Sharing the last 4 characters of your NRIC? Think twice.

George Chen
5 min read · Aug 2, 2023


“Don’t worry; we’re only collecting the last 4 characters of your NRIC.” — famous last words.

https://hotpot.ai/s/art-generator/8-bfcgTG9RPBFwgYH (AI art with weird fingers)

On 1 September 2019, stricter guidelines came into effect for the collection and use of NRIC (Singapore National Registration Identity Card) numbers. Apart from use cases required by law, organisations should collect and disclose only the partial NRIC (last 3 digits + checksum letter).

In April 2022, I reported through a government bug bounty programme that hundreds of thousands of citizens had the last 4 characters of their NRIC exposed, and demonstrated a way to derive the full NRIC from those 4 characters. The verdict was mixed: some agencies made such lists "less public", while others stated that they are exempt from the PDPA and therefore not in violation for disclosing protected information.

https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/resource-for-organisation/considerations-for-collecting-nric-numbers-for-orgs.pdf

In one of my bug bounty reports, I demonstrated, against a high-profile VIP, the ability to:

  • Retrieve his partial NRIC.
  • Derive the full NRIC.
  • Validate it accurately and passively.
  • Send messages or funds to that person (you can imagine how this could be abused).
  • Obtain his physical address.
  • Do all of this at scale, using a few proposed approaches.

There are two reasons why I’m writing this.

  • The general public needs to be aware of the risks of sharing the last 4 characters of the NRIC. In many scenarios, even on a call with a bank, the last 4 characters of the NRIC are accepted as proof of identity and unlock further sensitive information.
  • Many 3rd party services actively collect and host this piece of information, so getting hold of these lists is trivial. This needs to change.

Collecting Partial NRIC

I did some plain-old Google dorking and found tens of thousands of exposed full names + partial NRICs (there were some full NRICs too, but we won't talk about those) in organisations' nominal rolls, name lists, lucky draw winner and participant lists, etc. When I contacted the main parties to explain the exposure, they responded that the users or participants had granted permission for their protected data to be used in any way the organisations deemed fit. I mean, who reads the T&Cs for a lucky draw, right? Interesting tidbit: I checked in with an acquaintance whose name I saw on one of these lists, and he was surprised and displeased to see his masked NRIC exposed.

These files are still publicly listed and accessible, and can be crawled by search engines. There are also 3rd party services, neither associated with nor based in Singapore, that have already crawled this data and are actively hosting it, making such lists even easier to obtain. Other findings include services that offer query functions based on generic names or numbers, which I won't be explicit about.

Getting hold of partial NRIC alone makes it easy to phish a target. Finding a victim’s email address from the full name is trivial, and armed with the last 4 characters of NRIC and the context of the lucky draw or associated activity, it makes the phishing context a lot more convincing.

Deriving Full NRIC from Partial NRIC

For cardholders born from 1 January 1968 onwards, the first two digits of the NRIC number are the birth year (prefix S for those born before 2000, T for those born from 2000 onwards; numbers issued before 1968 do not carry the birth year). So if I were born in 1970, my NRIC would read S70XX123B, where 123B is the exposed data from above. As with email addresses, a victim's birth year is easy to find: social media or LinkedIn profiles usually contain information such as a university graduation year, from which we can work backwards.

All that's left is guessing the remaining 2 digits.

The middle 2 digits are assigned incrementally through the year, so a person born in January 1970 would have a lower number than another born in December 1970. So pick a starting number based on the birth month, or otherwise start from 00. There are several NRIC validators online where you can enter S7000123B and they will tell you whether it is a valid ID according to the checksum letter:

https://nric.biz/

So, assuming my target's birth month is January, I would try the numbers 00–20. Since the checksum letter matches only about one candidate in eleven, that passive check leaves me with two or three hits.
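The passive check above can be done offline, because the NRIC checksum scheme is public. The following is an added example, not code from the original post: it implements the published checksum (weights 2,7,6,5,4,3,2 over the seven digits, mod 11, letter table chosen by prefix, with the T and G series adding 4) and enumerates every full number of the form S70XX123B that passes it. The year "70" and suffix "123B" are the post's own illustration; the two-digit sequence range is an assumption about the birth month, and nothing here touches any live service. The M series introduced in 2022 uses a different offset and letter table and is deliberately left out.

```python
"""Added example: enumerate the full NRIC candidates that a leaked
"last 4 characters" plus a guessed birth year leave open.

Checksum scheme: weighted sum of the seven digits with weights
2,7,6,5,4,3,2, plus 4 for T/G prefixes, taken mod 11 and mapped to a
letter table that depends on the prefix. S1234567D is a well-known
valid sample and is used as a sanity check below.
"""

WEIGHTS = (2, 7, 6, 5, 4, 3, 2)

# Checksum letter tables, indexed by (weighted sum + prefix offset) mod 11.
CHECK_LETTERS = {
    "S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",   # citizens / PRs (NRIC)
    "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK",   # foreigners (FIN)
}
# T and G series (issued from 2000 onwards) add 4 before the mod 11.
PREFIX_OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}


def checksum(prefix: str, digits: str) -> str:
    """Return the checksum letter for <prefix> + 7 digit body."""
    prefix = prefix.upper()
    if prefix not in CHECK_LETTERS or len(digits) != 7 or not digits.isdigit():
        raise ValueError("expected prefix S/T/F/G and exactly 7 digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits))
    total += PREFIX_OFFSET[prefix]
    return CHECK_LETTERS[prefix][total % 11]


def is_valid(nric: str) -> bool:
    """Passive validity check: the same test an online validator performs."""
    nric = nric.strip().upper()
    if len(nric) != 9:
        return False
    try:
        return checksum(nric[0], nric[1:8]) == nric[8]
    except ValueError:
        return False


def candidates(prefix: str, birth_year_2d: str, last3: str,
               check_letter: str, seq_range=range(100)) -> list[str]:
    """All full numbers <prefix><yy><xx><last3><check> whose checksum
    matches, for the two unknown digits xx drawn from seq_range.
    seq_range defaults to all 100 possibilities; narrow it to a guessed
    birth-month window the way the post does (e.g. range(0, 21))."""
    check_letter = check_letter.upper()
    hits = []
    for xx in seq_range:
        body = f"{birth_year_2d}{xx:02d}{last3}"
        if checksum(prefix, body) == check_letter:
            hits.append(f"{prefix}{body}{check_letter}")
    return hits


if __name__ == "__main__":
    print("S1234567D valid:", is_valid("S1234567D"))
    # The post's illustration: born 1970, leaked suffix "123B".
    print("all candidates   :", candidates("S", "70", "123", "B"))
    print("January window   :", candidates("S", "70", "123", "B", range(0, 21)))
    # Without the checksum letter there is nothing to filter on: 100 candidates.
    print("no checksum      :", sum(1 for _ in range(100)))
```

Running the block shows the point of the post in numbers: all 100 values of XX collapse to 9 checksum-consistent candidates (about one in eleven), and the 00–20 window leaves just two, S7009123B and S7020123B, to try against a name lookup. The last line is the counter-case for the recommendations section: if only the three digits "123" were shared without the letter "B", the attacker has nothing to filter on and is back to 100 candidates.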

Validating NRIC

With the 2 or 3 potentially valid NRIC numbers from above, we perform another round of pseudo-passive checks using services such as PayNow/PayAnyone, which let you send money to someone by entering their NRIC (or mobile number). We don't have to send any money; we only use the name lookup that precedes a transfer.

One of those numbers will resolve to the target's full name (which is why I recommend registering a nickname instead), and that is your target's full NRIC.

Buying Personal Information

With the full NRIC (or even just the full name), an attacker could go a step further and purchase the person's business or personal profile from a government agency, which includes more data such as contact details and addresses. If someone buys my profile, I'm not notified.

Recommendations

  • Replace your full name with an obscure nickname for PayNow, and for that matter use a different alias for each service.
  • Share the last 4 characters of your NRIC only when absolutely required, and only once you understand how securely the collecting organisation manages and stores your information.
  • Limit what you share to the last 3 digits without the checksum letter; without the letter there is nothing to filter candidates on, which makes reverse-derivation much harder.
  • Where applicable (and this might be controversial), provide "inaccurate" last 4 characters if you don't think there's a legitimate use case for the collection.
  • Physically partial-mask your NRIC card with stickers, so that when you have to present the physical card, say at a hotel or for a car rental, the collecting organisation only gets your last 4 characters and would have to resort to this article to derive your full NRIC if they really want to : )


George Chen

Global Threat Hunting Manager at PayPal. George is a site lead for Innovation Lab & Community Impact. In his spare cycles, he lectures cybersec at a University.