What's behind breach? Is 2FA better?

What's behind breach? Is 2FA better?

There has been no evidence so far to show that the SingPass system was breached when 1,560 accounts were accessed illegitimately.

If this is so, the SingPass IDs and passwords could have been acquired from the users' end, say IT security experts.

This could have been done via malicious software that has been surreptitiously installed on the users' computers, when the users downloaded certain programs or visited particular websites.

Alternatively, the accounts could have been potentially accessed in what is known as a "brute force" attack, in which hackers repeatedly try different passwords.

This is especially efficient when users employ easy-to-guess passwords like "password" or "123456789".

But why did the perpetrators change the mobile numbers linked to these SingPass accounts or change the passwords?

Chong Rong Hwa, FireEye's staff malware researcher, said that SingPass is a gateway to other government services, some of which may require what is known as a two-factor authentication system.

In such a system, the hacker would need, for example, a number key sent to his mobile phone, to defeat the added layer of security.

Mr Chong said it could be possible that the hackers wanted to change the passwords so only they would have access to the accounts. So is the single-factor authentication system, which the SingPass uses, sufficiently robust?

Mr Chong believes that the two-factor authentication system, which is used by many banks, and involves generating a number key on a physical token, should be implemented in the "long run".

David Siah, TrendMicro's country manager, said it is an issue of "form and function", when it comes to why organisations choose to use single- or two-factor authentication.

In a single-factor system, users do not need to have their tokens with them all the time, which is more convenient.

Mr Chong noted that issuing tokens to the 3.2 million SingPass users is a massive undertaking, and the public will need to be educated on how to use them.

Jacqueline Poh, the Infocomm Development Authority of Singapore's managing director, said: "We continue to explore the use of two-factor authentication (2FA) for e-government transactions, particularly for those involving sensitive data.

"In the meantime, we have put in place multiple levels of security, such as captcha and sending letters to your residential addresses when SingPass passwords have been changed."

For now, IT experts said users would be wise to install anti-virus software and use stronger passwords.

adrianl@sph.com.sg


Get MyPaper for more stories.

This website is best viewed using the latest versions of web browsers.