Government asks private firms to stop using IC numbers to prove person's identity, Singapore News
Private organisations in Singapore should stop using National Registration Identity Card (NRIC) numbers to prove a person's identity as soon as possible, the Ministry of Digital Development and Information (MDDI) has said.
In a media release on Thursday (June 26), MDDI said that while NRIC numbers may be used to identify a person over the phone or when using digital services, it should not be used for authenticating access to private services or information meant only for that person.
In a joint advisory issued the same day, the Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) said NRIC numbers are issued to uniquely identify a person and must be assumed to have been disclosed to at least a few other persons.
Noting that organisations are responsible for deciding whether and how to authenticate their users, CSA said passwords are one such method of authenticating a person.
Passwords that cannot be easily guessed should hence be used, it said, noting that passwords containing easily obtained information including names, NRIC numbers or birthdates do not make strong passwords.
PDPC and CSA said in the advisory that default passwords, such as the ones required for password-protected files sent via e-mail, should not be NRIC numbers.
Private organisations should also not combine the full or partial numbers with other easily obtainable personal data for authentication; for example, passwords that combine partial NRIC numbers and date of birth, like "567A01Jan80".
[[nid:712707]]
Even if an individual can state his NRIC number, organisations must be aware that he may not be who he claims to be.
If it is necessary to authenticate persons, they should consider using other authentication method(s) and take a risk-based approach when deciding, taking into consideration factors like the value and sensitivity of the protected material and potential threats and vulnerabilities.
Other options to authenticate a person include strong passwords, using a security token and fingerprint or facial verification.
MDDI said the Government has been taking steps to ensure the proper use of NRIC numbers in the private sector, to better protect citizens, since January.
The ministry added that the Government is also working with regulated sectors such as finance, healthcare, and telecommunications to develop sector-specific guidance in the coming months.
[[nid:715244]]
lim.kewei@asiaone.com
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
CNA
3 hours ago
- CNA
Private sector urged to move away from using NRIC numbers as means of authentication
The authorities have urged private sector organisations to move away from using NRIC numbers as a means of authentication. The Personal Data Protection Commission and Cyber Security Agency of Singapore are also working with regulated sectors — such as finance, healthcare and telecommunications — to provide sector-specific guidance in the coming months. Nicolas Ng reports.
AsiaOne
9 hours ago
- AsiaOne
Government asks private firms to stop using IC numbers to prove person's identity, Singapore News
Private organisations in Singapore should stop using National Registration Identity Card (NRIC) numbers to prove a person's identity as soon as possible, the Ministry of Digital Development and Information (MDDI) has said. In a media release on Thursday (June 26), MDDI said that while NRIC numbers may be used to identify a person over the phone or when using digital services, it should not be used for authenticating access to private services or information meant only for that person. In a joint advisory issued the same day, the Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) said NRIC numbers are issued to uniquely identify a person and must be assumed to have been disclosed to at least a few other persons. Noting that organisations are responsible for deciding whether and how to authenticate their users, CSA said passwords are one such method of authenticating a person. Passwords that cannot be easily guessed should hence be used, it said, noting that passwords containing easily obtained information including names, NRIC numbers or birthdates do not make strong passwords. PDPC and CSA said in the advisory that default passwords, such as the ones required for password-protected files sent via e-mail, should not be NRIC numbers. Private organisations should also not combine the full or partial numbers with other easily obtainable personal data for authentication; for example, passwords that combine partial NRIC numbers and date of birth, like "567A01Jan80". [[nid:712707]] Even if an individual can state his NRIC number, organisations must be aware that he may not be who he claims to be. If it is necessary to authenticate persons, they should consider using other authentication method(s) and take a risk-based approach when deciding, taking into consideration factors like the value and sensitivity of the protected material and potential threats and vulnerabilities. Other options to authenticate a person include strong passwords, using a security token and fingerprint or facial verification. MDDI said the Government has been taking steps to ensure the proper use of NRIC numbers in the private sector, to better protect citizens, since January. The ministry added that the Government is also working with regulated sectors such as finance, healthcare, and telecommunications to develop sector-specific guidance in the coming months. [[nid:715244]]
Business Times
10 hours ago
- Business Times
Government urges private sector to stop using full, partial NRIC numbers for authentication
[SINGAPORE] The Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) on Thursday (Jun 26) advised private organisations to stop using full or partial national registration identity card (NRIC) numbers for authentication. Authentication is the process of proving that a person is who he claims to be before granting him access to services or information intended solely for him, the PDPC and CSA said in a joint advisory posted on their websites. 'NRIC numbers should not be used to prove that a person is who he claims to be for the purposes of trying to gain access to services or information meant only for that person,' the Ministry of Digital Development and Information (MDDI) said in a statement on the same day. Companies that do use NRIC numbers for such purposes should 'transition away from (the) practice as soon as possible', the ministry said. This includes not setting NRIC numbers as default passwords and not using full or partial NRIC numbers with other easily obtainable personal data – such as by using passwords that combine parts of a person's NRIC number with his date of birth. The ministry noted that some private sector organisations currently require individuals to use their NRICs as passwords to access information intended solely for them, such as insurance documents. This practice is unsafe as a person's NRIC number may be known to others such that using it for authentication would permit anyone who knows the person's NRIC number to impersonate him and easily access his personal data or records, the MDDI said. 'If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, a security token or fingerprint identification,' the MDDI statement said. This comes on the back of government efforts, since January, to ensure the proper use of NRIC numbers in the private sector to better protect citizens, MDDI said.
