Thursday, July 5, 2007

Is your NRIC safe? Part 1/2

The Singapore NRIC

In Singapore, the NRIC is an individual identifier. Similar to the Social Security number in America, the NRIC identifies each individual uniquely. The Singapore Government has an online password system called SingPass (http://www.ecitizen.gov.sg/singpass/index.htm) that is used in a variety of online services for citizens. Examples include Singapore’s CPF system, and the Accounting and Corporate Regulatory Authority, which regulates business entities in Singapore. The NRIC number is also commonly used by banks, telcos and other service providers to authenticate their customers over the phone. In this article, Cerberus Network looks at the NRIC and some of the potential for mischief and fraud associated with this identifier.

NRIC stands for National Registration Identity Card. The NRIC number (UIN), or NRIC for short, consists of 9 characters: a prefix letter that is S, T, F or G, followed by 7 numeric digits, and a final letter that serves as a check digit. Ngiam Shih Tung (http://www.ngiam.net/NRIC/) has a concise and detailed writeup on the Singapore NRIC checksum algorithm. He has also publicly questioned the National Library Board of Singapore over its policy of letting users check borrowing records with nothing more than a surname and an NRIC number. Chue Wai Lian also wrote an NRIC checker for DOS/Win32 and Java (http://web.singnet.com.sg/~wailian/nric.htm).

Since the NRIC uniquely identifies a person, can its exposure lead to identity theft and fraud? This is the question Cerberus Network would like to answer. A related question is the current status of the algorithm used to compute the NRIC check digit. There are no known public documents from the authorities, but both Ngiam Shih Tung and Mac-Net.com (http://www.mac-net.com/183580.page) mention that the algorithm could be obtained from the Ministry of Home Affairs/ICA for a fee of $200-400. However, the links offered by both sources appear to be outdated.

With hardly any official confirmation or denial of the NRIC algorithms circulating publicly, Cerberus Network has studied the NRIC check digit problem and we agree completely with Ngiam Shih Tung's findings. We have also built a free web service that computes NRIC check digits, implementing an algorithm based on Ngiam Shih Tung's publication (http://www.ngiam.net/NRIC/). If you know how to consume a web service, the URL is http://www.cerberus-network.com/NRIC.asmx . The web service is provided as is: Cerberus Network gives no warranties, express or implied, and does not guarantee the accuracy of the results. It is provided for legal and legitimate use, or for research, only.
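The check-letter computation itself, as an added worked example for the format described above and the web service just mentioned. This is illustrative Python written for this page; it is neither the Cerberus Network web service nor Ngiam Shih Tung's code. It applies the weights, prefix offsets and letter tables of the widely circulated algorithm documented at http://www.ngiam.net/NRIC/, and it also enumerates the full numbers consistent with a partially masked NRIC, to show that the check letter is a consistency check and not a secret. The sample numbers (S1234567D and the like) are constructed test values, not real identities.

```python
# Added example: Singapore NRIC check-letter computation and validation.
# Illustrative code for this article, following the algorithm published at
# http://www.ngiam.net/NRIC/ (not the Cerberus Network web service itself).
import re
from itertools import product

# Weights applied to the 7 digits, left to right.
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
# Weighted sum mod 11 -> check letter, indexed by remainder 0..10.
ST_TABLE = "JZIHGFEDCBA"   # prefixes S and T
FG_TABLE = "XWUTRQPNMLK"   # prefixes F and G
# T and G numbers add an offset before the modulo step.
PREFIX_OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}

_NRIC_RE = re.compile(r"^[STFG]\d{7}[A-Z]$")


def check_letter(prefix_and_digits: str) -> str:
    """Return the check letter for an 8-character string: prefix + 7 digits."""
    s = prefix_and_digits.strip().upper()
    if len(s) != 8 or s[0] not in PREFIX_OFFSET or not s[1:].isdigit():
        raise ValueError("expected a prefix letter S/T/F/G followed by 7 digits")
    total = PREFIX_OFFSET[s[0]] + sum(w * int(d) for w, d in zip(WEIGHTS, s[1:]))
    table = ST_TABLE if s[0] in "ST" else FG_TABLE
    return table[total % 11]


def is_valid(nric: str) -> bool:
    """True if the string is a 9-character NRIC whose check letter is consistent.

    Consistency says nothing about whether the number was ever issued.
    """
    s = nric.strip().upper()
    if not _NRIC_RE.match(s):
        return False
    return check_letter(s[:8]) == s[8]


def complete_masked(masked: str) -> list:
    """Enumerate all full NRICs consistent with a partially masked one.

    '*' marks an unknown digit; the prefix and check letter must be present.
    The check letter removes roughly 1 in 11 candidates, so a masked number
    shown together with its check letter leaks about one digit of information.
    """
    s = masked.strip().upper()
    if len(s) != 9 or s[0] not in PREFIX_OFFSET or not s[8].isalpha():
        raise ValueError("expected prefix, 7 digits or '*', and a check letter")
    body = list(s[1:8])
    if any(c != "*" and not c.isdigit() for c in body):
        raise ValueError("body must contain only digits or '*'")
    unknown = [i for i, c in enumerate(body) if c == "*"]
    results = []
    for fill in product("0123456789", repeat=len(unknown)):
        digits = body[:]
        for i, d in zip(unknown, fill):
            digits[i] = d
        candidate = s[0] + "".join(digits)
        if check_letter(candidate) == s[8]:
            results.append(candidate + s[8])
    return results


if __name__ == "__main__":
    # Constructed sample values, not real identities.
    for sample in ("S1234567", "T0123456", "F1234567", "G1234567"):
        print(sample, "->", check_letter(sample))
    print("S1234567D valid:", is_valid("S1234567D"))
    print("S12345**D completions:", len(complete_masked("S12345**D")))
```

Knowing the algorithm lets anyone validate or generate well-formed numbers; it does not reveal whether a number has actually been issued, and it is not a secret that protects anything. The masked-completion function shows the practical consequence for displays that hide digits but keep the check letter: S12345**D has only 9 consistent completions instead of 100.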

In a typical context, the NRIC is used together with a person's date of birth, and sometimes the maiden name or surname of his mother, to authenticate the caller. This is common procedure at banks and telcos. For operations that require tighter security, banks typically ask additional questions such as "How many accounts do you have with us?", "How many cards do you hold?" or "What is your credit limit?". Unlike a password, however, the NRIC is an identifier that its owner quotes to every organisation that asks for it, so it is not a secret. With the NRIC always one of the key questions asked, we need to pause and consider whether it could one day become the favourite identity theft instrument of malicious parties.

Security

So exactly how safe is the NRIC? Could it become an instrument of identity theft or fraud? We will discuss this in the next installment.
