Safeguarding Digital Identity: Challenges, Strategies, and Future Solutions

Learning Points from SingPass & Immigration Checkpoint Authority Incidents

In recent months, there has been growing interest in the impact of online scams and identity theft that have led to huge financial losses and an increase in money-laundering activities in Singapore. This article discusses the challenges and strategies related to digital identity theft, focusing on the vulnerabilities of digital identity systems, particularly in Singapore, and explores the concept of Self-Sovereign Identity (SSI) as a potential solution.

Problems of Digital Identity Theft and Online Scam

A digital identity theft refers to the malicious act of exploiting or compromising an individual's or an organisation’s online identity, allowing attackers to access sensitive personal or corporate data by targeting vulnerabilities in their digital footprint. As technology advances, so does the rising tide of cyber threats and opportunities in safeguarding personal and organisational digital identities and footprints.

As reported in the Straits Times article published on 12 Jan 2025[1], scammers successfully stole the National Registration Identity Card (NRIC) details of about 60 Singapore citizens and used them to compromise the victims' SingPass (Singapore Personal Access) accounts for fraudulent activities. Once an individual's SingPass account was compromised, the bad actor could use the individual's SingPass digital identity credentials to log in and transact on the many online services that accept SingPass authentication, thus gaining unauthorised access to the individual's accounts.

SingPass is a trusted digital identity platform developed by the Singapore government for Singapore citizens and residents. It allows users to securely access a wide range of government and private sector services online and in person. However, the successful compromise of SingPass accounts by scammers could erode public trust in the system, affecting both individuals and businesses. This, in turn, could harm Singapore's reputation as a trusted digital hub for online commerce.

In another Straits Times report on 22 Nov 2024[2], it was revealed that over the past three years, approximately 19,000 money mules had escaped prosecution despite their involvement in scams that defrauded Singaporeans of more than $1 billion. A money mule is someone who transfers or moves illegally acquired money on behalf of someone else. Money mules can move funds in various ways, including through bank accounts, cashier's cheques, virtual currency, prepaid debit cards, or money service businesses. Given that SingPass credentials are widely used for banking transactions, including opening new internet banking accounts, it has been challenging to prove whether individuals knowingly facilitated criminal activities by selling their bank and SingPass accounts or whether their accounts were indeed stolen by bad actors.

Such large-scale abuse of SingPass digital identities poses a serious risk to Singapore's digital economy, which was valued at $113 billion (17.7% of GDP) in 2023[3]. As a result, the Singapore government has introduced stricter laws to empower law enforcement agencies to act against money mules and individuals who misuse their SingPass accounts for scams and other crimes.

Digital identities play an integral role in establishing reliable, verifiable connections between users and the digital world. Through strict authentication processes, digital identities contribute to the creation of a secure online environment.

The attack surface for identity-based security has expanded, particularly through stolen credentials and phishing, which are used to hack into an organisation’s networks and are raising concerns about protecting digital identities. Bad actors, adept at social engineering, exploit human nature to compromise identities through phishing and gain access to sensitive data, posing a serious threat to digital identities.

Most recently, in 2024, artificial intelligence (AI) emerged as a powerful tool for bad actors, enabling the creation of fake identities, the generation of convincing phishing emails, and even the cloning of voices and in-person videos for nefarious purposes. Combatting these threats necessitates heightened awareness, as the integration of AI in identity-based attacks continues to evolve, posing an increased risk to users' sensitive data and financial assets. 

What Can We Do to Safeguard and Protect Our Digital Identity? 

A robust digital identity system should ideally serve as a barrier against security breaches, ensuring the sanctity of personal and financial data. However, the recurring incidents of data breaches, identity theft, and fraudulent activities highlight the inherent issues in current digital identity systems. These vulnerabilities not only represent isolated incidents but also translate into staggering financial setbacks for businesses, governments, and individuals alike.


Figure 1: Strategies to mitigate cyber threats to digital credentials. 

To mitigate cyber threats to digital credentials managed by a government or organisation, such as the SingPass digital identity system, consider implementing some of these strategies as summarised in Figure 1: 
  • Implement strong password policies and enable multi-factor authentication (MFA): Enforce complex password requirements (including minimum length and character variety), mandate regular password changes and prevent password reuse across different systems. The Singapore government has advised against using NRIC data as a common user identity (ID) or password. This follows the government's observation that the NRIC is not a strong ID or password, yet it is often used in various government-to-consumer and business-to-consumer online systems. Because the NRIC of a Singapore citizen is derived from date-of-birth data and the formula is public knowledge to anyone who has researched it, it is not a secure password or user ID. Once compromised, it could allow unauthorised access to multiple online systems.
  • Regularly review user access: Most online portals, including government and internet banking systems, immediately send a notification alert upon successful login. It is crucial that the alert be directed to a frequently monitored registered email or phone number to confirm login legitimacy. This will ensure early detection of any unauthorised login attempts and prevent any fraudulent transactions.
  • Stay vigilant and informed about prevailing cybersecurity threats: The Singapore Cyber Emergency Response Team (SingCERT) was established to facilitate the detection, resolution and prevention of cybersecurity-related incidents on the Internet, and it issues advisories and alerts on prevailing cyber-attacks. Most economies in the region have their own national cyber emergency response teams. Staying informed through these advisories and alerts can help you avoid becoming a victim of a cyber-attack.
  • Encrypt and protect sensitive or personal data: Always exercise caution when sharing sensitive or personal data with any individual or organisation that has not been verified. If the purpose and intended use of the data collected are not clearly stated, it is wise to refrain from sharing it. Any personal data sent over the internet should be encrypted to safeguard it from unauthorised access or accidental data leak.
  • Maintain robust incident response plans and test them regularly: Enterprises are advised to adopt an “assumed breach” mentality, with ready incident response plans which are regularly reviewed. Teams should be trained and periodically tested to respond promptly and effectively to any cyber incidents, including credential leaks or identity theft. 
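The first strategy above can be turned into an enforceable check at the point where a user ID or password is set. The following Node.js snippet is an added example and not code from the article or from SingPass; the policy numbers, the user-ID pattern and the sample values are assumptions. It refuses NRIC/FIN-shaped values as either user ID or password (using only the public shape of the identifier, a prefix letter, seven digits and a checksum letter), applies the length and character-variety rules, and blocks reuse of recent passwords by comparing scrypt hashes.

```javascript
const crypto = require('crypto');

// Illustrative policy values (assumption, not any real portal's settings).
const POLICY = {
  minLength: 12,
  minClasses: 3,   // of: lowercase, uppercase, digit, symbol
  historyDepth: 5, // most recent passwords that may not be reused
};

// Public shape of a Singapore NRIC/FIN: one letter, seven digits, one letter.
// The check is on shape only; no checksum logic is needed to reject the value.
const NRIC_SHAPE = /^[A-Za-z]\d{7}[A-Za-z]$/;

function looksLikeNric(value) {
  return NRIC_SHAPE.test(String(value).trim());
}

function characterClasses(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n++;
  if (/[A-Z]/.test(pw)) n++;
  if (/\d/.test(pw)) n++;
  if (/[^A-Za-z0-9]/.test(pw)) n++;
  return n;
}

// Slow, salted hash used only for the reuse check; `userSalt` is per user.
function hashForHistory(pw, userSalt) {
  return crypto.scryptSync(pw, userSalt, 32).toString('hex');
}

// Returns the list of policy violations; an empty list means "accepted".
function checkPassword({ userId, password, userSalt, previousHashes = [] }) {
  const problems = [];
  if (looksLikeNric(userId)) problems.push('user ID must not be an NRIC/FIN');
  if (looksLikeNric(password)) problems.push('password must not be an NRIC/FIN');
  if (userId && password.toLowerCase().includes(userId.toLowerCase())) {
    problems.push('password must not contain the user ID');
  }
  if (password.length < POLICY.minLength) {
    problems.push(`password shorter than ${POLICY.minLength} characters`);
  }
  if (characterClasses(password) < POLICY.minClasses) {
    problems.push(`password needs at least ${POLICY.minClasses} character classes`);
  }
  const h = hashForHistory(password, userSalt);
  if (previousHashes.slice(-POLICY.historyDepth).includes(h)) {
    problems.push('password was used recently');
  }
  return problems;
}

// Constructed sample values for a stand-alone run.
const SALT = 'per-user-salt-example';
console.log(checkPassword({ userId: 'alice', password: 'S1234567A', userSalt: SALT }));
console.log(checkPassword({ userId: 'alice', password: 'Tr0ub4dor&3-horse', userSalt: SALT }));
```

The NRIC-shaped test value is constructed for the example. In production the history comparison would run against the stored hashes from the user's previous password changes, and MFA enrolment would be enforced separately at login rather than in this check.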
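The second strategy relies on login notifications reaching a channel the user actually watches. A portal can make those notifications more useful by marking which successful logins deserve immediate attention. The following Node.js snippet is an added example, not code from the article or from any real portal; the event schema, field names and log lines are constructed. It walks a stream of login events, sends a routine notification for every successful login (as the portals described above do) and raises the priority when the login comes from a device not seen before for that user or follows a burst of failed attempts.

```javascript
// Constructed login events in JSON-lines form (not real data).
const SAMPLE_EVENTS = [
  '{"ts":"2025-01-10T08:00:00Z","user":"u1001","device":"dev-A","ip":"203.0.113.5","outcome":"success"}',
  '{"ts":"2025-01-11T08:05:00Z","user":"u1001","device":"dev-A","ip":"203.0.113.5","outcome":"success"}',
  '{"ts":"2025-01-12T02:10:00Z","user":"u1001","device":"dev-Z","ip":"198.51.100.77","outcome":"fail"}',
  '{"ts":"2025-01-12T02:10:30Z","user":"u1001","device":"dev-Z","ip":"198.51.100.77","outcome":"fail"}',
  '{"ts":"2025-01-12T02:11:00Z","user":"u1001","device":"dev-Z","ip":"198.51.100.77","outcome":"success"}',
  '{"ts":"2025-01-12T09:00:00Z","user":"u1002","device":"dev-B","ip":"203.0.113.9","outcome":"success"}',
];

// Produces one notification per successful login, with a priority and the
// reasons behind it. Thresholds are illustrative assumptions.
function analyseLogins(lines, { failWindowMs = 5 * 60 * 1000, failThreshold = 2 } = {}) {
  const knownDevices = new Map(); // user -> Set of device ids seen on success
  const recentFails = new Map();  // user -> timestamps of failures since last success
  const notifications = [];

  for (const line of lines) {
    const ev = JSON.parse(line);
    const t = Date.parse(ev.ts);

    if (ev.outcome !== 'success') {
      const fails = recentFails.get(ev.user) || [];
      fails.push(t);
      recentFails.set(ev.user, fails);
      continue;
    }

    const seen = knownDevices.get(ev.user) || new Set();
    const reasons = [];
    if (!seen.has(ev.device)) reasons.push('new-device');
    const burst = (recentFails.get(ev.user) || []).filter((f) => t - f <= failWindowMs);
    if (burst.length >= failThreshold) reasons.push('success-after-failures');

    notifications.push({
      user: ev.user,
      ts: ev.ts,
      device: ev.device,
      ip: ev.ip,
      priority: reasons.length ? 'high' : 'routine',
      reasons,
    });

    seen.add(ev.device);
    knownDevices.set(ev.user, seen);
    recentFails.set(ev.user, []); // a success closes the failure window
  }
  return notifications;
}

// Stand-alone run over the constructed events.
for (const n of analyseLogins(SAMPLE_EVENTS)) {
  console.log(`${n.ts} ${n.user} ${n.device} ${n.ip} -> ${n.priority} ${n.reasons.join(',')}`);
}
```

The device identifier stands in for whatever binding the portal already has (a browser fingerprint, an enrolled app instance); the point is that the "new device" and "success after repeated failures" signals are derivable from the login log alone, so they can drive which notifications are flagged for the user's attention.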
To bolster data security and privacy within Environmental, Social, and Governance (ESG) initiatives, organisations must adopt a comprehensive approach that addresses various facets of data management and protection. Here are some essential strategies for organisations to consider:
  • In Singapore, the Cybersecurity Act[4] was passed to regulate Critical Information Infrastructure (CII), mandating that designated entities adopt the framework and comply with the Cybersecurity Code of Practice (CCOP) to safeguard sensitive data, including digital identities in the care of the CII service providers.
  • In the European Union, the similar NIS-2 Directive (Directive (EU) 2022/2555)[5] is a legislative framework designed to enhance cybersecurity across the European Union by establishing a high common level of security for network and information infrastructure.
Around the world, governments have implemented legislation to enhance security to safeguard data. Collaboration between the public and private sectors, coupled with increased public awareness and education about cyber threats, is critical for keeping corporate data breaches and identity theft in check and mitigating their impact.

Future Challenges and Probable Solutions

In today’s fast-changing technology-driven world, fuelled by innovations like Artificial Intelligence, we need a secure, verifiable, and efficient way to verify our identities online, especially for commerce, communication, and collaboration. While existing digital identity methods have worked, we face new challenges that require us to think differently to counter AI-driven deepfakes that have caused distrust and doubts around digital identities. 

In addition, critics of existing digital identity models highlight that no single party in an identity ecosystem, including governments, should be fully trusted to oversee individuals' personal data. While it is apparent that government-issued credentials carry special privacy considerations because they contain verified personal data, the literature in this space has often overlooked the fact that identity systems inherently operate as multi-party trust models. Privacy requirements exist between the credential issuer (such as SingPass, managed and run by the Singapore Government), the credential consumer (such as a government agency, a private business, or another individual), the device, application or wallet storing the credential, and the individual using it.

Self-Sovereign Identity (SSI)[6], a paradigm shift in the world of digital identity, has emerged as the preferred solution. SSI transfers ownership and control of personal identity and data, and the decision to share it, back to the individual. In this model, users hold sole authority over their identity data, determining when, how, and with whom they share their credentials. Such an approach not only bolsters security but also simplifies the processes by which enterprises onboard new customers and offer them new services, and reduces compliance pressure.

In the SSI model, cryptographic techniques are employed to create verifiable credentials. Unlike traditional digital IDs, these credentials are not stored in centralised databases. Instead, they reside with the individual, usually in a digital wallet, and are shared directly with the parties that need to verify them. Verification is achieved through federated or decentralised networks, obviating the need for a single verifying authority. These credentials contain fraud-proof data covering everything from name, address and date of birth to a fully digitised passport or driving licence.

Some examples of this future state of SSI include:
  • European Self-Sovereign Identity Framework (ESSIF): The European Union is developing the ESSIF, aimed at providing a secure and interoperable framework for digital identities across member states. This framework leverages blockchain technology and decentralised identifiers (DIDs) to ensure user control and privacy.
  • ID2020: A global public-private partnership working together to ensure that every person on the planet possesses a unique digital identity. ID2020 focuses on providing digital identity solutions for vulnerable populations, such as refugees and stateless individuals, using SSI principles.

Conclusion

The protection of digital identities is paramount in an increasingly interconnected world where cyber threats are ever evolving. Vulnerabilities in current digital identity systems, exemplified by data breaches and scams in Singapore, underscore the need for robust security measures. At BDO, we advise and emphasise the importance of an "assumed breach" mentality, which highlights the need for data encryption, effective incident response plans, and adoption of and compliance with the prevailing legislative frameworks to safeguard sensitive data. Looking ahead, the adoption of the SSI model presents a promising solution, empowering individuals with greater control over their personal data while enhancing security through decentralised verification methods. Collaboration between the public and private sectors, coupled with increased public awareness, will be crucial in mitigating risks and ensuring the integrity of digital identities in the future.

References
  1. “ICA suspends online change of address service after scammers alter dozens of victims’ addresses”, The Straits Times, 12 Jan 2025: https://www.straitstimes.com/singapore/ica-suspends-online-change-of-address-function-after-scammers-alter-dozens-of-victims-addresses
  2. “Tougher laws mean money mules can’t claim ignorance when selling bank, SingPass accounts to scammers”, The Straits Times, 22 Nov 2024: https://www.straitstimes.com/singapore/tougher-laws-mean-money-mules-can-t-claim-ignorance-when-selling-bank-singpass-accounts-to-scammers
  3. “Singapore’s digital economy made up 17.7% of GDP in 2023”, The Straits Times, 30 Oct 2024: https://www.straitstimes.com/singapore/singapores-digital-economy-contributed-17-7-to-gdp-in-2023-more-than-200000-jobs-created
  4. Cybersecurity Act: https://www.csa.gov.sg/legislation/cybersecurity-act
  5. NIS-2 Directive (Directive (EU) 2022/2555): https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng
  6. Self-Sovereign Identity (SSI): https://www.identity.com/self-sovereign-identity/