Use e-mail addresses instead of NRIC data

Security experts moot alternative identifiers that can be quickly replaced in case of fraud

The Personal Data Protection Commission wants consumers to have the right to refuse to hand over their NRIC details in scenarios such as buying movie tickets online.

With stricter protection of NRIC data on the horizon, security experts are urging malls and vendors to set up unique identifiers for their members that do not rely on NRIC or even mobile phone numbers.

The reason is that any damage from fraud related to one's NRIC - and increasingly mobile phone number - cannot be reversed so easily, said Mr Lennie Tan, regional vice-president and general manager of cyber-security firm One Identity. "It's far harder and almost impossible to change these identifiers," he added.

Instead, security experts suggested that vendors set up systems that generate a unique string of numbers tied to limited personal information such as an e-mail address or name. If the string of numbers is compromised, vendors just need to create a new one.

"A phone number and an e-mail address are usually sufficient for identity verification, especially when combined with a unique identifier generated by the vendor," said Mr Nick Savvides, a security advocate for Asia-Pacific and Japan at cyber-security software firm Symantec.

The value that hackers place on NRIC data speaks volumes. Compared with credit card numbers, which can be easily deactivated and changed, NRIC numbers cost a few times more on the black market, according to industry estimates.

For years, service providers have freely collected customers' NRIC numbers to track parking redemptions, membership accounts, lucky draws and movie ticket purchases online, among many things.

From mid-2018, when stricter privacy rules kick in, consumers will be able to refuse to hand over their NRIC details, and the onus will be on service providers to use alternative methods to identify them.

These rules are going through a public consultation, which will end on Dec 18.

The hassle and cost of setting up systems that generate unique identifiers have prompted many retailers, malls, bicycle rental firms and cinema operators to use NRIC data, said independent global cyber-security expert Aloysius Cheang.

"Most collect NRIC numbers out of convenience too," he said. "Collecting NRIC data has been the way of life here for years and was started by government agencies."

But since most online shopping and content streaming websites let customers use their e-mail address to log in, experts believe that it would not be too difficult for vendors to switch to this system.

The Personal Data Protection Commission wants NRIC details to be collected only where the law requires it, or when it is necessary to verify someone's identity "to a high degree of fidelity".

Consumers buying movie tickets online was cited as a scenario that does not require cinemas to collect NRIC data, a current practice by Shaw Theatres and Golden Village (GV).

But GV begs to differ. Replying to queries from The Straits Times, its spokesman said: "The use of customers' NRICs is for fraud prevention and payment dispute management."

A version of this article appeared in the print edition of The Straits Times on November 09, 2017, with the headline 'Use e-mail addresses instead of NRIC data'.