Zit Seng's Blog

A Singaporean's technology and lifestyle blog

SingPass Hack Needs To Be Better Managed

DSC04198No IT system is perfectly secure. It’s not about if you get compromised or hacked, but when. You still need to do a great job securing your IT systems, but equally important these days is having a great recovery plan in case that worst case scenario does play out.

Yesterday, we learnt that SingPass accounts were used illegally to make fraudulent work pass applications. It follows exactly one month after the Infocomm Development Authority of Singapore (IDA) revealed that 1500 SingPass accounts “may have been accessed without permission”.

I was overseas when the SingPass news came out, otherwise I would have wanted to write my two cents on it. The information that came out from IDA was sketchy at best. There were so many important and pertinent questions that IDA did not address.

What exactly did they mean by “user IDs and passwords may have been accessed without permission”? Did the hackers have the actual passwords? If they (hackers) had the actual passwords, why did they need a password reset? What was the impact of a password reset? Could the new passwords resulting from a password reset be accessed by the hackers? Otherwise why would the hackers bother with a password reset? How was it determined that an account was illegally accessed? How far back have the illegal accesses been happening? Could my account also have been accessed, but no one (including myself) yet know about it? How does IDA know not more SingPass accounts were illegally accessed?

There’s much more to the incident than publicly revealed. IDA was quick to say that “no evidence to suggest the SingPass system has been compromised and there are no known losses”. They did not find any evidence, hence in the absence of such finding, they concluded that the system was not compromised. No data was lost, simply because they did not know of any being lost.

Let’s be clear on this. It’s not easy to know that data was lost. This is virtual information. Stealing data does not actually involve physically removing an item or subsequently denying your access or use of it. It’s not like your Mont Blanc pen was stolen. Data has been stolen simply because someone else has come to know about it, when that someone is not supposed to know about it.

So now we hear that some of those SingPass accounts were in fact fraudulently used to carry out other government e-services transactions. Wow. A bunch of questions immediately came to mind:

  1. When exactly did those transactions take place?
  2. If it was before IDA learnt that SingPass accounts had been illegally accessed, then why were there no proactive measures taken to verify activities on those accounts? They did know which accounts were compromised eh. Why do we only know about the incident now?
  3. If after, how could the accounts be misused? Didn’t IDA reset the passwords immediately? If they did, then how could the accounts still be used?

It seems that IDA’s recovery plan is about denial. No, nothing was compromised, nothing was lost. In fact, the message they are sending out is that business is as usual. Nothing to see, let’s just move on.

On the one hand, you reveal that 1500 SingPass accounts were illegally accessed. On the other, it’s business as usual.

You will get hacked. Oh yes, I’m using the term hack loosely, the way our media and much of the world prefers to use it. As I mentioned earlier, organisations need to prepare for this scenario. They need to communicate, they need to be transparent in sharing information, and they need to take concrete action steps to correct the problem and prevent the same and similar problems from recurring.

IDA barely communicated. We did not get pertinent information. What steps did IDA take? I’m not sure. Perhaps, it’s this advisory they put out.

For every individual, the incident underlines the importance of taking personal responsibility for cyber security.” — Ms Jacqueline Poh, IDA’s Managing Director

It is your own fault that your account got hacked.

In my fair opinion, I think there are so many things that IDA should have done, not the least of which should include verification of all transactions of suspect accounts that occurred during the exposure window. IDA says they did reset passwords of all affected accounts.

SingPass is an extremely important national authentication system. On the one part, the Singapore Government already mandates all banks to implement Two Factor Authentication (2FA). Why, oh why, does SingPass not do 2FA?

While the 2FA use in the banking sector may be mandated by the Monetary Authority of Singapore, it’s not like IDA doesn’t have their own 2FA programme. You may have heard of the National Authentication Framework. It’s an IDA programme that involves 2FA devices with OneKey. Why not rollout OneKey 2FA in SingPass?

Even without 2FA devices, we could still fall back with One-Time Passwords sent via SMS?

I don’t disagree that individuals also need to take responsibility for IT security. This is not an excuse, however, for organisations to pass the buck.

IDA needs to be more proactive about improving security. Telling us that SingPass improvements are coming along is good news, but that we’ll have to wait till 3rd quarter of 2015 is terrible. What do we do in the next one year or so?

Leave a Reply

Your e-mail address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.