A Singapore press holdings portal

Singapore

Irene Tham
Friday, Jun 6, 2014

Singapore

IDA to review login system for SingPass

The Straits Times | Irene Tham | Friday, Jun 6, 2014

SingPass provides access to e-Government services and transactions in more than 70 ministries and statutory boards.

THE current SingPass system, in which people use their identity numbers as their usernames for logging into some 340 government e-services, is under review, after it was revealed that accounts could have been tampered with.

In a statement last night, the Infocomm Development Authority (IDA) said it would be "refining" the SingPass system by the third quarter of next year.

The regulator said it is also "exploring" the use of two-factor authentication (2FA) for e-government transactions, particularly for those involving sensitive data, but did not elaborate further.

"As part of this continued effort to improve the system, we are also exploring further measures such as allowing users to set their own usernames in the new system instead of their NRIC numbers," said the IDA.

Police are investigating how 1,560 SingPass accounts were potentially accessed without the users' permission. But the IDA noted on Wednesday that cyber attacks that try to guess passwords by "brute force" are common and possibly on the rise. Brute-force attacks crack passwords by systematically trying every possible combination of letters, numbers and symbols until it works.

Better programming on faster and more powerful computers now allows more password guesses per second for gaining illegal access into systems, said experts.

Mr Sui Jin Foong, ASEAN systems engineering director of United States-based network security specialist Juniper Networks, said brute-force attacks have become more powerful as algorithms have improved and lists of common passwords have expanded.

"With advanced computers, hackers can even make more than 40 million password guesses per second," he said.

Brute-force attacks are bound to succeed as they try all possibilities - it is just a matter of time.

How long the attacks take depends on how easily a password can be guessed. The wait is not very long with faster computers. And these attacks thrive on predictability.

With the username of the SingPass account being predictably the holder's identity card (IC) number, hackers hardly face a hard task when trying to break into an account, said experts. They said IC numbers are easy to figure out as they follow a pattern: S, followed by seven digits and an alphabet letter. They are also easy to get, say, from lucky draw forms.

Mr Aloysius Cheang, Asia-Pacific managing director of global computing security association Cloud Security Alliance, recommends that a system be set to lock down an account after three failed password attempts. "This is the industry standard," he said.

The SingPass system, however, allows up to seven failed attempts, after which one's Sing- Pass will be revoked.

Another way to counter brute-force attacks is the use of two-factor authentication, where a one-time password (OTP) is delivered on security tokens or via SMS to mobile phones.

"The level of difficulty in hacking a system increases exponentially with 2FA," said Mr Cheang.

"We are talking about at least four times more difficult." Experts recommend making passwords more complex too.

The IT services centre at the Chinese University of Hong Kong recommends passwords of at least eight characters - with random letters, digits and punctuation - as longer, more complex passwords are harder to crack.

For instance, an eight-character password with lower-case letters and numbers takes about 10 months to crack, it said.

A five-character password with only lower-case letters takes less than two minutes to crack, while one with lower-case letters and numbers takes 10 minutes.

Mr Sharat Sinha, Asia-Pacific vice-president of US-based network security firm Palo Alto Networks, advised users to combine several words or sets of information for their passwords. "The key thing is to avoid predictable words or numbers or personal information like birth dates or names," he said.

itham@sph.com.sg



Get a copy of The Straits Times or go to straitstimes.com for more stories.

No comments yet.
Be the first to post comment.