Stop using NRIC numbers - full or partial - for authentication, private organisations told
[SINGAPORE] The Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) urged private organisations to stop using national registration identity card (NRIC) numbers for authentication in a joint advisory posted on their websites on Thursday (Jun 26).
This comes on the back of government efforts, since January, to ensure the proper use of NRIC numbers in the private sector to better protect citizens, the Ministry of Digital Development and Information (MDDI) said in a statement on the same day.
'NRIC numbers should not be used to prove that a person is who he claims to be for the purposes of trying to gain access to services or information meant only for that person,' the MDDI statement said.
'It is unsafe for organisations to use NRIC numbers in this manner because a person's NRIC number may be known to others, permitting anyone who knows his NRIC number to impersonate him and easily access his personal data or records,' the MDDI statement added.
The ministry noted that some private sector organisations currently require individuals to use their NRICs as passwords to access information intended solely for them, such as insurance documents.
Organisations that use full or partial NRIC numbers for authentication should transition away from this practice as soon as possible, it said.
This includes not setting NRIC numbers as default passwords and not using full or partial NRIC numbers with other easily obtainable personal data.
'If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, security token or fingerprint identification,' the MDDI statement said.
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Business Times
3 hours ago
- Business Times
Daily Debrief: What Happened Today (Jun 26)
Stories you might have missed Government urges private sector to stop using full, partial NRIC numbers for authentication Authorities say this will better protects citizens from impersonation and having their personal data accessed by others. Johor's billion-ringgit property market braces for higher foreign-buyer tax Foreigners are scrambling to seal property deals in the state to beat the Jul 1 levy hike. Industry players are concerned over the short notice. Singapore's millionaire inflow to halve in 2025: report BT in your inbox Start and end each day with the latest news stories and analyses delivered straight to your inbox. Sign Up Sign Up Meanwhile, Thailand emerges as South-east Asia's new safe haven, while China's outflow of affluent individuals slows. Singapore's factory output growth slows to 3.9% in May, but beats estimates Nearly all clusters, including electronics, have recorded increases in production year on year. Chinatown Business Association seeks over S$77,700 in backdated rent from Nanyang Old Coffee for outdoor refreshment area It is also demanding that the cafe remove items that have encroached into the space, and pay legal costs of S$5,500.
AsiaOne
5 hours ago
- AsiaOne
Government asks private firms to stop using IC numbers to prove person's identity, Singapore News
Private organisations in Singapore should stop using National Registration Identity Card (NRIC) numbers to prove a person's identity as soon as possible, the Ministry of Digital Development and Information (MDDI) has said. In a media release on Thursday (June 26), MDDI said that while NRIC numbers may be used to identify a person over the phone or when using digital services, it should not be used for authenticating access to private services or information meant only for that person. In a joint advisory issued the same day, the Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) said NRIC numbers are issued to uniquely identify a person and must be assumed to have been disclosed to at least a few other persons. Noting that organisations are responsible for deciding whether and how to authenticate their users, CSA said passwords are one such method of authenticating a person. Passwords that cannot be easily guessed should hence be used, it said, noting that passwords containing easily obtained information including names, NRIC numbers or birthdates do not make strong passwords. PDPC and CSA said in the advisory that default passwords, such as the ones required for password-protected files sent via e-mail, should not be NRIC numbers. Private organisations should also not combine the full or partial numbers with other easily obtainable personal data for authentication; for example, passwords that combine partial NRIC numbers and date of birth, like "567A01Jan80". [[nid:712707]] Even if an individual can state his NRIC number, organisations must be aware that he may not be who he claims to be. If it is necessary to authenticate persons, they should consider using other authentication method(s) and take a risk-based approach when deciding, taking into consideration factors like the value and sensitivity of the protected material and potential threats and vulnerabilities. Other options to authenticate a person include strong passwords, using a security token and fingerprint or facial verification. MDDI said the Government has been taking steps to ensure the proper use of NRIC numbers in the private sector, to better protect citizens, since January. The ministry added that the Government is also working with regulated sectors such as finance, healthcare, and telecommunications to develop sector-specific guidance in the coming months. [[nid:715244]]
Business Times
6 hours ago
- Business Times
Government urges private sector to stop using full, partial NRIC numbers for authentication
[SINGAPORE] The Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) on Thursday (Jun 26) advised private organisations to stop using full or partial national registration identity card (NRIC) numbers for authentication. Authentication is the process of proving that a person is who he claims to be before granting him access to services or information intended solely for him, the PDPC and CSA said in a joint advisory posted on their websites. 'NRIC numbers should not be used to prove that a person is who he claims to be for the purposes of trying to gain access to services or information meant only for that person,' the Ministry of Digital Development and Information (MDDI) said in a statement on the same day. Companies that do use NRIC numbers for such purposes should 'transition away from (the) practice as soon as possible', the ministry said. This includes not setting NRIC numbers as default passwords and not using full or partial NRIC numbers with other easily obtainable personal data – such as by using passwords that combine parts of a person's NRIC number with his date of birth. The ministry noted that some private sector organisations currently require individuals to use their NRICs as passwords to access information intended solely for them, such as insurance documents. This practice is unsafe as a person's NRIC number may be known to others such that using it for authentication would permit anyone who knows the person's NRIC number to impersonate him and easily access his personal data or records, the MDDI said. 'If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, a security token or fingerprint identification,' the MDDI statement said. This comes on the back of government efforts, since January, to ensure the proper use of NRIC numbers in the private sector to better protect citizens, MDDI said.
