Saturday, June 01, 2019

Risk of relying solely on fingerprint access

Someone said.

Fingerprints are 2FA: your fingerprint + your phone. Your fingerprint is stored on a chip onboard your phone and hence only works on your device. Apple, Google and Samsung do not have your fingerprint.

Therefore, in order to use your fingerprint to authenticate on the app, you need 1. something you are (biometrics) and 2. something you have (your handphone). That's the two factors in many banking apps - your phone and your fingerprint.

To elaborate, the 2 factors in "2FA" should comprise one item each from the 3 following categories: something you have (eg your phone or a token), something you know (eg a PIN or password) or something you are (eg fingerprint or iris scan).

The MAS Technology Risk Management Guidelines stipulate that financial institutions should provide 2FA for online financial systems, so I would have been surprised if your bank app did not have 2FA. I would add that while fingerprints aren't foolproof, authentication systems are always a compromise between security and convenience, and "fingerprint + handphone" 2FA is usually thought to strike an acceptable balance.

My reply
If the phone is misplaced and somebody gets hold of it, and is able to bypass the fingerprint authentication, e.g. make a fingerprint mould, he can open the SingPass Mobile app and the bank app. I prefer that in addition to the fingerprint, the user has to enter a 6-digit PIN.

Comment - I have uninstalled the banking app and moved to the web app using 2FA on my hard token.

https://tklcloud.com/Feedback/feedback2.aspx?id=1573

Apply common sense in risk assessment

I use my common sense to carry out my risk assessment. I do not blindly rely on the experts, because some of them may make the wrong judgment.

https://tklcloud.com/Feedback/feedback2.aspx?id=1572

WOTC - Slow business in the Jewel

I asked this question in the Wisdom of the Crowd:

What is the cause of the slow business in the Jewel?

Here are the responses: (60 Votes)
53 % - We have too many malls and insufficient spending power. 
38 % - Our cost is too high for locals and tourists.
7 % - It will need some time for the business to grow and for tourists to know about it.
2 % - This is temporary and is due to global uncertainty.

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1360

Click here to vote on the current issues:
https://wisdomofthecrowd.sg/active_issue.aspx

WOTC - Global economic slowdown

I asked this question in the Wisdom of the Crowd:

What should be the govt's response to the global economic slowdown?

Here are the responses: (55 Votes)
53 % - Take some relief measures now; and implement others along the way.
38 % - Prepare a detailed contingency plan - do not act hastily.
5 % - Wait for further data before acting.
4 % - No need to panic; just pursue the current course.

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1361

Click here to vote on the current issues:
https://wisdomofthecrowd.sg/active_issue.aspx

Friday, May 31, 2019

Immigration and foreign workers

Should Singapore change our approach towards immigrants and foreign workers, and follow the practice adopted in Canada and Australia?

https://tklcloud.com/Feedback/feedback2.aspx?id=1571

Difficult to sell a HDB flat more than 40 years old

Miss X has a HDB flat in Telok Blangah. In Dec 2017, she bought another HDB flat in Choa Chu Kang as it was near to her workplace. She wanted to avoid the long travelling time of 1.5 hours each way to get to work and back. It could take longer if there is a MRT breakdown.

HDB gave her 6 months to sell her first HDB flat.

She engaged several agents to sell the flat at the then market valuation price of $322,000 (in Dec 2017). The property agent told her that the market price had dropped as her flat had passed the 40 year mark. Later, the market became worse after the minister announced that HDB flats will have no value at the end of the 99 year lease.

Miss X could not sell her Telok Blangah flat within 6 months. She wrote to her MP and to HDB for assistance and extension of time. They did not reply to her. But they did not press her to sell the flat.

Miss X continued to look for a buyer. She was able to get a buyer willing to pay $292,000. She submitted the application for a transfer to HDB. HDB gave a lower valuation of $275,000 for the flat. The buyer opted out of the purchase and requested a refund of the deposit that had been mutually agreed prior to the sale, due to the buyer's worry about the high COV.

During this period, she had used several property agents. One had advised her to market at a much lower price of $280,000 to $290,000 for the flat in Jun 2018 but Miss X did not engage his service.

The agent managed to convince some nearby neighbours to let him market below $250,000 (!). At that price, she would have suffered a loss of about $30,000 which was too costly for her.

She was disappointed that the property agents only wanted to close the sale and get their commission. They did not care that the owner would be suffering a large loss.

https://tklcloud.com/Feedback/feedback2.aspx?id=1570

My experiment in releasing my NRIC

The Online Citizen published this article about my experiment in making my NRIC publicly available.
https://www.theonlinecitizen.com/?s=tan+kin+lian

There are many people who took the opportunity in other platforms to bash me for being stupid to release my NRIC.

There are a few sensible comments from readers in TOC. You can read them below the article.

David Chang
Granted that he is right, is there a need to require members to constantly change their PWs? Tis good for nothing hacker of his probably could have been trapped n traced, given his high profile to prove his point at that pt in time. But too bad the G had lost tis opportunity to prove its army of cyber-watchman was even present.

Soccerbetting2
Obviously Mr Tan Kin Lian intentionally let his NRIC be known so that hacker will hack into his Singpass account and then he can prove the stupidity of the agency responsible for Singpass who blocked off hacker after six unsuccessful attempt is not a smart way of doing thing. Mr Tan Kin Lian really has an unique way of proving thing out and is a careful person.

thunder storm
A layman without giving much thought would perceive that NRIC if known is a big issue.
Using our brain instead of aNUS, we can see that the issue is not NRIC number. Reason is, our NRIC is found in countless organizations. Many people can have us show our nric as proof of our identity. Eg. You come to attend a Dog show. The organizer asks you to show nric . Or you visit a massage parlor for special services. They dictate you write down your nric.
You enter a singsong lucky draw. Your nric is given.
THERE IS NO WAY TO SECURE YOUR NRIC.
Lets use our Brains and not our aNUS to think.
Perception is for layman. Reality is for Intellectuals.
NRIC is as easily known as our Mobile number, home address .
To say NRIC is top secret is to say cars should be banned because a victim was killed when a car hit him.
Using our brains instead of our aNUS, we can tell that the problem is the operator of the car or the victim was not using his brains when moving around.
Its just like the escooter. Ban the escooter because an idiot banged a pedestrian? A layman would perceive so using his aNUS to think.

thunder storm
NRIC is no secret. So how can it be not allowed to display nric on a website?
Many things require us to produce our nric or write down our nric. Eg. Lucky draw , rent something, apply for say a lesson on dog handling, you buy something online, you want to collect it show your nric showing your face.
Is it a security concern? No. THE SECURITY CONCERN IS THE IT SYSTEM, HUMAN SYSTEM.
NRIC by itself is easily available. If just because someone has your nric is a security issue, then nric should be banned from being used for the already millions of uses.
Its like someone saying because usa in economic crisis, the problem is democracy is falling apart. Democracy is still better than dictatorship . And true democracy has never been practised in any country. So, its not true democracy that is falling apart. True democracy has never been practised because the govt of any country is given real power while the people not offiically given any power. Its power is only effected by the mob.
And govt will use its powers to restrict your power. Therefore democracy never been practised in real life. What is practised is pseudo democracy. One asian country practises what i call Dictatorship democracy

Kien Hsiu Chen
We know LKY NRIC, so what can you do??
Loan shark are not stupid to give you thousands just by NRIC. They too verify your Photo ID. It is a business. Not a stupid fool like you.
NRIC is meant to uniquely and conveniently to identify you. If NRIC is confidential, then your name is also confidential. Don't be paranoid. Even having your Credit Card number does not guarantee you getting cash. Please grow up!!

Soccerbetting2
Right, NRIC should be a confidential data and must not be revealed to others. However, if you want to go inside condominiums nowadays to visit your friends or relative and one of the condominiums that I know of is in North Oak condominiums that not only need you to fill up your NRIC on their quite newly installed digital system but take your face picture too. And that our privacy data being captured by their digital system. Just wonder what right has the NorthOak condominium management to capture our face with their digital system and record our NRIC and even phone number. If there are some crooks that manage to hack into their system and steal all the data and this hacker group uses the data to apply for visa/mastercard and the bank approves especially with photos of the face even provided, then will the law protect us by hauling out the NorthOak condominiums management or other condominiums management to be charged to pay back for losses? Can Kasisviswanathan Shanmugam explain which side will the law protect if the hackers really did that with data from condominiums? And does the condominium have the right to capture our photos, get our NRIC and phone number?

thunder storm
Tan Kin Lian is really a very creative person for his era or cohort. His thinking, his speeches, his deeds proved he is exceptional, different. Rare.
This incident helps to bring focus to some interesting issues about our nric and personal data and security.
I think our NRIC is all over the place. Many have our NRIC and market intelligence has our data and freely being sold all over the place .
Who has our data they wont say it.
Because we dont know who has our data does not mean no body has our data.
Just like many things in life.
Like how many Cronies are there ? Cronies wont raise their hands and say , here i am.
Like how many are corrupt? No one knows. Corrupt people wont raise their hands and say they are corrupt. Corruption index is a Perception Index.
What we are told may not be the truth.
GDP in other countries. Did you audit it? Which country can audit another country GDP ? Can IMF even audit any country GDP? They can have a educated guess at best.
GDP is not just a economic stat. Its more a Political report card. Will politicians fake the GDP to stay in power or for Elections results?
Currency manipulation. One country can claim it did not manipulate currency.
The world is a human pyramid. Majority are fools.

Easy to bring down the SingPass system

It is easy for a malicious actor to bring down the SingPass system. I hope that GovTech takes the proposed actions in this feedback to prevent this risk.

https://tklcloud.com/Feedback/feedback2.aspx?id=1564

Lodging a police report

I took a 20 min walk to the Ang Mo Kio neighborhood police station to lodge my report on the scam concerning PayNow transfers.

It was a nice pleasant walk, and good exercise.

On the way, I realized that I could make my report online using my SingPass (don't worry, it is now working with a non-NRIC ID).

I thought - never mind. Let me see what the NPP is like.

I had to surrender my NRIC at the gate in exchange for a Visitor Pass. I objected - it is now illegal for any party to hold back another person's NRIC. Police - the police is exempted!

I think it is a bad idea, as the guard can clone my NRIC when I am away.

There were 3 police officers, 3 PCs and nobody else at the station. It must be a quiet day.

I lodged my report. Officer - can I see your NRIC? I said - your guard at the gate kept it.

Officer - can I have other identification, driving licence? I showed my PA Passion card, which has the NRIC but no address.

The report took slightly more than 1 hour to complete. It was slow, but the inspector wanted to be careful. OK.

I gave a 5 marks feedback on the process and the officer. I have a general comment - Do not keep my NRIC at the gate. I need it to make a police report.

Now that the report has been lodged, I will wait to see if they wish to pursue the case (their management will decide tomorrow).

If so, the malicious actor might be getting a call from the Police quite soon. I hope that he enjoys himself (or herself) now, before the knock on the door.

https://tklcloud.com/Feedback/feedback2.aspx?id=1563


Attractive book prizes

You can win these attractive book prizes on financial planning and developing your thinking.
https://wisdomofthecrowd.sg/show_prize.aspx

WOTC - Vote for non PAP candidate

I asked this question in the Wisdom of the Crowd:

Will you vote for a non PAP candidate who does not look impressive?

Here are the responses: (55 Votes)
47 % - I will vote for any candidate who is willing to stand against PAP.
38 % - I will only vote for a non PAP candidate that I can trust.
15 % - I will even vote for a monkey.
0 % - I will vote PAP because they can run the country.

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1359

Click here to vote on the current issues:
https://wisdomofthecrowd.sg/active_issue.aspx

WOTC - Vote non PAP

I asked this question in the Wisdom of the Crowd:

What is the key factor that will make you vote non PAP?

Here are the responses: (57 Votes)
51 % - Arrogance, lack of accountability and transparency.
30 % - Lack of trust in the PAP leaders
18 % - High cost of living and insecurity of jobs.
2 % - None. I will vote PAP.

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1358

Click here to vote on the current issues:
https://wisdomofthecrowd.sg/active_issue.aspx

Irrational fear of exposing bank account number

Singaporeans have an irrational fear of exposing their bank account numbers. They fear that a crook may use that account number to access their account and take money from them.

This fear is irrational for the following reasons:
https://tklcloud.com/Feedback/feedback2.aspx?id=1562

Thursday, May 30, 2019

How to improve the birth rate in Singapore

The birth rate in Singapore is the lowest in the world. The government has been trying to increase the birth rate through various measures, but the effort has been unsuccessful.

I wish to suggest the following measure be introduced to replace the current incentives.

http://tklcloud.com/Feedback/feedback2.aspx?id=396

Singapore is the most competitive country

Someone asked - how is it that Singapore can become the most competitive country in the world, when the ordinary people find it hard to make a living?

The answer is - being the most competitive is seen from the perspective of the business owners. They can make a lot of profit by operating in Singapore.

It is not the same as paying adequate wages to ordinary people. In fact, the businesses prefer to employ foreign workers that are willing to accept lower wages.

The local workers are squeezed out and have to accept lower wages to compete with the foreign workers. The local workers have to struggle to make a living.

Change bank statement and practice

When I send out an invoice, I show my bank account number. I asked my customer to pay me by bank transfer into that bank account.

I do not want to receive a cheque. If I receive a cheque, my staff has to go to the bank to bank it into our bank account. It takes the time of my staff - which is costly. I get my money later.

Fortunately for me, most of my customers make payment by bank transfer. They send the confirmation slip to me by email.

I do not see any risk in informing people of my bank account. There is no way that they can take money out of the bank account.

They cannot access my bank account using the account number. The bank access is for a login ID, password and 2FA.

I cannot see any risk that money will be taken out of my account.

The only inconvenience is that the payer does not tell me what the payment is for. In that case, I put the money aside and let the customer contact me.

It will be helpful if my bank allows me to return the unrecognized payment back to the sender. I do not know if this is possible.

It is useful for the bank to tell me the account number of the payer. But strangely, this information is hidden. I do not know why it should be hidden.

I probably have a record of the bank account of my customers. If the account number is shown, I will be able to trace the payer.

We need to change our banking statement and practice to encourage more payment by internet transfers.

I first gave my suggestion on this issue to Monetary Authority of Singapore more than five years ago. They ignore it. They told me that they have other ways to deal with this matter. So far, the progress has been very slow.

https://tklcloud.com/Feedback/feedback2.aspx?id=1558

Wasteful way to collect payment

The manager of a security firm told me that she has to send an invoice monthly to the client and get the staff to call the client to chase for payment.

After a few calls, the client said that the cheque is ready.

The security firm sends the relationship manager to collect the cheque.

She said - it is okay to visit. It helps to build relationship.

This is how our SMEs spend their time. No wonder our SMEs are struggling with high cost of operations. To be viable, they have to increase their fees.

The clients then complain about the high cost of operations.

It escalates.

If the client pays by bank transfer, it would reduce the cost of operations.

How to build relationship? Give a phone call. Reply promptly to emails and act promptly on requests.

https://tklcloud.com/Feedback/feedback2.aspx?id=1557

WOTC - Vote non PAP

I asked this question in the Wisdom of the Crowd:

What happens if every politically conscious person votes non PAP?

Here are the responses: (54 Votes)
33 % - The PAP will be toppled at the next general election.
26 % - It will take 10 to 20 years before the PAP is toppled.
20 % - The PAP will still win most of the seats in Parliament.
20 % - There will be many people who will still vote PAP for many reasons, so the impact on PAP will be small.

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1357

Click here to vote on the current issues:
https://wisdomofthecrowd.sg/active_issue.aspx

WOTC - National service affects the birth rate

I asked this question in the Wisdom of the Crowd:

National service is a major factor in our low birth rate.

Here are the responses: (51 Votes)
55 % - Full time and reservist NS makes it more difficult for our males to get good jobs to start a family
22 % - I agree with this statement, as it causes our males to start work later.
20 % - I disagree with this statement, as it does not have any impact on the birth rate.
4 % - I disagree with this statement, as the skills learned in NS can compensate for the later entry into the workforce.

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1356

Click here to vote on the current issues:
https://wisdomofthecrowd.sg/active_issue.aspx

Wednesday, May 29, 2019

Bank account numbers should be used transparently

Two years ago, I met a senior manager of an insurance company. He told me - Mr. Tan, why do many people make payment by cheques? I came from Spain and throughout my life, I have never written any cheque.

How did he make payment? By bank transfer.

Most suppliers happily provide their bank account number to their customers to make payment by bank transfer into their bank.

They write their bank account number in their invoice and in their website.

Someone told me that cheques are hardly used in China. They also make payments by bank transfer or by mobile phone payment.

More people are using bank transfer in Singapore today, but cheque payment is still very common.

Even the process of bank transfer in Singapore is quite cumbersome. The process is poorly designed.

One big issue is that MAS probably insists that the bank account no be kept confidential. I cannot understand the rationale. There is no risk about the bank account no being known.

Nobody can access the bank account by its number. They need to have the password and 2FA.

When I receive notification of bank transfer from my bank, it does not show the full bank account number. It only shows the last 4 digits. This is not helpful.

But Singapore is like this - inefficient, slow, costly. I do not know when MAS and the govt will wake up.

https://tklcloud.com/Feedback/feedback2.aspx?id=1556

Migrating to Canada

I do not like the manner in which Singapore issues work pass for foreigners to live and work in Singapore.

The authority does not carry out proper checks. They depend on documents submitted by the applicant and the employer.

My friend wants to migrate to Canada. I asked him about the process adopted by Canada. He shared this information:

https://tklcloud.com/Feedback/feedback2.aspx?id=1555

Unfair reporting by AsiaOne

I want to share this article in Asia One.
https://www.asiaone.com/…/ex-presidential-hopeful-tan-kin-l…

This article seeks to put the blame on me for sharing my NRIC, which I consider to be a public ID.

The article does not bring out the following points:

a) There is no need for GovTech to block my SingPass account just because a malicious actor tries to guess my password 6 times with my NRIC. Social media platforms, such as Facebook, Google and Twitter do not block the account because of malicious actors.

b) It is a crime under the Misuse of Computer Act for a person to act in this manner, i.e. to access a computer site using an unauthorized ID.

Why do Asia One, which is supposed to be a respectable website, and its journalist fail to give fair coverage to me, as the affected party? Are they trying to damage my reputation?

Are they trying to protect the practice of GovTech?

Are they trying to condone the action of that malicious actor?

This episode makes me lose my confidence in fair coverage by AsiaOne and by the journalist Iylas.

I hope that they will rectify this slanted reporting and send an apology to me.

Tan Kin Lian

Gambling

My friend saw the article in the Straits Times about the NRIC episode.

He said - you are a public figure. Do not be seen gambling.

I replied - I do not mind being seen in the jackpot machine in Genting Dream. (We go on cruise together).

I am no hypocrite. If people can gamble on a cruise, so can I. There is nothing wrong about gambling - provided we can exercise self control.

This is how many elderly people pass their time and enjoy their retirement.

Sure, some people got into trouble with gambling. Most of them will give up when they lose more than they can afford. Some cannot, but that is life.

Actually, you can only see me in the casino watching other people play the jackpot machine or the gambling tables.

I do not participate, because it does not thrill me.

Of course, I now operate a speculative portfolio in the stock market. I do not pretend. It is also gambling.

Do not read this message that I am encouraging people to gamble. I do not encourage them.

But I do not try to tell them what they should or should not do. They can decide for themselves. They are old enough.

https://tklcloud.com/Feedback/feedback2.aspx?id=1552

Sharing a mobile number

I consider my mobile no to be public information. I share it quite openly.

I know that it can be abused, but it does not deter me.

In the old days, our name, address and telephone number were published in a telephone directory.

It could invite thieves, robbers and crooks to access the information to commit crimes. Still, we were able to manage in the old days.

The nature of the risk changes in the online world. We face different kinds of risk, but they can be managed.

Here are a few things that happened after I shared my mobile phone. (Anyway, it was published in my Facebook profile for a long time.)

A malicious actor used my mobile phone to submit requests to many online services, such as applying for a loan, asking to sell a life insurance policy, making an enquiry, etc.

I received SMS and WhatsApp messages from these services asking for more details.

I just replied - it is a fake request. Please ignore it.

I must have received a few telephone calls from other services. I reject calls from unknown numbers.

It is a nuisance, but nothing much to bother about. I can handle them.

One kind person sent me a personal message. His mobile number was used in a sex website, as a pretty young girl. He received 100 calls from potential numbers. He had to change his number.

He advised me to remove my mobile no from my profile. I replied to him that I can manage the nuisance.

One day, a malicious actor will be caught and sent to jail for offenses under the "Misuse of Computer" law. They may be punished in the same manner as housebreakers and robbers. They will then realize the seriousness of their crimes.

I will continue to share my mobile no in my Facebook profile and to use it when I want people to contact me, including strangers.

If any malicious actor misuses my NRIC, email address or mobile number and I obtain his identity and proof, I will submit a police report to get that person prosecuted under the law.

Many people do not share my view. They do not need to tell me. I respect their decision. There is probably more than 1 million.

https://tklcloud.com/Feedback/feedback2.aspx?id=1551

WOTC - Foreign spouses

I asked this question in the Wisdom of the Crowd:

Should the govt relax its restriction on marrying foreign spouses?

Here are the responses: (50 Votes)
54 % - We should change our elitist approach and accept foreign spouses who are not well educated.
24 % - The govt should allow locals to marry foreign spouses who are willing to be homemakers.
12 % - Foreign spouses marrying low income locals can supplement the income by working in the service and retail sector.
10 % - The govt should keep its restrictions to ensure that foreign spouses are well educated.

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1355

Click here to vote on the current issues:
https://wisdomofthecrowd.sg/active_issue.aspx

WOTC - Purpose of POFMA law

I asked this question in the Wisdom of the Crowd:

Is POFMA an attempt by the govt to cause difficulty to its opponents?

Here are the responses: (56 Votes)
43 % - The govt is finding an excuse to write a law to obstruct its opponents.
32 % - The law is seriously flawed and one sided. 
18 % - This will cause the international reputation of Singapore to diminish further. 
7 % - The govt is sincere in creating POFMA to address a future problem. 

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1354

Click here to vote on the current issues:
https://wisdomofthecrowd.sg/active_issue.aspx

Improve efficiency and competitiveness

I visited China for the first time 30 years ago. It was a poor country. It was extremely backward. Singapore was twenty years ahead. We were a model of economic success for China and the rest of the world.

https://tklcloud.com/Feedback/feedback2.aspx?id=1549

Be aware and not gullible

A video is circulating in WhatsApp about small pineapples from Thailand. It said that these pineapples are mixed with cyclamic acid and rejected by a health authority.

Several people reacted to the video and said that they will throw away the pineapples that they bought recently.

Later, it was found that the video was 2 years old and affected only one brand of pineapple. Someone even thought that it might be circulated by a competitor.

I do not blindly believe in any videos or news that are being circulated. I usually ignore circulation of videos in chat groups.

I do not open chat group videos, unless the sender gives a short summary of its content.

We should also be aware about news spread in the mainstream media. They often have a purpose to "brainwash" the public on behalf of the establishment.

It is quite common for people to form opinion and judgment without checking the facts and understanding the issues. We should be aware and not so gullible.

https://tklcloud.com/Feedback/feedback2.aspx?id=1550

Tuesday, May 28, 2019

Improve efficiency and competitiveness

I visited China for the first time 30 years ago. It was a poor country. It was extremely backward. Singapore was twenty years ahead. We were a model of economic success for China and the rest of the world.

https://tklcloud.com/Feedback/feedback2.aspx?id=1548

Will populism affect the economy badly?

Someone asked me - Mr. Tan, I see the trend towards populism in many countries. I am afraid that this trend will be bad for the economy and for the social cohesion.

I gave him this reply.
https://tklcloud.com/Feedback/feedback2.aspx?id=1548

WOTC - Petition against POFMA

I asked this question in the Wisdom of the Crowd:

Should Singaporeans sign a petition to show disagreement with POFMA?

Here are the responses: (55 Votes)
53 % - We should sign the petition to register our disagreement.
35 % - There is no point in signing the petition, as the govt will ignore it. 
11 % - We should organize another protest in Hong Lim park.
2 % - The POFMA law is actually a good law.

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1353

Click here to vote on the current issues:
https://wisdomofthecrowd.sg/active_issue.aspx

WOTC - Legal action against Lee Wei Ling

I asked this question in the Wisdom of the Crowd:

Should LHL take legal action against his sister LWL?

Here are the responses: (62 Votes)
37 % - He can't take legal action as he had promised his father that he would take care of his siblings. 
32 % - He can use the fake news law to silence LWL.
23 % - He should take legal action against LWL for continuing to damage his reputation.
8 % - He should take legal action against LWL for continuing to post views on an ongoing case. 

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1352

Click here to vote on the current issues:
https://wisdomofthecrowd.sg/active_issue.aspx

Is change to PDPA act tied to problem faced with SingPass ID?

This is just my speculation. If it is true, we do have a big problem about the way that decisions are made by people in charge.

Let me explain the issue.

SingPass uses the NRIC as the ID to login. This is a practical approach. There is nothing wrong with using NRIC as the ID.

Somebody must have taken another person's NRIC and tried to hack the password many times.

GovTech decides to block the SingPass account after six attempts, based on the reason - for security.

I suspect that there are many cases of this nature. I do not have any statistics about it. It is just a gut feel.

It must have caused a lot of work to their staff in helping the owners to unblock their blocked account.

This is where my speculation comes in.

To solve this problem, they asked the Privacy and Data Protection Agency (PDPA) to make NRIC a secret and not a publicly used ID.

In my view, and if my speculation is correct, this is the wrong way to solve the problem.

Making NRIC private will cause a lot of problems and cost to the businesses and the economy.

The NRIC should be a public ID. It is an advantage that a few countries have, over those that do not have a national ID. Why throw away this advantage?

What can GovTech do about the unauthorised persons using another person's NRIC to log into SingPass?

They can try to catch the culprit and charge them under the Misuse of Computers Act.

If the offenders know that they are breaking the law, they will not continue it. There are ways to catch the culprits. GovTech can find their IP address and locate them.

I know that it may not be easy. It is not easy to catch a person who has committed a crime either.

If GovTech does not block the SingPass account, they will not face the problem of helping the owners to unblock them.

Is there any risk if GovTech does not block the SingPass account?

No, there is no risk. The hacker has failed to break the password after 6 attempts. Even if the hacker tries 1,000 times, he will probably still not get the right password.

Even if he gets the right password, he will not be able to access the account, because there is a 2FA layer that is quite strong.

Of course, GovTech does not want the hacker to try 1,000 times as it will create a lot of load on their website.  But this is a separate issue.

I am sure that they have experts to prevent this kind of abuse. GovTech should just block the access from that device, and find a way to catch the culprit as it is an offense under the Misuse of Computer Law.

I believe that GovTech already has this means to stop this abuse.

For example, it is possible for a mischievous actor to create a bot and just keep trying with random NRIC and password to try to login.

We do not hear of this problem, because GovTech must be able to stop it.

There is no need to block the SingPass account. There is no need to change the PDPA law to stop the use of NRIC as a public ID.

As I said earlier, this is just my speculation.

Tan Kin Lian

Act against the offender

I publicised my NRIC and somebody misused it. In fact, that mischievous person is committing an offence under the misuse of computer law.

Several people blamed me for publishing my NRIC. They said that I should keep it a secret.

I do not agree. The NRIC should be a public ID to identify a person. It is used in many places. It is accessible to other people.

The correct way is to stop the offense, and to enforce the law.

Let me quote you an analogy.

A wealthy person wears an expensive watch. Someone robs him of the watch.

What do the other people say - oh, the wealthy person deserves to be robbed, because he wants to show off his wealth.

Another analogy.

Someone buys an expensive car. Another person feels jealous and scratches the car.

What do the other people say - oh, he deserves to have his car scratched, because he wants to show off his wealth.

This is the distorted logic of the people who commented that I allowed my NRIC to be known.

I hope that these people think about this issue, instead of launching another personal attack on me.

Tan Kin Lian

Offence to misuse another person's NRIC or email address

Some people think that it is fun to create mischief by misusing another person's NRIC to log into SingPass or to use the other person's email address to register into a mailing list.

They may not be aware that they are committing an offense under the Computer Misuse Act:

It is a crime for the mischievous person to try to access my account.

https://sso.agc.gov.sg/Act/CMA1993

Quote:
Unauthorised access to computer material
3.—(1) Subject to subsection (2), any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both.
(2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both.
[21/98]
(3) For the purposes of this section, it is immaterial that the act in question is not directed at —
(a) any particular program or data;
(b) a program or data of any kind; or
(c) a program or data held in any particular computer.

Unquote

This is similar to vandalism. The actor may think that he (or she) will not be caught by vandalising another person's property. But when he is caught and sent to jail, he will regret it.

The best way to stop this misuse and mischief is for the authority to catch the mischievous act and charge the person in court.

We need our law to be enforced, so that people will pay attention to it. If not, it becomes a useless law.

Tan Kin Lian

Monday, May 27, 2019

Stupid to block the SingPass account after six failed attempts

I want to share the latest information about my NRIC.

One mischievous person took my NRIC and tried to log into my SingPass. He tried six times but could not get through.

What happened?

GovTech, which is the agency responsible for SingPass, blocked my SingPass account and asked me to change my password.

I sent an email to GovTech to tell them that after I change my password, this mischievous person can try to log into my account again and make another six failed attempts to block my account.

It happened to me because I publicized my NRIC.

But this can also happen to anybody who uses the NRIC to apply for a lucky draw, or to visit a public building.

All it needs is for someone to have the NRIC No and make six attempts to get the SingPass account blocked.

There goes our Smart Nation. It is run by people who are not so smart.

I told GovTech - do not block my SingPass account if somebody tries it six times. Let him try 100 times or maybe 1,000 times. Why not just block his attempt using the same device?

If he manages to get the correct password, he still needs to go through my 2FA, which is now converted into my thumb print. This is already secure.

If GovTech is really smart, they will set up a sting operation to find out who is the person who is using another person's NRIC to enter a computer system. It is a crime to impersonate another person under the law.

Anyway, I told GovTech to review their process. The current procedure of blocking the account after six failed attempts is clearly, may I say, "stupid".

GovTech justifies its action with this common excuse - for security. I do not see how they can make SingPass secure by locking out people unnecessarily.

Tan Kin Lian
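
The two policies contrasted in this post and in the earlier post on the PDPA change, replayed side by side as an added example (not the blog author's or GovTech's code): one counter keyed on the account, one keyed on the account and device pair. The account ID, password, device labels and class names are constructed for illustration; how a real service identifies a device is an assumption the page does not describe.

```python
from collections import defaultdict

LIMIT = 6  # failed attempts before a block, the figure given in the post
ACCOUNT = "ID-PLACEHOLDER"  # constructed account ID, not a real NRIC
SECRET = "constructed-password"  # plaintext only to keep the simulation short

class Policy:
    """Shared login logic; subclasses choose what the failure counter is keyed on."""
    blocked = "blocked"
    def __init__(self):
        self.failures = defaultdict(int)

    def key(self, account, source):
        raise NotImplementedError

    def login(self, account, password, source):
        k = self.key(account, source)
        if self.failures[k] >= LIMIT:
            return self.blocked
        if account == ACCOUNT and password == SECRET:
            self.failures[k] = 0
            return "ok"
        self.failures[k] += 1
        return "denied"

class AccountLockout(Policy):
    """Current behaviour described in the post: lock the account for everyone."""
    blocked = "account-locked"
    def key(self, account, source):
        return account

class SourceThrottle(Policy):
    """Proposal in the post: refuse only the device that keeps failing."""
    blocked = "source-blocked"
    def key(self, account, source):
        return (account, source)

def replay(policy):
    """Constructed events: six wrong guesses from device-A, a seventh, then the owner."""
    out = [policy.login(ACCOUNT, f"guess-{i}", "device-A") for i in range(LIMIT)]
    out.append(policy.login(ACCOUNT, "guess-7", "device-A"))
    out.append(policy.login(ACCOUNT, SECRET, "device-B"))  # real owner, own device
    return out

if __name__ == "__main__":
    for cls in (AccountLockout, SourceThrottle):
        print(cls.__name__, replay(cls())[-2:])
```

The per-source counter only holds as long as the source identifier is hard to change, which is why the 2FA layer mentioned in the post still carries the security weight.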

Retain the passport number on renewal

Someone said that Singapore's passport number changes every five years with each renewal. This creates a headache for many, especially those working overseas.

https://tklcloud.com/Feedback/feedback2.aspx?id=1537

Accountant confused with 3M system

An accountant asked for my help. He was hospitalized for 7 days for a fractured ankle in a public hospital. He had to give his credit card.

On discharge, he was told to collect his medicine. He was not told about how much will be deducted from his credit card.

Someone told him that the bill can be paid by insurance and medisave. But he was not told by the hospital how to go about the process.
https://tklcloud.com/Feedback/feedback2.aspx?id=1536

NRIC identifies but does not authenticate a person



Someone is worried that a third party who knows my NRIC, email address and mobile No can use my identity for online purchase and for signing petitions.

I replied that the third party will need to make payment for online purchase and to verify an online petition with the email link.

Anyway, the petition will probably be ignored by the party that it is addressed to.

A person's identity needs to be authenticated to have legal effect. A legal document will need to be duly witnessed, usually by a lawyer.

I consider the NRIC to be a unique number to identify a person as a supplement to the name, but it does not authenticate that person on its own.

I prefer the NRIC to be used in public to identify a person and not to be kept as a secret identity.

NRIC is not private

My NRIC is S0579729B. My email address is kinlian@gmail.com. My mobile is 81685845. My date of birth is 9 March 1948 (don't forget to send birthday greetings).

If you use my NRIC to access my SingPass, you need my password and 2FA. If you manage to hack into my account, you can check my health, education and tax record.

But you cannot access my bank account, as it does not use my NRIC.

Don't get caught - you can go to jail.

Why am I posting this? I find the paranoia about the privacy of NRIC and contact details to be overblown.

Whenever there is a data breach and the NRIC or contact details are stolen, it seems to be a big issue. I do not think so.

Democratic systems are falling apart

Many countries with democratic constitutions follow the American or the UK system.

Both systems seem to be falling apart.

Here are my views.
https://tklcloud.com/Feedback/feedback2.aspx?id=1535


WOTC - Complaint over LKY's will

I asked this question in the Wisdom of the Crowd:

Should LHL ask the AG to drop the complaint against LHY's wife over LKY's will?

Here are the responses: (64 Votes)
83 % - The AG should not take up this complaint in the first place, as it is a private matter
16 % - It will be wise for LHL to ask AG to drop the complaint now, to avoid further damage.
2 % - He can't ask the AG to drop the case, as the AG acts independently of LHL.
0 % - LHL should ask the AG to continue the case to show that he is not fickle minded. 

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1351

WOTC - Reduce inflow of foreign workers

I asked this question in the Wisdom of the Crowd:

Should the govt reduce the inflow of foreign workers?

Here are the responses: (69 Votes)
48 % - We should allow inflow only for a small number of jobs that locals do not want to do.
42 % - The inflow should be reduced to make sure that locals can find jobs that pay adequately.
9 % - With the reduced inflow, employers have to pay higher wages to attract locals to do the work.
1 % - We should continue to allow the inflow of foreign workers to reduce the cost of doing business.

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1350

Sunday, May 26, 2019

Serious flaws in POFMA law

Do you agree that the POFMA law has the following flaws?

a) The Act allows the government to exempt certain people from the law. The government has already taken the decision to exempt ministers. Our law should apply to everybody and nobody, including the ministers, should be exempted.

b) Under the Act, any appeal against the decision of the minister has to be made to the minister in the first place, before it can be sent to the court. There is no time limit required by the minister to reply. The minister can sit on the matter forever, and prevent the appeal from going to court.


c) In other countries, a similar law is passed to address specific problems, such as terrorism and hate news against a racial or religious group. In Singapore, this law is targeted against "falsehoods". We fear that it can be used to restrict criticism of government policies and actions and create obstacles against people who hold different political views.

d) Under this law, any minister (and there are 20 ministers in Singapore) can make a determination that a news item is false and require the news item to be corrected or taken down. We suggest that this determination should be made by the court, rather than a minister. This will ensure that there is consistency in making the determination.

Appoint ministers from outside of Parliament

If we change the constitution to require the prime minister and ministers to be appointed outside of Parliament, it will achieve a significant impact.

Here are the benefits:
https://tklcloud.com/Feedback/feedback2.aspx?id=1534

A bad approach to create a retail electricity market

An elderly woman who lived near me met me at the bus stop.

She said - Mr. Tan, I agree with what you wrote about the retail electricity supply. As an elderly person, I do not know what to do to choose my electricity supplier. Why doesn't the government just get Singapore Power to reduce the electricity price, instead of asking us to look for our supplier? I find life to be very complicated.

I assumed that she referred to my letter published in the Straits Times. I agreed with her.
https://tklcloud.com/Feedback/feedback2.aspx?id=1533

Abuse of power

Someone sent me a list of happenings that he described as abuse of power in Singapore. He said that the abuse is as bad as what happened during the Najib government in Malaysia.

Do not overreact to data privacy issues

Someone said that many people are paranoid about data privacy and over-react to data breaches.
He is not suggesting that the data should be freely exposed.
However, if there are hackers who took the trouble and risk to hack into a database and can get access to email address, contact number or NRIC, so what?

Wisdom of the Crowd

How to improve the democratic process

I wish to give my views about how to improve the democratic process around the world. I carried out several polls on different questions regarding this process, and wish to give my comments on the results of these polls.

I would also like to make special reference to how my suggestions should be implemented in Singapore.
https://tklcloud.com/Feedback/feedback2.aspx?id=1530

WOTC - Is HDB flat a good investment?

I asked this question in the Wisdom of the Crowd:

Is a HDB flat a good investment?

Here are the responses: (61 Votes)
52 % - It should be treated as paying rental in advance, and not an investment.
44 % - It is a bad investment for the long term, as it will eventually have no value.
2 % - It is a good investment for the long term. 
2 % - It is a good investment for the first 30 years only.

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1349

WOTC - President Halimah's visit to China

I asked this question in the Wisdom of the Crowd:

What are your views about President Halimah's visit to China?

Here are the responses: (64 Votes)
77 % - It is a wasteful visit as she does not hold any decision making power. 
11 % - It is nice that she has received a good reception from President Xi.
8 % - She should be accompanied by senior ministers of the cabinet. 
5 % - She plays an important role in rebuilding relations with China.

See the pie chart at: 
http://www.wisdomofthecrowd.sg/chart.aspx?ID=1348
