Recently, former presidential candidate Tan Kin Lian doxxed himself.
For real. Apparently he was of the opinion that people are being too paranoid about protecting the security of their NRIC numbers.
So he posted it online, and for good measure, included his email address, mobile phone number, and date of birth.
To the surprise of pretty much no one, some pranksters locked him out of his own SingPass account (for access to, you know, government services like tax records and housing matters).
To the facepalm of pretty much everyone, he blamed GovTech for locking him out of his own SingPass account.
Let me just try to toss in my dua sen on this matter as objectively as I can.
Firstly, putting all that personal information online is a very, very bad idea. It is somewhat akin to giving your wallet to a total stranger and trusting him to not run away with it. Sure, it’s nice to think the best of others, but like it or not, there are some bad people out there who will run away with the wallet. No one is saying that the thief is in the right and shouldn’t be prosecuted. What everyone is saying is that you have to take good care of your personal items that you can’t afford to lose.
I like to think of myself as a decent guy, but even I can think of at least ten pretty nefarious things that I can do with the kind of information that Mr Tan posted online. I’m not going to post those ten things, for I don’t want to give any messed-up people out there any funny ideas. What I can say is that those ten things range from ‘mildly annoying’ to ‘evil enough to mess up the rest of your life’. The only thing that’s stopping me is my own personal conscience. I’m sure most people out there have a pretty good personal conscience as well.
I’m just saying to beware of those who don’t.
Secondly, there is a very good reason for GovTech to lock the SingPass account after several failed attempts. I’m no IT whiz, and C Programming was my worst-performing subject in school, but even I know the concept of a Brute Force Attack.
It’s exactly what it sounds like: a hacker can program a bot to throw lots and lots of potential passwords at a website until the right password is entered. It’s not an elegant hacking tactic, but a determined hacker can pull it off.
Locking the account after a few failed attempts is an equally simple and effective way to thwart a Brute Force Attack. Mr Tan should be thanking and not berating the GovTech technicians for putting in that security measure.
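Here is the lockout idea as a small Python sketch. It is an added example, not GovTech's or SingPass's actual code; the threshold of 5 failures, the 15-minute lock, the ID and the passwords are all made-up assumptions. It shows both sides of the measure: the bot never gets to try the right password, and the real owner is shut out too until the lock expires.

```python
import hashlib, hmac, os

MAX_FAILURES = 5        # assumed: the post only says "a few failed attempts"
LOCK_SECONDS = 15 * 60  # assumed lock duration

class LoginGuard:
    """Counts consecutive failed logins per account and locks it temporarily."""

    def __init__(self, clock):
        self.clock = clock      # injected clock, so the demo never has to wait
        self.accounts = {}      # user_id -> (salt, password hash)
        self.failures = {}      # user_id -> consecutive failed attempts
        self.locked_until = {}  # user_id -> time at which the lock expires

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password):
        salt = os.urandom(16)
        self.accounts[user_id] = (salt, self._hash(password, salt))

    def login(self, user_id, password):
        now = self.clock()
        if now < self.locked_until.get(user_id, 0):
            return "locked"     # refused without even checking the password
        if user_id not in self.accounts:
            return "denied"
        salt, stored = self.accounts[user_id]
        if hmac.compare_digest(self._hash(password, salt), stored):
            self.failures[user_id] = 0
            return "ok"
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= MAX_FAILURES:
            self.locked_until[user_id] = now + LOCK_SECONDS
            self.failures[user_id] = 0
            return "locked"
        return "denied"

def demo():
    """Constructed scenario: a bot guesses 8 passwords; the 7th is the right one."""
    now = [0]
    guard = LoginGuard(lambda: now[0])
    guard.register("S0000000X", "correct horse")   # made-up ID and password
    guesses = ["123456", "password", "qwerty", "abc123", "letmein",
               "iloveyou", "correct horse", "admin"]
    bot = [guard.login("S0000000X", g) for g in guesses]
    owner_during = guard.login("S0000000X", "correct horse")
    now[0] += LOCK_SECONDS                         # lock window passes
    owner_after = guard.login("S0000000X", "correct horse")
    return bot, owner_during, owner_after
```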
In the end, your personal information should not be taken lightly. Sure, you will be expected to divulge it at times when you have to, say, sign up for a new mobile line or refinance your home mortgage. But in such cases the telco or bank has to take all manner of precautions to ensure that your personal information is not leaked or stolen, on pain of prosecution and stiff penalties.
That is certainly not the same as putting those details on your Facebook wall and daring everyone to do their worst.