Ex-presidential candidate Tan Kin Lian highlights misuse of his NRIC to access SingPass

Former presidential candidate Tan Kin Lian had his NRIC number used repeatedly by an unknown person, who was trying to log in to his SingPass on May 27, after he published his NRIC number on his Facebook page.
Former presidential candidate Tan Kin Lian had his NRIC number used repeatedly by an unknown person, who was trying to log in to his SingPass on May 27, after he published his NRIC number on his Facebook page.PHOTO: ST FILE

SINGAPORE - Within hours of former presidential candidate Tan Kin Lian publishing his NRIC number on his Facebook page, an unknown person used it repeatedly to try to log into his SingPass on Monday (May 27).

It happened after Mr Tan had published it, together with his e-mail address, mobile phone number and date of birth, at 8am on Monday.

As a result, his access to his account was blocked by the authorities, Mr Tan, a former chief executive officer of NTUC Income, told The Straits Times in the afternoon as he called for a review of SingPass's security features.

Access to a user's SingPass gets blocked automatically after six failed attempts.

When this happens, the user will be prompted to change his password.

But this still leaves the NRIC open to abuse, Mr Tan said, adding that he has pointed this out to the Government Technology Agency (GovTech).

In a Facebook post on Monday describing the incident, he said: "I sent an e-mail to GovTech to tell them that after I change my password, this mischievous person can try to log into my account again and make another six failed attempts to block my account.

"It happened to me because I publicised my NRIC. But this can also happen to anybody who uses the NRIC to apply for a lucky draw, or to visit a public building.

"All it needs is for someone to have the NRIC number and make six attempts to get the SingPass account blocked."

 
 
 

SingPass is the national password system that gives access to government e-services and allows users to connect and transact with government agencies here.

The default for a person's SingPass ID is their NRIC, and experts had pointed out that it is not secure given its ubiquity.

SingPass users can change their NRIC number to a unique online ID but most have failed to do so, a spokesman for the Smart Nation and Digital Government Office (SNDGO) told ST last year.

The option for them to use non-NRIC details as their SingPass IDs was introduced in July 2015, together with other enhanced security measures, such as the SingPass two-factor authentication (2FA).

With 2FA, users have to enter a one-time password - sent through SMS or generated through a OneKey token - for electronic government transactions, particularly those involving sensitive data. This is in addition to their SingPass username and password.

Mr Bryan Tan, a lawyer from Pinsent Masons MPillay specialising in technology law and data protection, said the NRIC "is used so often now that it is unrealistic to think it is secure".

He added: "It is just an ID, so using it as a sole verifier to access something as important as SingPass might not be the best idea."

Mr Tan Kin Lian told ST that "to be blocked so easily is very unnecessary".

He said he had appealed to GovTech to not block his account, as having 2FA in place is already secure. Instead, he suggested blocking the device that tried to access his SingPass.

"Let him try 100 times or maybe 1,000 times. Why not just block his attempt using the same device? If he manages to get the correct password, he still needs to go through my 2FA, which is now converted into my thumb print. This is already secure," he wrote in his Facebook post.

Mr Bryan Tan called for a security system in SingPass that can prevent such incidents from happening.

"There needs to be a balanced security system that can block someone who tries to access another's account multiple times. As we can see here, it can be open to misuse (even inadvertently) and be frustrating to the affected person," he said.

"Having said that, it is not advisable to publicise one's NRIC unnecessarily, which is why the Government has enacted restrictions on the collection of NRICs."

ST has contacted  GovTech and SNDGO for comments.