TraceTogether check-in at venues is better, (cyber) safer

The new system is more effective for contact tracing and provides better cyber hygiene. ST PHOTO: LIM YAOHUI

SINGAPORE - By the end of the year, Singapore will be switching to a new Covid-19 management tool: TraceTogether-only SafeEntry.

This system is more effective for contact tracing and provides better cyber hygiene, making the switchover a no-brainer.

TraceTogether-only SafeEntry combines what are now two separate systems: TraceTogether, to identify those in close contact with Covid-19 patients; and SafeEntry - which digitally checks in visitors at most venues - to determine which premises have been visited by those infected with the coronavirus.

Once the integrated TraceTogether-only SafeEntry system is fully rolled out, no one will be able to use their phone cameras or the SingPass mobile app to scan the SafeEntry QR code to enter cinemas, restaurants, workplaces, schools and shopping malls. And venue operators will not scan barcodes on NRICs to allow people entry.

With these check-in methods discontinued, people will have to either scan the SafeEntry QR code with their TraceTogether app or present their TraceTogether token, which sports a unique QR code, for scanning by venue operators.

Since SafeEntry is already mandatory at most venues, combining the two technologies is a convenient way to also compel people to use TraceTogether, which is voluntary at present.

Why is this move necessary?

It is to get at least 75 per cent of the population to participate in digital contact tracing. This is the minimum adoption rate required for TraceTogether to perform the way it was designed to.

The TraceTogether smartphone app and wearable token work by exchanging Bluetooth signals with one another to identify who has been within 2m of a Covid-19 patient for longer than 30 minutes.

This information makes for speedy contact tracing to curb the spread of Covid-19. Without it, Singapore would not be able to host more travellers, business activities and social gatherings under phase three of its reopening.

QR code scams

Cyber hygiene is where it gets really interesting: QR code scanning with a phone camera makes one vulnerable to scamming.

The authorities have not warned the public against using their smartphone camera to scan the SafeEntry QR code. But scanning the SafeEntry QR code using the phone camera is unsafe.

A hacker intent on harvesting a database of NRIC and phone numbers can easily replace the SafeEntry QR code with a rogue code that points users to a fake online form. This is not something a smartphone camera can detect or prevent.

It is easy to replace QR codes since they are publicly displayed.

QR code scams have become a concern of late, as people are becoming more dependent on digital tools. The entire nation became used to the idea of scanning a QR code after SafeEntry use was mandated at most venues in May.

Now, people are scanning a QR code to pay for their bubble tea or download location maps, discount coupons, product information and restaurant menus. But most users are not conscious of the dangers associated with QR codes. This is practically a gift to cybercrooks.

For instance, QR codes can be encoded with malicious links to reroute users to fake websites, where they are asked for sensitive information such as banking credentials.

Malicious links may also bring users to malware-infested websites where snooping programs can be unknowingly downloaded.

Recognising this problem, the Cyber Security Agency (CSA) of Singapore has warned the public about the perils associated with scanning QR codes.

"It is easy for an attacker to print and superimpose his own malicious QR codes on top of the legitimate QR codes," CSA posted on its website. "You might become the victim of a phishing operation if you input your login credentials after scanning a QR code."

Entering venues using the SingPass app helps to get around the QR code safety issue, but the app is bloated and slow. Plus, the SingPass app does not have the Bluetooth capabilities of TraceTogether.

Enter TraceTogether-only SafeEntry.

The TraceTogether app is able to validate the QR code it scans. When it comes across an unsanctioned QR code, the app will alert users with: "This doesn't seem like a SafeEntry QR code."
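
The sketch below is an added example of the kind of check a scanning app can make before acting on a QR code. It is not the TraceTogether app's own code, and the article does not describe how that app validates. The host name, path prefix and function names are placeholders assumed for illustration.

```python
from urllib.parse import urlsplit

# Placeholder values (assumptions): the article does not publish the real host or path.
ALLOWED_HOSTS = {"checkin.safeentry.example"}
ALLOWED_PATH_PREFIX = "/venue/"
ALERT = "This doesn't seem like a SafeEntry QR code."  # wording quoted in the article


def check_qr_payload(payload: str) -> tuple[bool, str]:
    """Return (accepted, reason) for the text decoded from a scanned QR code."""
    text = payload.strip()
    # Whitespace, control characters and backslashes are read differently by
    # different URL parsers, so refuse them instead of guessing.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in text) or "\\" in text:
        return False, "unexpected characters"
    try:
        parts = urlsplit(text)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "not a parseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "URL carries userinfo"
    host = parts.hostname or ""
    if not host.isascii():
        return False, "non-ASCII hostname"
    if host not in ALLOWED_HOSTS:  # exact match, never a substring or suffix test
        return False, "host not on allowlist"
    if port not in (None, 443):
        return False, "unexpected port"
    if not parts.path.startswith(ALLOWED_PATH_PREFIX):
        return False, "unexpected path"
    return True, "ok"


def on_scan(payload: str) -> str:
    """What the user sees: proceed to check-in, or the alert."""
    accepted, _reason = check_qr_payload(payload)
    return "check-in" if accepted else ALERT
```

A plain phone camera performs none of these checks and simply opens whatever link the code contains, which is the gap the article describes.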

Token users, however, need not scan anything. The token sports a unique QR code for scanning by venue operators.

As at Nov 1, about 570,000 tokens had been given out and 2.7 million TraceTogether app downloads registered.

The authorities plan to produce 2.7 million tokens or more, if demand goes up.

It is in everyone's interest to switch over to the new TraceTogether-only SafeEntry system and to do so quickly.

Not only will its use curtail huge opportunity costs from delayed travel and business activity resumption - or worse still, another circuit breaker - the new system will also plug existing cyber hygiene gaps that could lead to massive data leaks.