Current use of NRIC numbers 'leaves us vulnerable': Why Singapore wants to change the way it uses identification numbers
Partial or masked NRIC numbers have been used as a way to conceal full numbers, but that creates a "false sense of security", said Minister for Digital Development and Information Josephine Teo.
SINGAPORE: Rattling off your National Registration Identity Card (NRIC) number is sometimes taken as proof that you are who you say you are. You may even get access to confidential documents using your NRIC number.
But that is not secure because NRIC numbers are not secrets, said Minister for Digital Development and Information Josephine Teo at a press conference addressing queries that were raised after a new portal showed people's names and NRIC numbers in search results.
Although an identity number is a form of personal data that should be protected, it is used in certain settings such as when checking into a hotel or seeking medical treatment.
On Thursday (Dec 19), Mrs Teo outlined several ways in which NRIC numbers are being misused. First, they are used as proof that people are who they claim to be, and hence grant people access to privileged information.
Second, they are seen as information that only the authorities know, which can make us vulnerable to scammers.
Third, masked NRIC numbers have been used as a way to conceal the full numbers, but that creates a "false sense of security" that the full numbers are not known. In reality, the full NRIC number of an individual can easily be guessed with the help of simple algorithms, especially if the person's birth year is also known.
To better protect members of the public, policy involving NRIC numbers needs to change, said Mrs Teo. "The current situation leaves us vulnerable," she said.
NRIC numbers mainly serve to identify people – they say who individuals are, much like names do. However, they have been used for authentication, or proving that people are who they claim to be.
An NRIC card can be used for authentication because it contains a photo, allowing people to check that the photo matches the person holding the card. NRIC numbers alone should not be accepted as authentication.
"We must assume that our NRIC numbers are known to quite a few people," said Mrs Teo.
Over time, NRIC numbers have increasingly come to be used as more than just identifiers, she said.
"This is not a good idea," said Mrs Teo. "Since our NRIC numbers are known to some other people, someone unauthorised may misuse our NRIC number to get access."
People who know our NRIC numbers can also pose as figures of authority because of our long-standing practices and habits, which treat the numbers as confidential information.
Mrs Teo said that even though our names are not secrets, we would be suspicious if someone we did not recognise called us by name and acted like they knew us.
"In the same way, this is how we should treat anyone who tells us our NRIC number," she said.
WHAT NEEDS TO CHANGE
Since current practices made Singaporeans vulnerable, Mrs Teo said there was a need to change the status quo – to move away from using NRIC numbers as authenticators.
Masked NRIC numbers would also be discontinued, with other identifiers used instead of full or partial numbers.
"We knew this had to be done over a period of time, and that a major effort would be needed to help Singaporeans understand the risks," she said.
The government started by telling its agencies to stop using NRIC numbers as passwords or to prove that people are who they claim to be. It also stopped using masked NRIC numbers for new services, and planned to do the same with existing services when they are updated.
Mrs Teo said the Personal Data Protection Commission's (PDPC) guidelines will be updated to put a stop to the wrong uses of NRIC numbers and to reassure organisations that have "legitimate reasons" to use NRIC numbers.
Most organisations and people can carry on with what they are doing, and continue to exercise care in handling NRIC numbers.
"For organisations that are not using NRIC numbers, whether full or partial, as password or authenticator, nothing has changed," she said. "But if they are, then they should stop these practices as soon as practicable."
Using NRIC numbers as passwords or authenticators is not a secure way to handle customer interactions, and that has to stop, she said.
"NOT RUSHING TO CHANGE POLICY"
While the government believes that decisive action must be taken, Mrs Teo said the authorities recognise that it will take time to change practices and mindsets.
"That's why we are not rushing to change policy. We will start by focussing on the incorrect use of NRIC numbers and stopping such practices," she said.
The only thing that has changed is the government's decision not to use masked NRIC numbers, which it set out in a circular sent in July. That is the position the government has taken internally.
For the private sector, a consultation needs to be carried out.
"We haven't decided," she said. "We want to talk to the private sector – under what circumstances you still think that you need to collect the full NRIC number as a way of identifying, and what processes can be put in place to ensure that you are able to exercise your duty of care."
After the consultation is completed, the PDPC guidelines will be adjusted if necessary.
Full NRIC numbers will likely still be used in settings such as hospitals, where they can help to identify individuals more accurately.
But other organisations can rely on email addresses or mobile numbers that can more or less identify a person.
People should not be afraid to use their NRIC numbers confidently as identifiers, but they also should not try to conceal the numbers and use them as passwords, said Mrs Teo.
"That puts the person in a vulnerable position, and it's not the right way of protecting them. The right way of protecting them is to phase out the use of these masked NRIC numbers, certainly for the government," she said.