Singapore government plans to stop masking NRIC numbers

The Singapore government wants to stop masking NRIC numbers, arguing that they offer a false sense of security. And you know what, I agree.

If you reside in Singapore, you would have woken this morning to read how the Singapore government plans to stop masking NRIC numbers.

The story so far

This comes on the heels of reports on Friday, which revealed how ACRA’s revamped website allows anyone to retrieve an individual’s NRIC, or National Registration Identity Card (NRIC), using just their names.

This caused a predictable furore.

The reports came after former journalist Bertha Henson, frustrated with the runaround when she reported the ‘bug’, wrote about it in a Facebook post. Mainstream newspapers quickly picked it up.

Readers generally expressed:

• Confusion.
• Dismay.
• Anger.

The plot twist today? Turns out that revealing the NRIC in its entirety is the new feature.

Don't worry. It's the plan all along

According to the Ministry of Digital Development and Information (MDDI):

• The government had planned to stop masking NRIC numbers, after a period of "explaining and preparing the ground."
• Unfortunately, the new Bizfile portal was launched before the plans were announced. MDDI apologised for the mistake and anxiety caused.

Why are public agencies phasing out the use of masked NRIC numbers? The answer: To avoid giving a "false sense of security."

False sense of security

In my UnfilteredFriday post yesterday, I observed how the current methods of verifying our identity using details like NRIC, address are broken.

Security by obscurity isn't security.

And information like our names, contact numbers, and yes, NRIC, can already be pieced together from various sources, including data previously leaked online.

It is silly when you think about it:

• We use last 3-4 digits of NRIC for verification.
• But we also give out the same 3-4 digits to all.

Indeed, the earlier PDPA requirement to “mask” most of our NRIC merely shifted us from using the full 8 digits to just 3-4 digits

My opinion: the issue isn’t the NRIC but how we are using it - as a kind of secret identifier. But we will never move away unless we start taking away NRIC as a convenient clutch.

A matter of timing

A friend who texted me observed this incident bears a resemblance to the SimplyGo debacle. Unfortunately, I have to agree.

The issue isn’t about the move to do away with masking of NRIC, but the miscommunication that led to today’s situation.

There’s the reality that the NRIC is bogus security, and then there’s the on-the-ground perception.

These weren't aligned, and I fear, will take far more effort to align now.