Channel NewsAsia

IDA looking at two-factor authentification for SingPass system

Infocomm Development Authority of Singapore looking at 2FA system for SingPass, after more than 400 passwords were apparently reset without authorisation.

SINGAPORE: The Infocomm Development Authority of Singapore (IDA) is looking at using two-factor authentication (2FA) for e-government transactions. This follows its announcement on Wednesday (June 4) that it has filed a police report, after it was notified that some 1,500 SingPass users may have had their IDs and passwords accessed without permission.

IDA was alerted to the unauthorised access on Monday (June 2). 11 SingPass users had told authorities they received letters informing them they had reset their passwords when they had not.

A further probe found 1,560 accounts possibly affected. A discrepancy was detected between the number of mobile numbers used for the immediate reset of one-time passwords and the number of SingPass accounts that they were tied to. 

Users who change their password will be given a one-time password sent to their mobile phone numbers for verification. However, the 11 users who tipped off authorities did not receive such notifications, as the numbers logged in their SingPass accounts had been changed to other local numbers.

In total, 419 SingPass password reset notification letters had been sent out as well in relation to the incident. The passwords of all 1,560 potentially affected users have been reset, and IDA is in the process of notifying them.

Mr Chong Rong Hwa, a Staff Malware Researcher from FireEye told Channel NewsAsia the SingPass details could have been stolen from users' computers. "Or, the hackers themselves may have gotten the (SingPass) user name which is your IC number. From there, they can actually easily guess the passwords. If the users have a very weak password, they can actually break into their accounts easily."

Another cyber security expert, Mr Anthony Lim, a member of the Application Security Advisory Council of the International Information Systems Security Certification Consortium (ISC²) said concerned SingPass users should change their passwords.

"When you change your password, any password or database of passwords that anyone has, immediately becomes obsolete. Secondly, when you change your password, and today we're encouraged to make it more complicated -- add question marks and full stops and capital letters or numerics. Then it gets harder for anyone to trace any pattern of a password. That's why we say never use your birthday, never use your identity card number, never use your dog's name, unless you change dogs." 

Tweet photos, videos and updates on this story to  @channelnewsasia