SingPass should be secured swiftly

I was on leave last week and watched from the sidelines as I read that more than 1,500 SingPass accounts may have been breached. SingPass is Singapore's universal online access to e-government services, which include those for filing income tax returns and checking CPF account balances.

I decided to do some checking on my own. Three sets of numbers, which kept appearing in news reports, seemed confusing to me.

The first number concerned the 1,560 accounts which the Infocomm Development Authority (IDA) said "were potentially accessed without the users' permission".

Of these, 419 had their passwords reset and, therefore, stood an even higher chance of having had their accounts hacked into.

Then, there were the 11 (from the group of 419) who complained to Crimson Logic, the company which operates the SingPass system on behalf of the Government, that they had received letters informing them they had reset their passwords, even though they had not done so.

I did some digging and figured out what I thought the IDA was saying.

To understand the situation better, it is first necessary to understand how SingPass works. When SingPass was launched in 2003, users who forgot their passwords had to do one of two things to reset their passwords.

The first was to submit an online request to have the password reset. Within a week or so, the system would send a letter by post to the user, to inform him of his new password.

The second method was to visit, in person, one of the several SingPass counters in some community centres in Singapore to get an instant password reset.

Neither was convenient. So, in 2007, a third option was added - to request for an immediate online password reset.

To do this, a user has to first activate the reset feature by entering his mobile phone number. This is necessary so that when he actually does request for a password reset, a one-time PIN would be sent to the pre-registered mobile number.

He would then have to key in this PIN into the SingPass website before he can reset his password online.

This "second-factor" authentication was designed to make it harder for hackers to breach SingPass accounts, as hackers would need to have the account holder's mobile phone on hand, in addition to his ID and password details.

The current situation started with the 11 users who received the password reset letters and notified Crimson Logic.

Crimson Logic conducted checks and found that there was a large group of SingPass accounts - 1,560 to be exact - which had an unusually high ratio of connection to a limited pool of mobile phone numbers.

It is not uncommon for one mobile number to be connected to multiple SingPass accounts, as sometimes, the most tech-savvy member of a household would sign up for the password-reset feature for the entire family.

The IDA would not say how high the number of connections had to be before it registered as an anomaly, but in this case, too many of the 1,560 accounts were linked to too few mobile phone numbers. This made the accounts suspect.

The police are still investigating, said the IDA, so it cannot be sure if these accounts were actually hacked into.

The 419 accounts (from the group of 1,560) stand an even higher chance of having been illegally accessed (hacked, cracked, breached, compromised - they all mean the same thing) because there were actual requests made for these accounts to have the passwords reset.

Again, it is not conclusive at this stage that it was one or several hackers who did this, as investigations are still ongoing.

The IDA has repeatedly said "there is no evidence that the SingPass system itself has been compromised".

However, if these accounts had been broken into, one of two things could have happened.

- Some hackers could have correctly guessed the SingPass passwords of the accounts concerned, using various hacking and social engineering techniques.

- Hackers could have breached the SingPass database which stores this information.

The IDA maintains that there is no proof that the database had been broken into.

The best thing to do now is to wait for the police to complete their investigations.

Personally, I would stop using SingPass until the authorities get to the bottom of the matter.

More can be done to make the SingPass system more secure.

I recall that my World Of Warcraft account was often suspended because of suspicious activities which indicated hackers were trying to break into my account.

However, after I added the second-factor authentication via a token, the number of such incidents fell to zero.

Use of second-factor authentication via SMS or a token is a good additional safety feature and the IDA has said it will look into it and launch it by the third quarter of next year. Experts have also suggested this was the right thing to do.

IDA also said it is looking to let users set their own usernames. Currently, a SingPass username is one's NRIC number. This is another feature which came under criticism in the wake of last week's incident.

Many contest entry forms require information such as one's NRIC number and address.

Adding second-factor authentication to the SingPass system may be more complex than it seems because it requires integration with hundreds of different Web services from the more than 70 Government agencies.

However, in an age when hackers are out to farm for detailed user information, and at a time when many users already see fit to protect their Gmail and World Of Warcraft accounts with second-factor authentication, SingPass accounts are definitely ripe for the picking by hackers.

The authorities should proceed with the new changes with the utmost urgency.

ginlee@sph.com.sg

This article was first published on June 11, 2014.
Get a copy of Digital Life, The Straits Times or go to straitstimes.com for more stories.