
Onus Is Still On IDA To Keep Our SingPass Safe

The announcement that 1,200 SingPass accounts were compromised and that a quarter of them had their passwords reset without authorisation raised questions about cyber security. However, it seems from media reports that the blame is being placed on end users. IDA should also take responsibility for the safety of our SingPass details.

A FireEye spokesperson suggested that the breach was probably from malware on a user's device and that it allowed the perpetrator to access 1,200 SingPass accounts. This raises a strong probability that the communication between device and database server may not be as strong as thought. Furthermore, it could highlight that the database server is not as strongly encrypted as a full section was accessed via a single malware infection.

Media reports noted that IDA was receiving complaints over the weekend from SingPass users receiving unauthorised password reset letters, and CrimsonLogic only raised the matter with IDA on Monday evening. This resulted in the "hastily" arranged press conference on Wednesday. Given that letters take a day to be delivered within Singapore, the unauthorised resets were probably done on Thursday and/or Friday. From this approximate timeline, it took a week from the unauthorised entry for IDA to hold a press conference.

If there were a spike in password resets, there should have been an alert to inform CrimsonLogic. It seems that either there is no such alert, or the level of password reset requests on a daily basis is so high that the spike turned into a false positive.

If the former is the reason, there should be concern that spikes in unusual activity are not resulting in alerts that prompt action. If it is the latter, IDA should re-examine how passwords are set.
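To make the two possibilities concrete, here is an added example (not from the original post, and not CrimsonLogic's or IDA's code) that runs two detectors over a constructed reset log: a site-wide daily-count detector, which misses the extra resets because ordinary daily volume is high and noisy, and a per-source detector, which catches them. It assumes that each reset request carries some source attribute (client address or session), which the post does not state.

```python
from collections import Counter
from statistics import median

# Constructed sample data (not real SingPass logs).  Each record is one password
# reset request as (day, source).  Days 0-6 are normal traffic; on days 7-8 a
# single source "src-X" adds 150 resets a day (about the 300 unauthorised resets
# the post mentions) on top of ordinary volume.
NORMAL_PER_DAY = [430, 610, 480, 660, 390, 570, 500, 500, 470]
EXTRA_FROM_SRC_X = {7: 150, 8: 150}
SRC_X = "src-X"

def build_log():
    log = []
    for day, n in enumerate(NORMAL_PER_DAY):
        # legitimate users: each requests one reset from a distinct source
        log.extend((day, f"user-{day}-{i}") for i in range(n))
    for day, n in EXTRA_FROM_SRC_X.items():
        log.extend([(day, SRC_X)] * n)
    return log

def daily_totals(log):
    counts = Counter(day for day, _ in log)
    return [counts[d] for d in sorted(counts)]

def robust_z(value, history):
    """Robust z-score: distance from the median in MAD units (MAD scaled to
    approximate a standard deviation); a MAD of 0 is floored to 1."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0
    return (value - med) / (1.4826 * mad)

def global_spike_alerts(totals, threshold=3.5, min_history=5):
    """Site-wide detector: flag a day whose total reset count is far above
    the preceding days.  Needs a few days of history before it can judge."""
    return [d for d in range(min_history, len(totals))
            if robust_z(totals[d], totals[:d]) > threshold]

def per_source_alerts(log, max_per_source=20):
    """Per-source detector: flag any (day, source) that requested more resets
    than a single legitimate user plausibly would."""
    counts = Counter(log)
    return sorted((day, src, n) for (day, src), n in counts.items()
                  if n > max_per_source)

if __name__ == "__main__":
    log = build_log()
    print("daily totals:", daily_totals(log))
    print("site-wide alerts:", global_spike_alerts(daily_totals(log)))  # [] : lost in noise
    print("per-source alerts:", per_source_alerts(log))
```

The site-wide view returns no alert because 150 extra resets sit inside the normal day-to-day swing, whereas grouping by source exposes one client issuing 150 resets a day on two consecutive days.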

The estimated period of time IDA took to alert the public is also a concern. If this were a real hack and data compromise, a lot of information would have fallen into the wrong hands.

The delay in implementing third factor authentication is also a concern. What made the situation worse was that reports highlight the delay as being due to only one vendor bidding for the tender. Surely the security of individual data is critical enough to call for a new tender?

Hopefully, IDA can and will learn from this incident. While CrimsonLogic has assured that no data was compromised, there should be more security and encryption, especially in how the data is communicated from end to end and how it is stored.


Comments

Anonymous said…
This happens only once in 50 years. But the Mat keeps making stupid comments almost everyday
Unknown said…
Even if this is an "innocent" breach, this incident would have alerted real hackers to probe for other weaknesses. Although I am not an IT-security guy, I can think of two simple weaknesses.

First: Using our IC No as a default ID already simplifies half the task for hacking since it's not difficult to obtain lists of valid ICs, with the check alphabet, e.g. just get hold of a bunch of entry forms for supermarket lucky draws. So one only needs to guess the password.
Secondly: Get entry into the sign-in database of a large corporation in SG, e.g. telcos, banks etc. with a large online user base. Take the IC numbers, telephone numbers and passwords, cover tracks and exit. Use this list to hack into SingPass. Many users tend to use the same password so there will be a reasonable hit rate and the attack will not attract suspicion.

Conclusion: letting us use the IC No is a user-friendly idea, but since IC numbers are not randomly generated, the security regime needs to be thought through even more rigorously, such as making it compulsory for those who retain the IC as default to register their handphone to receive an SMS code for transaction validation (and for the occasion when you lose your phone and urgently need to use SingPass, allow you to register your home phone or an alternative mobile to receive a call from their call centre etc.).
