Why the IDA SingPass breach is a “long time coming”

More than 1,500 SingPass accounts have been cracked, said the Infocomm Development Authority of Singapore (IDA) on Wednesday evening in a hastily convened press conference with members of the local press.

The breach apparently surfaced over the weekend when almost a dozen SingPass users raised the alarm after receiving letters informing them that they had requested a password reset despite not having done so.

Upon investigation, a total of 1,560 SingPass users were found to have had their account profiles illicitly updated to be tied to a “disproportionately small pool” of Singapore-registered mobile numbers, said the IDA. In addition, about 419 of these users have had their passwords reset without their knowledge.
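The pattern the IDA describes, many accounts re-bound to a small pool of mobile numbers and then passwords reset without the owners' knowledge, is one an audit-log review could surface early. The following is an added illustration, not IDA's or SingPass's own code, that runs two such checks over constructed profile-update and password-reset events; the event layout, thresholds and account/mobile values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real SingPass data). A profile update is
# (timestamp, account_id, new_mobile); a password reset is (timestamp, account_id).
PROFILE_UPDATES = [
    ("2014-05-26T10:00:00", "ACC-001", "+65-9100-0001"),
    ("2014-05-26T10:05:00", "ACC-002", "+65-9100-0001"),
    ("2014-05-27T14:30:00", "ACC-003", "+65-9100-0001"),
    ("2014-05-28T08:15:00", "ACC-004", "+65-9100-0001"),
    ("2014-05-28T08:20:00", "ACC-005", "+65-9100-0001"),
    ("2014-05-29T12:00:00", "ACC-006", "+65-9100-0002"),  # ordinary single update
    ("2014-04-01T09:00:00", "ACC-007", "+65-9100-0003"),  # same number, weeks apart:
    ("2014-05-30T09:00:00", "ACC-008", "+65-9100-0003"),  # e.g. a family phone
]
PASSWORD_RESETS = [
    ("2014-05-27T09:00:00", "ACC-001"),  # 23 h after the mobile was rebound
    ("2014-05-28T09:00:00", "ACC-003"),  # under a day after the rebind
    ("2014-06-20T09:00:00", "ACC-006"),  # weeks later: not flagged by this rule
]

def shared_mobile_clusters(updates, max_accounts=3, window=timedelta(days=7)):
    """Mobiles bound to more than max_accounts distinct accounts inside any window.
    Returns {mobile: peak number of distinct accounts seen in one window}."""
    by_mobile = defaultdict(list)
    for ts, account, mobile in updates:
        by_mobile[mobile].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for mobile, binds in by_mobile.items():
        binds.sort()
        start = 0
        for end in range(len(binds)):
            while binds[end][0] - binds[start][0] > window:  # slide window forward
                start += 1
            distinct = {acc for _, acc in binds[start:end + 1]}
            if len(distinct) > max_accounts:
                flagged[mobile] = max(len(distinct), flagged.get(mobile, 0))
    return flagged

def resets_after_rebind(updates, resets, max_gap=timedelta(days=2)):
    """Accounts whose password was reset within max_gap after a mobile-number change,
    the sequence an attacker needs if the reset code goes to the new number."""
    rebinds = defaultdict(list)
    for ts, account, _ in updates:
        rebinds[account].append(datetime.fromisoformat(ts))
    suspicious = []
    for ts, account in resets:
        reset_at = datetime.fromisoformat(ts)
        if any(timedelta(0) <= reset_at - t <= max_gap for t in rebinds[account]):
            suspicious.append(account)
    return sorted(suspicious)
```

With the sample data, the first check flags only +65-9100-0001 (five accounts in three days), and the second flags ACC-001 and ACC-003; a real deployment would tune the thresholds against the normal rate of profile changes.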

SingPass was set up in 2003 for Singapore residents aged 15 and above to access e-government services. Examples of transactions include accessing Central Provident Fund (CPF) accounts, filing income taxes, using the NS portal for NSFs and NSmen, and checking medical records. There are now more than 3.3 million SingPass users, noted TodayOnline in its report on this matter.

SingPass: Fix the roof before it rains

I reached out to Wong Onn Chee, a respected security professional and the director of Singapore-based security firm Infotect Security Pte Ltd. An industry veteran who has spoken at prominent security events in the region, Wong had strong words regarding the SingPass breach. The security breach is a “long time coming,” Wong told me over WhatsApp. He noted how “IDA has a proven track record of patching the leaky roof when it rains, not before it rains.”

Harsh words indeed, but there is no denying the severity of the issue here. SingPass has been integrated into the very fabric of Singapore’s e-government initiatives, and access to an account could be abused to expose users’ sensitive personal information such as where they live and how much they earn.

Moreover, there are national security implications to consider too, given the possibility of finding out an NSman's reservist dates and training schedule by logging in through the NS portal.

Two-factor authentication tech available since 2011

At the heart of this matter is the bizarre lack of two-factor authentication when authenticating to a government website using SingPass. More sophisticated malware is already known to circumvent certain types of two-factor implementations by infecting both PCs and mobile phones, which makes two-factor authentication the bare minimum, not a luxury, for basic security today.

In comparison, Google rolled out two-factor authentication for Gmail and its other free services more than three years ago, at the start of 2011. For its part, Microsoft completed the mammoth task of offering two-factor verification for the 700 million user accounts across its various services a year ago, in April 2013, and even Dropbox rolled out two-factor authentication in August last year.

For sure, the absence of two-factor authentication is not due to a lack of technology, given that IDA owns Assurity Trusted Solutions Pte Ltd (Assurity), which launched the world's first national second-factor authentication device in 2011. Indeed, the Assurity website noted how the IDA "has been working closely with regulators of key sectors (e.g. banking and finance, government and healthcare) to coordinate their demands and align their requirements for strong authentication."

Time to get SingPass fixed

So why wasn't two-factor authentication deployed to protect SingPass? There is no question that SingPass was a brilliant and cutting-edge initiative when it was launched more than a decade ago. Unfortunately, the glaring lack of two-factor authentication, years after the technology became available, has made it a major security liability for Singaporeans.

In the interest of constructive dialogue, I will highlight some thoughts on how SingPass can be improved in my next blog post. If you are an IT or security professional with ideas on that front, feel free to leave a comment below, drop me an email or send me a tweet.