Published on: 20 Dec 2024
Image credit: Sora Shimazaki; https://www.pexels.com/photo/unrecognizable-hacker-with-smartphone-typing-on-laptop-at-desk-5935791/.
On personal identification numbers, privacy, and false pretenses: part 2.
Part 1 (I suggest reading this first): [https://lnkd.in/gXCkcKaw].
3️⃣ How should organisations use NRIC numbers, moving forward?
Given:
(a) the Government's public stance that NRIC numbers are public information;¹ and
(b) that for many of us, our NRIC numbers may well already be out there in the wild;²
I suggest that as an urgent priority, all organisations which presently use NRIC numbers to authenticate customers should switch to alternatives.³
And this is a risk-management issue not just for customers, but also for the organisation itself.
Because:
- if an organisation chooses to drag its feet, and continues to use NRIC numbers alone as an authentication method for an extended period;
- even after this recent saga and the various advisories to shift away from the use of NRIC numbers as authenticators; and
- a customer ends up getting scammed because a bad actor was able to impersonate the customer using their NRIC number...
...let's just say that it is, at the very least, not a good look for the organisation.
--
Short post this time, to close off this topic, and ahead of the final installment of my annual income tax guide (December 2024 edition) - coming on Monday.
Also, some other exciting⁴ news to share next week - stay tuned.
Disclaimer:
The content of this article is intended for informational and educational purposes only and does not constitute legal advice.
¹ https://www.mddi.gov.sg/mddi-s-reply-to-media-queries-on-disclosure-of-nric-number-on-bizfile-system/.
² Due to, for example, bad actors potentially scraping NRIC numbers during the time when the Bizfile portal's search function was still up, or incidents such as the 2018 SingHealth data breach (https://en.wikipedia.org/wiki/2018_SingHealth_data_breach).
³ For example, multi-factor authentication involving past transaction information (which is much less likely to be retrievable by fraudsters, as opposed to personal information that may be retrievable via social media).
⁴ Well, to some, maybe. I make no representation or warranty that everyone will find this exciting.