The security stakes of NIN data
A successful NIMC NIN lookup returns the full legal name, date of birth, gender, address, phone number, and biometric photograph of the NIN holder. Compare this to a BVN lookup, which returns name, date of birth, and phone number. The NIN record is more comprehensive and includes a biometric photograph — which means an attacker with unauthorized NIN lookup capability can verify not just that an identity exists but that it matches a specific face. This combination is the complete toolkit for synthetic identity fraud and account takeover.
The NDPA 2023 classifies biometric data — including the facial image returned in NIN records — as sensitive personal data. Processing sensitive personal data without a lawful basis is a high-severity NDPC violation. A fintech whose NIN verification API integration allows unauthorized lookups is simultaneously enabling identity fraud and committing data protection violations.
1. Unauthorized NIN lookup via unauthenticated endpoint
Some fintechs expose a NIN verification endpoint on their API for internal use during customer onboarding. We test whether this endpoint is protected by authentication. An endpoint that accepts a NIN number and returns the corresponding NIMC data without requiring an authenticated session allows any person on the internet to perform NIN lookups at the platform's cost and in violation of the platform's NIMC API terms of use.
2. NIN substitution in the KYC session
The core security check in any NIN-based KYC workflow is that the NIN being verified belongs to the person initiating the application — not to someone else. We test whether the NIN used in the NIMC lookup is derived from the user's own session (e.g., from a BVN-linked phone verification) or accepted as a client-submitted parameter in the KYC API request. If an attacker can submit any NIN in the request body, they can perform NIMC lookups on arbitrary individuals during their own onboarding — receiving that individual's full biographic data as part of the verification response.
// KYC initiation request
{
"step": "nin_verification",
"nin": "12345678901" // attacker substitutes any NIN here
}
// If backend calls NIMC with the submitted NIN instead of a session-derived NIN,
// this is an unauthorized identity lookup 3. NIN enumeration through response differences
We test whether the NIN verification endpoint reveals information about whether a NIN exists through different error responses. A response of "NIN not found" vs. "Name does not match" reveals whether the NIN is valid even when the associated name does not match. An attacker can enumerate valid NIN numbers by observing which numbers produce a "not found" response versus a "mismatch" response — building a database of valid NIN records without completing a successful verification.
4. NIN session binding to user identity
The NIN verification flow should be cryptographically bound to the user session from the point of initiation to the point of confirmation. We test whether the verified NIN is stored server-side in the session before being used in the onboarding record, or whether the confirmed NIN is submitted in a final KYC confirmation request where it can be swapped. The binding test: verify NIN X as user A, then submit a KYC confirmation request with NIN Y — the backend should reject the confirmation because NIN Y was not the NIN verified in the current session.
5. Rate limiting on the NIN verification endpoint
Without rate limiting, a NIN verification endpoint becomes a lookup tool that an attacker can query thousands of times to harvest identity data. We test rate limiting for both authenticated and unauthenticated access, and for both per-IP and per-account request throttling. For NIN verification specifically, we recommend a strict limit of no more than 5 verification attempts per user per hour, with account-level lockout after 10 failed attempts in 24 hours.
NIN lookup endpoint accessible without authentication, no rate limit
During a security assessment of a Nigerian fintech's onboarding API, we discovered that the NIN verification endpoint was accessible without authentication. The endpoint accepted a GET request with a NIN as a query parameter and returned the full NIMC verification response including name, date of birth, and photograph URL. There was no rate limiting on the endpoint. In a test period of 60 seconds using a parallel request tool, we successfully queried 847 NIN numbers, receiving valid biographic data for each NIN that existed in the NIMC database. Fix priority: critical. The platform was also operating this lookup at their own NIMC API cost without any per-user or per-session control. Remediated by adding JWT authentication to the endpoint, restricting access to active onboarding sessions only, and implementing a rate limit of 3 requests per session per 10-minute window.
Integrating NIN verification in your Nigerian fintech? Book a security audit of the full KYC workflow before unauthorized lookups become a regulatory incident.
Book a KYC API Security AuditFrequently asked questions
What data does a NIMC NIN verification return to the integrating application?
A successful NIN verification returns the holder's full legal name, date of birth, gender, residential address, phone number, and a photograph. This is the most comprehensive biographic identity dataset available on any Nigerian individual. Unauthorized access to this data through an exploitable NIN verification API is a significant NDPA violation and can enable identity fraud at scale.
Who is authorized to integrate the NIMC NIN verification API?
NIMC authorizes specific categories of entities to integrate the NIN verification API including banks, telcos, insurance companies, and licensed verification service providers. Unauthorized API access is a criminal offence under the NIMC Act. Fintechs that access NIN data through unauthorized channels or that misuse authorized access for purposes beyond customer verification risk both NIMC sanctions and NDPA enforcement.
Why is the NIN verification API a target for attackers in fintech?
NIN data is used as the bedrock of identity verification in Nigeria. An attacker who can perform unauthorized NIN lookups can verify synthetic identities, reconstruct complete identity profiles for social engineering, or enumerate NIN numbers to build a database of verified identity data. The NIN verification API is not just a lookup tool — in the wrong hands it is a data harvesting mechanism.
Related reading
Blog: BVN and KYC data security · Credit bureau API security · BVN spoofing and liveness bypass
Services: Penetration testing · API security