As Malaysia prepares to launch a new version of MyKad, the absence of a cancellation mechanism for lost or stolen cards remains a glaring vulnerability. Reform is possible — and urgently needed
By Dr Mohd Safar Hasim
Malaysia is on the brink of rolling out a new version of MyKad — one that promises biometric upgrades, enhanced security features, and integration with MyDigital ID.
But despite these advancements, one critical flaw remains untouched: there is still no kill switch for lost or stolen MyKad.
This oversight is not just technical. It is systemic. And unless addressed, it will continue to expose citizens to subsidy fraud, identity theft, and legal entanglements.
The government should pause the rollout of the new MyKad until this vulnerability is resolved. A card that represents a person’s identity must also protect that identity — especially when compromised.
A Case That Reveals the Flaw
A recent case shared on Facebook illustrates the danger. A citizen, attempting to use his Sumbangan Asas Rahmah (SARA) aid to purchase baby supplies, was shocked to learn his balance had already been depleted.
Upon investigation, MyKasih confirmed that his SARA allocation had been used in Klang — a location he had never visited. The culprit? His old MyKad, lost in 2021 and replaced with a new one.
Despite filing a police report and receiving a replacement card, the old MyKad remained active in the hands of an unknown party.
The implications are staggering. Not only was the card used to access SARA, but the individual suspects it was also used to purchase subsidised petrol under the Budi Madani RON95 scheme.
Worse, the Setel app — used by many to track fuel purchases — offers no transaction history for subsidy usage, leaving victims without recourse or proof. When the victim lodged a report at the Bangi police station, he was redirected to Klang, where the transactions occurred. Eventually, the case was passed to the Ministry of Finance.
At JPN Putrajaya, he discovered he was not alone — at least two other individuals had reported similar misuse of their MyKad for government subsidies. And this figure excludes cases reported at state-level JPN offices.
The most alarming revelation? JPN confirmed they have no mechanism to deactivate or block a lost MyKad. As long as the physical card is intact, anyone — even non-citizens — can use it to access government aid, register services, or worse, commit identity fraud.
A Brief History of Malaysia’s IC System
Malaysia’s identity card system began in 1948, during the Malayan Emergency. The first IC was a paper-based document used to track movement and identity under British rule.
In 1960, plastic ICs were introduced in Peninsular Malaysia, followed by Sabah (1972) and Sarawak (1966). By 1990, laminated ICs became standard nationwide.
The digital leap came in 2001, when Malaysia launched MyKad, becoming the first country to introduce a multi-application identity card with an embedded chip. The card could store personal data, driving licence info, health records, and even function as an ATM or e-purse.
In 2012, MyKad was upgraded with polycarbonate material, ghost images, and enhanced chip security. Yet, despite these improvements, the card remained a static bearer token — usable by anyone who physically possessed it.
Now, in 2025, Malaysia is preparing to launch a new version of MyKad with biometric scans of all 10 fingerprints, facial and iris recognition, and integration with MyDigital ID. But the core flaw persists: there is still no way to cancel a lost card.
Why a Kill Switch Is Essential
Consider this: when a credit card is lost, the issuing bank immediately blocks the card and issues a new one. The old card becomes unusable. Similarly, every mobile phone has two identifiers — a phone number and an IMEI number. If a phone is stolen, telcos can blacklist the IMEI, rendering the device unusable even with a new SIM.
Why can’t MyKad adopt a similar logic?
Technically, it’s possible. If each MyKad chip had a unique, trackable hardware ID — akin to an IMEI — it could be registered in a central database. When a card is lost, the chip ID could be blacklisted.
Backend systems across government apps, kiosks, and subsidy platforms would reject transactions from blacklisted chips. A new MyKad would be issued with a new chip ID, while retaining the same NRIC number.
This would allow identity continuity while invalidating compromised cards. It would protect citizens from misuse and restore public trust in digital governance.
What the New MyKad Must Include
The upcoming MyKad promises biometric verification and integration with MyDigital ID. These are important steps. But unless the system includes a chip-level cancellation mechanism, the vulnerability remains.
Biometrics can verify a person — but they don’t block a stolen card. MyDigital ID can authenticate online transactions — but it doesn’t prevent someone from using a lost MyKad at a petrol kiosk or government counter.
Without chip invalidation, the system protects the card — not the citizen.
A Civic Proposal: Chip-Level Deactivation Framework
To address this, we propose a MyKad Chip Deactivation Framework:
1. Assign a unique Chip ID to every MyKad (similar to IMEI)
2. Centralise Chip ID registry at JPN, linked to NRIC number
3. Enable real-time validation across government apps, kiosks, and subsidy systems
4. Allow chip-level deactivation upon police report and issuance of new MyKad
5. Retain NRIC continuity — only the chip is invalidated, not the person’s identity
This framework would align Malaysia’s identity system with global best practices. It would prevent misuse of lost/stolen MyKad, protect subsidy integrity, and enable layered security. It would also empower citizens to reclaim control over their identity.
The Civic Imperative
This is not merely a matter of personal inconvenience. It is a breach of public trust in our digital systems. If a lost IC can still unlock government aid, then our subsidy targeting is not just flawed — it is compromised.
As Malaysia moves toward digital inclusivity and fiscal responsibility, we must ensure that our systems protect the very people they are designed to serve. Otherwise, the promise of targeted aid becomes a playground for fraud — and the victims are left holding the consequences.
The time has come to rethink how we protect identity in a digital age. The MyKad must evolve from a static token to a dynamic, secure identity system — one that protects citizens, not just cards.
The government must halt the rollout of the new MyKad until this issue is resolved. A card that cannot be cancelled is a card that can be misused. And in a digital nation, that is a risk we can no longer afford.
The views expressed here are entirely those of Dr Mohd Safar Hasim, a Council Member of the Malaysian Press Institute (MPI)