SINGAPORE: While the Government has issued new guidelines against indiscriminate collection of NRIC details, cybersecurity experts have highlighted a different kind of personal data threat: random NRIC generators.
From September 2019, the Personal Data Protection Commission (PDPC) said organisations can only collect, use or disclose NRIC numbers or NRIC copies "under certain specific circumstances".
But a quick online search by Channel NewsAsia turned up at least two random NRIC generators that can produce "valid" NRIC numbers that are "verified against published checking logic".
Both only required a user to input the desired NRIC number's first letter and corresponding range of birth years before churning out the digits.
When announcing the new NRIC guidelines in August, the PDPC had said that the NRIC number is a "permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to an individual".
"In today's digital economy, indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud," it added.
Mr Jonathan Phua, who co-founded cybersecurity firm InsiderSecurity, said the online NRIC generators pose "big cyber risks" as many online services use NRIC numbers as usernames.
"We know that many people like to use simple-to-remember passwords," he told Channel NewsAsia.
"So if I generated a list of random, valid-looking NRIC numbers, I can try my luck to access such services with these NRIC numbers and commonly used passwords.
"Hopefully, the online services have measures in place to make this kind of attack more difficult, but the attacker may get lucky with an online service that is not so well-protected."
Ms Joanne Wong, senior regional director for Asia-Pacific and Japan at LogRhythm, a security intelligence firm, said the generators can be a "cause for concern".
"A system using artificial intelligence can be fed a list of existing NRIC numbers, possibly stolen in a data breach or bought on the Dark Web, and taught how to better identify and predict valid NRIC numbers," she said.
"Further cross referencing between different sets of stolen data may reveal information such as favourite passwords and mobile numbers tagged to an individual NRIC number.
"In the worst-case scenario, this might even lead to accounts using NRIC numbers as part of login details to be compromised."
Mr Clement Lee, principal consulting security architect for Asia, Middle East and Africa at Check Point Software Technologies, said hackers can build "context" around the generated NRIC numbers to launch an effective social engineering campaign.
For example, a hacker who is able to match the NRIC number to a person's full name and mobile number can call the victim while posing as a person in authority.
"Step by step, the victim will be guided to install further mobile malware for further personal data phishing," Mr Lee said, adding that advanced hackers can substitute their personal numbers with official-looking ones.
SHOULD YOU BE WORRIED?
While it is clear that online NRIC generators can be used for nefarious activities, the experts said there are measures in place to ensure criminals have a tough time.
For example, organisations would usually need additional information like proof of address for verification, said Mr Dexter Ng, chief technology officer at AntiHack.me, a bug bounty platform.
"As there are ways of validating these numbers, it would be difficult to use these generated numbers for illegal activities," Ms Wong said.
Likewise, Mr Lee said it is "extremely tedious to build the context around the NRIC numbers for them to be really useful", while Mr Phua said the NRIC generators "don't pose a new risk" as they have been around for a long time.
Mr Ng said the public "should not worry too much" about the generators, but instead "be more aware and concerned about data breaches from companies that store their data or companies that sell their data for money".
PURPOSE OF NRIC GENERATORS
So, what then is an online NRIC generator used for?
Ms Wong said they can be used for contests, giveaways and registrations, pointing out that the generated NRICs might not necessarily belong to a real person.
"The most common usage or abuse for generators are registration of multiple accounts to gain referral points or discounts," Mr Ng said.
As for the creators themselves, one stated on the generator's website that it is used for software testing purposes, while another said it "serves to demonstrate that it is possible to do so".
Mr Phua said the NRIC algorithm is simple enough that coders can take as quickly as 20 minutes to write their own random generator.
"The NRIC algorithm was never meant to be an impenetrable cipher, but a check for input errors," Mr Lee said. "With a large enough data set, any budding cryptanalyst would be able to solve this algorithm."
SHOULD AUTHORITIES STEP IN?
Despite the generator's simplicity, its creators are quick to acknowledge the harm it can potentially cause.
"You should not use the NRIC numbers to impersonate anyone as it is an offence," one said on the generator's website. Another added: "Users are not allowed to use NRIC/FIN generated for work usage, or submit into Government systems."
It remains unclear if it is legal to generate random yet valid NRIC numbers. Queries to the Info-communications Media Development Authority were referred to the Immigration and Checkpoints Authority (ICA), which issues identity cards to Singapore citizens.
Channel NewsAsia has reached out to ICA for comment.
Nevertheless, the experts are clear about the importance of protecting the unique and widely-used NRIC numbers.
"If an organisation's system is compromised, the perpetrator might make use of the NRIC number to search for more privileged information about the person," said Mr Wayne Lee, a junior security researcher at Kaspersky Lab APAC's global research and analysis team.
Furthermore, Mr Phua said attackers can use NRICs to tie together different kinds of leaked data from various sources and build a profile for different individuals.
"This will be useful to the attacker for identity theft, fraud or even state-sponsored espionage," he added.