No vulnerability in SingPass system: Yaacob

SINGAPORE — The SingPass breaches discovered last month were not due to system vulnerability, although the Government is going ahead with steps to tighten security, including possibly mandating that passwords for accounts be changed more frequently.

Speaking in Parliament yesterday, Minister for Communications and Information Yaacob Ibrahim also urged users to do their part in protecting themselves from such incidents; for example, by using stronger passwords and ensuring the anti-virus software on their computers is always updated.

“Investigations revealed there were no vulnerabilities uncovered within the system, but having said that ... the system can be strengthened,” Dr Yaacob said in response to a question from Chua Chu Kang GRC Member of Parliament (MP) Zaqy Mohamad on how confidence could be restored in the SingPass system.

The perpetrators could have obtained the account information by guesswork because of the “widespread usage of simple passwords” or through malware installed on their computers. Malware, short for malicious software, enables cybercriminals to steal information such as passwords or bank details from users’ computers by logging keystrokes.

About a month ago, the Infocomm Development Authority of Singapore (IDA) announced that 1,560 SingPass accounts had been compromised. Their account profiles were illicitly updated to be tied to a disproportionately small pool of mobile numbers that had been registered in Singapore.

Last week, the Ministry of Manpower (MOM) and the IDA revealed that three of the compromised accounts had been fraudulently used to apply for six work passes.

Dr Yaacob yesterday revealed that this was not the first time SingPass accounts have been breached. “We have not seen any attacks on SingPass accounts in the past but there have been one or two breaches, especially in the applications of work permits, and the MOM discovered them even before the latest breach and cancelled them immediately,” he said.

To strengthen security, government agencies will be required to implement two-factor authentication for online services involving sensitive data or transactions, Dr Yaacob said, adding that more details on its implementation will be available later this year.

He also said users would be allowed to choose their own usernames instead of the default NRIC or FIN numbers currently. “We are also exploring mandating more frequent password changes for SingPass accounts. This may mean a slight increase in the number of cases where users cannot immediately use some e-services because they forgot their password. We seek the public’s understanding and patience in this,” he said.

When asked by Workers’ Party non-constituency MP Yee Jenn Jong if the implementation of the two-factor authentication would lead to costs that might be borne by users, Dr Yaacob replied that this would not be the case.