Government asks private firms to stop using IC numbers to prove person's identity

Private organisations in Singapore should stop using National Registration Identity Card (NRIC) numbers to prove a person's identity as soon as possible, the Ministry of Digital Development and Information (MDDI) has said.
In a media release on Thursday (June 26), MDDI said that while NRIC numbers may be used to identify a person over the phone or when using digital services, it should not be used for authenticating access to private services or information meant only for that person.
In a joint advisory issued the same day, the Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) said NRIC numbers are issued to uniquely identify a person and must be assumed to have been disclosed to at least a few other persons.
Noting that organisations are responsible for deciding whether and how to authenticate their users, CSA said passwords are one such method of authenticating a person.
Passwords that cannot be easily guessed should hence be used, it said, noting that passwords containing easily obtained information including names, NRIC numbers or birthdates do not make strong passwords.
PDPC and CSA said in the advisory that default passwords, such as the ones required for password-protected files sent via e-mail, should not be NRIC numbers.
Private organisations should also not combine the full or partial numbers with other easily obtainable personal data for authentication; for example, passwords that combine partial NRIC numbers and date of birth, like "567A01Jan80".
Even if an individual can state his NRIC number, organisations must be aware that he may not be who he claims to be.
If it is necessary to authenticate persons, they should consider using other authentication method(s) and take a risk-based approach when deciding, taking into consideration factors like the value and sensitivity of the protected material and potential threats and vulnerabilities.
Other options to authenticate a person include strong passwords, using a security token and fingerprint or facial verification.
MDDI said the Government has been taking steps to ensure the proper use of NRIC numbers in the private sector, to better protect citizens, since January.
The ministry added that the Government is also working with regulated sectors such as finance, healthcare, and telecommunications to develop sector-specific guidance in the coming months.
For more original AsiaOne articles, visit here.