A total of 1,560 SingPass accounts were tampered with and 419 users said their passwords were changed against their will, leaving many Singaporeans baffled by the lack of security.
In response, the Infocomm Development Authority of Singapore (IDA) said it will continue to explore — not implement, mind you — the use of two-factor authentication (which requires the user to log in with an additional password flashed on a physical token).
IDA has been exploring this option since 2011. No one knows for certain why it is still twiddling its thumbs after four years.
It even put up two tenders for a better SingPass system in 2012 and 2013. But the tender was never awarded.
Tech commentator Alfred Siew (of techgoondu.com) also highlighted that IDA owns a subsidiary called Assurity, which has been pushing for the two-factor authentication security system since 2011.
Yet Assurity is left out of the picture with no explanation given.
Worse, users were not aware of the password change until four days later. This is alarming in a country that pays a lot of attention to cyber security.
Azhar Aziz from Vulcan Post said SingPass requires users to key in a security PIN sent to their mobile phones when they want to change their passwords. But none received the text message.
Siew also said that the hackers might have taken screenshots of the users’ details when the SingPass accounts were breached.
He noted on his website: “In a similar scenario, a non-government organisation would have been hauled up by the authorities for not better protecting user information, under the current data protection act?”
On the other hand, IDA said that users must enhance their own cyber security in the wake of the shocking security breach.
But how do they do this if SingPass only requires users to log in with their IC numbers and passwords?
“That makes it relatively easy for a hacker to guess the password and get access,” Siew said, adding that this holds no matter what passwords are used.
This is developing into a mess and IDA has a lot of answering to do.