Private sector should not use NRIC numbers for authentication; government had planned to stop this
But private organisations can continue collecting partial NRIC numbers for identification
NATIONAL Registration Identity Card (NRIC) numbers in Singapore are sometimes incorrectly used, and the government had planned to stop this while the problem was “relatively contained”, Minister for Digital Development and Information Josephine Teo said on Wednesday (Jan 8).
But the government had not yet pushed for this as it wanted public agencies to change first, and expected that change would take longer for the private sector due to “longstanding practices and habits”, said Teo in Parliament.
She advised private-sector organisations to now do two things. First, those using NRIC numbers as a factor of authentication or as default passwords should stop as soon as possible.
Second, private organisations may continue to collect partial NRIC numbers to identify people. Guidelines here have not yet changed and will only be updated after a public consultation.
In separate ministerial statements, Teo and Second Minister for Finance Indranee Rajah addressed 51 parliamentary questions on the issue.
This was in the wake of public confusion after it emerged that NRIC numbers were disclosed in full on the Accounting and Corporate Regulatory Authority’s (Acra) Bizfile portal.
Calling the Bizfile incident “unfortunate”, Teo said: “Without intending to, it led the public to believe that the government is changing its policy to allow full NRIC numbers to be exposed on a wide scale. This is not the case.
“We take the public’s concerns seriously and are very sorry for the mistake that caused them much anxiety.”
Identification versus authentication
Teo assured the public that NRIC numbers remain personal data, saying: “NRIC numbers can only be collected when there is a need to do so. Organisations that collect NRIC numbers also have a duty of care.”
Such organisations must notify and seek consent on use, as well as ensure protection of the data. This will not change, she added.
Yet while NRIC numbers are useful as unique identifiers, they have also been incorrectly used, said Teo.
One example is treating the NRIC number not just as an identifier, but as authentication.
Some organisations assume that citing an NRIC number confirms a person’s identity, and treat this as “a key to unlock more information or services”. This is “clearly wrong”, said Teo.
Another incorrect use is collecting and using partial NRIC numbers, believing this to be “safe”. Similarly, some individuals use their NRIC numbers as passwords in the belief that the full number is secret.
But this is a “false sense of security”, as algorithms make it easy to work out the full NRIC number from the partial or masked one.
The government thus wanted to both stop organisations from using the NRIC number as an authenticator, and move away from the use of masked NRIC numbers. It planned to change internal practices before changing those of the private sector and non-profit organisations.
Lapse in coordination
The government asked public agencies to stop using the NRIC number as an authenticator or password, and to not plan new uses, with the eventual goal of discontinuing existing uses of masked NRIC numbers.
But a “lapse in coordination” between agencies led to Acra’s misunderstanding, she said.
“What we should have made clear was that moving away from the use of masked NRIC numbers did not mean automatically using the full NRIC number instead in every case,” she said. “At no point was our intention to disclose full NRIC numbers on a wide scale.”
As for the private sector, Teo noted that some organisations can switch from partial NRIC numbers to other forms of identification, such as mobile phone numbers.
However, other organisations may need to identify persons by full NRIC numbers. For example, pre-schools would prefer to collect visitors’ NRIC numbers so that parents feel more secure. Another use is in applications for and disbursements of substantial financial aid.
These considerations will be taken into account when the government updates private sector guidelines, she said.
Asked by Members of Parliament (MPs) about the use of NRIC numbers in scams, Teo replied that the bulk of such cases involve scammers pretending to be authority figures by citing victims’ NRIC numbers.
This is in contrast to using the number directly. She said: “It’s not quite so easy to pinpoint even one specific instance where the scammer was able to get hold of the NRIC number, and then key that in to unlock valuables.”
MP for Bukit Panjang Liang Eng Hwa asked what downsides there were to continuing the use of masked NRIC numbers, since the public is comfortable with this even if it is not foolproof.
Teo reiterated that because algorithms can be used to derive full NRIC numbers, such a practice creates “a false sense of security”, and not stopping it “is also not responsible”.
Copyright SPH Media. All rights reserved.