Commentary

Inactive SingPass accounts a security risk?

About half of all 3.3 million account holders had not registered for SingPass' new two-factor authentication (2FA) feature when the July 4 sign-up deadline passed.

The Infocomm Development Authority (IDA), which administers SingPass, said last week that only 400,000 of these are regular SingPass users, and it is working on getting them on board with a deadline extension.

The remaining 1.3 million people who have yet to register are "irregular", meaning they have not used SingPass or used it only once in the past year for accessing e-government services. Hence, some people may never need to take action for 2FA, although they will still be allowed to sign up with the deadline extension.

The news comes as a relief, especially to the elderly who have a SingPass account but do not use it or know what to do with the 2FA feature.

But letting so many accounts exist with no 2FA protection presents a huge security risk. If they are not active, why not disable them?

When queried, IDA said: "To ensure that dormant accounts are not exposed to cyber threats, IDA deactivates accounts that have been inactive for three years or more."

IDA also said it uses a layered approach to mitigate risks, which involves the use of fraud analytics tools. They work by requesting more information to be entered when an inactive account is used from a new machine, or when wrong passwords are entered thrice in a row. Changes made to personal information such as address or password will trigger a notification letter to SingPass users' registered address.

Even so, three years is a long time for criminals to harvest inactive accounts for nefarious purposes.

Allowing a long period of inactivity runs contrary to recent efforts to tighten SingPass security and the huge drive to get everyone signed on to 2FA within a year of the new feature's launch.

Inactive accounts are the bane of the business world as no one would know any better if these accounts had been hijacked.

Mr Paran Chandrasekaran, CEO of Britain-based cyber security specialist Scentrics, said that inactive accounts have more "credibility" than fake ones.

They are good entry points to a wealth of information. SingPass accounts can be fraudulently used to apply for work permits or register a business for nefarious purposes.

The June 2014 discovery of 1,560 breached SingPass accounts - of which three were fraudulently used to make applications for work passes - is a good reminder.

"One of the greatest things about SingPass is also one of its greatest weaknesses; it serves as a log-in point for almost all e-government portals in Singapore," said Mr Dick Bussiere, Tenable Network Security technical director in Asia-Pacific.

Without 2FA, identity thefts become easier as SingPass operates like other simple password schemes: people enter a password with their NRIC number to access over 200 e-government services, including income statements.

Some users adopt passwords that are easy to remember, like birth dates, which hackers can easily uncover. Using one's NRIC number as a username is also insecure, as the string of seven digits is predictable. The numbers, some of which are already in databases, can be harvested.

With 2FA, however, it is harder to break into accounts by brute force, as the feature requires two levels of authentication. One is the user's usual SingPass password. The second is a one-time password generated at random by a device called a token, or sent to the account holder's mobile via SMS with every log-in attempt.

Security experts believe that inactive accounts should be disabled quickly to minimise cyber risks. Google, for instance, deactivates accounts that are inactive after nine months, and some banks disable accounts after two years of inactivity.

Mr Steve McWhirter, Check Point Software Technologies vice-president of Asia Pacific, Middle East and Africa, suggested that the Singapore Government could deactivate accounts that have been inactive for a year.

Yet, experts are also mindful that governments have to work differently from commercial organisations. Indeed, those studying overseas or who have just entered the workforce after two years of national service may not have touched their SingPass accounts in at least two years.

Deactivation will bring about inconvenience when citizens need to access e-government services urgently.

Moreover, IDA allows only one month of access to e-government services without 2FA should an inactive account suddenly "wake" up. This one-month period ensures no disruption to e-government transactions while the individual enrols for 2FA.

It is hard to ascertain the level of risks that inactive SingPass accounts are subject to without detailed information on mitigation measures.

Inactive accounts are arguably the weakest links in the recent move to 2FA.

A version of this article appeared in the print edition of The Straits Times on July 13, 2016, with the headline 'Inactive SingPass accounts a security risk?'.