When the Singapore Personal Access (SingPass) was launched in March 2003, it was viewed as a novel idea which gave Singaporeans the convenience to access personal data and information all under one roof. For the first time, residents could handle transactions with about 370 e-services provided by various government agencies.
The response was huge and within 3 years, the number of transactions jumped three-fold from 4.5 million in 2003 to 18.9 million in 2006. To cater to the rise in demand, the website upgraded its services in 2007 and beefed up its security by requiring users to first answer questions about themselves correctly, before receiving a code on their pre-registered mobile phones and another code on the online screen during password reset.
Five years later in 2012, SingPass introduced not one but 3 security improvements. Among the changes, users will be required to change their passwords to comply with its new guidelines: alphanumeric text of 8-24 characters. Registered users will also need to enter a randomly generated security code after any failed login attempts.
With all the necessary security steps in place, anyone would be confident of the virtual fortress erected by SingPass. Nonetheless, just a day ago, the Infocomm Development Authority of Singapore (IDA) announced that over 1,560 SingPass users – less than 1% of the total 3.3 million users – may have had their accounts breached. Out of this figure, 419 have had their passwords changed illegally.
So the question now is: What went wrong?
There’s seriously something fishy going on here. It is not easy to have your account password reset without your authorisation. To do an immediate reset online, the culprit must have information on the user’s mobile number and home address.
Moreover, the culprit must also be able to crack the account holder’s security questions. This is possibly easy to do considering how advanced bots are or can be trained to be. Randomly generated security codes are a thing of the past, only useful in identifying whether the person attempting to access your information is a human or a robot. Once again, bots can be utilised to circumvent this.
What is alarming (and fishy) in this latest breach of online privacy is how the users were not aware of the password change earlier. They only realised the breach when password reset letters came and that was about 4 days after the request was made.
SingPass has a security mechanism which requires users to key in a security PIN sent to their registered mobile phones. The PIN is sent almost seconds after the user has passed an earlier stage of correctly answering security questions. It is obvious that the affected 1,560 users in this latest fiasco did not receive the PINs. If they did, it would already be a cause of concern and would be reported to the system.
So how did the hacker insidiously get hold of the mobile phone data? Was it stolen? The only comforting thing to note is that IDA has filed a police report for this case.
Going forward, IDA and SingPass should keep abreast of, or stay one step ahead of, the advancement in cyber-phishing techniques.
Think about it – why would banks move away from the mechanism of randomly generated codes and mobile PINs, and into a more remote ibanking authentication device? The concept of the latter, to me, is similar to going down to the bank to withdraw money, for instance. You have complete control of what you are doing in ‘real-time’. There is no way a cyber criminal can get hold of your security device unless you lose it.
Singaporeans need to know that although financial transactions may not be made via SingPass as often as on e-commerce sites, there is other personal information which hackers can exploit. The easiest example is your email or home address. Your data could be sold to a third party for advertising purposes.
Moving forward, I’d prefer SingPass to implement a remote two-factor authentication system similar to what we see used by banks. It is commendable that the website teaches its users about online security; it should continue to do so. That said, I’d also suggest the system advise Singaporeans NOT to use the same password for SingPass and other websites.
Whatever it is, the latest SingPass incident has put a dent in public trust in the system. It is a pity considering how the website has gone to great lengths to educate its users on cyber security. No virtual fortress is infallible indeed.