Singapore Considers Limiting Use of NRIC NumbersPrivacy, Identity Theft Protection Are the Primary Reasons
With the aim of protecting data privacy, the government of Singapore is considering taking steps to greatly reduce the use of the National Registration Identity Card numbers for verifying consumers' identities.
See Also: Move Beyond Passwords
The NRIC number is a unique identifier that the government assigns to each Singapore resident. It's often used as a required document or identifier for transactions with the government, as well as for many commercial transactions.
"This action is actually consistent with the policies of several other countries with regard to handling of government-issued IDs," says the CEO of a Singapore-headquartered security firm, who asked not to be identified.
Because the NRIC number is a permanent and irreplaceable identifier that can be used to unlock large amounts of information, the indiscriminate collection and use of individuals' numbers is of special concern because it increases the risk numbers will be stolen.
Singapore's Personal Data Protection Commission is seeking feedback on plans to revise its advisory guidelines for carrying out Personal Data Protection Act provisions that pertain to the collection, use and disclosure of the numbers.
The initiative is designed to balance business efficiencies and data protection in the interest of digitization, some security experts say.
"There are stringent policies which govern the banking and finance industries. The government wants to bring a similar level of security measures across the public sector, and therefore is pushing for more stringent cybersecurity on national critical infrastructures," says a Singapore-based IT practitioner from a large advisory firm, who asked not to be named.
What PDPC Has Proposed
PDPC says that the excess collection of an individual's physical NRIC card, or a copy of it, is one of the areas of concern.
"The NRIC not only contains the individual's identity number, but also other personal data, such as the individual's full name, photograph, thumbprint and residential address," PDPC officials tell Information Security Media Group.
The new proposal states that organizations should refrain from collecting, using or disclosing an individual's NRIC number or its copy, except if it's required under the law.
Minimizing Data Storage
As part of its proposal to minimize the use of the NRIC number, the PDPC proposes that organizations be required to cease retaining all documents containing personal data and devise ways to remove data collected as soon as the purpose for which it was collected is over.
Under the proposal, organizations would have 12 months to comply once it's enacted. Necessary steps would include, for example, changes to policies and processes on the collection, use or disclosure of NRIC numbers, NRIC cards or copies of the cards.
"PDPC is cognizant that organizations may require some time to review existing business practices and implement operational changes to use other identifiers or forms of collateral in place of NRIC number," PDPC says.
Tom Wills, director at Ontrack Advisory, a management consulting firm, says scaling back on the use of the national ID is a good move because it could help reduce fraud.
"A national ID number is unique per person, but it also links back to that person in a legal sense and can be used [often in conjunction with other personal data elements like their mobile number, address] to perform actions on behalf of that person," he says.
Cause for Concern
One cause of concern for the government is that some data breaches at banks and other firms have revealed NRIC numbers and other details of individuals.
"NRIC per se is secure. But since it's used almost for every transaction, the smallest of breaches can have long-term effect," says the adviser who asked to remain unnamed.
Some security experts, however, say widespread use of NRIC as an identifier is appropriate if it's backed by two-factor authentication.
HOO Chuan-Wei, an APAC technical adviser for ISC2, notes: "Our national ID card system is rather strong and it is easy to spot a fake ID card. If we are looking at the Singpass [online account management for access to Singapore Government e-services] system, the government has implemented 2FA [two-factor authentication] to mitigate access control risks. 2FA is only as strong as the implementation; OTP [one-time password] via SMS is being considered a weak option due to the inherent weakness of the mobile phones and the SS7 vulnerability on the telco network."
What's the Alternative?
But some security practitioners contend that a more secure method would be something that is unique to each person but can't be used to perform an action.
"Tokenization technology is one possible way to achieve this. The only way a criminal could uncover the actual ID would be to hack (or discover) the key that strongly encrypted the national ID number, and that would be extremely difficult so long as the key is well-secured," Wills says.
For example, the ID number 123456789 could be tokenized to XB-5N18-3Q6. The actual ID number could be used to open a bank account, but the tokenized replacement XB-5N18-3Q6 would be useless to anyone who stole it, Wills explains.
"Tokenization has been taken up by Visa, MasterCard and other major payment schemes as a workable and secure way to protect individual's payment card account numbers. It could just as well be used by a government to protect national ID numbers or any other number that has to be kept confidential," Wills adds.