Friday, 6 June 2014

IDA to review login system for SingPass

Regulator exploring use of two-factor authentication for e-govt transactions
By Irene Tham, The Straits Times, 6 Jun 2014

THE current SingPass system, in which people use their identity numbers as their usernames for logging into some 340 government e-services, is under review, after it was revealed that accounts could have been tampered with.

In a statement last night, the Infocomm Development Authority (IDA) said it would be "refining" the SingPass system by the third quarter of next year.

The regulator said it is also "exploring" the use of two-factor authentication (2FA) for e-government transactions, particularly for those involving sensitive data, but did not elaborate further.

"As part of this continued effort to improve the system, we are also exploring further measures such as allowing users to set their own usernames in the new system instead of their NRIC numbers," said the IDA.

Police are investigating how 1,560 SingPass accounts were potentially accessed without the users' permission. But the IDA noted on Wednesday that cyber attacks that try to guess passwords by "brute force" are common and possibly on the rise. Brute-force attacks crack passwords by systematically trying combinations of letters, numbers and symbols, or entries from lists of common passwords, until one works.

Faster hardware and better cracking software now allow far more password guesses per second, which makes gaining illegal access to systems quicker, experts said.

Mr Sui Jin Foong, Asean systems engineering director of United States-based network security specialist Juniper Networks, said brute-force attacks have become more powerful as algorithms have improved and lists of common passwords have expanded.

"With advanced computers, hackers can even make more than 40 million password guesses per second," he said.

Brute-force attacks are bound to succeed eventually, as they try every possibility; it is just a matter of time. How long they take depends on the password's length and character set and on how many guesses per second the attacker can make, which is where faster computers shorten the wait. Against a live login page, the system itself can also cap the number of guesses, which is why lockout rules matter.

And these attacks thrive on predictability. With the username of the SingPass account being predictably the holder's identity card (IC) number, hackers hardly face a hard task when trying to break into an account, said experts.

They said IC numbers are easy to figure out as they follow a pattern: S, followed by seven digits and a letter. They are also easy to get, say, from lucky draw forms.

Mr Aloysius Cheang, Asia-Pacific managing director of global computing security association Cloud Security Alliance, recommends that a system be set to lock down an account after three failed password attempts. "This is the industry standard," he said.

The SingPass system, however, allows up to seven failed attempts, after which one's SingPass will be revoked.
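The two lockout thresholds discussed above behave very differently depending on how the attacker orders his guesses. The simulation below is an added illustration, not SingPass or IDA code: it models a login service that locks an account after a given number of consecutive failures, then runs a naive per-account brute force and a "password spraying" attack (one common password tried across every account before moving to the next) against a constructed user base with predictable usernames of the NRIC-like shape the article describes (the real checksum letter is not modelled). The per-source failure limit is an assumed extra control, not something the article says SingPass had.

```python
"""Account lockout versus password spraying (added illustration, not SingPass code)."""
from collections import defaultdict

# Constructed sample accounts and passwords (fabricated, not real data).
USERS = {
    "S1234567A": "password",
    "S2345678B": "123456",
    "S3456789C": "Tr0ub4dor&3",
    "S4567890D": "qwerty",
    "S5678901E": "x9#Lm2!pQ7vR",
}

# A short "common passwords" list of the kind the article says attackers use.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "12345678",
                    "abc123", "letmein", "111111"]


class LoginService:
    def __init__(self, lockout_threshold, source_limit=None):
        self.threshold = lockout_threshold      # failures before the account is locked
        self.source_limit = source_limit        # failures before a source address is blocked (assumed control)
        self.failures = defaultdict(int)
        self.source_failures = defaultdict(int)
        self.locked = set()
        self.blocked_sources = set()

    def login(self, username, password, source="203.0.113.9"):
        if source in self.blocked_sources:
            return "throttled"
        if username in self.locked:
            return "locked"
        if USERS.get(username) == password:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        self.source_failures[source] += 1
        if self.failures[username] >= self.threshold:
            self.locked.add(username)
        if self.source_limit and self.source_failures[source] >= self.source_limit:
            self.blocked_sources.add(source)
        return "fail"


def brute_force_per_account(service, usernames, wordlist):
    """Naive attacker: exhaust the wordlist on one account before moving on.
    This is the pattern per-account lockout is designed to stop."""
    compromised, locked = set(), set()
    for user in usernames:
        for pw in wordlist:
            result = service.login(user, pw)
            if result == "ok":
                compromised.add(user)
                break
            if result in ("locked", "throttled"):
                break
        if user in service.locked:
            locked.add(user)
    return compromised, locked


def password_spray(service, usernames, wordlist):
    """Spraying attacker: one password across every account, then the next,
    stopping at threshold - 1 guesses per account so nothing ever locks.
    Per-account lockout alone never notices this."""
    budget = service.threshold - 1
    compromised = set()
    for pw in wordlist[:budget]:
        for user in usernames:
            if user not in compromised and service.login(user, pw) == "ok":
                compromised.add(user)
    return compromised, set(service.locked)


def compare(lockout_threshold, source_limit=None):
    """Run both strategies on fresh services; return (compromised, locked) counts."""
    users = list(USERS)
    bf = brute_force_per_account(LoginService(lockout_threshold, source_limit), users, COMMON_PASSWORDS)
    sp = password_spray(LoginService(lockout_threshold, source_limit), users, COMMON_PASSWORDS)
    return {"brute_force": (len(bf[0]), len(bf[1])),
            "spray": (len(sp[0]), len(sp[1]))}


if __name__ == "__main__":
    for threshold in (3, 7):
        print("lockout after", threshold, compare(threshold))
    print("lockout after 7 plus per-source limit 5", compare(7, source_limit=5))
```

With a threshold of 3 the sprayer gets two free guesses per account and compromises the two weakest accounts without locking anyone; with SingPass's 7 it gets six and also picks up the "qwerty" account. Only a control that counts failures across accounts (here, per source address) cuts the spray short, which is the caveat to "lock after three" as a complete answer.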

Another way to counter brute-force attacks is two-factor authentication, in which a one-time password (OTP) generated by a security token, or sent by SMS to the user's mobile phone, must be entered in addition to the regular password.

"The level of difficulty in hacking a system increases exponentially with 2FA," said Mr Cheang. "We are talking about at least four times more difficult."

Experts recommend making passwords more complex too.

The IT services centre at the Chinese University of Hong Kong recommends passwords of at least eight characters - with random letters, digits and punctuation - as longer, more complex passwords are harder to crack.

For instance, an eight-character password with lower-case letters and numbers takes about 10 months to crack, it said.

A five-character password with only lower-case letters takes less than two minutes to crack, while one with lower-case letters and numbers takes 10 minutes.

Mr Sharat Sinha, Asia-Pacific vice-president of US-based network security firm Palo Alto Networks, advised users to combine several words or sets of information for their passwords. "The key thing is to avoid predictable words or numbers or personal information like birth dates or names," he said.


Three SingPass accounts in security breach used to apply for work passes
By Irene Tham, The Straits Times, 5 Jul 2014

THREE of the 1,560 SingPass accounts that were last month discovered to have been breached were fraudulently used to make work pass applications.

The Ministry of Manpower (MOM) and the Infocomm Development Authority (IDA) confirmed this in a statement last night and said all six work passes have been cancelled.

MOM said it has since put in place "additional measures to strengthen and further safeguard its work pass transactions", but did not elaborate further. It also said the matter has been referred to the police.

It is not known who applied for the work passes and when the applications were made.

The Straits Times understands that the six foreign workers could have entered Singapore.

SingPass secures residents' access to 340 e-government services, including those for filing income tax returns and checking Central Provident Fund (CPF) account balances.

The security scare was first discovered when SingPass operator CrimsonLogic, a local e-government solutions provider, received calls from 11 users to say that their SingPass passwords had been reset - even though they had not requested it.

They were notified by official letters, which usually reach users within four days of a password reset.

Following an investigation, the IDA found an anomaly: a suspiciously large number of SingPass accounts had been linked to a much smaller pool of the same mobile phone numbers.

In all, 1,560 accounts were involved, and 419 users eventually had their passwords reset.

A cellphone number is tied to each SingPass account so that the password can be reset online.

A one-time PIN is sent to the pre-registered cellphone number for keying into the SingPass website to authenticate a password reset request online.

The one-time PIN is designed to make it harder for hackers to breach SingPass accounts, as they would need the account holder's cellphone as well as the ID and SingPass password to reset a password online. That protection is only as good as the number on file: an attacker who has already logged in and replaced the registered number with his own receives the PIN himself, which is what the clustering of many accounts on a few mobile numbers suggests may have happened.
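The anomaly IDA found (many accounts pointing at a few mobile numbers, described again in the 5 Jun report below) and the reset flow it exposed can both be expressed in a few dozen lines. The code below is an added illustration, not IDA's or CrimsonLogic's code: `detect_shared_mobiles` is the grouping check that surfaces the anomaly over constructed account records, and `ResetFlow` is a reset endpoint that sends the OTP to whatever number is on file, which is exactly why changing the number first defeats it. The cooling-off rule that refuses online reset shortly after a number change is an assumed safeguard, not something the article says SingPass had.

```python
"""Mobile-number anomaly detection and an OTP password-reset flow (added illustration)."""
from collections import defaultdict
from copy import deepcopy
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac
import os
import secrets


@dataclass
class Account:
    nric: str
    mobile: str
    mobile_changed_at: datetime
    pending_otp: Optional[str] = None
    password_hash: Optional[bytes] = None


# Constructed records (fabricated): two ordinary accounts plus six that were
# re-pointed at one number a day ago, the shape of the anomaly IDA described.
NOW = datetime(2014, 6, 2)
ACCOUNTS = [Account("S1000001A", "+6590000001", datetime(2011, 3, 1)),
            Account("S1000002B", "+6590000002", datetime(2012, 8, 9))] + [
    Account(f"S20000{i:02d}C", "+6591110001", NOW - timedelta(days=1))
    for i in range(6)]


def detect_shared_mobiles(accounts, max_accounts_per_mobile=2):
    """Group accounts by registered number and report numbers over the threshold.
    A household may legitimately share a number, so the threshold is a tuning knob."""
    by_mobile = defaultdict(list)
    for acct in accounts:
        by_mobile[acct.mobile].append(acct.nric)
    return {m: sorted(n) for m, n in by_mobile.items() if len(n) > max_accounts_per_mobile}


class ResetFlow:
    COOLING_OFF = timedelta(days=7)   # assumed policy window, not from the article

    def __init__(self, accounts, now):
        self.accounts = {a.nric: a for a in accounts}
        self.now = now
        self.sms_outbox = []           # simulated SMS gateway: (mobile, otp)

    def change_mobile(self, nric, new_mobile):
        """What a logged-in attacker does first; the timestamp is what the
        cooling-off rule keys on."""
        acct = self.accounts[nric]
        acct.mobile, acct.mobile_changed_at = new_mobile, self.now

    def request_reset(self, nric):
        acct = self.accounts[nric]
        if self.now - acct.mobile_changed_at < self.COOLING_OFF:
            return "refused"           # fall back to postal or counter reset
        acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
        self.sms_outbox.append((acct.mobile, acct.pending_otp))   # goes to the number on file
        return "otp_sent"

    def confirm_reset(self, nric, otp, new_password):
        acct = self.accounts[nric]
        if acct.pending_otp is None or not hmac.compare_digest(acct.pending_otp, otp):
            return False
        acct.pending_otp = None        # single use
        salt = os.urandom(16)
        acct.password_hash = salt + hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        return True


def scenario():
    """A legitimate reset succeeds; a reset right after a number change is refused."""
    flow = ResetFlow(deepcopy(ACCOUNTS), NOW)
    legit = flow.request_reset("S1000001A")
    mobile, otp = flow.sms_outbox[-1]
    legit_ok = flow.confirm_reset("S1000001A", otp, "correct horse battery staple")
    flow.change_mobile("S1000002B", "+6591110001")      # attacker re-points to his phone
    hijack = flow.request_reset("S1000002B")
    return {"legit": legit, "legit_mobile": mobile, "legit_ok": legit_ok,
            "hijack": hijack, "flagged": detect_shared_mobiles(flow.accounts.values())}


if __name__ == "__main__":
    print(scenario())
```

The detection query is cheap enough to run nightly over the whole account table; the reset-side rule closes the window in which a stolen password plus a number change turns into a permanent takeover.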

While investigations into how the other SingPass accounts were breached are still ongoing, the IDA said it will "refine" the SingPass system by the third quarter of next year.

The IDA will implement two-factor authentication for e-government transactions, particularly for those involving sensitive data, and let users set their own usernames instead of using their NRIC numbers.

Meanwhile, IDA is urging SingPass users to strengthen their passwords to alphanumeric ones with at least eight characters and include capital letters and symbols.


1,560 SingPass accounts possibly tampered with
Some had passwords reset; no evidence system was compromised: IDA
By Kenny Chee, The Straits Times, 5 Jun 2014

About a quarter of them even had their confidential passwords reset, with some realising this only when they received letters in the mail informing them of the change.

The passwords of all affected users have since been reset and there have been no reported losses, including monetary ones, so far, the Infocomm Development Authority (IDA) said yesterday.

"From our checks, there is no evidence that the SingPass system has been compromised," said IDA's managing director Jacqueline Poh, revealing the extent of the incident at a press conference.

SingPass, short for Singapore Personal Access, was launched in 2003 as a single common password for users to access a variety of government services online.

Currently, 64 government agencies use SingPass for citizens and residents to access more than 340 "e-services". These include checking on information such as Central Provident Fund account balances and income tax records.

Last year, there were over 57 million SingPass transactions.

While there has been unauthorised access to SingPass accounts before, these were one-off cases.

IDA said it was first notified on Monday of the security scare by SingPass' operator CrimsonLogic, a local e-government solutions provider.

Eleven SingPass users told the company at the weekend they had received a SingPass letter informing them their passwords had been reset, even though they had not requested it.

Such letters automatically arrive within four days of a user resetting his or her password.

IDA immediately investigated the matter and found an anomaly.

A suspiciously large number of SingPass accounts had been linked to a much smaller pool of mobile phone numbers.

This was a sign that crooks may have somehow logged into SingPass accounts, changed the mobile numbers associated with them and then reset the accounts' passwords.

In all, 1,560 accounts were involved, and 419 users eventually had their account passwords reset. On discovering this, IDA lodged a police report on Tuesday morning.

Asked if it could have been an inside job, IDA said that police investigations are still ongoing. However, it noted that cyber attacks that try to guess user passwords by "brute force" are common and possibly on the rise.

"Users should ensure that they use strong passwords to access not only SingPass, but all the other e-services they subscribe to," said IDA's Ms Poh, adding that users should also install anti-virus software and update software regularly. She said strong passwords contain a combination of numerical figures and capital letters, and are at least eight characters long.

The IDA added that it will continue to strengthen all government e-services as part of ongoing efforts to improve security.

IT security experts said the information from a SingPass account is valuable to cybercrooks.

Said Trend Micro country manager for Singapore David Siah: "A SingPass account is a gold mine. It doesn't really transact like a bank account, but it gives you access to a lot of platforms. CPF data access would be one that is worrying, and other platforms that hold financial information."


Wide access to government services

SingPass provides access to e-Government services and transactions in more than 70 ministries and statutory boards, including:
- Central Provident Fund (CPF) for employers to make contributions to employees and for citizens to view their CPF records.
- Inland Revenue Authority of Singapore to file income tax returns or pay income and property taxes.
- Immigration and Checkpoints Authority for passport services.
- Housing Board for loan or flat subletting application, payment of parking fines, and to buy and sell Housing Board flats.
- Manpower Ministry to apply for a work permit to hire foreign domestic workers here or payment of foreign worker levy.
- Land Transport Authority to pay road tax and traffic fines.
- Defence Ministry for NSmen to check their medical records and apply for an exit permit.
- Urban Redevelopment Authority for season parking services.
- Singapore General Hospital to request medical reports for making insurance claims and to make medical appointments.
- Ministry of Education for payment of school fees.
- Registry of Marriages to file a notice of marriage.
- National Parks Board to book barbecue pits in parks.


Users, experts want more layers of protection
Some suggest adding two-factor authentication, used by banks here
By Hoe Pei Shan, The Straits Times, 5 Jun 2014

SINGPASS users and security experts want more levels of protection, following yesterday's news that more than 1,500 accounts could have been accessed illegally.

Many SingPass users said they were concerned at the scale of the tampering, given that the password system allows citizens access to some 340 e-government services, and thus, a trove of personal information.

Several have asked why the Infocomm Development Authority (IDA) did not incorporate secondary levels of authentication for services that require SingPass logins, to make it tougher for non-authorised access.

"We rely on technology heavily these days, and the ability to access government services is very vital, not less than that of access to our banking accounts," said transport planner Alan Neo, 29, who uses SingPass to manage his national service (NS) account.

"No system is impregnable, but bringing extra security measures like secondary authentication to the SingPass system would be welcomed."

Advertising executive Benjamin Yue, a 26-year-old who uses his SingPass primarily to manage his taxes, said users "entrust the Government to have safe levels of security to effectively monitor these sticky situations". "I would be very worried if someone else accessed my account... it's a breach of privacy," he said.

Security experts like Mr Ng Kai Koon, director of government affairs (Asia-Pacific and Japan) at Symantec Corp, suggested the IDA add a process called two-factor authentication (2FA) - a standard protection for e-banking here - to more SingPass platforms with confidential data.

These could include access to Central Provident Fund (CPF) and NS accounts, he said.

"2FA is a good solution in ensuring a more secure system," said Mr Ng. "Even if the Government had restrictions in resources and time, we need to step back and think about the critical systems that need to be protected."

In the meantime, all users should take steps to strengthen their SingPass passwords and adopt "good cyber hygiene" - keying in passwords only on secure devices and networks and logging out from accounts, he added.

"SingPass is a critical system for Singaporeans and is used for quite a number of daily transactions, so certainly this is a good wake-up call to the users as well to take better care of their accounts," said Mr Ng.

Legal counsel Gabriel Gn will be changing his password to one that is harder to crack, "just in case". "I am very worried my account might have been hacked, as the fact that SingPass is so useful is also what makes it so dangerous," said the 28-year-old, who uses SingPass to check on his CPF monies and NS account.

He added that generally, Singaporeans have not been very exposed to Internet fraud: "We have been quite blessed in that sense."


WHAT NEXT FOR USERS?

What should I do if I was one of the 419 who received notifications about passwords that were reset without authorisation?

IDA should have re-reset your password for you. Use your new IDA-issued password to log in, and change your password to one that is strong.


How do I know if I am one of the 1,560 account users who could have been affected?

If you were one of the 1,560, IDA would have reset your password. IDA is also notifying all who were potentially affected.


If I am an unaffected SingPass user, what should I do?

Change your password to a strong one incorporating numbers and letters, and a mix of upper and lower casing. Also ensure that you type in passwords only on secure devices and networks. Remember to always log out of accounts that require passwords.



Two-factor authentication should be rolled out
By Irene Tham, The Straits Times, 5 Jun 2014

NEWS broke yesterday that the personal data of some 1,500 residents here may have been accessed illegitimately.

A mass security incident on such a scale must raise the question: Is it time to speed up the introduction of additional security checks for a national system that has more than 3.3 million registered users and handled 57 million e-government transactions last year?

Piecing together what might have happened from the account given by the Infocomm Development Authority (IDA) yesterday, it seems that whoever the perpetrators were could have used a brute-force attack to gain access. This means trying a range of easy passwords against many accounts. Another possibility is malware on users' computers that captured their passwords.

The security incident is still under investigation and it is too early to make any conclusions yet.

But what seems clear is that a second layer of defence involving the use of a one-time password (OTP), known as two-factor authentication (2FA), would likely have been a far stronger defence against illegal access.

In a 2FA-protected system, a user cannot just enter a user-id and a password to gain access to his account. A one-time password is sent to his mobile phone or generated by a special token. This second password must be entered before he is granted access.

So even if the perpetrators were able to guess a user's weak password, they would not be able to access a 2FA-protected account unless they also received the second password on the user's mobile phone or generated it on the user's physical token.

In August 2012, the IDA actually put out a tender for a new SingPass system that would provide 2FA to protect access to e-government services.

But the tender attracted only one bid, which was from Assurity Trusted Solutions, a subsidiary of the IDA. There was no award for the tender for reasons that were not disclosed publicly.

In June last year, another 2FA tender was put out. This time, the IDA asked for an enhanced SingPass system that could support "any 2FA services that government agencies might choose to subscribe to in future".

No decision on this tender has been announced.

Given the latest incident, the public will want a decision to be made soon.

After all, SingPass is the mother of all passwords, and is the passport to all kinds of citizen records.

With SingPass access to someone's account, one will know how much he earns, where he stays, and even what car he drives.

To counter increasingly sophisticated hacking techniques, the Monetary Authority of Singapore has already required all financial institutions in Singapore to implement 2FA protection systems.

But it has gone one step further, requiring the security tokens for generating OTPs to be upgraded from a one-button device to a namecard-sized one with a numerical keypad. With these keypad tokens the user keys in details of the transaction, such as the payee account and amount, so the OTP is bound to that transaction: a code intercepted by a hacker cannot be reused to authorise a different transfer.
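The difference between the basic 2FA flow described above (a second password from a phone or token) and the keypad-token scheme is where the transaction details enter the calculation. The code below is an added illustration, not any bank's or SingPass's code: `hotp` is the event-based OTP construction of RFC 4226 that a one-button token produces, and `transaction_otp` is a constructed scheme in the spirit of the keypad tokens, in which the payee and amount are mixed into the MAC so the code commits to them. The secret is the RFC 4226 test-vector secret, the payee identifiers are made up, and the bank model is simplified to a counter with a small look-ahead.

```python
"""Plain event-based OTP versus transaction-bound OTP (added illustration)."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"     # RFC 4226 test-vector secret, not a real key


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation (RFC 4226): 31 bits taken at an offset given by the last nibble."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """What a one-button token shows: depends only on the shared secret and a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_otp(secret: bytes, counter: int, payee: str, amount_cents: int,
                    digits: int = 6) -> str:
    """Keypad-token style (constructed scheme): the MAC input also covers the
    transaction fields the user keyed in, so the code is tied to them."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount_cents}".encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return _truncate(mac, digits)


class Bank:
    """Server side: tracks the token counter; look-ahead tolerates skipped presses."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def _accept(self, otp, compute):
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(compute(c), otp):
                self.counter = c + 1        # a counter value is never accepted twice
                return True
        return False

    def transfer_plain(self, payee, amount_cents, otp):
        # Payee and amount play no part in the check: any valid code authorises anything.
        return self._accept(otp, lambda c: hotp(self.secret, c))

    def transfer_signed(self, payee, amount_cents, otp):
        return self._accept(otp, lambda c: transaction_otp(self.secret, c, payee, amount_cents))


def interception_demo():
    """Victim generates a code for a $50 transfer to ALICE; an attacker who
    captured it submits a transfer to MULE instead, under each scheme."""
    plain_bank, signed_bank = Bank(SECRET), Bank(SECRET)
    captured_plain = hotp(SECRET, 0)
    captured_signed = transaction_otp(SECRET, 0, "ALICE", 5000)
    return {
        "plain_redirected": plain_bank.transfer_plain("MULE", 5000, captured_plain),
        "signed_redirected": signed_bank.transfer_signed("MULE", 5000, captured_signed),
        "signed_intended": signed_bank.transfer_signed("ALICE", 5000, captured_signed),
        "signed_replayed": signed_bank.transfer_signed("ALICE", 5000, captured_signed),
    }


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SECRET, 0))
    print(interception_demo())
```

A plain OTP is a proof that the user holds the token, nothing more, so the bank cannot tell an intercepted code from a legitimate one; the transaction-bound code is also a statement about what is being authorised, and the counter bump stops the same code from being replayed for the intended transfer a second time.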

Sensitive citizen information should be protected in a similar fashion. Financial losses may be substantial if a high level of protection is not in place for online banking systems. But one can argue that it is equally damaging to lose one's personal data.

The need has become more urgent, especially considering the alarming increase in the wave of attacks against various websites belonging to both governmental and private organisations.

Standard Chartered Bank and the Singapore Art Museum have had their confidential private databases accessed, and personal information of their customers stolen.

Of course, the flip side to all of this is that even with the strongest systems, careless users can still fall victim to hackers and data thieves.

Too often, people are blase about password security, setting weak passwords that are too easy to guess at. Others fail to do the required housekeeping and change their passwords regularly.

It is not clear what is causing the delay in 2FA roll-out.

Asked about this yesterday, Ms Jacqueline Poh, managing director of IDA, would only say: "We continue to explore the use of 2FA for e-government transactions, particularly for those involving sensitive data."

She added that there are "multiple levels of security" such as CAPTCHA and snail mail notification for the resetting of SingPass.

Whatever the solution may be, the IDA needs to take a closer and more urgent look at the issue.
