Ex-presidential candidate Tan Kin Lian is calling for better security measures on SingPass, after he was locked out of his account when someone tried to hack into it using personal details he published on Facebook.
It all started on Monday (May 27), when the former CEO of NTUC Income posted his NRIC, phone number, email and date of birth on his Facebook page, and challenged people to try and log in to his SingPass account.
SingPass is an online account management system that gives Singaporeans access to Singapore Government e-services.
“Why am I posting this? I find that the paranoia about the privacy of NRIC and contact details to be overblown,” Tan said.
“Whenever there is a data breach and the NRIC or contact details are stolen, it seemed to be a big issue. I do not think so,” he added.
Within a few hours, Tan said in a Facebook update that he had been locked out of his SingPass account after someone made six failed attempts to log in with the wrong password.
Someone else had also used a bot to register his email address in over 200 mailing lists, Tan said.
In a series of Facebook posts, Tan said that the Government Technology Agency (GovTech), which manages SingPass, should change its procedure of blocking users from logging in after multiple login failures. Referring to upcoming changes which prohibit the copying and collecting of NRICs, he also suggested that the NRIC number should remain a public form of identification instead.
“Is there any risk if GovTech does not block the SingPass account? No, there is no risk. The hacker has failed to break the password after 6 attempts. Even if the hacker tries 1,000 times, he will probably still not get the right password,” Tan wrote.
“Even if he gets the right password, he will not be able to access the account, because there is a 2FA layer that is quite strong,” he said.
He also suggested that instead of blocking access to a SingPass account, GovTech should block access from the device where the failed attempts have been made.
He said in the same post: “Making NRIC private will cause a lot of problem and cost to the businesses and the economy. The NRIC should be a public ID. It is an advantage that a few countries have, over those that do not have a national ID. Why throw away this advantage?”
Tan revealed that he changed his SingPass ID after the incident to prevent further login attempts. “I have to write down my new SingPass ID and password, in case I forget it. With countless passwords to manage, and being forced to change them at regular intervals, it is difficult to keep track,” Tan said.
While acknowledging that he had publicly revealed his details first, Tan said that it was equally simple for other people who have their NRIC as their SingPass ID to get locked out as well.
In the same post, he said: “It is easy for mischievous actors to get the NRIC of residents. They have to provide the NRIC on all types of services. It is a means of identifying a person.”
“It is better for GovTech to recognize that NRIC will be used for many purposes and cannot be kept secret or private,” Tan added.
In his latest update on Tuesday (May 28), Tan reiterated that the blocking of SingPass accounts after six failed login attempts was “wrong and unnecessary”.
He also said he would not be filing a police report, but would be willing to assist the relevant agencies if they decided to act “against abuse of computers”. “I do have some spare time, as I am semi retired,” he added.