Vendors urged not to rely on customer NRIC or mobile phone numbers for identifiers


With stricter protection of NRIC data on the horizon, security experts are urging malls and vendors to set up unique identifiers for their members that do not rely on NRIC or even mobile phone numbers.

Damage from fraud related to one's NRIC - and increasingly mobile phone number - cannot be reversed easily, said Mr Lennie Tan, regional vice-president and general manager of cyber security firm One Identity.

"It is far harder and almost impossible to change these identifiers," he added.

Instead, security experts suggest that vendors set up systems that generate a unique string of numbers tied to limited personal information such as an e-mail address or name. If that string is compromised, the vendor simply creates a new one.

"A phone number and an e-mail address are usually sufficient for identity verification, especially when combined with a unique identifier generated by the vendor," said Mr Nick Savvides, a security advocate for Asia Pacific and Japan at cyber security firm Symantec.

The value that hackers place on NRIC data speaks volumes.

Compared with credit card numbers, which can be easily deactivated and changed, NRIC numbers cost a few times more on the black market, according to industry estimates.

For years, service providers have freely collected customers' NRIC numbers to track parking redemptions, membership accounts and lucky draws, among many things.

From next year, when stricter privacy rules kick in, consumers will be able to refuse to hand over their NRIC details, and the onus will be on providers to use other methods to identify them.

The cost of setting up systems that generate unique identifiers has prompted many retailers, malls and cinema operators to use NRIC data, said independent global cyber security expert Aloysius Cheang.

"Most collect NRIC numbers out of convenience too," he said.

But as most online shopping and content streaming websites let customers use their e-mail address to log in, experts believe it would not be too difficult for vendors to switch to this.

The Personal Data Protection Commission wants NRIC details to be collected only when the law requires it, or when it is vital to verify someone's identity "to a high degree of fidelity".

Buying movie tickets online was cited as a scenario that does not require cinemas to collect NRIC data, although Shaw Theatres and Golden Village (GV) do so.

But GV begs to differ, saying its use of the data is for "fraud prevention and payment dispute management".