Perhaps the worst thing that can happen after the recent SingPass security breach is to assume it cannot happen again.
This idea that everything is working fine is foolhardy, after news last week that three of the 1,560 compromised SingPass accounts were used to apply for work permits.
Thus it’s disappointing to hear the government saying there are no vulnerabilities with the existing SingPass system. In Parliament yesterday, Minister for Communications and Information Yaacob Ibrahim instead repeated the advice to users to strengthen their passwords and be more security-savvy.
What message does he send to government agencies, then? That their practices have so far reflected a good awareness of security issues when delivering their e-services?
Unfortunately, by telling everyone that SingPass is okay, the government does not seem to be recognising the threats that many experts have told them over the years, and which users are also telling them now.
For starters, the SingPass system is vulnerable. All security systems are, to a degree. SingPass is a concern because of two factors.
It only requires a simple login and password to get in and perform sensitive transactions such as paying taxes, bidding for Gebiz tenders and of course applying for work permits.
Plus, the default username is a user’s IC number, which is easy to get hold of. And IC numbers are sequential, which makes them easy to guess.
Together, these two factors present a relatively easy opportunity for attackers. When the government says that SingPass isn’t vulnerable, it may be right that no one has broken into the system itself. But you don’t need to break in – you just have to guess what the username and password are.
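The guessing risk described above is easiest to counter on the server side by noticing it early. As an added illustration (not from the original column or from any SingPass system), the following detector scans constructed login-log lines for a single source that tries many distinct IDs whose numeric parts run nearly consecutively, which is the signature of someone walking through sequential usernames. The log format and the ID values are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines; the format and IDs are invented for this example.
SAMPLE_LOG = """\
2014-06-20T10:00:01 src=203.0.113.7 user=S0000001A result=FAIL
2014-06-20T10:00:02 src=203.0.113.7 user=S0000002A result=FAIL
2014-06-20T10:00:03 src=203.0.113.7 user=S0000003A result=FAIL
2014-06-20T10:00:04 src=203.0.113.7 user=S0000004A result=SUCCESS
2014-06-20T10:00:05 src=203.0.113.7 user=S0000005A result=FAIL
2014-06-20T10:01:00 src=198.51.100.9 user=S0004711B result=FAIL
2014-06-20T10:01:30 src=198.51.100.9 user=S0004711B result=SUCCESS
"""

# Assumed field layout: a source address, a letter + 7 digits + letter ID, and a result.
LINE = re.compile(r"src=(\S+) user=[A-Z](\d{7})[A-Z] result=(\w+)")


def parse(log: str) -> list:
    """Return (source, numeric_id, result) tuples for every parseable line."""
    events = []
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            src, digits, result = m.groups()
            events.append((src, int(digits), result))
    return events


def flag_enumeration(events: list, min_users: int = 4, max_gap: int = 2) -> dict:
    """Map source -> number of distinct IDs for sources that tried at least
    min_users different IDs with every neighbouring pair no more than max_gap apart.
    Success or failure is deliberately ignored: one lucky hit still counts."""
    by_src = defaultdict(set)
    for src, num, _result in events:
        by_src[src].add(num)
    flagged = {}
    for src, nums in by_src.items():
        if len(nums) < min_users:
            continue
        ordered = sorted(nums)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if max(gaps) <= max_gap:
            flagged[src] = len(nums)
    return flagged
```

A normal user retrying their own password produces one ID per source and is never flagged; the thresholds are starting points to tune against real traffic.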
Now, then, should users be blamed for being sloppy? Surely, they have to be more aware of online security.
But it’s also time for government agencies to wise up to the realities of cyber threats. Access to sensitive information or transactions should be protected by more than a simple login and password, which is all SingPass asks for.
That is actually a guideline from the Monetary Authority of Singapore (MAS). In its latest technology risk advisory, it tells financial institutions to use two-factor authentication at login for all types of online financial systems, and “transaction-signing” – an additional security layer that ties the second factor to the details of the specific transaction – for authorising transactions.
The reason? To protect the integrity of customer account data and to enhance confidence in online systems (see the MAS report).
Did government agencies have to follow such a comprehensive set of guidelines, before they put out the current 340 e-services available through SingPass?
Because if they did, a number of services on SingPass now might not pass the test. Logging in to pay taxes or check your CPF account balance? No second layer of authentication needed. Applying for a work permit? No further challenge after logging in with a password.
Unfortunately, with the rather uneven understanding of cyber threats in different government agencies, you could end up with some adopting more stringent practices while others just resort to less robust systems, such as SingPass.
This is why it is not okay to assume everything is working fine. Government agencies rolling out e-services have to be subject to the same stringent guidelines that govern the private sector.
It’s ironic that the government is tasked to protect the private data of citizens through a new data protection law, but finds itself behind the curve when it comes to the very tools to protect that data.
The ageing SingPass system is still used for sensitive transactions and access to information that would have been deemed private, when banks, securities firms, hospitals and even polytechnics have begun using hardware tokens to secure that access.
And the biggest irony is that a company wholly owned by the Infocomm Development Authority has been giving out these tokens free to Singaporeans and permanent residents since 2011. By the end of this month, Assurity will have deployed some 600,000 of its OneKey tokens.
These can be used for different services. So, one token can be used to log in to various government e-services, as well as private online services such as share trading.
Why hasn’t any government agency used OneKey instead of just SingPass? Did they think it was easier to stay with SingPass?
Perhaps in 2003, when it was first rolled out, the worry was that people wouldn’t take to e-services if they were too cumbersome to use. It’s time government agencies changed that mindset.
Some of them will be deploying tougher security measures such as an additional layer of security, while the SingPass system itself will be revamped by the third quarter of 2015, Yaacob said yesterday.
For many users, that cannot come soon enough. Each time they log in with a simple username and password, they face risks that could have been reduced had government agencies been more aware of the threats online.
Now is certainly not the time for them to let their guard down and assume everything is okay.