Why using NRIC to verify our identities is flawed

The current method of verifying our identity using details like NRIC, address is broken, as evidenced by the ACRA Bizfile data leak saga today.

For UnfilteredFriday today, I want to highlight an unpalatable reality: all our data is out there, somewhere. And relying on it to verify our identities makes us vulnerable.

The ACRA saga

You might have seen it already: the newly redesigned ACRA portal lets you retrieve an individual's National Registration Identity Card (NRIC) with seeming impunity.

This was first reported last night in a Facebook post by former journalist Bertha Henson. In her post, she expressed frustration for being given the runaround when she tried to report the apparent data leak.

• Under Search for business information.
• Click on the "People" tab.
• Put in partial or full name.
• Click "Search".

And the full NRIC jumps out.

What's the deal

The Business Times and Straits Times have since ran stories about it.

And despite doing nothing about it initially, ACRA appeared to have temporarily blocked the service, albeit without showing any errors.

However, I could no longer access what I managed to retrieve last night.

Guess that's the power of social media for you.

Data, data, everywhere

As awareness of scams grows, organisations have started implementing more stringent measures such as:

• Phone verification.
• Password-protected PDF files.

The common method of verifying our identities is to ask for information that only the real person should have. Details such as:

• NRIC.
• Full name.
• Date of birth.
• Home Address.

The problem is: These data aren't that hard to find.

• Multiple data leaks over the years.
• Carelessly published information.
• Snafus such as ACRA's.

The result: Most of our data is floating out there, somewhere.

And even when most of it is incomplete, it doesn't take much to put two and two together. It's no wonder scammers are having a field day.

We need new solutions, and we need them yesterday.