31 May 2019
Smart Nation

Easy to bring down the SingPass system
It is easy for a malicious person to bring down the SingPass system.

He needs to engage a team of people working outside Singapore. They can get 10,000 NRICs (available from the SingHealth data breach, lucky draws, or many other sources). They may even generate the NRIC using the algorithm to get the right check character.

They go to the SingPass website, enter the NRIC and a password. It will be rejected as the password is wrong. They try six times and the SingPass account is blocked. They do it with 10,000 accounts.

Imagine the trouble that the SingPass helpdesk will face in helping these 10,000 owners to unblock their accounts.

The malicious actor can continue to block these accounts (after they are unblocked) or move on to other accounts.

Somebody suggested that the malicious actions can be done by a bot (automated script). It is easy to write the script.

What can GovTech do to prevent this malicious act?

a) Do not block the SingPass account after 6 failed attempts. Instead, notify the owner about the attempt but keep the account open.

b) Have a way to identify the IP addresses of the devices that are carrying out this operation. Notify the police so that they can try to trace these devices. At the same time, block these IP addresses from continuing their operations.
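To make the two proposals concrete, here is an added illustration in Python (not code from this post or from GovTech) of a login guard that never locks an account: failures are counted per source IP and per account, a source is blocked and flagged for investigation after repeated failures, and the account owner is notified instead of being locked out. The thresholds, the window length, and the sample NRIC and IP values are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
import time

WINDOW_SECONDS = 600      # assumed sliding window for counting failures
MAX_FAILS_PER_IP = 6      # assumed: block the source address after this many failures
NOTIFY_OWNER_AFTER = 6    # assumed: tell the owner at this count, but keep the account open


class LoginGuard:
    """Counts failed logins per source IP and per account. The account itself is never locked."""

    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable so behaviour can be tested deterministically
        self.ip_fails = defaultdict(deque)       # src_ip -> timestamps of recent failures
        self.account_fails = defaultdict(deque)  # nric -> timestamps of recent failures
        self.blocked_ips = set()                 # proposal (b): sources refused at the front door
        self.flagged_ips = []                    # proposal (b): sources handed on for investigation
        self.notified = []                       # proposal (a): (nric, src_ip) pairs sent to the owner

    def _recent(self, dq, now):
        """Drop timestamps outside the window and return how many failures remain."""
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()
        return len(dq)

    def attempt(self, nric, src_ip, password_ok):
        now = self.clock()
        if src_ip in self.blocked_ips:
            return "blocked_ip"                  # refused before the account is even consulted
        if password_ok:
            self.account_fails[nric].clear()     # a genuine login resets the counter; nothing was locked
            return "ok"
        self.ip_fails[src_ip].append(now)
        self.account_fails[nric].append(now)
        if self._recent(self.ip_fails[src_ip], now) >= MAX_FAILS_PER_IP:
            self.blocked_ips.add(src_ip)
            self.flagged_ips.append(src_ip)
        if self._recent(self.account_fails[nric], now) == NOTIFY_OWNER_AFTER:
            self.notified.append((nric, src_ip))  # owner is informed; the account stays usable
        return "rejected"


if __name__ == "__main__":
    guard = LoginGuard()
    for i in range(7):   # constructed: one source hammering several accounts with wrong passwords
        print(guard.attempt(f"NRIC_{i}", "203.0.113.5", password_ok=False))
    print(guard.attempt("NRIC_0", "198.51.100.7", password_ok=True))  # the real owner still gets in
```

The first loop prints six "rejected" results followed by "blocked_ip", and the final line prints "ok" because the targeted account was never locked.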

Tan Kin Lian

Vote - do you agree with my proposed method to deal with this malicious act?


