Probe finds grant-card fraud at SA Post Office
A forensic investigation of a multimillion-rand fraud involving a welfare grant payment card has found that security features of the SA Post Office (Sapo) payment system have been irretrievably compromised.
Foregenix Compliance and Risk Services was appointed to investigate the fraud at Sapo’s Postbank by the Payments Association of SA, the payment system management body recognised by the SA Reserve Bank, after an internal Post Office probe revealed that 250 pre-issued SA Social Security Agency (Sassa) cards had been tampered with to enable unlimited offline contactless transactions.
The report raises doubts about Sapo’s ability to safely manage the payments of grants to 10-million of SA’s most vulnerable people, after finding that the fraud committed appeared to have been “perpetrated fairly simply due to a lack of mitigating controls within the Postbank environment”.
“These failures have arisen from a distinct lack of ownership and responsibility for information security best practice within the organisation. This represents a complete failure of good governance and best practice surrounding information security within Postbank,” Foregenix Compliance and Risk Services stated in that report, which Postbank and Sapo have rubbished as “sensationalist”.
The report will come as a blow to the Post Office, which signed a contract with Sassa for the payment of social grants at the end of 2018, after the Constitutional Court ruled that a previous Sassa contract with a firm called CPS was invalid.
The communications and digital technologies department, which provides regulatory oversight over Sapo, is fully behind efforts by Sapo and Postbank to eliminate fraud, spokesperson Nthabeleng Mokitimi-Dlamini said, adding that “officials who held key positions and [were] linked to the payment system at Postbank are on suspension pending finalisation of the investigation”.
The Foregenix report further found that Postbank must be considered “physically compromised”, as a result of certain cryptographic keys needed to ensure the security of Sassa card transactions having been exposed and compromised within months of the Post Office taking on the task of grant payment administration.
“Thus, in Foregenix’s opinion, Postbank is not currently capable of owning these tasks, unless a new experienced executive is appointed and made responsible for card processing, of which security key management is a critical and foundational aspect underpinning the entire operation,” Foregenix’s investigators said in the report.
Investigations have revealed that 10,000 such transactions had been authorised in January 2019 alone, as a result of the amounts involved being under payment limits.
It is apparent from the Foregenix report, and statements by the Post Office itself, that this fraud is ongoing.
According to a statement issued by Sapo just over two weeks ago: “Postbank, in collaboration with the Reserve Bank and the industry, are continuing investigations into the matter” while “developing solutions” to eliminate the wrongdoing.