Replacing NRIC number as authentication tool may take months: Experts
Source: Straits Times
Article Date: 19 Dec 2024
Author: Lee Li Ying
They also flag risk of scams, identity theft as organisations overhaul security systems.
Singapore’s digital ecosystem will become more secure when NRIC numbers are no longer used to authenticate users, but putting in place the infrastructure for stronger authentication tools could take several months to a year or more, said cyber-security experts.
In the interim, Singaporeans could face an incremental risk of scams and identity theft while organisations overhaul their systems, and would be well advised to stay vigilant and adopt additional security measures, they added.
Following a public outcry after the Accounting and Corporate Regulatory Authority (Acra) unmasked NRIC numbers on a new search portal last week, the Government apologised for the unease caused and announced a policy shift whereby NRIC numbers should not be treated as sensitive information.
Furthermore, NRIC numbers are intended to identify individuals, and not to be misused as a form of authentication to access privileged information or perform privileged transactions, said the Government.
Organisations should instead authenticate users through passwords, security tokens or biometric data.
What’s the difference between identifying and verifying?
Experts point out that NRIC numbers are widely used in Singapore across industries such as banking, telecommunications, insurance and healthcare for both identification and verification purposes.
Identification states who a person is, while verification proves a person’s identity.
Singapore University of Social Sciences law lecturer Ben Chester Cheong said: “For example, using your NRIC (number) to register at a clinic’s front desk or to look up your insurance policy is identification – (you are) simply declaring who you are.
“However, making changes to your insurance policy, accessing medical records, or conducting financial transactions requires proper authentication – proving you are who you claim to be.”
What new authentication methods could look like
Authentication methods will vary by sector and what they are used for.
“Some banks might add voice biometrics for additional security. In healthcare settings, hospitals might implement a secure patient portal for accessing medical records, using two-factor authentication,” said Mr Cheong.
“For in-person procedures, biometric verification like fingerprints or facial recognition could complement existing identification processes.”
He added: “Insurance companies might require digital signatures through secure apps, combined with video verification for high-value transactions.”
Simulation Software & Technology director Ori Sasson said organisations could also authenticate users through the Singpass mobile app, which can be made even more secure by using the facial recognition option.
“Using Singpass to authenticate makes lots of sense, since the Government has invested heavily in creating a robust and tamper-proof authentication method,” he added.
Experts say that moving away from NRIC numbers for authentication and turning to more secure methods is a sensible approach in this digital age.
“Modern authentication tools offer several advantages: They are typically harder to compromise, can be changed if breached and provide clearer audit trails. They also enable more sophisticated security measures,” said Mr Cheong.
But to fully set up the infrastructure for such authentication methods is likely to be a time-consuming and costly endeavour, with experts estimating a timeline of three to six months for larger organisations such as major banks, telcos and healthcare groups.
Smaller organisations that rely on NRIC numbers as a form of authentication could take even longer to adapt, depending on the complexity of the changes, regulatory compliance checks and vendor capabilities.
Dr Sasson said: “Costs include upgrading IT systems, training staff and educating customers.
“While OTP (one-time password) or PIN (personal identification number) systems might be relatively straightforward, implementing biometric verification requires hardware, software licensing and potentially new platforms.
“There could also be recurring costs for maintenance, customer support and ongoing security assessments.”
Short-term risk of identity theft and scams
But until organisations fully migrate away from relying on NRIC numbers, some experts are concerned that the transition period could be exploited by scammers.
“While the move away from using NRIC numbers as a method of authentication will boost security of the digital economy in the long run… the issue lies in that alternative systems for authentication had not been fully set up before Acra unmasked IC numbers,” said Mr Anthony Lim, director of the Centre for Strategic Cyberspace and International Studies, a think-tank.
Dr Sasson said Singaporeans will continue to face the risk of scams and identity theft until authentication systems are replaced with more secure methods.
For example, if certain systems have not yet phased out NRIC-based verification, it becomes easier for someone with that number to pass rudimentary security checks and take over accounts, he added.
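To make the identification-versus-verification distinction above, and the account-takeover risk Dr Sasson describes, concrete: the following is an added illustration by the editor, not code from the article or from any bank, insurer or agency named in it. It models an insurer's directory keyed by NRIC number, contrasts a check that treats the identifier as the proof of identity with one that demands a separate secret (a salted PBKDF2 password hash, chosen here as a stand-in for whatever authenticator an organisation adopts), and shows two of the properties Mr Cheong lists: the authenticator can be rotated after a breach, and every attempt leaves an audit event. All names, NRIC-format strings, policy IDs and passwords are constructed sample data, not real people.

```python
"""Identifier vs authenticator: why "knows the NRIC number" is not a login.

Editor's illustration, not from the article. Names, NRIC-format strings and
passwords are constructed sample data; the password authenticator is an
assumption standing in for whatever method an organisation deploys.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware budget


@dataclass
class Account:
    nric: str            # identifier: effectively public, cannot be rotated
    name: str
    policy_id: str
    salt: bytes          # authenticator material: secret and rotatable
    pw_hash: bytes
    failed_logins: int = 0


AUDIT_LOG: list[dict] = []


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(nric: str, name: str, policy_id: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(nric, name, policy_id, salt, _hash_password(password, salt))


# Constructed directory, keyed by the identifier (hypothetical records).
DIRECTORY = {a.nric: a for a in [
    make_account("S1234567D", "Tan Ah Kow", "POL-0001", "correct horse battery"),
    make_account("T0123456J", "Lim Mei Ling", "POL-0002", "staple purple monkey"),
]}


def identify(nric: str):
    """Identification: declare who you are. Returns non-privileged data only."""
    acct = DIRECTORY.get(nric)
    return None if acct is None else {"name": acct.name, "policy_id": acct.policy_id}


def weak_verify_by_nric(nric: str) -> bool:
    """The anti-pattern: the identifier doubles as the proof of identity.
    Anyone holding a harvested NRIC list passes this check."""
    return nric in DIRECTORY


def authenticate(nric: str, password: str) -> bool:
    """Authentication: prove the claim with a secret the identifier does not reveal.
    Constant-time compare, audit event on every attempt, failure counter for lockout."""
    acct = DIRECTORY.get(nric)
    # Hash even for unknown users so timing does not reveal whether the NRIC exists.
    probe = _hash_password(password, acct.salt if acct else bytes(16))
    ok = acct is not None and hmac.compare_digest(probe, acct.pw_hash)
    if acct is not None and not ok:
        acct.failed_logins += 1
    AUDIT_LOG.append({"nric": nric, "event": "login", "ok": ok})
    return ok


def rotate_password(nric: str, old_password: str, new_password: str) -> bool:
    """The authenticator can be changed after a breach; an NRIC number cannot."""
    if not authenticate(nric, old_password):
        return False
    acct = DIRECTORY[nric]
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = _hash_password(new_password, acct.salt)
    AUDIT_LOG.append({"nric": nric, "event": "password_rotated", "ok": True})
    return True


def takeover_attempts(harvested_nrics, check) -> int:
    """Simulate an attacker replaying a harvested NRIC list against a given check."""
    return sum(1 for n in harvested_nrics if check(n))


if __name__ == "__main__":
    # Constructed harvested list: two real directory entries plus one unknown number.
    harvested = ["S1234567D", "T0123456J", "S7654321Z"]
    print("weak check lets in:", takeover_attempts(harvested, weak_verify_by_nric))
    print("strong check lets in:",
          takeover_attempts(harvested, lambda n: authenticate(n, "password123")))
    print(AUDIT_LOG[-3:])
```

The point of the contrast is structural rather than cryptographic: `identify()` may freely accept an NRIC number because it returns nothing privileged, whereas `weak_verify_by_nric()` grants every holder of a harvested list the same access as the account owner, and no amount of hashing or rate limiting fixes that, since the "secret" is the very value that was published. A real deployment would add lockout on `failed_logins`, a second factor, and persistent audit storage; those are omitted here for brevity.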
Before Acra disabled the function allowing people to access the NRIC numbers of individuals on its new portal without payment, members of the public were able to gain access to NRIC numbers of Singaporeans, including public figures like Cabinet ministers.
Cyber criminals could have harvested large amounts of NRIC information then, said Mr Aaron Ang, chief information security officer at Singapore-based IT services company Wissen International.
He said this makes Singaporeans “extremely” vulnerable to scammers who make use of NRIC numbers to secure the trust of victims in phone calls.
“If this blunder by the Government has in some way enabled cyber criminals, then I think that while the government agencies have invested so much in scam prevention, we have inadvertently shot ourselves in the foot and moved steps backwards,” said Mr Ang.
To better protect themselves, Singaporeans need to keep their guard up.
Dr Sasson said: “If someone calls and says they are from the tax authority, the police or the bank, we need to consider whether it makes sense, and whether we have ever received such a call.
“In any such call, we need to understand our NRIC (number) is not necessarily a secret, so we need not assume that if someone knows our NRIC (number), it means they are credible.”
Dr Sasson said Singaporeans should set up PINs, passwords and two-factor authentication for their accounts even if it is optional.
Mr Cheong said in the transition period, organisations should accelerate their move away from using NRIC numbers for authentication, even if they have not yet implemented sophisticated alternatives.
“In the interim, they can utilise simpler but more secure methods like one-time passwords via SMS or e-mail, or implement knowledge-based authentication using transaction histories,” he added.
The Straits Times has reached out to major banks, telcos, insurers and private healthcare groups on their plans following the policy shift.
Source: Straits Times © SPH Media Limited. Permission required for reproduction.