we eventually made our way to present our findings to the Parliament of South Africa.
