
Onus Is Still On IDA To Keep Our SingPass Safe

The announcement that 1,200 SingPass accounts were compromised, and that a quarter of them had their passwords reset without the owners' authorization, has raised questions about cyber security. Judging from media reports, however, the blame is being placed on end users. IDA should also take responsibility for the safety of our SingPass details.

A FireEye spokesperson suggested that the breach probably originated from malware on a user's device, and that this allowed the perpetrator to access 1,200 SingPass accounts. Malware on an end-user device normally captures only the credentials typed on that device, so reaching 1,200 accounts from a single infection would be unusual. This raises the strong probability that the communication between device and database server is not as well protected as thought. Furthermore, it suggests that the data on the server side is not as strongly encrypted or segregated as claimed, if a whole section of it could be accessed via a single piece of malware.

Media reports noted that IDA was receiving complaints over the weekend from SingPass users who had received unauthorized password reset letters, and that CrimsonLogic only raised the matter with IDA on Monday evening. This resulted in the "hastily" arranged press conference on Wednesday. Given that letters take a day to be delivered within Singapore, the unauthorized resets were probably done on the Thursday and/or Friday. On this approximate timeline, a week passed between the unauthorized entry and IDA's press conference.

If there was a spike in password resets, an alert should have been raised to CrimsonLogic. It seems that either no such alert exists, or the daily volume of password reset requests is so high that the spike was indistinguishable from normal variation and was treated as routine.

If the former is the reason, there is cause for concern: spikes in unusual activity are not generating alerts that would allow prompt action. If it is the latter, IDA should re-examine how passwords are reset, since a reset process busy enough to hide 300 fraudulent resets is itself a problem.
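As an added illustration of the kind of alert this paragraph calls for, the following Python is example code written for this post; it is not anything IDA or CrimsonLogic run, and the log format, the field names, the user IDs and the daily volumes are all constructed. It counts password-reset events per day, compares each day against the mean and standard deviation of the previous seven days, and flags the day as a spike when it exceeds both that statistical threshold and an absolute floor. A second constructed baseline shows the situation the paragraph describes in its second case: when normal volume is tens of thousands of resets a day, an extra 1,200 sits inside ordinary variation and a pure count-based rule never fires.

```python
"""Rate-based alert on password-reset events (constructed example, not production code)."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_log():
    """Constructed audit log: one "timestamp,action,user" line per reset.

    Seven quiet days of about 20 resets each, then a day with 320 resets.
    User IDs are synthetic placeholders, not real identifiers.
    """
    daily = [20, 22, 19, 21, 20, 23, 18, 320]
    base = datetime(2014, 5, 29)  # assumed start date for the constructed log
    lines = []
    for d, n in enumerate(daily):
        day = base + timedelta(days=d)
        for i in range(n):
            ts = day + timedelta(minutes=(i * 37) % 1440)  # spread across the day
            lines.append(f"{ts.isoformat(timespec='minutes')},password_reset,u{i:05d}")
    return "\n".join(lines)


def parse_events(log_text):
    """Return (timestamp, user) pairs for password_reset lines, ignoring other actions."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, user = line.split(",")
        if action == "password_reset":
            events.append((datetime.fromisoformat(ts), user))
    return events


def daily_counts(events):
    """Map each calendar day to its number of reset events, in date order."""
    counts = Counter(ts.date() for ts, _ in events)
    return dict(sorted(counts.items()))


def detect_spikes(counts, k=3.0, min_abs=50, window=7):
    """Flag any day whose count exceeds mean + k * stdev of the previous `window` days.

    The absolute floor `min_abs` stops a near-zero baseline from alerting on noise.
    Returns (day, count, threshold) tuples; an empty list means nothing fired.
    """
    days = list(counts)
    alerts = []
    for i in range(window, len(days)):
        history = [counts[d] for d in days[i - window:i]]
        threshold = max(mean(history) + k * pstdev(history), min_abs)
        if counts[days[i]] > threshold:
            alerts.append((days[i], counts[days[i]], round(threshold, 1)))
    return alerts


def high_volume_baseline_example():
    """Constructed high-volume baseline: ~20,000 resets/day with ~1,200 day-to-day swing.

    The eighth day carries roughly 1,200 extra resets, yet the rule does not fire,
    because that increase is smaller than three standard deviations of normal traffic.
    """
    counts = {
        "day1": 20000, "day2": 21500, "day3": 19000, "day4": 22000,
        "day5": 20500, "day6": 18500, "day7": 21000, "day8": 21600,
    }
    return detect_spikes(counts)


if __name__ == "__main__":
    counts = daily_counts(parse_events(build_sample_log()))
    for day, count, threshold in detect_spikes(counts):
        print(f"ALERT {day}: {count} password resets (threshold {threshold})")
    print("high-volume baseline alerts:", high_volume_baseline_example())
```

The low-volume run raises a single alert on the eighth day; the high-volume run raises none, which is exactly why a count-only rule is not enough for a service of SingPass's size and why a per-account or per-source signal (resets requested from an unfamiliar device, or many resets sharing one origin) would have to be added.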

The estimated time IDA took to alert the public is also a concern. If this was a real hack and data compromise, a great deal of information would have fallen into the wrong hands before anyone was warned.

The delay in implementing two-factor authentication (2FA) is also a concern. What made the situation worse was that reports attributed the delay to only one vendor having bid for the tender. Surely the security of individuals' data is critical enough to justify calling a new tender promptly?

Hopefully, IDA can and will learn from this incident. While CrimsonLogic has assured the public that no data was compromised, there should be stronger security and encryption, especially for how the data is protected in transit from end to end and how it is stored at rest.


Anonymous said…
This happens only once in 50 years. But the Mat keeps making stupid comments almost every day.
Unknown said…
Even if this is an "innocent" breach, this incident would have alerted real hackers to probe for other weaknesses. Although I am not an IT security guy, I can think of two simple weaknesses.

First: Using our IC No. as a default ID already simplifies half the task of hacking, since it's not difficult to obtain lists of valid ICs, with the check alphabet, e.g. just get hold of a bunch of entry forms for supermarket lucky draws. So one only needs to guess the password.
Secondly: Get entry into the sign-in database of a large corporation in SG, e.g. telcos, banks, etc., with a large online user base. Take the IC numbers, telephone numbers and passwords, cover tracks and exit. Use this list to hack into SingPass. Many users tend to use the same password, so there will be a reasonable hit rate and the attack will not attract suspicion.

Conclusion: letting us use the IC No. is a user-friendly idea, but since IC numbers are not randomly generated, the security regime needs to be thought through even more rigorously, such as making it compulsory for those who retain the IC as the default ID to register their handphone to receive an SMS code for transaction validation (and, for the occasion when you lose your phone and urgently need to use SingPass, allow you to register your home phone or an alternative mobile to receive a call from their call centre, etc.).
