
Some 1,500 SingPass accounts potentially accessed without authorisation

TauChiak

Alfrescian
Loyal

Updated: 06/04/2014 18:58 | By Channel NewsAsia

Some 1,500 SingPass accounts potentially accessed without authorisation




SINGAPORE: More than 1,500 SingPass users may have had their IDs and passwords accessed without their permission. The Infocomm Development Authority of Singapore (IDA) was notified on Monday (June 2) by the SingPass operator, Crimson Logic, that a number of users had received a SingPass password reset notification letter, even though they did not request a password change. SingPass is a single-factor authentication system for all government e-services in Singapore.

It was announced on Wednesday (June 4) that IDA's preliminary investigations show that 1,560 users' IDs and passwords were potentially accessed, of which 419 passwords were reset. Password reset notification letters were sent to the registered address of SingPass account holders.

"SYSTEM NOT COMPROMISED"

The IDA filed a police report on Tuesday, but the authority's checks so far show there is no evidence to suggest the SingPass system has been compromised and there are no known losses. Passwords of all affected users have been reset, and the IDA is in the process of notifying them. IDA also says it is looking at using the two-factor authentication (2FA) system for e-government transactions.

ADVICE FOR SINGPASS USERS

Said Ms Jacqueline Poh, the Managing Director for the Infocomm Development Authority of Singapore: "For every individual, the incident underlines the importance of taking personal responsibility for cyber security."

The Government strongly urges all SingPass users to take the necessary precautions to enhance their cyber security:

• Use strong passwords of more than eight characters with numerical figures or capital letters
• Install anti-virus software and update these regularly

OPERATOR'S RESPONSE

A statement by eGovernment solutions provider Crimson Logic reiterated that the SingPass system was not compromised. "We are working with IDA and the relevant authorities to investigate the matter. Our investigation has indicated that the SingPass system is not compromised nor breached. For users who notice suspicious activities regarding their SingPass, we strongly encourage them to reset their password immediately."

SingPass has 3.3 million users, and covers more than 340 e-services for 64 government agencies. These include services for the Central Provident Fund (CPF) Board, the Inland Revenue Authority of Singapore (IRAS) and the eCitizen online portal.

For Singapore citizens and Permanent Residents, the SingPass ID is commonly their identity card (NRIC) numbers. Employment Pass Holders are eligible for the SingPass as well. There were 57 million SingPass transactions in 2013.

- CNA/ly

 

TauChiak

Alfrescian
Loyal

Updated: 06/04/2014 22:39 | By Channel NewsAsia

IDA looking at two-factor authentication for SingPass system



SINGAPORE: The Infocomm Development Authority of Singapore (IDA) is looking at using two-factor authentication (2FA) for e-government transactions. This follows its announcement on Wednesday (June 4) that it has filed a police report, after it was notified that some 1,500 SingPass users may have had their IDs and passwords accessed without permission.

IDA was alerted to the unauthorised access on Monday (June 2). 11 SingPass users had told authorities they received letters informing them they had reset their passwords when they had not.

A further probe found 1,560 accounts possibly affected. A discrepancy was detected between the number of mobile numbers used for the immediate reset of one-time passwords and the number of SingPass accounts that they were tied to.

Users who change their password will be given a one-time password sent to their mobile phone numbers for verification. However, the 11 users who tipped off authorities did not receive such notifications, as the numbers logged in their SingPass accounts had been changed to other local numbers.

In total, 419 SingPass password reset notification letters had been sent out as well in relation to the incident. The passwords of all 1,560 potentially affected users have been reset, and IDA is in the process of notifying them.

Mr Chong Rong Hwa, a Staff Malware Researcher from FireEye, told Channel NewsAsia the SingPass details could have been stolen from users' computers. "Or, the hackers themselves may have gotten the (SingPass) user name which is your IC number. From there, they can actually easily guess the passwords. If the users have a very weak password, they can actually break into their accounts easily."

Another cyber security expert, Mr Anthony Lim, a member of the Application Security Advisory Council of the International Information Systems Security Certification Consortium (ISC²) said concerned SingPass users should change their passwords.

"When you change your password, any password or database of passwords that anyone has, immediately becomes obsolete. Secondly, when you change your password, and today we're encouraged to make it more complicated -- add question marks and full stops and capital letters or numerics. Then it gets harder for anyone to trace any pattern of a password. That's why we say never use your birthday, never use your identity card number, never use your dog's name, unless you change dogs."

- CNA/ly
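The discrepancy check the article describes (few mobile numbers receiving reset one-time passwords for many accounts, after the registered number had been changed) can be expressed as detection logic over account audit events. This is an added example, not part of the original post and not SingPass code; the event names, record layout, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (illustrative only): (timestamp, account, event, mobile)
EVENTS = [
    ("2014-05-28T09:00", "ACCT-001", "mobile_changed", "MOBILE-A"),
    ("2014-05-28T09:02", "ACCT-001", "password_reset_otp", "MOBILE-A"),
    ("2014-05-28T09:10", "ACCT-002", "mobile_changed", "MOBILE-A"),
    ("2014-05-28T09:11", "ACCT-002", "password_reset_otp", "MOBILE-A"),
    ("2014-05-28T09:30", "ACCT-003", "mobile_changed", "MOBILE-A"),
    ("2014-05-28T09:31", "ACCT-003", "password_reset_otp", "MOBILE-A"),
    ("2014-05-29T14:00", "ACCT-004", "password_reset_otp", "MOBILE-B"),  # ordinary reset
    ("2014-03-01T10:00", "ACCT-005", "mobile_changed", "MOBILE-C"),      # old change
    ("2014-05-30T08:00", "ACCT-005", "password_reset_otp", "MOBILE-C"),
]

def shared_reset_numbers(events, max_accounts=2):
    """Mobile numbers that received reset OTPs for more than max_accounts accounts."""
    accounts_by_number = defaultdict(set)
    for _ts, account, event, mobile in events:
        if event == "password_reset_otp":
            accounts_by_number[mobile].add(account)
    return {number: sorted(accounts)
            for number, accounts in accounts_by_number.items()
            if len(accounts) > max_accounts}

def resets_after_recent_change(events, window=timedelta(hours=24)):
    """Accounts whose reset OTP went to a number registered within `window` before it."""
    last_change = {}  # account -> (time of change, new mobile)
    flagged = []
    for ts, account, event, mobile in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if event == "mobile_changed":
            last_change[account] = (when, mobile)
        elif event == "password_reset_otp" and account in last_change:
            changed_at, new_mobile = last_change[account]
            if mobile == new_mobile and when - changed_at <= window:
                flagged.append(account)
    return flagged

if __name__ == "__main__":
    print("Numbers tied to many resets:", shared_reset_numbers(EVENTS))
    print("Resets right after a number change:", resets_after_recent_change(EVENTS))
```

The two signals are complementary: the first catches one number reused across accounts, the second catches a single account whose recovery channel was swapped shortly before the reset.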


 

TauChiak

Alfrescian
Loyal

Updated: 06/05/2014 22:37 | By Channel NewsAsia

IDA reviewing use of IC numbers as IDs for SingPass



SINGAPORE: The Infocomm Development Authority of Singapore (IDA) says it is "refining" the SingPass system, a day after it revealed that it has filed a police report over unauthorised access to up to 1,560 SingPass accounts.

A statement from the IDA on Thursday (June 5) said: "As part of this continued effort to improve the system, we are also exploring further measures such as allowing users to set their own usernames in the new system instead of their NRIC numbers and two factor authentication (2FA) for e-government transactions, particularly for those involving sensitive data."

All affected users have been sent notification letters as of 7pm on Thursday.

"We would like to assure all users that the SingPass system was not compromised and the vast majority of over 3 million SingPass users are not affected by this incident," the IDA statement said.

Separately, the operator of SingPass has confirmed that there is a safety net against brute force attempts at unauthorised access. Crimson Logic says after six failed attempts to log into SingPass, you will be locked out.

To regain access, you would need the following:

• Mobile phone authentication, including answering two security questions
• Go down in person to the CPF building

This implies that the unauthorised access may not have been a matter of people having weak passwords that could be easily guessed. Still, the Government and experts have advised users to set strong, complex passwords, to better protect their online accounts and personal data.

Said the IDA: "We encourage SingPass users to strengthen their passwords to ones that are alphanumeric with 8-24 characters, preferably with capital letters and symbols, to better protect their SingPass accounts." - CNA/ek

 