'Long overdue': Experts welcome advisory against private-sector use of NRIC numbers for authentication
[SINGAPORE] Urging the private sector to stop using NRIC numbers for authentication is a timely and pragmatic move to strengthen data security, industry players told The Business Times.
On Thursday (Jun 26), the government released an advisory telling private-sector organisations to move away from using full or partial National Registration Identity Card numbers to authenticate individuals 'as soon as possible'.
The government is also working with regulated sectors – such as finance, healthcare and telecommunications – to develop sector-specific guidance in the coming months.
'This is a sensible move and long overdue. Using NRIC numbers for authentication has always been a weak security practice,' said Bhargav Sosale, data protection officer at medtech company Remidio.
He noted that NRIC numbers are more like usernames than passwords, being 'static' identifiers that are used widely across institutions from banks to healthcare providers.
'(That) ubiquity is precisely what makes them unsuitable for authorisation,' he said.
Even the use of partial NRIC numbers – such as the last four digits – could be dangerous, noted Pang Tzer Yeu, chief information security officer at Red Alpha Cybersecurity.
The risks are also high when NRIC numbers are paired with other easily obtainable information such as one's date of birth, noted Gerry Chng, head of cyber at KPMG in Singapore.
Steven Scheurmann of cybersecurity company Palo Alto Networks sees Singapore's move as a 'significant step' towards bolstering digital safety, especially as identity theft and impersonation tactics grow more complex.
He called on organisations to adopt stronger authentication methods such as complex, unique passwords or multi-factor authentication (MFA). Other options include biometric verification and security tokens.
'These methods offer significantly higher resistance to impersonation and fraud, and ultimately help build trust in digital services,' said Scheurmann, who is Palo Alto's regional vice-president for Asean.
Verification through the Singpass app is another tool that some organisations are already tapping, noted Red Alpha's Pang.
'Many companies have already moved away from using NRIC, but there are a few sectors where I still see it being prevalent,' he said, citing the insurance sector as an example.
For players that still rely on NRIC numbers for authentication, the government advisory 'should be a wake-up call', said Sosale.
Industry reactions
Industry players that BT reached out to said that they would work with the authorities on the matter.
Association of Banks in Singapore director Ong-Ang Ai Boon said that the industry is exploring 'alternative authentication methods in line with today's advisory'.
She noted that NRIC numbers alone cannot be used for financial transactions such as payments and funds transfers.
However, 'there are limited non-transactional circumstances where NRIC numbers are used for authentication, such as to open encrypted documents sent by e-mail', she said.
A spokesperson for AIA Singapore said that the insurer has moved away from relying solely on NRIC numbers for authentication.
'AIA Singapore only collects full or partial NRIC numbers when it is necessary to establish or verify an individual's identity to a high degree of accuracy,' said the spokesperson, noting that this is in line with Personal Data Protection Act (PDPA) guidelines.
The insurer also uses MFA for more secure access to online services. Verification processes are also in place at human-assisted customer service touch points.
'We take data security seriously and will continue to ensure all our data collection processes adhere to PDPA guidelines,' the spokesperson added.
Separately, Singtel told BT that it adheres to the present guidelines on the use of NRIC for authentication.
'We will wait and review any new guidelines from the (Infocomm Media Development Authority) before assessing any potential impact to our operations,' said a spokesperson.
Fellow telco M1 told BT that it uses NRIC to only identify customers, and not to authenticate them.
Hospital operator Raffles Medical Group noted that it relies on NRIC numbers as a unique identifier for patients during admission, registration and billing.
The company 'will continue to take guidance from the Ministry of Health regarding the use of NRIC numbers for the verification of our patients' identity', a spokesperson said.
Data privacy hit the spotlight last December, after a furore over the disclosure of full NRIC numbers on the Accounting and Corporate Regulatory Authority's Bizfile portal.
The government had plans to change the practice of masking NRIC numbers, but the Bizfile portal had run ahead of that intent, the Ministry of Digital Development and Information said at the time.