Man jailed for selling SingPass account details to syndicate
Man jailed for cracking passwords of SingPass account holders and selling details to China-based syndicate
If you do not make the effort to think of a good password, you are inviting trouble from hackers, cyber security experts here warned.
This is especially crucial if the password is for your SingPass account, which can reveal sensitive information such as your Central Provident Fund (CPF) account, your address and how much you earn.
Yesterday, a former administrative assistant was jailed five years and two months for cracking the passwords of 293 SingPass account holders and selling the details to a China-based syndicate to produce sham Singapore visa applications.
This happened after James Sim Guan Liang, 39, realised that some people used their NRIC number as their SingPass password. (See report.)
Mr David Freer, vice-president of Intel Security's Asia Pacific Consumer business, said cyberattacks happen daily and it may be inevitable that your account is targeted.
To protect yourself, ensure that you use a strong password - one that has at least eight characters and contains numbers, symbols and upper and lowercase letters for best effect - and different ones for your various online accounts, he said.
"The first line of defence for keeping your online data safe is your password. You should always use a complex and hard-to-guess password," he said.
Mr Freer added that passwords should be changed every three to six months.
In January, password management firm SplashData analysed more than 20 million passwords that were leaked globally over the last year and published the worst ones.
The list was topped by "123456", "password" and "qwerty" - the first six letters on the top row of a regular keyboard.
New entries on the list, now in its fifth year, include pop culture references like "star wars", "solo", and "princess", following the release of the latest Star Wars movie.
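The advice above (Mr Freer's eight-character composition rule, the SplashData worst-passwords entries, and the NRIC-as-password pattern that Sim exploited) can be turned into a registration-time check. The following Python is an added example written for this page, not code from any of the organisations quoted; the NRIC/FIN shape it matches (one letter, seven digits, one check letter) is an assumption made for the example, and the weak-password set is only the handful of entries the article names.

```python
import re
from typing import List, Optional

# Weak entries the article mentions from the SplashData list and Mr Chooi's
# examples; a real deployment would load a full breach-derived blocklist.
KNOWN_WEAK = {"123456", "password", "qwerty", "starwars", "solo", "princess", "1234567"}

# Assumed NRIC/FIN shape (constructed for this example): a letter, seven digits,
# and a check letter, e.g. S1234567A. Only the shape is checked, not the checksum.
NRIC_RE = re.compile(r"^[STFG]\d{7}[A-Z]$", re.IGNORECASE)

# Mr Freer's composition rule: numbers, symbols, upper and lowercase letters.
COMPOSITION_RULES = [
    (r"[a-z]", "no lowercase letter"),
    (r"[A-Z]", "no uppercase letter"),
    (r"\d", "no digit"),
    (r"[^A-Za-z0-9]", "no symbol"),
]


def password_problems(password: str, nric: Optional[str] = None) -> List[str]:
    """List the ways a candidate password fails the article's advice.

    An empty list means the password passes every check. `nric` is the account
    holder's own identifier, if known, so reuse of it is caught even when it is
    padded with extra characters.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for pattern, message in COMPOSITION_RULES:
        if not re.search(pattern, password):
            problems.append(message)
    # Compare case-insensitively and ignore spaces so "star wars" == "starwars".
    normalised = password.lower().replace(" ", "")
    if normalised in KNOWN_WEAK:
        problems.append("appears on a published worst-passwords list")
    if NRIC_RE.match(password):
        problems.append("is shaped like an NRIC/FIN number")
    if nric and nric.lower() in password.lower():
        problems.append("contains the account holder's own NRIC")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the NRIC value is a placeholder, not a real number.
    for candidate in ["S1234567A", "password", "star wars", "Tr0ub4dor&3xyz"]:
        print(candidate, "->", password_problems(candidate, nric="S1234567A") or "ok")
```

The NRIC check runs on the raw string so that a bare identifier is rejected by shape even when the account holder's own number is not available to the check.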
Mr Chooi Ker Ming, Fortinet Singapore's network security consultant, said hackers look for passwords that give the highest return on investment.
"Instead of investing in a costly high-powered server for brute force password cracking, they usually do a scan with a general server and take out the easiest targets.
"The low-hanging fruits - accounts with the easiest-to-break passwords such as '1234567' or 'password' - are compromised first," he said.
This becomes especially dangerous if that account is your SingPass account, considered "very valuable" to hackers, said Mr Freer.
"Through an illegally gotten password, cybercriminals are able to find out a person's address, how much he earns, how much money he has in his CPF account, who he is married to and more.
"Such information enables them to carry out more serious crimes, or sell the information within the black market," he said.
Mr Chooi also advised Internet users to use e-services that have a second layer of security such as two-factor authentication (2FA), a process involving a one-time password (OTP) that is randomly generated and delivered via SMS or through a token.
From July 5, SingPass users will require an OTP to transact with the CPF Board, Inland Revenue Authority of Singapore, Ministry of Manpower and Accounting and Corporate Regulatory Authority.
Said Mr Chooi: "With 2FA, you don't have to worry about password changes, since the OTP generated is valid for a particular transaction only."
About the case
Former administrative assistant James Sim Guan Liang, 39, was sentenced to five years and two months' jail yesterday for cracking SingPass accounts and selling them to a China-based syndicate.
He faced 886 charges, mostly under the Computer Misuse Act, and pleaded guilty to 73 of them in January. The rest were taken into consideration.
Court papers said he spent thousands of hours on his computer to crack the passwords of 293 SingPass accounts.
All his victims had used their NRIC number as their password.
The Chinese syndicate he sold the credentials to used the information to apply for sham visas for foreigners to enter Singapore. Some of them later committed crimes here.
Yesterday, District Judge Low Wee Ping said in sentencing that the number of charges was staggering and he could not regard Sim as a first-time offender even though this was his first brush with the law.
Noting that Sim had unlawfully accessed the computer systems of the Media Development Authority (MDA) and the Central Provident Fund Board (CPF) 577 times to harvest information, the judge said: "It is no different from breaking into a home 577 times."