‘Long overdue’: Experts welcome advisory against private-sector use of NRIC numbers for authentication
Source: Business Times
Article Date: 27 Jun 2025
Author: Sharanya Pillai & Therese Soh
Government to work with regulated sectors such as finance, healthcare and telecommunications to develop sector-specific guidance.
Urging the private sector to stop using NRIC numbers for authentication is a timely and pragmatic move to strengthen data security, industry players told The Business Times.
On Thursday (Jun 26), the government released an advisory telling private-sector organisations to move away from using full or partial National Registration Identity Card numbers to authenticate individuals “as soon as possible”.
The government is also working with regulated sectors – such as finance, healthcare and telecommunications – to develop sector-specific guidance in the coming months.
“This is a sensible move and long overdue. Using NRIC numbers for authentication has always been a weak security practice,” said Bhargav Sosale, data protection officer at medtech company Remidio.
He noted that NRIC numbers are more like usernames than passwords, being “static” identifiers that are used widely across institutions from banks to healthcare providers.
“(That) ubiquity is precisely what makes them unsuitable for authorisation,” he said.
Even the use of partial NRIC numbers – such as the last four digits – could be dangerous, noted Pang Tzer Yeu, chief information security officer at Red Alpha Cybersecurity.
The risks are also high when NRIC numbers are paired with other easily obtainable information such as one’s date of birth, noted Gerry Chng, head of cyber at KPMG in Singapore.
Steven Scheurmann of cybersecurity company Palo Alto Networks sees Singapore’s move as a “significant step” towards bolstering digital safety, especially as identity theft and impersonation tactics grow more complex.
He called on organisations to adopt stronger authentication methods such as complex, unique passwords or multi-factor authentication (MFA). Other options include biometric verification and security tokens.
“These methods offer significantly higher resistance to impersonation and fraud, and ultimately help build trust in digital services,” said Scheurmann, who is Palo Alto’s regional vice-president for Asean.
Verification through the Singpass app is another tool that some organisations are already tapping, noted Red Alpha’s Pang.
“Many companies have already moved away from using NRIC, but there are a few sectors where I still see it being prevalent,” he said, citing the insurance sector as an example.
For players that still rely on NRIC numbers for authentication, the government advisory “should be a wake-up call”, said Sosale.
Industry reactions
Industry players that BT reached out to said that they would work with the authorities on the matter.
Association of Banks in Singapore director Ong-Ang Ai Boon said that the industry is exploring “alternative authentication methods in line with today’s advisory”.
She noted that NRIC numbers alone cannot be used for financial transactions such as payments and funds transfers.
However, “there are limited non-transactional circumstances where NRIC numbers are used for authentication, such as to open encrypted documents sent by e-mail”, she said.
A spokesperson for AIA Singapore said that the insurer has moved away from relying solely on NRIC numbers for authentication.
“AIA Singapore only collects full or partial NRIC numbers when it is necessary to establish or verify an individual’s identity to a high degree of accuracy,” said the spokesperson, noting that this is in line with Personal Data Protection Act (PDPA) guidelines.
The insurer also uses MFA for more secure access to online services. Verification processes are also in place at human-assisted customer service touch points.
“We take data security seriously and will continue to ensure all our data collection processes adhere to PDPA guidelines,” the spokesperson added.
Separately, Singtel told BT that it adheres to the present guidelines on the use of NRIC for authentication.
“We will wait and review any new guidelines from the (Infocomm Media Development Authority) before assessing any potential impact to our operations,” said a spokesperson.
Fellow telco M1 told BT that it uses NRIC only to identify customers, and not to authenticate them.
Hospital operator Raffles Medical Group noted that it relies on NRIC numbers as a unique identifier for patients during admission, registration and billing.
The company “will continue to take guidance from the Ministry of Health regarding the use of NRIC numbers for the verification of our patients’ identity”, a spokesperson said.
Data privacy hit the spotlight last December, after a furore over the disclosure of full NRIC numbers on the Accounting and Corporate Regulatory Authority’s Bizfile portal.
The government had plans to change the practice of masking NRIC numbers, but the Bizfile portal had run ahead of that intent, the Ministry of Digital Development and Information said at the time.
Source: The Business Times © SPH Media Limited. Permission required for reproduction.