Tuesday, May 28, 2019

Is change to PDPA act tied to problem faced with SingPass ID?

This is just my speculation. If it is true, we do have a big problem about the way that decisions are made by people in charge.

Let me explain the issue.

SingPass uses the NRIC as the ID to login. This is a practical approach. There is nothing wrong with using NRIC as the ID.

Somebody must have taken another person's NRIC and tried to hack the password many times.

GovTech decides to block the SingPass account after six attempts, based on the reason - for security.

I suspect that there are many cases of this nature. I do not have any statistics about it. It is just a gut feel.

It must have caused a lot of work to their staff in helping the owners to unblock their blocked account.

This is where my speculation comes in.

To solve this problem, they asked the Privacy and Data Protection Agency (PDPA) to make NRIC a secret and not a publicly used ID.

In my view, and if my speculation is correct, this is the wrong way to solve the problem.

Making NRIC private will cause a lot of problem and cost to the businesses and the economy.

The NRIC should be a public ID. It is an advantage that a few countries have, over those that do not have a national ID. Why throw away this advantage?

What can GovTech do about the unauthorised persons using another person's NRIC to log into SingPass?

They can try to catch the culprit and charge them under the Misuse of Computers Act.

If the offenders know that they are breaking the law, they will not continue it. There are ways to catch the culprits. GovTech can find their IP address and locate them.

I know that it may not be easy. It is not easy to catch a person who has committed a crime either.

If GovTech does not block the SingPass account, they will not face the problem of helping the owners to unblock them.

Is there any risk if GovTech does not block the SingPass account?

No there is no risk. The hacker has failed to break the password after 6 attempts. Even if the hacker tries 1,000 times, he will probably still not get the right password.

Even if he gets the right password, he will not be able to access the account, because there is a 2FA layer that is quite strong.

Of course, GovTech does not want the hacker to try 1,000 times as it will create a lot of load on their website.  But this is a separate issue.

I am sure that they have experts to prevent this kind of abuse. GovTech should just block the access from that device, and find a way to catch the culprit as it is an offense under the Misuse of Computer Law.

I believe that GovTech already has this means to stop this abuse.

For example, it is possible for a mischievous actor to create a bot and just keep trying with random NRIC and password to try to login.

We do not hear of this problem, because GovTech must be able to stop it.

There is no need to block the SingPass account. There is no need to change the PDPA law to stop the use of NRIC as a public ID.

As I said earlier, this is just my speculation.

Tan Kin Lian
Tan Kin Lian

No comments:

Blog Archive