Crooks fishing for data via SingPass?

Cyber crooks who may have gained unauthorised access to 1,560 SingPass accounts could be out to discover sensitive data about their victims, in the hope of hatching elaborate scams to target them.

While the motivations behind the tampering with the Government's single-sign-on system have not been established, security experts said the incident, which also resulted in 419 passwords being reset, was worrying.

The Infocomm Development Authority of Singapore (IDA), meanwhile, said on Wednesday that no losses - monetary or otherwise - have been reported so far, and that the SingPass system had not been compromised.

It could have been the users' end that had been compromised, with the IDs and passwords being stolen through malware installed on their computers or because the passwords could be easily guessed.

David Siah, country manager of TrendMicro, said: "SingPass is like a 'master key' to many government e-services, from the Central Provident Fund to income tax. It's like a key which unlocks all the doors in your house."

There are over 3.3 million registered SingPass users currently. Through the service, they can access 340 government e-services from 64 agencies.

Senior forensic consultant Ali Fazeli of Infinity Forensics said that, through the SingPass account, personal information such as "names, income status, contact information, addresses and medical history" can be acquired.

This can subsequently be used to commit "identity theft", whereby cyber criminals pretend to be legitimate users by using their information, noted Mr Fazeli.

Hypothetically, he said, the crooks could log into the Inland Revenue Authority of Singapore's system and check details of the victims' Giro accounts.

Subsequently, they could call the victims' banks to try and reset the passwords for the victims' banking services. To verify users' identity, banks could ask about their Giro history, which the crooks would have.

James Aruldoss, former president of the Association of Certified Security Agencies, said the implications hinge on how much identity thieves can leverage on the data obtained from the SingPass accounts.

"Some organisations such as finance institutions or loan companies have additional safeguards to authenticate their customers, so the impersonators are stopped in their tracks," he noted.

Mr Siah said that victims could also be targeted through phishing scams.

"With more personal knowledge being exposed, cyber criminals can (create) a social profile of you with a high degree of accuracy...and e-mail you pretending to be someone else," he noted.

This could result in victims opening malicious attachments, which would download malware that could monitor activities on the victims' computers.

T. Mogan, security director of Dragnet, said the perpetrators may be "playing the fool" and just want to see how far they can get into the users' accounts.

Sui Jin Foong, systems engineering director, ASEAN, of Juniper Networks, said the world of cyber crime extends beyond Singapore's geographical boundaries.

"Certain digital assets, like credit card information, can be sold to multiple sources," said Mr Sui.

adrianl@sph.com.sg

Get MyPaper for more stories.