SingPass security to be raised after breach

SINGAPORE — Changes will be made to the SingPass system to beef up its security to the standards for online banking here, including possibly allowing users to set their user names, as well as adding an extra layer of verification with two-factor authentication (2FA), the Infocomm Development Authority of Singapore (IDA) said.

The measures, which come in the wake of a recent breach of 1,560 SingPass accounts, will be in place by the third quarter next year, the authority added in a statement late last night.

“We are currently in the process of refining the SingPass system and users can look forward to an enhanced version to be ready by Q3 of 2015,” said the IDA.

The use of 2FA to protect SingPass had been considered as early as 2012. The IDA put out a tender for it in August that year and in June last year, but no awards were made both times.

The use of a one-time password — a unique code sent to either a mobile number set by a user or to a security token each time he logs in — has been a standard security feature imposed on banks for Internet banking transactions since 2006.

Allowing users to set their own log-in names is also common for online banking systems. Currently, SingPass log-in names are NRIC numbers.

In its statement, the IDA added that it is exploring 2FA protection for e-government transactions, “particularly for those involving sensitive data”.

The recent security breach to SingPass, made public by the IDA on Wednesday, saw 1,560 accounts being cracked.

These users’ account profiles were illicitly updated to be tied to a disproportionately small pool of Singapore-registered mobile numbers. Among the affected users, 419 accounts had their passwords successfully reset without their permission.

How it happened is still being probed, although the IDA had stressed that there is no evidence at this point suggesting the SingPass system had been compromised.

In an update yesterday, it said the affected users would have received notification letters about their password being reset by 7pm yesterday.

The IDA also urged SingPass users to strengthen their passwords while the police investigate the case.

SingPass, which now has more than 3.3 million users, can be used to perform more than 340 online transactions with 64 government agencies. Examples include accessing Central Provident Fund and income tax accounts.