
Mondor Festival

News with a Local Lens

NRIC numbers can be used to reveal home address, clinical records and freeze bank accounts.
minsta


SINGAPORE – Individuals whose full NRIC numbers were exposed in the Accounting and Corporate Regulatory Authority (Acra) database earlier in December face potential cybersecurity risks as organizations frequently rely on NRIC numbers to retrieve personal information.

The Straits Times’ checks also found that NRIC numbers can be used as a key to collect information on individuals, which can be used for scams or targeted misdeeds.

Cybersecurity experts have warned that NRIC numbers can be used by malicious actors to deceive victims into believing they are authority figures or to commit a crime. Exposed NRIC numbers can also be used to collect additional information for scams.

Experts said these risks highlight how an NRIC number in the wrong hands can pose risks to individuals, who must be vigilant against scams, even as changes in the way NRIC numbers are used in the private sector are in progress.

The concerns come after NRIC numbers belonging to key representatives of companies registered in Acra’s database were revealed by mistake on its new web portal Bizfile on December 9. As a result, anyone could freely search and view the full NRIC numbers of registered individuals, including business leaders and politicians.

Acra apologized for the incident and disabled the feature on December 13, but experts said fraudsters could still use simple algorithms to collect exposed NRIC numbers during this window on a large scale, increasing the threat of scams.

Acra said the incident was caused by a misunderstanding of an internal message distributed by the Ministry of Digital Development and Information (MDDI) in 2024, which informed agencies of its intention to abandon the use of masked NRIC numbers for better security.

It did not reveal how many NRIC numbers were exposed in the incident.

Authorities are accelerating efforts to educate the public on the use of NRIC numbers and consult the private sector on the use of NRIC numbers, Digital Development and Information Minister Josephine Teo said at a press conference on December 19.

In the meantime, she urged private sector organizations to stop relying on NRIC numbers as proof that a person is who they say they are, for example to authenticate fund transfers.

NRIC number leaks are key to personal data

Organizations still rely on NRIC numbers as the key to retrieving personal data.

At electronic kiosks of local health establishments, checks by ST over the past week found that entering an NRIC number can reveal its owner’s registered address, contact number, recent appointment records and medical bills.

Bad actors could potentially cause mischief by canceling appointments or fraudulently collecting prescriptions, said cybersecurity expert David Siah, executive vice president for Southeast Asia and Australia at the Center of Strategic Cyberspace + International Studies, a London-based think tank.

Andy Prakash, co-founder of Privacy Ninja, said such information can make scams more convincing because fraudsters can include more unique details, such as a person’s health status.

Fraudsters are unlikely to collect such information on a large scale due to the presence of security cameras and the difficulty of knowing whether someone is a patient on site, but the information can be used in an ad hoc, targeted attack against specific individuals, he said.

The Marriage Registry, a national database, allows users who have logged in through the national authentication tool Singpass to search who a person is married to. Users are limited to two free searches per year.

Some banks accept NRIC numbers to quickly identify customers who need help blocking transactions to thwart scams.

Such a feature has sparked debate over the balance between security and convenience, in light of a Dec. 9 report that a couple’s credit cards were blocked while on vacation after a fraudster used their NRIC numbers and their personal details to freeze their accounts.

Local banks have said the ability to quickly freeze an account is part of their protocol and an important anti-fraud measure.

For other requests, banks typically ask callers to identify themselves by entering their NRIC number during the call, followed by a one-time password sent to their phone before any services or inside information is provided.

Calls made by ST revealed that telephone transactions are limited to fund transfers between the customer’s own accounts with the bank and not to anyone else for security reasons.

Local banks are reviewing their use of NRIC numbers and could soon change their practices.

MDDI told the media on December 19 that full NRIC numbers should only be used in situations requiring higher authenticity checks, such as during hotel check-ins, medical appointments and subscription to a new telephone line. They should not be used to subscribe to retail memberships or sweepstakes, among other scenarios.

Cybersecurity consultant Shane Chiang says it is up to organizations to strengthen cybersecurity measures and ensure that NRICs are no longer used for authentication. NRICs should be used for identification purposes only, he said, adding that individual vigilance is vital during this transition.

Individuals should enable two-factor authentication on online services and anticipate targeted phishing attempts, which are likely to be more convincing when more personal data is exposed.

Mr Chiang added: “Individuals should verify the legitimacy of communications before sharing other personal information or engaging with unknown parties.”
