
From passwords to biometrics: How SARS is racing to reinforce its digital tax perimeter

By Vernon Pillay


A surge in unauthorised access to SARS eFiling accounts has exposed deep fissures in South Africa’s tax infrastructure.

Now, the South African Revenue Service (SARS) and the Office of the Tax Ombud (OTO) are racing to shore up defences—and regain public trust.

The crisis: 16,000 profiles compromised

A recent Sowetan exposé claims that 16,000 SARS eFiling profiles have been hijacked.

According to the report, victims have faced substantial financial exposure, including fraudulently filed returns or diverted refunds.

Yet, in their joint response, SARS and the OTO dispute parts of the narrative, especially because the article predates the release of the OTO’s draft report (scheduled for 1 October 2025).

They assert the report contains factual inaccuracies and argue that it failed to reflect the full picture of emerging policy and technical responses.

Still, the OTO acknowledges investigating the surge in complaints over the past year, particularly from individual taxpayers and practitioners.

SARS Commissioner Edward Kieswetter has affirmed that the revenue service “remains committed” to engaging publicly around the findings, even as it works behind the scenes to regain control of the institution’s digital perimeter.

What SARS is doing

To its credit, SARS has already deployed several security enhancements in response to rising cyber threats. But whether they are sufficient, and whether they are well implemented, is another question.

1. Two-factor authentication (2FA) and stricter password rules

SARS introduced more rigorous password criteria (minimum length, complexity, exclusion of personal info, avoiding sequential/repetitive characters) and a visible password strength meter.

More critically, 2FA is now enforced for all individual eFiling profiles.

The second authentication factor typically comes as a one-time pin (OTP) dispatched via SMS or email. That raises the bar over a password alone, but an OTP typed into a web form can still be relayed through a real-time phishing page, and an SMS code is only as safe as the mobile number it is sent to.
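The password criteria listed above (minimum length, character classes, no personal information, no sequential or repetitive runs) map directly onto a policy check. The following is an added illustration written for this piece, not SARS code; the thresholds (12 characters, three character classes, runs of three) and the sample profile are assumptions, since the article names the criteria but not the exact values SARS applies. It also includes the kind of crude estimate a visible strength meter is usually built on, and shows why that estimate should inform the meter but not replace the policy.

```python
import math
import re
from typing import Iterable, List, Optional

# Thresholds are assumptions for illustration; the article lists the criteria
# SARS applies but not its exact numbers.
MIN_LENGTH = 12
MIN_CLASSES = 3      # of: lowercase, uppercase, digit, symbol
MAX_RUN = 3          # "abc", "321" or "aaa" and longer are rejected


def _has_sequential_run(pw: str, run: int = MAX_RUN) -> bool:
    """True if any window of `run` chars is strictly ascending or descending
    consecutive code points (abc, xyz, 123, 987), case-insensitively."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_repeated_run(pw: str, run: int = MAX_RUN) -> bool:
    """True if the same character appears `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _personal_info_hit(pw: str, personal: Iterable[str]) -> Optional[str]:
    """Return the personal item found inside the password, or None.
    Items are matched whole; long digit strings (ID number, phone) are also
    matched on any 4-digit window so a birth year or ID fragment is caught."""
    low = pw.lower()
    for item in personal:
        item = item.lower().strip()
        if len(item) >= 3 and item in low:
            return item
        if item.isdigit() and len(item) >= 6:
            for i in range(len(item) - 3):
                if item[i:i + 4] in low:
                    return item[i:i + 4]
    return None


def check_password(pw: str, personal: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} character classes, need {MIN_CLASSES}")
    if _has_sequential_run(pw):
        problems.append("contains a sequential run (e.g. abc, 123)")
    if _has_repeated_run(pw):
        problems.append("contains a repeated run (e.g. aaa, 111)")
    hit = _personal_info_hit(pw, personal)
    if hit is not None:
        problems.append(f"contains personal information ({hit!r})")
    return problems


def estimate_bits(pw: str) -> float:
    """Crude strength-meter figure: length x log2(alphabet size). It overstates
    dictionary words and keyboard patterns, so it backs the meter, not the policy."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed sample profile; not real taxpayer data.
    profile = ["Thabo", "Mokoena", "8001015009087", "+27820000000"]
    for candidate in ["Password1", "Thabo2024!Qzk", "Xaaa!9kPmq8Lq",
                      "Summer8001!Kqp", "correct-Horse7Battery"]:
        print(candidate, check_password(candidate, profile),
              round(estimate_bits(candidate)))
```

The personal-information check is the part most policies get wrong: matching only the full ID number misses the birth-year fragment most people actually reuse, which is why the digit strings are also scanned in four-character windows.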

2. Biometric facial recognition on registration

As of November 2024, new eFiling registrations (for personal income tax) require facial recognition biometric verification.

SARS claims the system adheres to ISO/IEC 30107-3, the testing-and-reporting part of the presentation attack detection (PAD) standard, which covers resistance to spoofing with printed photos, replayed video and similar artefacts.

Registration via the SARS MobiApp or self-service kiosks also uses the same biometric checks. 

However, existing users without biometric verification aren’t always compelled to revalidate (unless they are registering anew).

3. Controlled updating of security contact details

SARS requires OTP validation when users change the email address or cellphone number stored as their security contacts, and enforces that these are kept up to date.

This measure helps ensure that account recovery or secondary confirmation flows still go to a valid address/number.
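The value of an OTP on a contact-detail change depends on details the article does not spell out: which address the code goes to, how long it lives, and whether it can be retried or replayed. The sketch below is an added example for this piece, not SARS's implementation; it assumes the code is delivered to the contact currently on file rather than the proposed new one, a five-minute lifetime, three attempts, and single use. The server key and the outbox gateway are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OTP_TTL_SECONDS = 300      # assumed: a 5-minute code
MAX_ATTEMPTS = 3           # assumed: three wrong guesses void the code
# Constructed server-side secret; in production this lives in a KMS/HSM.
SERVER_KEY = b"constructed-demo-key-do-not-use"

# Stand-in for the SMS/email gateway: (destination, otp) pairs.
OUTBOX: List[Tuple[str, str]] = []


@dataclass
class PendingChange:
    new_value: str
    otp_hash: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    email: str
    cell: str
    pending: Dict[str, PendingChange] = field(default_factory=dict)


def _otp_hash(account_id: str, field_name: str, new_value: str, otp: str) -> bytes:
    # Bind the code to the account, the field and the proposed value, so a code
    # issued for one change cannot be replayed to confirm a different one.
    msg = f"{account_id}|{field_name}|{new_value}|{otp}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def request_change(accounts: Dict[str, Account], account_id: str,
                   field_name: str, new_value: str,
                   now: Optional[float] = None) -> str:
    """Start a security-contact change. Returns the address the OTP went to."""
    if field_name not in ("email", "cell"):
        raise ValueError("only security contacts can be changed here")
    now = time.time() if now is None else now
    acct = accounts[account_id]
    otp = f"{secrets.randbelow(10**6):06d}"
    acct.pending[field_name] = PendingChange(
        new_value, _otp_hash(account_id, field_name, new_value, otp),
        now + OTP_TTL_SECONDS)
    # Deliver to the contact currently on file, never to the proposed new one:
    # whoever controls the existing address is the one who must consent.
    destination = getattr(acct, field_name)
    OUTBOX.append((destination, otp))
    return destination


def confirm_change(accounts: Dict[str, Account], account_id: str,
                   field_name: str, submitted_otp: str,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Apply the pending change if the submitted code is valid."""
    now = time.time() if now is None else now
    acct = accounts[account_id]
    pending = acct.pending.get(field_name)
    if pending is None:
        return False, "no pending change"
    if now > pending.expires_at:
        del acct.pending[field_name]
        return False, "expired"
    given = _otp_hash(account_id, field_name, pending.new_value, submitted_otp)
    if not hmac.compare_digest(given, pending.otp_hash):
        pending.attempts += 1
        if pending.attempts >= MAX_ATTEMPTS:
            del acct.pending[field_name]
            return False, "too many attempts"
        return False, "wrong code"
    setattr(acct, field_name, pending.new_value)
    del acct.pending[field_name]          # single use
    return True, "updated"


if __name__ == "__main__":
    # Constructed account; not real taxpayer data.
    accounts = {"tp1": Account(email="old@example.com", cell="+27820000000")}
    sent_to = request_change(accounts, "tp1", "email", "new@example.net")
    print("code sent to", sent_to)
    print(confirm_change(accounts, "tp1", "email", OUTBOX[-1][1]))
    print("email now", accounts["tp1"].email)
```

Sending the code to the existing contact is the security-relevant choice: if it went to the new address, an attacker who already holds a session could simply point both at themselves. The HMAC binding and the attempt counter close the remaining gaps, replay of an old code and online guessing of a six-digit space.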

4. Moving toward passwordless / push-based login

SARS documentation suggested ongoing plans for passwordless authentication (for example, login via push notifications to a registered mobile device) in addition to traditional 2FA methods.

If successfully rolled out, this could reduce risks associated with credential theft or phishing.

5. Public messaging, warnings, and user vigilance

SARS has published media releases reminding taxpayers to guard against phishing, never click unverified links, and immediately flag any irregularities via official channels.

The agency also emphasises that its digital platforms “conform to internationally recognised standards.”

Gaps, risks, and unanswered questions

Even with those measures in place, several potential blind spots remain:

The first issue is legacy accounts and vetting. It is unclear whether all existing eFiling users have been retroactively enrolled in the enhanced protocols, especially biometric or push-based methods, or whether older profiles still rest on a password and an SMS or email OTP.

The second is execution and monitoring. Rolling out facial recognition at scale is nontrivial; how robust is SARS’s monitoring for fraudulent attempts (spoofed images, deepfakes), and is that monitoring measured against the same presentation attack detection standard the system claims to meet?

The third is incident response and forensics. There is limited public detail about how SARS will track, audit, or remediate cases where a breach is confirmed.

Why this matters

Tax revenue systems like SARS are prime targets for cyber adversaries. The allure is strong: the potential to reroute refunds, file bogus returns, or manipulate taxpayer records. When integrity is compromised, the fallout is not just financial; it is institutional credibility.

In that sense, SARS is not battling a narrow IT problem; it’s defending a pillar of public trust and governance.

FAST COMPANY