A recent advisory published by the Resecurity cybersecurity vendor exposes a trend now developing on the dark web – more and more stolen biometrics-based data is ending up in this corner of the internet.
These revelations, describing the increase in activity of this type as “significant,” highlight the case of Singapore, including its SingPass scheme.
At the same time, they confirm that the fears of the digital ID and age verification push sooner or later turning into a privacy nightmare.
In Singapore, every citizen and resident has a SingPass (Singapore Personal Access) digital ID account, which is touted by the authorities in the city-state as their “trusted digital identity” – not to mention a “convenient” one.
Blackhat hackers, however, beg to disagree, and it’s hard to imagine that digital ID holders affected by identity theft think of the scheme as in any way “convenient.”
Security researchers say that overall, year-on-year, as many as 230 percent more “vendors” are now selling stolen personal information that often contains facial recognition data, fingerprints, and other biometrics belonging to Singaporeans.
A majority of this data has been up for sale on the XSS dark web forum, according to the same source.
In 2024 thus far, this type of activity peaked in April, following a rise in data breaches where cybercriminals targeted a number of online databases that store this information.
Stolen citizens’ identities are then used for a variety of criminal activities, including fraud, scams, and the creation of deepfakes. But once this kind of floodgate opens, exposing particularly sensitive data, spies and various governments are never far behind the common criminals in exploiting the breaches.
Other than supposedly being “easy and secure,” SingPass gives access to more than 1,700 government and private sector services in Singapore, both online, and in person.
But Resecurity said that more than 2,377 of these accounts were compromised last month alone, with the firm saying the holders of those have been notified of this discovery.
However, the firm’s advisory noted that in many cases online platforms that suffer data breaches do not disclose these incidents, which means that citizens and residents in Singapore whose identities have been stolen are not even aware of this.
