By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
TechgoonduTechgoonduTechgoondu
  • Audio-visual
  • Enterprise
    • Software
    • Cybersecurity
  • Gaming
  • Imaging
  • Internet
  • Media
  • Mobile
    • Cellphones
    • Tablets
  • PC
  • Telecom
Search
© 2023 Goondu Media Pte Ltd. All Rights Reserved.
Reading: Commentary: SingPass security issues highlight need for two-factor authentication
Share
Font ResizerAa
TechgoonduTechgoondu
Font ResizerAa
  • Audio-visual
  • Enterprise
  • Gaming
  • Imaging
  • Internet
  • Media
  • Mobile
  • PC
  • Telecom
Search
  • Audio-visual
  • Enterprise
    • Software
    • Cybersecurity
  • Gaming
  • Imaging
  • Internet
  • Media
  • Mobile
    • Cellphones
    • Tablets
  • PC
  • Telecom
Follow US
© 2023 Goondu Media Pte Ltd. All Rights Reserved.
Techgoondu > Blog > Enterprise > Commentary: SingPass security issues highlight need for two-factor authentication
EnterpriseInternet

Commentary: SingPass security issues highlight need for two-factor authentication

Alfred Siew
Last updated: July 29, 2014 at 3:17 PM
Alfred Siew
Published: June 5, 2014
4 Min Read
SHARE

singpass screenshot

Yet another high-profile security problem has hit e-government services in Singapore, just months after several of the country’s websites were vandalised by hackers.

This time, more than 1,500 SingPass online accounts used to check retirement account balances and file taxes could have been accessed without users’ consent.

In other words, cyber criminals could have logged in to these accounts, stolen information and already covered their tracks by the time the authorities were alerted on Monday.

No loss has been reported, according to them, but how would a user know if someone has taken a screenshot of all their details?

Revealed to the public yesterday, this breach of security is perhaps the most serious yet for e-government services here. This despite the authorities saying the system was not compromised and going on to caution users to secure their passwords.

Rather than point the finger at users, the Infocomm Development Authority (IDA) should have taken the advice from many quarters of the industry to beef up security for the SingPass system over the years.

It could have done with some of the security measures already commonly used for trading shares online or transferring funds through a bank.

This so-called two-factor authentication (2FA) requires users to log in with an additional password flashed on a physical token. Banks and other financial institutions in Singapore have been using the technology for years now, again after several high-profile break-ins in the past.

For some reason, the SingPass system doesn’t use this. It still only requires users to log in with their IC number and a password on its website.

That makes it relatively easy for a hacker to guess the password and get access. He can do this by running an automated script to try logging in with thousands of combinations, for example, with birthdays, names or addresses.

The authorities only found out the problem after some users received letters informing them they had reset their passwords, when they had not. Some got SMSes telling them the same. Piecing things together early this week, the IDA deduced that there was potentially unauthorised access.

At the time of writing, neither the SingPass nor the IDA website had posted any warnings on their homepages. Surely, they can do better to inform citizens that their accounts may well be compromised.

Yesterday, IDA managing director Jacqueline Poh said the IDA “continues to explore” the use of 2FA in e-services, especially those with sensitive transactions.

Presumably, the government believes that information such as one’s CPF (Central Provident Fund) balance isn’t sensitive enough to warrant more security, then? What about the filing of taxes?

If users have their personal data stolen, can the IDA simply say that they had not secured their computers or protected their passwords? In a similar scenario, a non-government organisation could have been hauled up by the authorities for not better protecting user information, under a stricter data protection regime today.

The irony is that the IDA owns a subsidiary called Assurity, which has been pushing for the adoption of such 2FA security in Singapore. Unveiled in 2011, it could have started issuing tokens to users by now, possibly preventing the issue today.

Why SingPass hasn’t been beefed up is truly a mystery. It has been an easy target all these years and finally, now, users are facing the consequences.

New Linksys EA8100-AH Max-Stream router is exclusive to StarHub in Singapore
Hands on: Lutron wireless light switches and sensors
Imperva opens network, security ops centre in Singapore to boost Asia-Pacific presence
Pay for your Singapore Airlines tickets via PayPal
S’pore employees feel their workplaces do not empower them digitally: Microsoft
TAGGED:2FAcyber crimee-governmentIDASingpassthink

Sign up for the TG newsletter

Never miss anything again. Get the latest news and analysis in your inbox.

By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
Share This Article
Facebook Whatsapp Whatsapp LinkedIn Copy Link Print
Avatar photo
ByAlfred Siew
Follow:
Alfred is a writer, speaker and media instructor who has covered the telecom, media and technology scene for more than 20 years. Previously the technology correspondent for The Straits Times, he now edits the Techgoondu.com blog and runs his own technology and media consultancy.
Previous Article Laptop-tablet combos go fanless with Intel Core M chip at Computex
Next Article 5-inch Nokia XL landing in Singapore, faces tough fight
Leave a Comment

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Stay Connected

FacebookLike
XFollow

Latest News

Promising speed and better coverage, Singtel 5G+ targets premium users
Mobile Telecom
May 15, 2025
Fujifilm GFX100RF review: Fun medium-format street photography camera
Imaging
May 14, 2025
Looks over AI? Samsung pitches slimmed-down Galaxy S25 Edge
Cellphones Mobile
May 13, 2025
Stunning AI advancements could transform healthcare, education and agriculture globally: Bill Gates
Internet
May 7, 2025

Techgoondu.com is published by Goondu Media Pte Ltd, a company registered and based in Singapore.

.

Started in June 2008 by technology journalists and ex-journalists in Singapore who share a common love for all things geeky and digital, the site now includes segments on personal computing, enterprise IT and Internet culture.

banner banner
Everyday DIY
PC needs fixing? Get your hands on with the latest tech tips
READ ON
banner banner
Leaders Q&A
What tomorrow looks like to those at the leading edge today
FIND OUT
banner banner
Advertise with us
Discover unique access and impact with TG custom content
SHOW ME

 

 

POWERED BY READYSPACE
The Techgoondu website is powered by and managed by Readyspace Web Hosting.

TechgoonduTechgoondu
© 2024 Goondu Media Pte Ltd. All Rights Reserved | Privacy | Terms of Use | Advertise | About Us | Contact
Join Us!
Never miss anything again. Get the latest news and analysis in your inbox.

Zero spam, Unsubscribe at any time.
 

Loading Comments...
 

    Welcome Back!

    Sign in to your account

    Username or Email Address
    Password

    Lost your password?