Monday, May 27, 2019

Stupid to block the SingPass account after six failed attempts

I want to share the latest information about my NRIC.

One mischievous person took my NRIC and tried to log into my SingPass. He tried six times but could not get through.

What happened?

GovTech, which is the agency responsible for SingPass, blocked my SingPass account and asked me to change my password.

I sent an email to GovTech to tell them that after I change my password, this mischievous person can try to log into my account again and make another six failed attempts to block my account.

It happened to me because I publicized my NRIC.

But this can also happen to anybody who uses the NRIC to apply for a lucky draw, or to visit a public building.

All it needs is for someone to have the NRIC No and make six attempts to get the SingPass account blocked.

There goes our Smart Nation. It is run by people who are not so smart.

I told GovTech - do not block my SingPass account if somebody tries it six times. Let him try 100 times or maybe 1,000 times. Why not just block his attempt using the same device?

If he manages to get the correct password, he still needs to go through my 2FA, which is now converted into my thumbprint. This is already secure.

If GovTech is really smart, they will set up a sting operation to find out who is the person who is using another person's NRIC to enter a computer system. It is a crime to impersonate another person under the law.

Anyway, I told GovTech to review their process. The current procedure of blocking the account after six failed attempts is clearly, may I say, "stupid".

GovTech justify their action with this common excuse - for security. I do not see how they can make SingPass secure by locking out people unnecessarily.

Tan Kin Lian
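
Added example, not part of the original post and not GovTech's code: a small simulation comparing the per-account lockout the post describes with the per-device blocking it proposes. The six-attempt threshold comes from the post; the device labels, the account placeholder and the assumption that the service can reliably tell devices apart are constructed for illustration.

```python
from collections import defaultdict

THRESHOLD = 6  # failed attempts before blocking, the figure given in the post


class FailureLimiter:
    """Counts failed logins under a key chosen by the policy."""

    def __init__(self, key_fn):
        self.key_fn = key_fn              # maps (account, device) -> counter key
        self.failures = defaultdict(int)

    def attempt(self, account, device, password_ok):
        key = self.key_fn(account, device)
        if self.failures[key] >= THRESHOLD:
            return "locked"               # key is blocked until reset
        if password_ok:
            self.failures[key] = 0        # success clears the counter
            return "ok"
        self.failures[key] += 1
        return "denied"


def per_account():
    # Policy described in the post: failures counted per account, from any device.
    return FailureLimiter(lambda account, device: account)


def per_device():
    # Alternative proposed in the post: failures counted per (account, device).
    return FailureLimiter(lambda account, device: (account, device))


ACCOUNT = "NRIC-PLACEHOLDER"              # constructed value, not a real identifier


def owner_outcome(policy):
    """Constructed scenario: six wrong passwords from device-A,
    then the owner logs in correctly from device-B."""
    for _ in range(THRESHOLD):
        policy.attempt(ACCOUNT, "device-A", password_ok=False)
    return policy.attempt(ACCOUNT, "device-B", password_ok=True)


if __name__ == "__main__":
    print("per-account lockout:", owner_outcome(per_account()))
    print("per-device blocking:", owner_outcome(per_device()))
```

Per-device counting does not cap guesses spread across many devices, so it relies on the second factor the post mentions to stop a correct password from being enough.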

