No vulnerabilities in SingPass system

[SINGAPORE] The government has concluded that there were no vulnerabilities in the SingPass system after investigating last month's breaches of some 1,560 accounts.

Speaking in Parliament yesterday, Communications and Information Minister Yaacob Ibrahim suggested that the perpetrator could have obtained the users' SingPass credentials through other ways.

He cited two possibilities. One was the "widespread" usage of simple passwords, the other could be the fact that malware was installed in the users' computers.

Dr Yaacob was responding to questions by three MPs - Zaqy Mohamad (Chua Chu Kang), Non-Constituency MP Yee Jenn Jong and Nominated MP Mary Liew - who wanted more information on the data breach and the steps taken to improve the security of SingPass accounts.

Last Friday, the Manpower Ministry (MOM) and the Infocomm Development Authority of Singapore (IDA) jointly announced that three of the 1,560 compromised SingPass accounts were used to apply for six work pass applications.

"We have not seen any attacks on the SingPass account in the past, but there have been one or two breaches, especially in the applications of work permits and (MOM) discovered it even before the latest breach and they cancelled it immediately," said Dr Yaacob.

He urged SingPass users to have stronger passwords and to update the anti-virus software in their computers so as to better protect their sensitive personal information.

Touching on the planned revamp of the existing SingPass system, which will be ready by the third quarter of 2015, Dr Yaacob said the new system will require users to set "even stronger" passwords and possibly to have them change their passwords more frequently, he said.

IDA is also looking at allowing users to define their own usernames instead of using their current identity card numbers.

"In addition, the new SingPass will come with more advanced analytics capability to identify anomalies in login transaction patterns so as to mitigate any potential security risks," said Dr Yaacob.

There are also plans to introduce a stronger authentication process using second-factor authentication (2FA) for government e-services involving sensitive data or transactions.

The relevant agencies are currently discussing this initiative, and will announce the implementation timeline later this year.

Dr Yaacob said that 2FA was not introduced earlier because the three million SingPass users have varying levels in terms of using the internet.

While it was important to have that balance between the ease of use and practicability, he noted that more Singaporeans today are in favour of using 2FA.

SingPass was introduced back in 2003 to give users access to some 340 e-government services, such as to check their Central Provident Fund (CPF) balances and to file their annual income tax returns.