SingPass breach not due to system flaw: MCI Minister

Officials have concluded that the SingPass breaches discovered last month were not due to any system vulnerability. -- PHOTO: ST FILE
Officials have concluded that the SingPass breaches discovered last month were not due to any system vulnerability. -- PHOTO: ST FILE

Officials have concluded that the SingPass breaches discovered last month were not due to any system vulnerability.

"No vulnerability was uncovered," said Minister for Communications and Information Yaacob Ibrahim in Parliament on Monday. This conclusion was made after the different layers of protection at the network and application layers were scanned.

"The perpetrator may have obtained the users' SingPass credentials through other means," said Dr Yaacob.

He was responding to questions from Mr Zaqy Mohamad, a People's Action Party MP in Chua Chu Kang GRC, on the outcome of the investigation. Non-Constituency MP Yee Jenn Jong of the Workers' Party also asked if efforts were made to determine if the security breach is larger than the 1,560 accounts reported.

The Police are still investigating how the majority of the accounts were breached. But last Friday, the Ministry of Manpower (MOM) and the Infocomm Development Authority (IDA) said that three tampered accounts were fraudulently used to make six work pass applications.

The work passes have since been cancelled, although it is not known who applied for the work passes and when the applications were made.

The IDA had said that cyber attacks that try to guess passwords by "brute force" could be one way of gaining access. Brute-force attacks crack passwords by systematically trying every possible combination of letters, numbers and symbols until it works.

Dr Yaacob noted that the widespread use of simple passwords make it easy for hackers to crack passwords.

To questions on how security can be improved, he said that IDA is exploring mandating more frequent password changes for SingPass accounts. A new SingPass system to be launched by the third quarter of next year (2015) will see to this. Users may also be allowed to set their own usernames instead of using their NRIC numbers.

Government agencies will also soon require two-factor authentication for e-government transactions involving sensitive data, pending an announcement later in the year. This involves entering a one-time password, sent as a text message to one's mobile phone, to access e-government services.

SingPass secures residents' access to 340 e-government services, including those for filing income tax returns and checking Central Provident Fund (CPF) account balances.

The security scare was first discovered when SingPass operator CrimsonLogic, a local e-government solutions provider, received calls from 11 users to say that their SingPass passwords had been reset - even though they had not requested it.

They were notified by official letters, which usually reach users within four days of them resetting their passwords.

Following an investigation, the IDA found an anomaly: a suspiciously large number of SingPass accounts had been linked to a much smaller pool of the same mobile phone numbers.

A cellphone number is tied to each SingPass account so that the password can be reset online.

A one-time PIN is sent to the pre-registered cellphone number for keying into the SingPass website to authenticate a password reset request online.

The one-time PIN is designed to make it harder for hackers to breach SingPass accounts, as they would need to have the account holder's cellphone, ID and SingPass to reset any password.