Singapore government explains why it wants to unmask NRIC
It wants to spearhead change by changing its policy on masking.
The Singapore government wants to unmask your NRIC because the way it is used is broken.
I'll take a break from my usual Unfiltered Friday and add some clarity to the NRIC saga that started with ACRA's unwitting 'leak' of full NRIC details.
Latest update
In a 2-hour press conference yesterday, the Singapore govt apologised for the lapse.
- Govt decided to stop using masked NRICs.
- Decided on policy shift to spearhead change.
- Internal memo on this got misunderstood.
- ACRA released new feature without masking.
Why stop using masked NRIC? Because everyone's using it as an "authenticator" or means to verify their identity. As I noted on UnfilteredFriday last week, this is bad.
And yes, government agencies have already been instructed to stop using NRIC numbers as a password or to prove someone's identity.
Not meant as 'authenticator'
What's wrong with using the NRIC to verify one's identity? Two main reasons:
- It's possible to guess the masked digits
I code for leisure but am not that good at it. No problem, I got ChatGPT to write some Python code to guess missing NRIC digits for me.
Took 5 minutes, and here's my findings*:
Assuming the DOB is known:
- If last 3 digits avail: ~91 combos.
- If last 4 digits avail: ~9 combos.
So, much easier to guess now.
*Based on my own and my wife's NRIC.
- But the biggest problem is likely this: Unlike credit card numbers, an NRIC is forever and isn't reissued.
All it takes is a breach by a single organisation, and your NRIC is out there in perpetuity. With extensive digitisation driving more cyber breaches, let's just say probability doesn't favour us.
Can you imagine the impending disaster with the current norm to use the NRIC to verify one's identity or reset passwords?
Plans accelerated
Of course, while I agree that how many organisations are using the NRIC wrongly and deriving a false sense of security from it, the botched-up timing likely caused much anxiety.
So, the plan to educate the public, consult with the private sector, and generally move everyone away from abusing the NRIC, will be accelerated.
I think some from the public sector won't be having a very restful holiday break now.
