Fri07202018

LAST_UPDATEFri, 20 Jul 2018 7pm

Here's What You Should Know The Next Time Someone Asks For Your MyKad

Pic: FirstpostPic: Firstpost

Can you remember when was the last time you gave out your identification card (IC) number to a third party without thinking twice about it?

We are more wary when asked to reveal our bank account, credit card, insurance policy and EPF account number, or when asked for our income tax information but when it comes to our MyKad, we are shockingly complacent.

Whether we realise or not, many of us have been giving our IC number rather freely from entering contests, completing surveys to receiving parcels from courier companies.

However, have you ever stopped to wonder whether your IC number will be misused by the third party who is currently in possession of it?

Hackers Can Dig Up Plenty Of Information Just From Your IC Number

The unique 12 digit numbers assigned to us by the National Registration Department may be treated by some simply as a set of numbers on a card that recognises us to be legal Malaysian citizens but we need to realise that our identity is stored within those numbers.

It is pertinent that we know the value and importance of our IC numbers because in the off chance that hackers get a hold of it, our identity and life is practically in their hands.

An IT specialist, who wants to remain anonymous, relayed that through our IC numbers, hackers will get access to a whole bunch of information that will enable them to think of malicious activities that they may or may not get away with.

Filepic: ReutersFilepic: Reuters

“A lot of us have forgotten that our IC number is our identity, and the preferred verification/authorisation mode.

“Think of it this way; banks, companies will ask you to verify your identity by stating your IC number, you’re asked to provide your I/C when you apply for basically anything from tertiary education, to car loans to credit card.

“Once hackers get their hands on the number, you’re basically giving them permission to your identity and life,” she emphasised.

She added that with a little stalking, hackers will be able to identify how you look like and permit them to create a fake IC.

And for some hackers, they are able to hack so deeply, they can uncover your address, workplace, phone number and even access to information such as your income tax reference number, your mall loyalty points, your bank account and etc.

“All these can potentially lead to perpetrators using your identity/ IC to make purchases and scams, and it can go as far as linking your identity/ name to criminal activities,” she said, while sharing that our identity can be stolen without us realising it until red flags are raised and we are neck deep in trouble.

Although she has never dealt with cases of identity theft in her line of work since it is outside her jurisdiction and job scope, she relayed how a woman’s identity was used as a mule for a drug syndicate in Kuala Lumpur.

“The woman received an unexpected visit by the police, informing her that her name, IC number and bank account number was used as a mule to transfer drug money between a syndicate and dealers.

“Because the perpetrators have her IC number, it was even more challenging for the woman to clear her name.

“She, her family and close friends were interrogated, and after an investigation, it was then revealed that she had her identity stolen and misused. How the police discovered that, I am unable to share,” she shared.

As such, she believes that there should be a different way to verify our identity but beyond that, she believes that there should be a special and thorough task force that tackles this issue.

If Your Identity Is Stolen, It May Be Difficult To Prove Your Innocence

Although the Private Data Protection Act 2010 (PDPA) that protects our data, which is collected for commercial purposes, from being misused by third parties has been enacted, there are limits to how far the law can protect us especially when our data is collected for non-commercial purposes, which is unregulated and open to abuse.

Foong Cheng Leong, founder of law firm Foong Cheng Leong & Co., relayed that when you simply give out your IC number to anyone asking, you are liable to have more of your information to be collected and can be used for social engineering such as creating a complete profile about you.

Foong Cheng LeongFoong Cheng Leong“With a complete profile, one can use it to obtain certain things like services, access to bank accounts, mobile numbers, financial information, email, buildings and further information etc.

“One can also use that profile to obtain information of another person e.g. a person close to you, for example, your spouse's personal information,” he said.

And when our personal data and identity gets stolen, it may not be easy to prove and it will depend on the circumstances.

“But one would have to go through a difficult process of being investigated. He may be arrested, remanded, have his computers and mobile devices ceased, privacy invaded etc.” he said.

Although he has not had any cases involving IC number, he has come across cases involving the misuse of identity.

“I had one case where the employee was charged in Court under the Computer Crimes Act 1997 for unauthorised modification of content.

“His office account and internet account were used to delete a database of his employer. Fortunately, we managed to prove that it was not him who did it,” he said.

Foong also said that cases of identity theft are not just a few in the country, as he shared the most well-known case which is the case of Adorna Properties Sdn Bhd v Boonsom Boonyanit.

“The land owner lost her land after it was fraudulently transferred to a third party and subsequently sold to a bona fide purchaser - see https://asklegal.my/p/boonsom-boonyanit-adorna-properties-indefeasible-title-national-land-code-1. Note that the position of this law has changed - see http://www.skrine.com/better-late-than-never,” he shared.

He said that the best way to protect our data is by ensuring that it is always secure and that we control the circulation of our data.

Know Your Rights Under Malaysian Law When Someone Asks For Your MyKad

As much as our IC number contains much of our information, our physical identification card or MyKad also holds our personal information within its chip and it is important for us to ensure that it is not compromised by a third party.

And there are many instances where our MyKad can be compromised such as when we leave our MyKad to security before entering a gated residence or office building for identification or in exchange for an access card.

But is it legal for them to retain our MyKad even if we are not comfortable with it? Foong said that this debate falls under a grey area.

“Arguably a premise owner can request for information of a person before they allow the access. However, the Personal Data Protection Act 2010 states that processing of personal data cannot be excessive and the retaining of MyKad would be excessive.

“But the PDPA does not apply to the Federal and State Government. Nevertheless, the security guards or building owners are normally operated by a private entity,” he said.

And while we might be a bit apprehensive about leaving our MyKad with strangers, we should also be concerned about lost and stolen MyKads, where as of May 2017, a total of 169,381 lost cards were reported.

However, National Registration Department (NRD) deputy director-general (operations) Datuk Mohd Zahari Hassan said last year that the number of lost cards reported is not worrying as “we have about 30 million MyKad holders.”

Regardless of his assurance that the number of lost cards are not worrying, we as cardholders need to remember that our MyKad contains personal data that can be accessed including at the very least our name, address, race, citizenship status, religion (for Muslims) and fingerprint minutiae, or it can be used by unscrupulous people to create fake MyKads.

According to a recent article on tech news portal lowyat.net, the numbering format used in our chip-based MyKad is antiquated, as it is based on existing technology available from the 1990s.

Simply put, the numbering format reveals too much direct information without encryption which is dangerous in today’s digitally wired community.

As such, the article argues that a new MyKad numbering system should be introduced such as the one used in Singapore, where they use a system called 'checksum algorithm' to generate unique alpha-numeric IC numbers for their citizens.

While it is far from perfect, as the algorithm has been reverse engineered to reveal the information contained within those numbers, it looks to be better than the one that we currently have.

But since we are still dependent on the identification system that we have now, we need to take precautionary steps to protect our personal data given the security limitations of our existing MyKad. While the following list is not exhaustive, it can be a starting guide for us to be more careful with our identity:

-mD