I was recently asked to take a survey which authenticated users solely using IC numbers. According to guideline 6 of PDPC's advisory on the use of NRIC numbers, NRIC numbers are widely used for various business purposes and organisations that use NRIC numbers as user names or membership numbers might be disclosing personal data to third parties without consent. Under what circumstances then is it alright to use NRIC numbers for authentication?
The survey login page requires only your NRIC number in order to authenticate. This is perfectly acceptable, what is the worst that could happen? Someone who knows your NRIC number could do the survey on your behalf. If he knows the NRIC number of multiple respondents, he could skew the survey results by a substantial margin. At this point, I believe the risks are still acceptable and no great damage has been done. Organizations performing surveys may face certain constraints, this could be the first time they are contacting the respondents and do not have any other channel to securely communicate a password. Even if they had, respondents might find it too much of a hassle to enter the password and it might deter them from completing the survey.
Here is where it starts getting gnarly. The respondent's full name, email, phone number and address is pre-filled on the last page of the survey. In this particular case, the information was obtained through legitimate means. At this point, I believe that the NRIC number alone as a form of authentication is insufficient to protect all the personal information. The problem is further exacerbated by the fact that this particular survey is conducted across a cohort, hence most respondent's NRIC number would start with the same few digits. A brute force attack is likely to be possible. I tested out this hypothesis by decrementing my NRIC number by 1 digit at a time, calculating the checksum and trying out that number. I succeeded after less than 20 tries, getting into my "NRIC neighbour's" account and revealing his personal details. I immediately contacted the party in charge of the survey to highlight this issue.
To their credit, they responded almost immediately and fixed the problem within 3 days. They decided to remove the pre-filled fields so as to stem the information leakage. This is a perfectly acceptable solution, albeit at the cost of convenience. Respondents will now have to type their contact details. Will this deter them? I do not think so, they can click submit without entering their details, especially if they are not interested in the lucky draw.
There are a number of alternative solutions.
-
Enhance the authentication process by requiring respondents to enter date of birth or other privileged information on the login page. I am unsure if this organization has the date of birth of respondents, but there is at least one other piece of information that can be requested and is not part of the information being verified.
-
Redact part of the contact information, (e.g. 9123-████, Blk ███ Serangoon Ave 4 #██-██ Singapore ██████). This method does have its drawbacks as well. Firstly, some information is still being leaked. Secondly, it might not be able to catch typos in the information being verified, e.g. wrong number in the last 4 digits of the phone number. Thirdly, it might not work for special cases, e.g. only 1 house on the entire street. I have encountered a certain bank which redacts all middle characters in email address, (e.g. a████a@gmail.com, b████████b@hotmail.com). It works until you encounter edge cases, e.g. custom domains or short emails, (e.g. a█a@live.com.sg, p█████c@limbenjamin.com). Yes, some of us are lucky enough to get short emails addresses or even twitter handles.
There is no short answer to whether using NRIC number alone is sufficient for authentication. It might be feasible if no privileged information is leaked and no privileged access is being granted. However, in most cases, NRIC numbers are used as identification while a separate piece of information such as a password is used to authenticate.