Several netizens have slammed Singapore Power (SP) Group for its poor web security, in the wake of the massive Singhealth data hack that affected 1.6 million patients whose names, NRIC numbers, addresses and medical records were stolen.
SP Group is a government-linked utilities company that runs the country’s power and gas supply. The corporation is wholly owned by Singapore sovereign wealth fund, Temasek, which in turn is wholly owned by the Singapore government.
As the aftermath of the Singhealth data breach continues to reverberate in Singapore, some locals have flagged an SP Group webpage for employing lazy captcha web security that hackers can easily surpass.
The webpage that netizens flagged is a page that SP Services account holders have to fill out if they forget the password to their account. The page requires account holders to provide their SP Services account number, postal code and their NRIC, Work Pass, or FIN number.
The page then requires visitors to enter a captcha password but the captcha password only comprises of numbers and is very easily readable.
A captcha (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”) is a type of challenge–response test used in computing to determine whether or not the user is human. While a typical captcha takes users an average of 10 seconds to solve, the captcha employed by SP Group is far less sophisticated and can be input after a glance.
Criticising the dated security measure, some netizens felt that such “awful” measures “provide NO security whatsoever,” while others asserted that the measure is a lazy stab at web security.
Expressing that the current captcha would possibly only prevent spambots and would not deter dedicated hackers, Singaporeans asked why SP Group did not employ superior captcha software to better protect account holders especially since such software is readily available:
[Click on images to enlarge]