After privacy concerns were raised over ACRA's new Bizfile portal showing full NRIC numbers in search results, the Singapore government announced it intends to stop masking the numbers. How will this change the way such information is used and how can people and organisations continue to protect themselves from cybersecurity attacks?
Crispina Robert speaks to Steve Tan, deputy head of technology, media and telecommunications from Rajah & Tann Singapore and Aaron Ang, chief information security officer at Singapore-based IT services company Wissen International.
(Photo: Zhaki Abdullah)
Here is an excerpt of the conversation:
Aaron Ang, Wissen International:
In the cybersecurity world, we have been so conditioned and trained to think of NRIC numbers as the holy grail of personal information. Some of them, just one identifier (like the NRIC) can help you to identify a person. Some require a combination of data, and that's essentially what makes up personal identifiable information.
But the NRIC has long been seen as protected. You can easily get someone's date of birth, someone's address maybe, but NRIC is something that is really hard to get.
So when you actually put out NRIC (numbers) in the open, like what happened with the ACRA and their licensees website, essentially what you are doing is that now cyber criminals then have access to the full suite of data.
It opens up lots of possibilities (as to what) people can do. So this change in policy, which was apparently acted on by ACRA much earlier than the rest of the government agencies, allows a window of opportunity for cyber criminals to harvest the data.
Whether or not NRIC remains something that should be protected, whether NRIC is a unique identifier, whether NRIC is your full name, that honestly does not really matter in the world of cyber crime. Essentially, this data can be used and it has been used to actually do evil and do harm.
Crispina Robert, host:
Let me pick up on something you said, Aaron. I know you said that, okay this is quite shocking, but MDDI has said that, "Look, it's kind of pointless to mask it because the algorithms are so advanced." Basically the scammers out there have become quite sophisticated ...
I think what sits uncomfortably is that all this while, PDPA says don't collect (the) full IC number, right? And now they're saying, okay, the full IC number is not as vulnerable as we thought it was, or we initially made it out to be. Is there some kind of a mismatch between the PDPA requirements (and the policy)?
Steve Tan, Rajah & Tann Singapore:
I mean, we can't obfuscate the fact that through the years we've been really conditioned to the fact that, yes, we've got to treat national identification numbers carefully because it's immutable, and it in itself, is like your master key right, to unlocking lots of access to other platforms, data and stuff like that. And of course, now that you see a change coming from the pronouncement from MDDI (with the media release on Dec 13). Then PDPC came up with the release on Dec 14, right? And the jury is not out yet, right?
If you read that release carefully, they're focusing on authentication, on password access.
But when you look at perhaps the end parts and all that, there's no inconsistency between what PDPC is saying vis a vis MDDI. They're just saying that they're looking at this more carefully, and they come up with a fuller perspective on things, as well as amending the advisory guidelines once they seek public consultation and stuff like that. Those are more from a hygiene perspective of how do you authenticate yourself, what sort of passwords you should be using? You shouldn't be using (NRIC numbers) anyway, and prior to in years past, they've always been advocating that. So no change in that.
Find more episodes of Deep Dive here.
A new episode of Deep Dive drops every Friday. Follow the podcast on Apple or Spotify for the latest updates.
Have a great topic for us? Drop the team an email at cnapodcasts [at] mediacorp.com.sg