Saturday, 7 June 2014

SingPass Security Breach

Singapore Says 1,560 Online Identification Accounts Breached

The Singapore government said its online identifications issued to residents to access services including personal income tax filings and pension savings statements may have been tampered with.

The investigations showed 1,560 SingPass accounts may have been breached with their passwords accessed without the users’ permission, the Infocomm Development Authority of Singapore said yesterday in an e-mailed statement. A total of 419 of the accounts triggered password reset notification letters to be sent to the account holders, it said.

The authority was notified by the SingPass operator three days ago, and a police report was filed on June 3, it said. The security breach may affect Singapore’s reputation as an Asian financial center. The city is the region’s largest wealth management center with about $800 billion in offshore assets, according to Boston Consulting Group.


OVER 1500 ACCOUNTS COMPROMISED?
Over 1,500 SingPass accounts potentially accessed without authorisation

SINGAPORE: Over 1,500 SingPass users may have had their IDs and passwords accessed without their permission. The Infocomm Development Authority of Singapore (IDA) was notified on Monday (June 2) by the SingPass operator that a number of users had received a SingPass password reset notification letter, even though they did not request for a password change.

IDA's preliminary investigations show that 1,560 users' IDs and passwords were potentially accessed, of which 419 passwords were reset. Password reset notification letters were sent to the registered address of SingPass account holders.

The IDA has filed a police report on Tuesday, but the authority's checks so far show there is no evidence to suggest the SingPass system has been compromised. Passwords of all affected users have been reset, and the IDA is in the process of notifying them.


1,560 SingPass user accounts breached

More than 1,500 SingPass accounts have been cracked, possibly exposing these users’ sensitive personal information, such as where they live and how much they earn.


Although no losses have been reported so far and there is no evidence at this point to suggest that SingPass’ system has been compromised, about one-quarter, or 419, of these users have had their passwords illegally reset, said the Infocomm Development Authority of Singapore (IDA) yesterday.

SingPass was set up for Singapore residents — aged 15 and above — in 2003 to perform more than 340 online transactions with government agencies. Examples of these transactions include accessing Central Provident Fund accounts, filing income taxes and checking medical records. There are now more than 3.3 million SingPass users.

related: SingPass security to be raised after breach

read more

4 questions we want to ask IDA about the SingPass Security breach

The Infocomm Development Authority (IDA) told the media yesterday that 1,560 SingPass accounts could have been accessed illegitimately.


SingPass is a password that was set up for every citizen in 2003 to access the 340-plus e-government services from 64 government agencies.

IDA said it was notified on June 2 by its contractor, CrimsonLogic, that a number of SingPass users had received a SingPass reset notification letter although they did not request for any password reset. A police report was lodged on June 3.

read more

Assume some Accountability, IDA!

More than 1,500 SingPass accounts could have been accessed illegitimately, potentially threatening the security of citizens’ data from how much they earn and where they live to their car number and children’s names.

In a hastily-called press conference late Wednesday evening, the Infocomm Development Authority said that there was “no evidence to suggest that the SingPass system has been compromised.”

To me this is just a poor attempt to play with words.


The SingPass Affair: What is happening, IDA?

A total of 1,560 SingPass accounts were tampered with and 419 users said their passwords were changed against their will, leaving many Singaporeans baffled by the lack of security.

In response, Infocomm Development Authority of Singapore said it will continue to explore — not implement, mind you — the use of two-factor authentication (which requires the user to log in with an additional password flashed on a physical token).


IDA has been exploring this option since 2011. No one knows for certain why it is still twiddling its thumbs after four years.

read more

IDA: 1,560 SingPass IDs & passwords illegally accessed

The Infocomm Development Authority of Singapore (IDA) has filed a police report on Tuesday (3 Jun) alleging that 1,560 SingPass users may have had their IDs and passwords accessed without their permission.

IDA was notified on Monday (2 Jun) by the SingPass operator, CrimsonLogic, that a number of users had received a SingPass password reset notification letter, although they had not requested for a password change.

IDA’s preliminary investigations show that 1,560 users’ IDs and passwords were potentially accessed, of which 419 passwords were reset. Password reset notification letters were sent to the registered address of SingPass account holders.

read more

A Breach Should Be Called A Breach

You know respect for the prime minister has hit an all time low when, despite blustering and making ugly faces in parliament to insist that a spade should be called a spade, the Infocomm Development Authority of Singapore (IDA) is ignoring him and refusing to own up to a breach in security.

Faces at Crimson Logic turned red when they first discovered that SingPass account holders found password reset notification letters in the mail even though they had made no such requests. Account holders whose personal data, such as contact information, employer details and remuneration records, were in the custody of Crimson Logic, the appointed operator of the SingPass single-factor authentication system for all government e-services in Singapore.

IDA investigated, and discovered 1,560 user profiles were illegally accessed. At least 419 fell for the ruse, and their passwords were reset. Affected SingPass users had their account profiles modified and linked to a small pool of Singapore-registered mobile numbers - IDA refused to tell how many. The mobile number can be used in a two-factor authentication procedure. When the victim changes his or her password, this number will serve to "verify" the request.

read more

SINGPASS BREACHED DESPITE IDA'S $1.2BILLION SPENDING ON ICT, APPOINTMENT OF NEW FT CEO


Yesterday, IDA explained that over 1,500 SingPass accounts had been compromised and citizens’ private personal data may have been accessed without authorization.

In a statement, IDA pointed the blame at SingPass users saying that the security breach was due to users selecting easy-to-guess passwords such as birthdays and names.

While over 1,500 accounts were accessed illegitimately, authorities insisted that the whole system has not been compromised.

related: IDA: Over 1500 SingPass Accounts Have Been Accessed Illegitimately

read more

1,500 SingPass accounts compromised

I have waited for a very long to see this day and I am not being perverse. This is just the way things are with cyber security.

Very often it is not the hackers and thieves that are brilliant but users do incredibly dumb things. I recall I could often break into my friends university computer accounts.

Those were the early days and people do even dumber things then. Some would even share their passwords with you!

read more

Singpass Security Breach

– Vulcan Post: Something’s Just Phishy About the SingPass Account Breach
– Techgoondu: SingPass security issues highlight need for two-factor authentication
– The Independent, SG: The SingPass Affair: What is happening, IDA?
– Small steps for Social PR: Onus Is Still On IDA To Keep Our SingPass Safe
– DKSG: 1560 SingPass accounts hacked
– Chemical Generation Singapore: Our Not So Safe Singpass
– Loh and Behold: Assume some Accountability, IDA!
– Spore Hall of Shame: After Singpass got hacked, IDA put blame squarely on users
– Mothership: 4 questions we want to ask IDA about the SingPass Security breach

read more