4 questions we want to ask IDA about the SingPass Security breach

Hi IDA, we are a bit concerned.

Martino Tan | June 05, 12:53 PM

The Infocomm Development Authority (IDA) told the media yesterday that 1,560 SingPass accounts could have been accessed illegitimately.

SingPass is a password set up for every citizen in 2003 to access the 340-plus e-government services offered by 64 government agencies.

IDA said it was notified on June 2 by its contractor, CrimsonLogic, that a number of SingPass users had received a SingPass reset notification letter although they had not requested any password reset. A police report was lodged on June 3.


I am not a techie and I don't want anybody to get hurt. But I've got four questions to ask, because this incident raises several questions for IDA.


1. When was IDA going to announce to the public about the breach? Could IDA have informed the public earlier?

According to TODAY, the breach surfaced over the weekend (1 June) when 11 SingPass users received letters informing them that they had requested a password reset, though they had not.

But it might have occurred earlier. In fact, the breach could have occurred as early as four days before (28 May), because when a password is reset, the SingPass Password Reset Notification Letter is sent to the user by post within 4 working days (according to the SingPass website). The letter therefore tells the user about a reset only after the fact, and only after a delay.

However, both the Straits Times and TODAY observed that the press conference was "hastily-convened" yesterday. This gives one the impression that IDA was not prepared to inform the public yet. But this was three days after the breach (1 June).

What if the breach reaches beyond the 1,560 SingPass users? It might have caused widespread alarm among more SingPass users if they too received letters for a password reset. I understand that IDA may not have all the answers, but it could have informed the public earlier.


2. What took SingPass operator CrimsonLogic so long (at least 24 hours) to inform IDA?

The breach surfaced over the weekend, but CrimsonLogic only flagged the problem to IDA on Monday evening.


3. Were the SingPass accounts compromised or even hacked?

IDA's words will not calm concerned SingPass users. IDA said that there was "no evidence to suggest that the SingPass system has been compromised". If I understand correctly, this means IDA has found no evidence that the accounts were compromised. But the absence of evidence does not mean that the accounts were not compromised.


4. Why wasn't two-factor authentication rolled out? What was taking IDA so long to protect its fellow citizens against potential hacking?

Kudos to The Straits Times for their incisive commentary about the breach and why two-factor authentication should be rolled out. Former ST editor Bertha Henson also made a good point in her Facebook post: if the Monetary Authority of Singapore requires two-factor authentication for online banking, the government should do the same for its portals and have a second layer of checks for all citizens.

From the ST commentary, we know two things:

1) IDA was aware that two-factor authentication (the kind we use for online banking) was a stronger defence against illegal tampering; and

2) IDA put out two tenders for a new SingPass system in 2012 and 2013 but did not award the tenders.

When asked about the delay, IDA managing director Jacqueline Poh said, "We continue to explore the use of 2FA for e-government transactions, particularly for those involving sensitive data... In the meantime, we have put in place multiple levels of security such as captcha and sending letters to your residential addresses when SingPass passwords have been changed. These measures are already in our system.”

Dear IDA, I don't think you are addressing ST's question or our concerns. A CAPTCHA slows down automated guessing, and a letter posted within 4 working days tells a user about a password change only after it has happened; neither stops someone who already holds the password from logging in. That is the gap a second factor closes.


Top photo from IDA's website.
