What the move away from masked NRIC numbers means for Singaporeans: askST
Source: Straits Times
Article Date: 20 Dec 2024
Author: Osmond Chia & Lee Li Ying
The current practice of masking NRIC numbers creates a false sense of security that such data is secret, said Digital Development and Information Minister Josephine Teo.
Singaporeans have been asked to change the way they think about NRIC numbers and how they are used.
The current practice of masking NRIC numbers creates a false sense of security that such data is secret, Digital Development and Information Minister Josephine Teo said in a press conference on Dec 19.
It also means organisations have started wrongly using NRIC numbers as passwords, or as ways to authenticate a person’s identity and grant them access to privileged information.
Mrs Teo said government agencies had intended to start moving away from these practices by discontinuing the use of masked NRIC numbers.
But a miscommunication between her ministry and the Accounting and Corporate Regulatory Authority (Acra) led to NRIC numbers being fully revealed on Acra’s new business portal.
The Straits Times highlights the changes.
Q: Is this a policy U-turn? Can all organisations collect NRIC numbers now?
A: The only thing that has changed is the Government deciding not to use masked NRIC numbers, said Mrs Teo.
It had planned to discontinue the use of masked NRIC numbers internally, starting with new services.
Mrs Teo said the authorities have been consistent on the proper way NRIC numbers should be handled.
For the private sector, the Personal Data Protection Commission’s (PDPC) 2018 guidelines will remain for now.
This includes all the steps that must be taken when organisations collect and use NRIC numbers and NRICs.
Current guidelines will be updated to include the Government’s new position on masked NRIC numbers, and the improper usage of NRIC numbers for passwords and authentication.
The private sector will be consulted before any changes are made. This process will be sped up in the light of the incident involving Acra.
Q: What does unmasking NRIC numbers mean?
A: Singapore is moving away from using masked NRIC numbers, but this does not mean people should fully reveal NRIC numbers in all circumstances.
This is the misunderstanding that resulted in Acra making its database of NRIC numbers public, Second Minister for Finance Indranee Rajah said during the press conference.
In some instances – for example, before a doctor performs a procedure or a nurse dispenses medication – it is safer and more accurate to use the full NRIC number, instead of a partial one.
But there is no need to use NRIC numbers for identification in other situations, like signing up for retail memberships or lucky draws.
In such cases, alternatives like mobile phone numbers or e-mail addresses can be used.
Q: What is the difference between identification and authentication?
A: NRIC numbers were created as a unique identifier for citizens, but they have come to be used as a means of authentication over time.
Identification means using your NRIC number to state who you are. Doing so allows a medical professional, for instance, to accurately refer to a specific patient’s medical records.
Identifying people using NRIC numbers is more accurate than using their names. This is because the NRIC number, issued to every citizen in their teens, is unique, whereas there can be many people with the same name.
On the other hand, authentication means using your NRIC number to prove you are who you claim to be.
Organisations that use NRIC numbers to authenticate transactions or logins should stop doing so. They should instead use more secure alternatives, like one-time passwords or biometric data.
Q: Why shouldn’t NRIC numbers be used for authentication?
A: NRIC numbers are meant as a unique identifier and cannot be a secret, just as people’s names are not a secret, said Mrs Teo.
“However, over time, NRIC numbers have increasingly come to be used as more than an identifier,” she said.
Some organisations rely on NRIC numbers to prove that a person is who they claim to be, in order to access privileged information or services like freezing bank accounts.
The same logic applies to passport numbers, which are unique but should not be relied on for authentication.
Q: Why can’t partial NRIC numbers be used for authentication?
A: Partial NRIC numbers should not be relied on for authentication because they give a false sense of security that the numbers are concealed, Mrs Teo said.
In reality, they can be easily unravelled by simple algorithms, leaving users vulnerable.
In 2018, the PDPC advised people not to provide their full NRIC numbers to companies.
It recommended that they instead provide other personal data. This could be a phone number or a partial – or masked – NRIC number, by rendering S0123456A as ****456A for verification.
Q: What is the difference between presenting an NRIC and stating your NRIC number?
A: The new approach to NRIC numbers does not invalidate the use of physical NRICs as a way to prove who an individual is.
NRICs can be used to identify a person and prove they are who they claim to be. This is because NRICs have multiple unique identifiers, like a person’s fingerprint and photo. These allow others to check that a person’s NRIC matches whoever is presenting the card.
This makes presenting the physical card more secure than simply stating a person’s NRIC number, which should not be accepted as a means of authentication, said Mrs Teo.
Q: Why can’t the private sector share the same approach to NRIC numbers as the public sector?
A: The same standards for how NRIC numbers should be used cannot apply equally to the private and public sectors, Mrs Teo said.
This is because the Government’s use of NRIC numbers is often linked to the provision of benefits to citizens, she added.
For example, NRIC numbers are used to identify individuals in healthcare, law enforcement and the disbursement of grants.
The plan to move away from masked NRIC numbers is meant for the public sector, Mrs Teo said.
Private companies should abide by the PDPC’s 2018 guidelines when it comes to the collection of NRIC numbers.
The Government has not updated guidelines for private sector usage and will conduct a public consultation before it makes changes to the current guidelines.
Q: Am I at risk? What should I be wary of?
A: Fraudsters who know your full NRIC number could use it to impersonate you for services that still rely on NRIC numbers for authentication.
Acknowledging this, Mrs Teo urged organisations to discontinue this practice as soon as possible.
People should not immediately think that anyone who can recite their NRIC number is reliable or an authority figure.
Instead, they should be cautious about their interactions.
When asked how many NRIC numbers had been made accessible in the new Bizfile portal, Ms Indranee said the authorities are still checking the figure.
She pointed out that Acra does not have access to the information of all Singaporeans, only that of business directors and people in its database.
Source: Straits Times © SPH Media Limited. Permission required for reproduction.
1155