Two-factor authentication should be rolled out

News broke yesterday that the personal data of some 1,500 residents here may have been accessed illegitimately.

A mass security incident on such a scale must raise the question: Is it time to speed up the introduction of additional security checks for a national system that has more than 3.3 million registered users and supports 57 million e-government transactions?

Piecing together what might have happened from the account given by the Infocomm Development Authority (IDA) yesterday, it seems that whoever the perpetrators were, they could have used a brute-force attack to gain access. This means trying a range of easy passwords against random accounts; the other possibility raised is malware running on users' computers.

The security incident is still under investigation and it is too early to draw any conclusions.

But what seems clear is that a second layer of defence involving the use of a one-time password (OTP), known as two-factor authentication (2FA), would likely have been a far stronger defence against illegal access.

In a 2FA-protected system, a user cannot just enter a user-id and a password to gain access to his account. A one-time password is sent to his mobile phone or generated by a special token. This second password must be entered before he is granted access.

So even if the perpetrators were able to guess a user's weak password, they would not be able to access a 2FA-protected account unless they also received the second password on the user's mobile phone or generated it on the user's physical token.

In August 2012, the IDA actually put out a tender for a new SingPass system that would provide 2FA to protect access to e-government services.

But the tender attracted only one bid, which was from Assurity Trusted Solutions, a subsidiary of the IDA. There was no award for the tender for reasons that were not disclosed publicly.

In June last year, another 2FA tender was put out. This time, the IDA asked for an enhanced SingPass system that could support "any 2FA services that government agencies might choose to subscribe to in future".

No decision on this tender has been announced.

Given the latest incident, the public will want a decision to be made soon.

After all, SingPass is the mother of all passwords, and is the passport to all kinds of citizen records.

With SingPass access to someone's account, one will know how much he earns, where he stays, and even what car he drives.

To counter increasingly sophisticated hacking techniques, the Monetary Authority of Singapore has already required all financial institutions in Singapore to implement 2FA protection systems.

But it has gone one step further, requiring the security tokens for generating OTPs to be upgraded from a one-button device to a namecard-sized one with a numerical keypad. These keypad tokens are needed for creating unique OTPs that are tied to the transaction details, so that a hacker who intercepts one cannot easily reuse it for a different transaction.
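To make the two mechanisms described above concrete, here is an added illustration (not code from the article, the IDA or any bank): a server-side verifier for a plain event-based OTP of the kind a one-button token produces (HOTP, RFC 4226), and a transaction-bound OTP in which the code also covers the payee and amount keyed into the token. The account record, the salt, the "correct horse" password and the payee identifiers are all constructed for the example; the OTP secret is the RFC 4226 test-vector key, so the first three codes it produces can be checked against that document.

```python
import hashlib
import hmac
import struct

DIGITS = 6
LOOKAHEAD = 5  # accept a token that is a few presses ahead of the server's counter


def _truncate(mac: bytes, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at an offset given by the last
    nibble of the MAC, clear the sign bit, reduce modulo 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int) -> str:
    """Event-based OTP (HOTP): HMAC-SHA1 over the 8-byte big-endian counter.
    This is what a one-button token displays on each press."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


def transaction_otp(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """OTP bound to transaction details (a model of the keypad-token scheme):
    the MAC covers the counter *and* the payee/amount the user keys in, so the
    code is only accepted for exactly that transfer."""
    details = f"{payee}|{amount_cents}".encode()
    mac = hmac.new(secret, struct.pack(">Q", counter) + details, hashlib.sha1).digest()
    return _truncate(mac)


def make_account(password: str, secret: bytes) -> dict:
    # Constructed account record. A real system stores a random per-user salt;
    # the fixed salt here keeps the example deterministic.
    salt = b"constructed-salt"
    return {
        "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "salt": salt,
        "secret": secret,   # shared with the user's token at enrolment
        "counter": 0,       # next counter value the server expects
    }


def _password_ok(acct: dict, password: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
    return hmac.compare_digest(cand, acct["pw"])


def _consume_otp(acct: dict, otp: str, gen) -> bool:
    """Search the look-ahead window for a matching code. On success, move the
    counter past the match so the same code can never be accepted again."""
    start = acct["counter"]
    for c in range(start, start + LOOKAHEAD):
        if hmac.compare_digest(gen(c), otp):
            acct["counter"] = c + 1
            return True
    return False


def login(acct: dict, password: str, otp: str) -> bool:
    """Both factors must pass: a guessed password alone opens nothing."""
    if not _password_ok(acct, password):
        return False
    return _consume_otp(acct, otp, lambda c: hotp(acct["secret"], c))


def authorize_transfer(acct: dict, otp: str, payee: str, amount_cents: int) -> bool:
    """The submitted code must have been generated for this payee and amount;
    a code captured for another transfer, or altered details, will not verify."""
    return _consume_otp(
        acct, otp, lambda c: transaction_otp(acct["secret"], c, payee, amount_cents)
    )


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 4226 test-vector key
    acct = make_account("correct horse", secret)
    print("password only:", login(acct, "correct horse", "000000"))
    print("password + OTP:", login(acct, "correct horse", hotp(secret, 0)))
    print("replayed OTP:", login(acct, "correct horse", hotp(secret, 0)))
    code = transaction_otp(secret, acct["counter"], "ACC-123", 50000)
    print("tampered payee:", authorize_transfer(acct, code, "ACC-999", 50000))
    print("intended transfer:", authorize_transfer(acct, code, "ACC-123", 50000))
```

The two checks are deliberately sequential here for readability; a production verifier would also rate-limit OTP attempts and avoid revealing which factor failed. The single counter is shared by login and transaction codes, which mirrors a token that advances on every press regardless of mode.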

Sensitive citizen information should be protected in a similar fashion. Financial losses may be substantial if a high level of protection is not in place for online banking systems. But one can argue that it is equally damaging to lose one's personal data.

The need has become more urgent, especially considering the alarming rise in attacks against websites belonging to both governmental and private organisations.

Standard Chartered Bank and the Singapore Art Museum have had their confidential private databases accessed, and personal information of their customers stolen.

Of course, the flip side to all of this is that even with the strongest systems, careless users can still fall victim to hackers and data thieves.

Too often, people are blasé about password security, setting weak passwords that are too easy to guess. Others fail to do the required housekeeping and change their passwords regularly.

It is not clear what is causing the delay in 2FA roll-out.

Asked about this yesterday, Ms Jacqueline Poh, managing director of IDA, would only say: "We continue to explore the use of 2FA for e-government transactions, particularly for those involving sensitive data."

She added that there are "multiple levels of security" such as captcha and snail mail notification for the resetting of SingPass.

Whatever the solution may be, the IDA needs to take a closer and more urgent look at the issue.

itham@sph.com.sg

This story was first published in The Straits Times on June 5, 2014.