lolloj - Fotolia
Cyber criminals targeting Singapore are undeterred by the increased probability of being caught now that the city state has significantly beefed up cyber security measures to combat illegal activities perpetrated online. And they appear to have their sights firmly fixed on Singapore’s businesses.
In July, the Cyber Security Agency (CSA) issued an advisory warning about phishing emails purported to be from firstname.lastname@example.org being sent to users. GeBIZ is a Government-to-business (G2B) public eprocurement business centre where suppliers can conduct electronic commerce with the Singapore government.
The fraudulent email advised GeBIZ trading partners to complete a one-time account update following the roll-out of the enhanced SingPass system. User credentials were stolen when users entered their user name and password on the phishing page.
In its recently released mid-year crime brief covering January to June 2015, the Singapore Police Force reported commercial crimes went up by more than 55% over the same period in 2014. This is despite the general crime rate for virtually all types of illegal activities lowering. Of the various commercial crimes, those involving e-commerce saw a large increase of nearly 66% when compared to the first six months of 2014.
“The growing trend of online crime is a cause of concern,” said David Chew, director of the commercial affairs department at the Singapore Police Force. “While we will do all we can to investigate, deter and disrupt the activities of these criminals, the public has an important role to play.”
Based on the latest half-year figures, online scams targeting buyers totaled 1,015 cases, up by almost 62% over the 2014 period, with the amount of money involved estimated at S$450,000. Meanwhile, online scam targeting sellers went up to 68 cases between January and June 2015, a 74% increase over the year before.
“Online transactions may be convenient but the public should always be alert and exercise due diligence when engaging in online transactions to avoid falling victims to scammers,” Chew said. He added that some scammers may even be linked to a criminal syndicate operating overseas.
The Singapore Police Force has been working with the National Crime Prevention Council since November 2014 on a series of anti-scam awareness campaigns, some of them tackling cyber extortion.
But protecting the city against shady characters lurking online poses a huge challenge for law enforcers when almost three quarters of Singaporeans are internet users, who spend an average five hours each day online on a desktop or laptop, and two hours a day on their smartphones and tablet PCs.
Singaporeans’ cavalier attitude towards the internet received a reality check two years ago when a Symantec report claimed that the city state has the highest per capita losses from cyber crime worldwide, with an average cost per victim pegged at S$1,448. It was the highest among the 24 nations surveyed and four times the global average.
“The cost of Singaporeans not knowing how, or worse, not bothering to protect themselves from online threats could be very high indeed,” said Infocomm Development Authority (IDA) managing director Jacqueline Poh during the National Infocomm Security Competition in September 2014.
“Since we assume you are not going to unplug yourselves from the benefits of being online, it is important for all of us to understand the various ways we can be hacked, so that we can avoid being victims,” she told student participants of a competition intended to encourage local people to adopt good cyber security practices.
The high-profile hacks of Target and Home Depot in the US that received wide press worldwide certainly increased awareness of cyber crime among Singaporeans. But the greatest impact was when the threat hit closer to home. Last year, hackers broke into the customer database of local karaoke company K Box, leaking mobile the phone numbers, ID numbers and addresses of more than 317,000 members.
Likewise, IDA revealed last year that 1,560 SingPass accounts have been breached, possibly exposing citizens’ data – including addresses, income and car registration numbers, among others. About a quarter, or 419, of these users had their passwords illegally reset.
SingPass is Singapore’s e-government services portal, set up in 2003.
Twelve months after the incident was reported, SingPass added a new security layer, with a two-step method of identity verification for users conducting sensitive transactions online. After logging in with their SingPass user ID and password, the additional second step saw users enter a one-time passcode, which can be delivered either through a token or SMS.
For a start, more than 100 government e-services will require two-factor authentication , according to IDA. These include essential services such as those by the Central Provident Fund Board (CPF), Inland Revenue Authority of Singapore (IRAS) and the Ministry of Manpower.
“No system is entirely fool proof. However, the measures that we’ve put in place make it considerably more difficult for a hacker or someone else to breach the accounts and sensitive data of SingPass users and make transactions on their behalf for nefarious purposes,” said Poh.
Creating a cybersecurity ecosystem
The CSA, which consolidates and co-ordinates the city’s cyber security capabilities across different sectors, is at the forefront of Singapore’s efforts to push back the new wave of online threats that could endanger commerce and national security.
In early October 2015, the agency inked several partnership deals with local and foreign industry players – among them Singtel, Check Point and FireEye – for initiatives intended to strengthen the cyber security ecosystem.
Read more about IT security in Asean countries
As an emerging economic power bloc, Asean is bracing itself for an influx of cyber crimes as hackers look for lucrative targets.
South-east Asian finance companies are adopting cloud technology with more caution than in other regions of the world.
Asean countries will need legislation to motivate organisations to step up their cyber security activities.
With Singtel, the CSA expects to develop indigenous R&D.
Bill Chang, CEO, Singtel Group Enterprises said: “A resilient cyber security ecosystem will help reinforce Singapore’s position as a key business hub for innovation while building the foundation of a safe and smart nation.”
One key area of collaboration between Singtel and CSA will be training of cybersecurity professionals – which is one of the key goals of Singapore’s new five-year National Cyber Security Masterplan 2018.
CSA also signed a Memorandum of Intent (MOI) with Crest International and the Association of Information Security Professionals (AISP) to introduce Crest certification for penetration testers in Singapore. The certifications will serve as a competency baseline for practising professionals and service providers. Under this MOI, the partners will join hands to set up a Crest Singapore Chapter next year.
CSA and the Infocomm Development Authority of Singapore (IDA) have established the Cyber Security Associates and Technologists Programme (CSAT) to train ICT professionals to acquire practical skills for specialised job roles for Cyber Security Operations. The programme is aimed at helping fresh and mid-career ICT individuals attain the necessary practical skills to better equip them for cyber security roles and positions.
David Koh, CSA CEO, said: “We are excited to be taking these strides forward with our partners to enhance Singapore’s cyber security capabilities as well as raise the quality of the industry and workforce. These partnerships pave the way for us to work closely together on innovative solutions to strengthen our cyber security core. We look forward to establishing more of such consequential partnerships to achieve the vision of a secure smart nation for Singapore.”
Singapore’s business community, particularly those from the financial sector, welcomed CSA’s partnership with Crest.
“Financial institutions face increasing cyber threats. It is therefore critical they conduct robust penetration testing to identify and rectify system vulnerabilities promptly and efficiently,” said Wong Nai Seng, assistant managing director at the Monetary Authority of Singapore. “Crest’s Singapore chapter will help deepen the pool of qualified penetration testing expertise in Singapore and the region and strengthen our financial institutions’ cyber defences.”
Ong-Ang Ai Boon, director at The Association of Banks in Singapore, echoed the sentiment. “Crest will provide financial institutions and outsourced service providers a better assurance on the quality of penetration testing services and in turn enhance the overall cyber security posture of banks in Singapore.”