Companies should stop using NRIC numbers as passwords to authenticate people’s identities, say the Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA).

A man handing over an NRIC for scanning. (File photo: CNA/Zhaki Abdullah)

SINGAPORE: Private sector organisations should stop using National Registration Identity Card (NRIC) numbers to authenticate individuals or as passwords, said the Ministry of Digital Development and Information of Singapore (MDDI), citing risks of impersonation and data breaches.

The Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA) issued a formal advisory on Thursday (Jun 26), guiding companies to stop using NRIC numbers to prove a person’s identity.

“While organisations may use NRIC numbers to identify who a person is over the phone or when using digital services, NRIC numbers should not be used to prove that a person is who he claims to be … for the purposes of trying to gain access to services or information meant only for that person,” said MDDI.

The ministry noted that currently, private sector organisations may require people to use their NRIC numbers as passwords to access information intended only for them, such as in insurance documents.

“It is unsafe for organisations to use NRIC numbers in this manner because a person’s NRIC number may be known to others, permitting anyone who knows his NRIC number to impersonate him and easily access his personal data or record.”

Hence, companies that are using full or partial NRIC numbers for authentication purposes should move away from this practice as soon as possible, said MDDI. This includes not setting NRIC numbers as default passwords in password-protected files sent via email, and not using the full or partial numbers together with other easily obtainable personal data, such as date of birth.

“If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, security token or fingerprint identification,” said MDDI.

The ministry added that the government is also working with regulated sectors, including finance, healthcare and telecommunications, to develop sector-specific guidance in the coming months.

The government has been working to ensure the proper use of NRIC numbers in the private sector since January to better protect citizens, said MDDI.

In January, Minister for Digital Development and Information Josephine Teo said in a ministerial statement that private sector organisations that are using NRIC numbers as authentication factors or default passwords should stop this practice as soon as possible.

Mrs Teo said at the time that those organisations which collect partial NRIC numbers to identify people can continue to do so, and that the ministry would only consider how the guidelines on NRIC number usage in the private sector should be updated after consulting the public.

The move followed public backlash in December 2024, over the launch of a new Bizfile portal by the Accounting and Corporate Regulatory Authority (ACRA), which exposed names and full NRIC numbers for free via its search function.