Unmasking NRIC numbers: how does it affect your privacy?

Experts said the risks highlight how an NRIC number in the wrong hands can pose risks to individuals, who need to be vigilant against scams.

Experts said the risks highlight how an NRIC number in the wrong hands can pose risks to individuals, who need to be vigilant against scams. Photo: Lianhe Zaobao.

This article is contributed by Osmond Chia, and a version of it first appeared in The Straits Times, an SPH publication, on December 21, 2024.

NRIC, the key to Singaporean life

SINGAPORE - Individuals whose full NRIC numbers were exposed on the Accounting and Corporate Regulatory Authority’s (Acra) database earlier in December face potential cybersecurity risks, as organisations frequently rely on NRIC numbers to retrieve personal information.

Checks by The Straits Times also found that NRIC numbers can be key to collecting information about individuals, which can be used for targeted scams or mischief.

Cyber-security experts cautioned that bad actors can use NRIC numbers to trick victims into believing they are authority figures, or to commit crimes. The exposed NRIC numbers can also be used to collect further personal information for use in scams.

The experts said the risks highlight how an NRIC number in the wrong hands can harm individuals. As a result, individuals must be vigilant against scams, even as changes in how NRIC numbers are used in the private sector are underway.

How did the NRIC unmasking begin?

The concerns come after the NRIC numbers belonging to key representatives of companies registered under Acra’s database were accidentally revealed on its new Bizfile web portal on December 9.

Anyone could freely search and view the full NRIC numbers of registered individuals, including business public representatives — some of whom are also politicians.

Acra apologised for the incident and disabled the feature on Dec 13. However, experts said fraudsters could still use simple algorithms to collect the NRIC numbers exposed during this window at scale, increasing the threat of scams.

Acra said the incident was caused by a misunderstanding of an internal message distributed by the Ministry of Digital Development and Information (MDDI) some time in 2024, which informed agencies of plans to move away from using masked NRIC numbers for better security.

It did not reveal how many NRIC numbers were exposed during the incident.

Minister for Digital Development and Information Josephine Teo said at a press conference on December 19 that the authorities are accelerating public education efforts on the use of NRIC numbers and consulting with the private sector on their use.

In the meantime, she urged private-sector organisations to stop relying on NRIC numbers as proof that a person is who he or she claims to be, such as to authenticate fund transfers.

Leaked NRIC numbers a key to personal data

Organisations should instead authenticate users through passwords, security tokens or biometric data. Photo: Lianhe Zaobao.

Organisations still rely on NRIC numbers as a key to retrieve personal data.

At e-kiosks in local healthcare institutions, checks by ST in the past week have found that entering an NRIC number can reveal its owner’s registered address, contact number, recent appointment records and medical bills.

Bad actors could potentially cause mischief by cancelling appointments or collecting prescriptions fraudulently, said cyber-security expert David Siah, executive vice-president of Southeast Asia-Australia at the Centre of Strategic Cyberspace + International Studies, a London-based think-tank.

Privacy Ninja co-founder Andy Prakash said such information can make scams more convincing, as fraudsters can include more unique details, such as a person’s medical condition.

Scammers are unlikely to collect such information at scale due to the presence of security cameras and the difficulty in ensuring if an individual is a patient there, but the information can be used in a one-off targeted attack against specific individuals, he said.

The Registry of Marriages, a national database, allows users who have logged in via the national authentication tool Singpass to look up to whom an individual is married. Users are limited to two free searches a year.

The gaps in using NRIC, then, now, and in future

Some banks accept NRIC numbers to quickly identify customers who need help to block transactions as a measure to thwart scams.

Such a feature has surfaced a debate on the balance between security and convenience, in the light of a report on Dec 9 that a couple’s credit cards were blocked while they were on holiday, after a bank was scammed by an impersonator who used their NRIC numbers and personal details to freeze the couple's accounts.

Local banks said the ability to freeze an account quickly is part of their protocol and an important anti-fraud measure.

For other requests, banks typically require callers to identify themselves by entering their NRIC numbers during the call, followed by a one-time password sent to their phone before services or privileged information are provided.

Calls by ST found that transactions over the phone are limited to fund transfers between the customer’s accounts with the bank and not to anyone else for security purposes.

Insurance companies are known to lock documents sent to customers behind automated passwords, which consist of a combination of a customer’s birthdate and partial NRIC number.

Local banks and insurers are reviewing their use of NRIC numbers and may change their practices soon.

MDDI told the media on December 19 that full NRIC numbers should be used only in situations requiring higher authenticity checks, such as hotel check-ins, medical appointments, and subscribing to a new phone line. They should not be used to sign up for retail memberships or lucky draws, among other scenarios.

How can we protect ourselves?

Cybersecurity consultant Shane Chiang from Momentum Z said organisations are responsible for strengthening cybersecurity measures and ensuring that NRICs are no longer relied on for authentication. He said NRICs should be used only for identification purposes and that individual vigilance is vital during this transition.

Individuals should enable two-factor authentication on online services and anticipate targeted phishing attempts. When more personal data is exposed, phishing attempts will likely be more convincing.
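The distinction the experts draw between identification and authentication, modelled on the e-kiosk scenario described above. This is an added illustration, not code from any institution named in the article; the patient records, phone numbers and the SMS delivery hook are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample data: placeholder NRIC and phone values, not real ones.
PATIENTS = {
    "S0000001A": {"address": "1 Example Rd", "phone": "+65 0000 0001",
                  "appointments": ["2024-12-23 09:00, Clinic 1"]},
}
MAX_ATTEMPTS = 3


def kiosk_lookup_weak(nric: str) -> Optional[dict]:
    """The pattern the article criticises: knowing the NRIC alone unlocks the record."""
    return PATIENTS.get(nric)


class Kiosk:
    """Hardened flow: the NRIC only *identifies* the record; a one-time code sent to
    the phone on file *authenticates* the person before anything is released."""

    def __init__(self, send_sms: Callable[[str, str], None]):
        self._send_sms = send_sms          # delivery channel (SMS here; injected for testing)
        self._pending = {}                 # nric -> {"digest": sha256(otp), "attempts": n}

    def start(self, nric: str) -> str:
        rec = PATIENTS.get(nric)
        if rec is not None:
            otp = f"{secrets.randbelow(10**6):06d}"
            self._pending[nric] = {"digest": hashlib.sha256(otp.encode()).digest(),
                                   "attempts": 0}
            self._send_sms(rec["phone"], otp)
        # Identical response whether or not the NRIC exists, so the kiosk cannot be
        # used to confirm who is a patient here.
        return "If this NRIC is registered, a code has been sent to the phone on file."

    def release(self, nric: str, otp: str) -> Optional[dict]:
        state = self._pending.get(nric)
        if state is None:
            return None
        state["attempts"] += 1
        ok = hmac.compare_digest(hashlib.sha256(otp.encode()).digest(), state["digest"])
        if ok or state["attempts"] >= MAX_ATTEMPTS:
            del self._pending[nric]        # single use; lockout after repeated guesses
        return PATIENTS[nric] if ok else None
```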

Mr Chiang added: “Individuals should verify the legitimacy of communications before sharing further personal information or engaging with unfamiliar parties.”