Enough to make you see red
Faces at Crimson Logic turned red when they first discovered that SingPass account holders had found password reset notification letters in the mail even though they had made no such requests. These are account holders whose personal data, such as contact information, employer details and remuneration records, was in the custody of Crimson Logic, the appointed operator of the SingPass single-factor authentication system for all government e-services in Singapore.
IDA investigated, and discovered that 1,560 user profiles were illegally accessed. At least 419 fell for the ruse, and their passwords were reset. Affected SingPass users had their account profiles modified and linked to a small pool of Singapore-registered mobile numbers - IDA refused to say how many. The mobile number can be used in a two-factor authentication procedure. When the victim changes his or her password, this number will serve to "verify" the request. This is obviously too technical for IDA: "We continue to explore the use of two-factor authentication for e-government transactions, particularly those involving sensitive data..." Nothing much has changed at IDA ever since the very first chief executive famously said that although she knows zilch about technology, she can always hire someone who does.
The Managing Director for IDA, Ms Jacqueline Poh, is treating the incident as "a shot across the bow" and advised all individuals to "examine themselves" and take personal responsibility for their own cyber security, to borrow the phraseology used by one Arthur Fong about foreign intrusion. IDA has filed a police report, and since they are insisting that the SingPass system has not been compromised or breached, IDA must be saying the stolen addresses and IDs were looted from virtual personal premises. And not filched from the highly secured and firewalled database of the Crimson Logic operator. Go figure.