Ex-Presidential Candidate Posted NRIC & Details Online; Got Locked Out From SingPass & Nearly From FB As Well



Remember him?

Image: wikipedia.org

Other than being the NTUC Income Chief for thirty years, he came into the limelight after running for the Singapore presidency in the 2011 Presidential Election, and finished in fourth position…out of four candidates.

The 71-year-old has been active on Facebook since then, posting extremely trollish viral content like this:

Sometimes, he’d also tell you about his haircut:

And also about his life, like how people took the front seat of a bus, which apparently is his favourite seat:

While he might remind you of your uncle who’s unaware that Facebook’s algorithm has pushed him to the bottom of your newsfeed, Tan Kin Lian, who uses Blogspot for his blog (simi si blog?!), is still influential, not because of his run for presidency almost eight years ago, but because he has a fan base of over 13K Likes on his Facebook Page.

And of course, for something like this.

Tan Kin Lian Posts His Personal Details Online to Prove a Point

All of a sudden, at 8:00 a.m. this morning, the man who nearly became our president posted this (I’ve turned it into an image and censored the details for obvious reasons):

Image: Facebook (Tan Kin Lian)

Simply put, he posted his personal details, including his NRIC number, email address, mobile number and date of birth online to prove a point: that even if our personal details are obtained by third parties, we do not need to worry much as no one can access anything sensitive.

In his words, he said “the paranoia about the privacy of NRIC and contact details to be over-blown” and that “whenever there is a data breach and the NRIC or contact details are stolen, it seemed to be a big issue. I do not think so.”

Oh, well.

He did prove a point; but it’s not the point he wanted to prove.

SingPass Account Locked Out

So, an hour later, he was still adamant that nothing would happen.



Then, about six hours after he published his personal details online, he gave us an update: he had been locked out of his SingPass account.

Most well-secured systems lock out a user after a few login attempts with the wrong credentials. This is to prevent something known as a “brute-force attack”, whereby software tries to log in hundreds of millions of times a second with different combinations of usernames and passwords just to find the correct one.

While we can’t confirm, it could be that he had used the default login username for his SingPass, which is his NRIC number. Apparently, all it took was someone to try to log in unsuccessfully six times, and his account was locked out.
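To make the lockout behaviour above concrete, here is an added example (not from the original article, and not SingPass's actual logic) comparing a hard lockout keyed on the username alone with a throttle keyed on username plus source address. The threshold of six follows the article's account; the class names, source addresses and placeholder username are assumptions.

```python
from collections import defaultdict

THRESHOLD = 6  # failed attempts before action, following the article's account

class AccountLockout:
    """Hard lockout keyed on username: failures from anyone count against the owner."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, username, password_ok, source):
        if username in self.locked:
            return "locked"          # even the correct password is refused
        if password_ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= THRESHOLD:
            self.locked.add(username)
        return "denied"

class PerSourceThrottle:
    """Counts failures per (username, source) and blocks only the failing source."""
    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, username, password_ok, source):
        key = (username, source)
        if self.failures[key] >= THRESHOLD:
            return "throttled"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"

def simulate(policy):
    """Constructed scenario: a stranger fails six times, then the owner logs in correctly."""
    user = "S0000000X"  # constructed placeholder, not a real NRIC
    for _ in range(THRESHOLD):
        policy.login(user, password_ok=False, source="198.51.100.7")
    stranger = policy.login(user, password_ok=False, source="198.51.100.7")
    owner = policy.login(user, password_ok=True, source="203.0.113.20")
    return stranger, owner
```

Per-source counting alone does not stop guessing spread across many sources, so real deployments pair it with a per-account rate limit and a second factor.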



He then criticized GovTech, for he believed that his 2FA would have prevented any brute-force attack.

But it didn’t end there.

Facebook Account Nearly Compromised

About an hour later, he posted this:

Apparently, someone had done the same thing to his Facebook account; but instead of trying to log in unsuccessfully, the “someone” probably tried the “forget password” feature in Facebook.

And of course you’re wondering: how did that “someone” know his username?



Remember how he also provided his email address and phone number as well?

Never Try This At Home

Yeah, while personal details might not be enough to log into a sensitive account, they can be used by bad actors to carry out what is known as “social engineering”: using the personal details to find out the eventual login credentials.

An example is someone calling you, saying that he’s from a bank, and then verifying his identity by reciting your NRIC number. He then asks you to click on a simple link. You might just believe him and ta-da: you’ve just downloaded malware.

In other words, the point is noted: personal details should be kept personal, especially now when we’re heading towards a Digital Nation.

In the meantime, have you changed your SingPass username to something unique instead of your NRIC number?

