KUALA LUMPUR – Malaysia’s phased rollout of a revamped MyKad with 53 security features marks a major upgrade to the national identity system as authorities move to counter increasingly sophisticated cyber threats driven by artificial intelligence, deepfakes, and large-scale identity fraud.
The new MyKad, which will be introduced in stages from this month at selected National Registration Department (JPN) offices before a wider rollout nationwide, comes nearly 14 years after the last major enhancement in 2012.
Existing cards will remain valid during the transition period, according to official implementation plans.
The upgrade forms part of a broader identity modernisation programme that also includes phased improvements to other identification documents, as Malaysia shifts towards a more integrated digital identity ecosystem linked to MyDigital ID.
Speaking to Scoop, Universiti Sains Malaysia’s Centre for Cyber Security Research professor Dr Selvakumar Manickam said the overhaul reflects a fundamental shift in the country’s security needs since the last update.
“The last upgrade was back in 2012 and the threat landscape was fundamentally different then. In the cybersecurity world, that is a lifetime,” he said.
“Deepfakes did not exist at scale. Generative AI was not widely accessible. Synthetic identity fraud was not a mass-market crime. The new MyKad is a structural recalibration of our national identity security posture to meet threats that the current card was simply not designed to resist.”
Selvakumar said the new system strengthens identity protection across physical, visual and digital layers, making fraud significantly more difficult at multiple points of verification.
“These layers work together. The physical features make duplication difficult, the visual elements allow quick authentication, and the digital layer controls what data can be accessed, by whom and under what conditions,” he said.
However, he stressed that the most serious risks have shifted away from physical card cloning towards digital identity exploitation.
“Identity theft today is rarely about copying the card. It is about exploiting leaked databases, scams and weaknesses in digital verification systems. The weakest link is often the surrounding digital infrastructure rather than the card itself,” he said.
Selvakumar also warned that the transition period between old and new systems presents heightened vulnerability.
“During any national identity upgrade, criminals exploit the overlap period. Dual validity and verification mismatches create opportunities for fraud. Any new digital or QR-based verification system must be fully secured before deployment,” he said.
At the same time, Malaysian Corruption Watch (MCW) president Jais Abdul Karim said while the upgraded card strengthens physical security, long-term risks lie in how the system is managed and governed.
He described MyKad as a critical gateway to national services.
“MyKad is effectively the identity key used by Malaysians to access banking services, government transactions, law enforcement processes and public services,” he said.
He said the increase to 53 security features would make physical forgery significantly more difficult through encryption, holograms, laser engraving and ultraviolet-based authentication.
However, he warned that cyber risks now extend beyond the card itself.
“Today’s threat is no longer limited to card cloning. It extends to identity cloning,” he said.
“Criminals are exploiting stolen personal data and vulnerabilities in digital verification systems. Even if the card is secure, compromised databases, internal access abuse or third-party systems can still expose citizens.”
Jais said the most critical vulnerabilities often emerge during system migration and integration, particularly involving external vendors and centralised databases.
“Data migration, system integration, internal access controls and vendor management are all high-risk areas if not properly secured,” he said.
He called for stronger oversight, including independent cybersecurity audits and more transparent accountability mechanisms.
“Public confidence cannot rely solely on assurances from implementing agencies. Independent oversight is necessary to ensure continuous verification and accountability,” he said.
Meanwhile, economist Geoffrey Williams from the Williams Business Consultancy said that the expansion of national identity infrastructure must also be viewed through a civil liberties lens.
He warned that increased integration of identity systems into daily transactions could raise concerns over privacy and personal freedom.
“The more features that are built into the MyKad, the more personal data is collected, stored and potentially monitored,” he said.
“While these systems are often introduced for convenience and security, they also raise important questions about how much control individuals retain over their personal information.”
Williams said safeguards must be clearly defined to prevent misuse and overreach.
“Security must not come at the expense of privacy. As national identity systems become central to accessing everyday services, transparency and accountability are essential to protect personal freedoms,” he said.
It was reported that officials have indicated that the rollout will be conducted in phases to allow for system testing and public adaptation, with existing MyKad cards remaining valid throughout the transition.
The new identity framework is expected to gradually integrate with Malaysia’s broader digital identity push, including MyDigital ID, as the country moves towards a hybrid physical-digital authentication system. – June 15, 2026