Jun 12, 2014

    SingPass scare is a timely wake-up call

    THERE is nothing like a good scare to make people sit up and pay attention to the issues that they would normally brush aside and think: "This happens to other people, not to me."

    The eBay password hack last month and the scare over the possible compromise of SingPass IDs and passwords earlier this month have shown that when personal - and potentially valuable - information is at risk, security is taken far more seriously.

    Whether we like it or not, cybercrimes, like the traditional crimes of old, are here to stay.

    When faced with a cybercrime or potential cyberthreat, the first question is whether the organisation had done enough to prevent it from occurring. This is particularly true for organisations people put their trust in, such as financial institutions and government bodies.

    In the wake of the incident involving the SingPass system, media reports have focused on the need for multi-factor authentication.

    Password-related cybercrimes are among the most common, and responses to them typically centre on what cyber-security experts call "actionable intelligence".

    One example of such action is detecting an offending source that has been logging onto a password-secured website and requesting password changes for more than two accounts in quick succession. This rests on the assumption that a single source (a household, in this instance) would not normally need a password reset for more than two people at one time.

    Once such a source is detected, the affected organisation needs to "suspend" it and investigate whether the password reset requests are legitimate. Acting at this point limits the damage such attacks can do.
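    The heuristic described above, as an added example that is not part of the original article or of any organisation's systems: it scans constructed password-reset log lines, groups requests by source, and flags any source that asked for resets on more than two distinct accounts within a short window. The log format, the 10-minute window and the sample addresses are assumptions made for this illustration; a real deployment would feed the flagged sources into a suspend-and-investigate workflow rather than act on them automatically.

```python
"""Flag sources that request password resets for too many accounts at once.

Added example, not the page's own code. The heuristic is the one the article
describes: a single source should not need resets for more than two people in
quick succession. Log format, window length and addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source address, event, account.
SAMPLE_LOG = """\
2014-06-05T09:00:02Z 203.0.113.7 PASSWORD_RESET_REQUEST user=alice
2014-06-05T09:00:41Z 203.0.113.7 PASSWORD_RESET_REQUEST user=bob
2014-06-05T09:01:15Z 203.0.113.7 PASSWORD_RESET_REQUEST user=carol
2014-06-05T09:02:03Z 203.0.113.7 PASSWORD_RESET_REQUEST user=dave
2014-06-05T09:03:10Z 198.51.100.23 PASSWORD_RESET_REQUEST user=erin
2014-06-05T09:04:00Z 198.51.100.23 LOGIN_SUCCESS user=erin
2014-06-05T10:30:00Z 198.51.100.23 PASSWORD_RESET_REQUEST user=frank
2014-06-05T11:00:00Z 192.0.2.44 PASSWORD_RESET_REQUEST user=grace
2014-06-05T11:00:30Z 192.0.2.44 PASSWORD_RESET_REQUEST user=grace
2014-06-05T11:01:00Z 192.0.2.44 PASSWORD_RESET_REQUEST user=grace
"""

WINDOW = timedelta(minutes=10)  # assumed meaning of "quick succession"
MAX_DISTINCT_ACCOUNTS = 2       # the article's threshold: more than two accounts


def parse_line(line):
    """Split one assumed-format log line into (timestamp, source, event, account)."""
    ts, source, event, user_field = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, event,
            user_field.split("=", 1)[1])


def find_suspect_sources(log_text, window=WINDOW, max_accounts=MAX_DISTINCT_ACCOUNTS):
    """Return {source: sorted accounts} for every source that requested resets
    for more than `max_accounts` distinct accounts inside one `window`.

    Repeated resets for the same account are deliberately counted once: the
    article's signal is many *people* from one source, not many retries.
    """
    requests = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, source, event, user = parse_line(raw)
        if event == "PASSWORD_RESET_REQUEST":
            requests[source].append((ts, user))

    suspects = {}
    for source, reqs in requests.items():
        reqs.sort()
        worst = set()
        # Slide a window starting at each request; keep the largest account set.
        for i, (start_ts, _) in enumerate(reqs):
            in_window = {user for ts, user in reqs[i:] if ts - start_ts <= window}
            if len(in_window) > len(worst):
                worst = in_window
        if len(worst) > max_accounts:
            suspects[source] = sorted(worst)
    return suspects


if __name__ == "__main__":
    for source, accounts in find_suspect_sources(SAMPLE_LOG).items():
        print(f"suspend and investigate {source}: resets for {', '.join(accounts)}")
```

    In the constructed log only 203.0.113.7 trips the rule: 198.51.100.23 spreads its two requests across an hour and a half, and 192.0.2.44 keeps retrying a single account, which is a different signal and should be handled by a separate rule rather than lumped in here.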

    Even if the threat is unsuccessful or just imagined, it often helps to put security issues in stark focus.

    While the Infocomm Development Authority has confirmed that the SingPass system was not compromised, the incident has still led to questions about whether such sensitive information is sufficiently well protected.

    Perhaps we have sacrificed security for convenience in having such a simple password system for these accounts?

    In an era when cybercrimes are getting more intricate and complex, it is crucial that organisations enforce a more complex password system for their end users, and insist that account holders use a mix of uppercase and lowercase letters, along with numbers and special characters like "*" and "!".

    Strict enforcement of this can reduce the success rate of password-stealing cyber criminals. Recent studies have shown that it can take a hacker as few as 10 minutes to crack a six-letter, lowercase password.

    A mix of lowercase and uppercase letters, numbers and symbols increases this period to an average of 18 days.

    Even a nine-character password containing only lowercase letters would, on average, take four months to crack if intelligently devised. But with an appropriate mixture, the time required becomes decades and centuries, not just months.

    To add another layer of security, public-sector organisations could take a leaf from the book of our local banks and consider two-factor authentication.

    This includes a physical token that generates unique number codes upon every activation, or SMS alerts with unique number codes.

    This further removes the element of predictability, and makes it that much more difficult for cyber criminals to work out how the system's codes are produced.
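    The "unique number code upon every activation" mentioned above is, in standard tokens, usually produced by a counter-based one-time-password algorithm. As an added example that is not code from the original article or from any bank or agency, the block below implements HOTP as specified in RFC 4226 and a minimal server-side verifier; the choice of HOTP, HMAC-SHA1, six digits and a look-ahead of five counters are assumptions made here, and the secret is the published RFC test value, not a real credential.

```python
"""Counter-based one-time passwords (HOTP, RFC 4226) with server-side verification.

Added example, not the page's own code. It goes a little beyond the article's
one-sentence description by showing the actual code-generation step and why a
used code cannot be replayed. Algorithm choice and parameters are assumptions.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one enrolled token: shared secret plus the next
    counter value the server will accept. The counter only moves forward, so a
    code that has already been accepted is rejected if submitted again."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.counter = 0              # next expected counter value
        self.look_ahead = look_ahead  # tolerate a few presses that never reached the server

    def verify(self, submitted):
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            # constant-time comparison so timing does not leak digit matches
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # resynchronise and burn everything up to this code
                return True
        return False


# Test secret published in RFC 4226 Appendix D; never use a fixed secret in practice.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TokenVerifier(RFC_TEST_SECRET)
    first = hotp(RFC_TEST_SECRET, 0)
    print("token shows:", first)
    print("first use accepted:", verifier.verify(first))
    print("replay accepted:", verifier.verify(first))
```

    The verifier's look-ahead is what lets a user recover after pressing the token a few times without logging in, while the forward-only counter is what makes an intercepted code worthless once it has been used; an SMS-delivered code is typically handled the same way with a short expiry in place of the counter.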

    Cybercrimes will only become more sophisticated as technology develops. While technology makes the world more convenient, it also makes the world more dangerous.

    Therefore, it is everyone's responsibility, not only that of the organisations we entrust with our personal data, to ensure that our information is well protected. In the event of a breach, quick and effective remedies must be employed, and the lessons learnt.

    In the case of SingPass, the breach may have been contained this time, but the threat continues to be a real and present danger. If we do not learn from this situation, we may not be as lucky next time.


    The writer is cyber-risk services leader at Deloitte Asia Pacific. This is an excerpt of an article that first appeared in The Straits Times.