‘Long overdue': Experts welcome advisory against private-sector use of NRIC numbers for authentication
'Long overdue': Experts welcome advisory against private-sector use of NRIC numbers for authentication
Source: Business Times
Article Date: 27 Jun 2025
Author: Sharanya Pillai & Therese Soh
Government to work with regulated sectors such as finance, healthcare and telecommunications to develop sector-specific guidance.
Urging the private sector to stop using NRIC numbers for authentication is a timely and pragmatic move to strengthen data security, industry players told The Business Times.
On Thursday (Jun 26), the government released an advisory telling private-sector organisations to move away from using full or partial National Registration Identity Card numbers to authenticate individuals 'as soon as possible'.
The government is also working with regulated sectors – such as finance, healthcare and telecommunications – to develop sector-specific guidance in the coming months.
'This is a sensible move and long overdue. Using NRIC numbers for authentication has always been a weak security practice,' said Bhargav Sosale, data protection officer at medtech company Remidio.
He noted that NRIC numbers are more like usernames than passwords, being 'static' identifiers that are used widely across institutions from banks to healthcare providers.
'(That) ubiquity is precisely what makes them unsuitable for authorisation,' he said.
Even the use of partial NRIC numbers – such as the last four digits – could be dangerous, noted Pang Tzer Yeu, chief information security officer at Red Alpha Cybersecurity.
The risks are also high when NRIC numbers are paired with other easily obtainable information such as one's date of birth, noted Gerry Chng, head of cyber at KPMG in Singapore.
Steven Scheurmann of cybersecurity company Palo Alto Networks sees Singapore's move as a 'significant step' towards bolstering digital safety, especially as identity theft and impersonation tactics grow more complex.
He called on organisations to adopt stronger authentication methods such as complex, unique passwords or multi-factor authentication (MFA). Other options include biometric verification and security tokens.
'These methods offer significantly higher resistance to impersonation and fraud, and ultimately help build trust in digital services,' said Scheurmann, who is Palo Alto's regional vice-president for Asean.
Verification through the Singpass app is another tool that some organisations are already tapping, noted Red Alpha's Pang.
'Many companies have already moved away from using NRIC, but there are a few sectors where I still see it being prevalent,' he said, citing the insurance sector as an example.
For players that still rely on NRIC numbers for authentication, the government advisory 'should be a wake-up call', said Sosale.
Industry reactions
Industry players that BT reached out to said that they would work with the authorities on the matter.
Association of Banks in Singapore director Ong-Ang Ai Boon said that the industry is exploring 'alternative authentication methods in line with today's advisory'.
She noted that NRIC numbers alone cannot be used for financial transactions such as payments and funds transfers.
However, 'there are limited non-transactional circumstances where NRIC numbers are used for authentication, such as to open encrypted documents sent by e-mail', she said.
A spokesperson for AIA Singapore said that the insurer has moved away from relying solely on NRIC numbers for authentication.
'AIA Singapore only collects full or partial NRIC numbers when it is necessary to establish or verify an individual's identity to a high degree of accuracy,' said the spokesperson, noting that this is in line with Personal Data Protection Act (PDPA) guidelines.
The insurer also uses MFA for more secure access to online services. Verification processes are also in place at human-assisted customer service touch points.
'We take data security seriously and will continue to ensure all our data collection processes adhere to PDPA guidelines,' the spokesperson added.
Separately, Singtel told BT that it adheres to the present guidelines on the use of NRIC for authentication.
'We will wait and review any new guidelines from the (Infocomm Media Development Authority) before assessing any potential impact to our operations,' said a spokesperson.
Fellow telco M1 told BT that it uses NRIC to only identify customers, and not to authenticate them.
Hospital operator Raffles Medical Group noted that it relies on NRIC numbers as a unique identifier for patients during admission, registration and billing.
The company 'will continue to take guidance from the Ministry of Health regarding the use of NRIC numbers for the verification of our patients' identity', a spokesperson said.
Data privacy hit the spotlight last December, after a furore over the disclosure of full NRIC numbers on the Accounting and Corporate Regulatory Authority's Bizfile portal.
The government had plans to change the practice of masking NRIC numbers, but the Bizfile portal had run ahead of that intent, the Ministry of Digital Development and Information said at the time.
Source: The Business Times © SPH Media Limited. Permission required for reproduction.
Print
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Singapore Law Watch
9 hours ago
- Singapore Law Watch
‘Long overdue': Experts welcome advisory against private-sector use of NRIC numbers for authentication
'Long overdue': Experts welcome advisory against private-sector use of NRIC numbers for authentication Source: Business Times Article Date: 27 Jun 2025 Author: Sharanya Pillai & Therese Soh Government to work with regulated sectors such as finance, healthcare and telecommunications to develop sector-specific guidance. Urging the private sector to stop using NRIC numbers for authentication is a timely and pragmatic move to strengthen data security, industry players told The Business Times. On Thursday (Jun 26), the government released an advisory telling private-sector organisations to move away from using full or partial National Registration Identity Card numbers to authenticate individuals 'as soon as possible'. The government is also working with regulated sectors – such as finance, healthcare and telecommunications – to develop sector-specific guidance in the coming months. 'This is a sensible move and long overdue. Using NRIC numbers for authentication has always been a weak security practice,' said Bhargav Sosale, data protection officer at medtech company Remidio. He noted that NRIC numbers are more like usernames than passwords, being 'static' identifiers that are used widely across institutions from banks to healthcare providers. '(That) ubiquity is precisely what makes them unsuitable for authorisation,' he said. Even the use of partial NRIC numbers – such as the last four digits – could be dangerous, noted Pang Tzer Yeu, chief information security officer at Red Alpha Cybersecurity. The risks are also high when NRIC numbers are paired with other easily obtainable information such as one's date of birth, noted Gerry Chng, head of cyber at KPMG in Singapore. Steven Scheurmann of cybersecurity company Palo Alto Networks sees Singapore's move as a 'significant step' towards bolstering digital safety, especially as identity theft and impersonation tactics grow more complex. He called on organisations to adopt stronger authentication methods such as complex, unique passwords or multi-factor authentication (MFA). Other options include biometric verification and security tokens. 'These methods offer significantly higher resistance to impersonation and fraud, and ultimately help build trust in digital services,' said Scheurmann, who is Palo Alto's regional vice-president for Asean. Verification through the Singpass app is another tool that some organisations are already tapping, noted Red Alpha's Pang. 'Many companies have already moved away from using NRIC, but there are a few sectors where I still see it being prevalent,' he said, citing the insurance sector as an example. For players that still rely on NRIC numbers for authentication, the government advisory 'should be a wake-up call', said Sosale. Industry reactions Industry players that BT reached out to said that they would work with the authorities on the matter. Association of Banks in Singapore director Ong-Ang Ai Boon said that the industry is exploring 'alternative authentication methods in line with today's advisory'. She noted that NRIC numbers alone cannot be used for financial transactions such as payments and funds transfers. However, 'there are limited non-transactional circumstances where NRIC numbers are used for authentication, such as to open encrypted documents sent by e-mail', she said. A spokesperson for AIA Singapore said that the insurer has moved away from relying solely on NRIC numbers for authentication. 'AIA Singapore only collects full or partial NRIC numbers when it is necessary to establish or verify an individual's identity to a high degree of accuracy,' said the spokesperson, noting that this is in line with Personal Data Protection Act (PDPA) guidelines. The insurer also uses MFA for more secure access to online services. Verification processes are also in place at human-assisted customer service touch points. 'We take data security seriously and will continue to ensure all our data collection processes adhere to PDPA guidelines,' the spokesperson added. Separately, Singtel told BT that it adheres to the present guidelines on the use of NRIC for authentication. 'We will wait and review any new guidelines from the (Infocomm Media Development Authority) before assessing any potential impact to our operations,' said a spokesperson. Fellow telco M1 told BT that it uses NRIC to only identify customers, and not to authenticate them. Hospital operator Raffles Medical Group noted that it relies on NRIC numbers as a unique identifier for patients during admission, registration and billing. The company 'will continue to take guidance from the Ministry of Health regarding the use of NRIC numbers for the verification of our patients' identity', a spokesperson said. Data privacy hit the spotlight last December, after a furore over the disclosure of full NRIC numbers on the Accounting and Corporate Regulatory Authority's Bizfile portal. The government had plans to change the practice of masking NRIC numbers, but the Bizfile portal had run ahead of that intent, the Ministry of Digital Development and Information said at the time. Source: The Business Times © SPH Media Limited. Permission required for reproduction. Print
Business Times
19 hours ago
- Business Times
Market Focus Daily: Friday, June 27, 2025
Japan's Nikkei ends at 6-month high, tracking Wall Street rally; Singapore's job vacancies, unemployment up in Q1, with US tariff impact yet to be seen; Info-Tech Systems launches IPO at S$0.87 apiece, marks SGX's first mainboard listing in two years; Japan's NTT files billion-dollar Reit listing with MAS; IPO set to be SGX's biggest in four years. Synopsis: Market Focus Daily is a closing bell roundup by The Business Times that looks at the day's market movements and news from Singapore and the region. Written and hosted by: Emily Liu (emilyliu@ Produced and edited by: Chai Pei Chieh & Claressa Monteiro Produced by: BT Podcasts, The Business Times, SPH Media --- BT in your inbox Start and end each day with the latest news stories and analyses delivered straight to your inbox. Sign Up Sign Up Follow BT Market Focus and rate us on: Channel: Amazon: Apple Podcasts: Spotify: YouTube Music: Website: Feedback to: btpodcasts@ Do note: This podcast is meant to provide general information only. SPH Media accepts no liability for loss arising from any reliance on the podcast or use of third party's products and services. Please consult professional advisors for independent advice. Discover more BT podcast series: BT Money Hacks at: BT Correspondents: BT Podcasts: BT Branded Podcasts: BT Lens On:
Business Times
a day ago
- Business Times
India oil law revamp unlikely to draw foreign drillers amid red tape and weak incentives
[SINGAPORE] India's first rewrite of its 77-year-old oilfield rules kicked in on Apr 15, with New Delhi hoping it'll help turn around a decade of sluggish output and and ease its growing reliance on imported crude, which stands at over 85 per cent. But analysts say there's still too much red tape in a system that seems to favour local players, making it tough for foreign drillers to break in. Currently, international players form less than 10 per cent of India's total oil and gas (O&G) production, noted CreditSights' South and South-east Asia corporates team. 'Foreign participation in India's upstream O&G sector remains low due to restrictive legacy regulatory procedures and poor economic incentives,' the team told The Business Times. That's why the calibrated changes under the Oilfields (Regulation and Development) Amendment Act, 2025 are unlikely to move the needle on foreign investment, say industry watchers. Limited overseas interest has long weighed on India's output, and the gap matters more than ever now as the country scrambles to boost upstream capacity to meet surging energy demand. BT in your inbox Start and end each day with the latest news stories and analyses delivered straight to your inbox. Sign Up Sign Up Heavy reliance on imports CreditSights' analysts noted that India reportedly consumes about five million barrels of oil per day, while domestic production of crude oil stands at only around 0.6 million barrels per day, underscoring the country's O&G import dependence. India's reliance on imported crude has become a pressing concern, prompting calls for law amendments. The country's import dependency rose to 88.2 per cent in the period from April 2024 to February 2025, from 87.7 per cent in the corresponding period a year ago, based on data from its oil ministry's petroleum planning and analysis cell. After the lower house in India's Parliament approved the amendment Bill on Mar 12, paving the way for it to become law, Petroleum and Natural Gas Minister Hardeep Singh Puri highlighted the country's rising energy consumption needs: 'Today, we are consuming 5.5 million barrels a day of crude oil… If we continue to grow at the rate at which we are, we will go up to 6.5 million to seven million barrels a day. 'India's transformation to become a developed nation will require a large amount of energy in all forms. Steps have been taken to enhance India's energy exploration and production.' For years, India's upstream output has dwindled, contracting at an average annual rate of 1.1 per cent over the past decade, according to S&P Global Commodity Insights. This decline is largely attributed to the natural depletion of mature fields operated by state-run entities, persistent delays in monetising existing discoveries, and a notable scarcity of new finds, noted the team. Compounding these challenges, international interest in India's exploration bidding rounds has largely remained elusive, with restrictive legacy regulatory procedures and poor economic incentives deterring overseas players. Law reforms The new amendments to the Oilfields Act – the principal legislation governing the exploration and development of mineral oil resources in India since 1948 – seek to address these long-standing concerns of exploration companies, with the explicit objective of fostering a more investor-friendly environment, said S&P Global Commodity Insights' analysts. CreditSights team highlighted these key features of the amendments: Empowering the central government to grant licenses for oilfield exploration through notification/bidding/other methods, as opposed to direct application by foreign players in the past; Further streamlining and digitising of approval processes; Improving transparency and legal clarity of the upstream regulatory framework; Introducing a structured penalty system. One of the core changes is the dissociation of petroleum operations from mining operations. By eliminating the long-standing practice of grouping petroleum and mining operations under the same regulatory framework, the law change aims to avoid past confusion that often resulted in the delay of petroleum exploration operations due to the need to obtain irrelevant permits and licences. Investment risks John Zadkovich, partner at Stephenson Harwood, said permitting remains one of the biggest hurdles for upstream players in India, particularly given the capital-intensive nature of the exploration and production sector. 'I've seen projects stymied for six to 10 years because of permitting challenges. So, unless the Indian government has resolved that, it is going to continue to be a problem in attracting investment,' he said. Zadkovich added that upstream projects usually require initial capital of tens, if not hundreds, of millions of dollars, leading to long gestation periods with inherent investment risks. 'If they do get a permitting challenge early in the place, that is gonna be a long time to have an asset setup without development or exploration.' Lengthy legal processes CreditSights' team noted that the introduction of a structured penalty framework will help reduce uncertainty over dispute resolution – a key area of concern for international players. 'We think the new oilfield regulation helps establish a transparent legal framework to reduce ambiguity and operational frictions, which should bolster foreign investor confidence in India's upstream sector,' said the team. However, Stephenson Harwood's Zadkovich noted that legal clarity alone does little to address procedural bottlenecks caused by a shortage of judicial officers. 'It's almost a joke among lawyers that if you kick something into the court system there, it can be 10 to 15 years before you get a judgment. That's not a reflection on the competence of the judiciary but on the shortage of judicial officers and huge backlog. 'It's one thing to streamline the law from a procedural perspective, but if it ends up in the courts or in a tribunal, it can be 10 years for some parties,' he added. Ian Hiscock, director of boutique energy consultancy MMC, said that foreign investors in the sector have 'got burned in the past', so they will be cautious despite the Indian government's consistent efforts to deregulate. Similarly, CreditSights' team noted that the amendments would not bring in a substantial increase in foreign participation in the near term. Despite improving legal and operational clarity, the amendment does not introduce sweeping reforms or explicitly attract new investment into the sector, the research team said. This is on top of execution risks, such as a failure to reduce bureaucratic red tape and inconsistent enforcement across states. More importantly, the government may ultimately have an innate preference towards its domestic O&G companies, given energy security concerns, said the analysts. Current landscape India's upstream O&G sector is dominated by national players (public sector undertakings, or PSUs), namely Oil India and Oil and Natural Gas Corporation. The competitive landscape poses resistance to new entrants, making strategic partnerships more important for foreign players. Zadkovich noted: 'The energy players I've worked with are incredibly astute, well-connected and typically well-backed. So some of the majors there will protect their positions, and I think there'll be a bit of resistance to newcomers.' He highlighted that to navigate the resource-intensive regulatory regime, newcomers will have to be 'very strategic with whom they partner with'. Creditsights' team noted that the PSUs have shed some market share to the Indian private companies over the years, including Reliance Industries, Cairn India (an entity under metals giant Vedanta), and Hindustan Oil Exploration. 'Foreign participation is mainly through joint ventures, production sharing contracts, or minority stakes in specific blocks,' said the team. Some of the major international players in India are BP, TotalEnergies, Shell, ENI, and ExxonMobil.
