Within hours of former presidential candidate Tan Kin Lian publishing his NRIC number on his Facebook page, an unknown person repeatedly used it to try to log into his SingPass account yesterday.
It happened at 8am yesterday, after Mr Tan had published the number, together with his e-mail address, mobile phone number and date of birth.
As a result, his access to his account was blocked by the authorities, Mr Tan, a former chief executive of NTUC Income, told The Straits Times yesterday afternoon as he called for a review of SingPass' security features.
Access to a user's SingPass account gets blocked automatically after six failed attempts. When this happens, the user will be prompted to change his password.
But this still leaves the NRIC open to abuse, Mr Tan said, adding that he has pointed this out to the Government Technology Agency (GovTech).
In a Facebook post yesterday, he said: "I sent an e-mail to GovTech to tell them that after I changed my password, this mischievous person can try to log into my account again and make another six failed attempts to block my account.
"It happened to me because I publicised my NRIC. But this can also happen to anybody who uses the NRIC to apply for a lucky draw or visit a public building. All it needs is for someone to have the NRIC number and make six attempts to get the SingPass account blocked."
SingPass is the national password system that gives users access to government e-services and allows them to connect and transact with government agencies here.
The default for a person's SingPass ID is his NRIC number, and experts have pointed out that it is not secure, given its ubiquity.
SingPass users can change their NRIC number to a unique online ID but most have failed to do so, a spokesman for the Smart Nation and Digital Government Office (SNDGO) told ST last year.
The option for them to use non-NRIC details as their SingPass IDs was introduced in July 2015, together with other enhanced security measures such as the SingPass two-factor authentication (2FA).
With 2FA, users have to enter a one-time password - sent via SMS or generated through a OneKey token - for electronic government transactions, particularly those involving sensitive data. This is in addition to their SingPass username and password.
Mr Bryan Tan, a lawyer at Pinsent Masons MPillay who specialises in technology law and data protection, said the NRIC "is used so often now that it is unrealistic to think it is secure".
He added: "It is just an ID, so using it as a sole verifier to access something as important as SingPass might not be the best idea."
IT CAN HAPPEN TO ANYONE
This can also happen to anybody who uses the NRIC to apply for a lucky draw or visit a public building. All it needs is for someone to have the NRIC number and make six attempts to get the SingPass account blocked.
MR TAN KIN LIAN
Mr Tan Kin Lian told ST that "to be blocked so easily is very unnecessary". He said he had appealed to GovTech to not block his account, as having 2FA in place would already make it secure. Instead, he suggested blocking the device that tried to access his SingPass account.
"Let (the perpetrator) try 100 times or maybe 1,000 times. Why not just block his attempt using the same device? If he manages to get the correct password, he still needs to go through my 2FA, which is now converted into my thumbprint. This is already secure," he wrote in his Facebook post.
Mr Bryan Tan said: "There needs to be a balanced security system that can block someone who tries to access another person's account multiple times. As we can see here, it can be open to misuse (even inadvertently) and be frustrating to the affected person.
"Having said that, it is not advisable to publicise one's NRIC number unnecessarily, which is why the Government has enacted restrictions on the collection of NRIC details."
ST has contacted GovTech and SNDGO for their comments.