Scammers changed 71 addresses via ICA e-service; checks being done if CDC vouchers affected

SINGAPORE – The Immigration and Checkpoints Authority (ICA) will continue to suspend parts of its electronic change of address (eCOA) function on its website until it is more secure.

The ICA had said on Jan 11 that scammers had used compromised Singpass accounts to circumvent several security safeguards in the system.

Minister of State for Home Affairs Sun Xueling gave this update in Parliament on Feb 4 when replying to questions from several MPs on the issue.

She said the authorities are checking on whether the distribution of government benefits, like CDC vouchers, was impacted by this criminal activity, and if it was, they will help those who are affected.

On Jan 11, ICA had said several unconnected cases of unauthorised change of address were reported in September 2024.

In 2020, ICA had introduced a feature on its website to make it convenient for members of the public to update the authorities on their new addresses, using Singpass, without visiting a police station.

To verify a new address, applicants key in a unique PIN sent by mail to their new address. Once confirmed, an instant acknowledgement will be sent to indicate the change of address is successful.

Those who are not tech-savvy or who are unable to submit applications through the online service can appoint proxies, such as a friend or family member who is a Singpass holder, to submit the applications on their behalf through the “Others” module on eCOA.

That person must provide the applicant’s NRIC number and its date of issue to access the service.

To complete the process, the proxy must also obtain and enter the PIN mailed to the applicant’s new address.

On Feb 4, Ms Sun said the suspects had tried to change the addresses of 99 people and succeeded in 71 cases.

Of these 71, the criminals took over the Singpass accounts of 16 victims by performing a password reset.

Ms Sun said the Singpass accounts of the 99 have been suspended, and the authorities are helping them reset and secure their accounts.

ICA will help them replace their physical NRICs, which will come with a new date of issue.

Ms Sun said the police will also help to stop or reverse any fraudulent activity from the 16 compromised Singpass accounts.

Ms Sun was responding to queries from Ms Joan Pereira (Tanjong Pagar GRC), Mr Mohd Fahmi Aliman (Marine Parade GRC) and Non-Constituency MPs Leong Mun Wai and Hazel Poa.

Ms Sun said 13 people have been arrested over the incident. Four men have been charged with offences under the Computer Misuse Act.

Ms Sun said several safeguards were put in place at the time eCOA was introduced, including the need to authenticate the proxy through Singpass, the use of the NRIC number and date of issue, and the use of a physical PIN mailer.

She said: “At that time, these were assessed to represent an acceptable balance between absolute security and usability. However, we now recognise that this service could be and was exploited by malicious actors.”

She said a key problem was that people gave up their Singpass accounts to be misused.

She said this was not anticipated, and was the key reason why malicious actors were able to exploit the “Others” module in eCOA.

Said Ms Sun: “They had first used Singpass accounts which had been relinquished, as proxies to initiate the change of address for another individual.

“Using the date of issue of NRIC as one of the three safeguards was reasonable, but proved not adequate, as malicious actors managed to get hold of the information.”

She said ICA has since introduced face verification when individuals use their Singpass accounts to log into the “Myself” module of the eCOA service to change their own residential addresses.

This module resumed on Jan 14.

But the “Others” module and the “Myself and My Family” module will remain suspended until additional safeguards can be put in place, Ms Sun added.

Ms Pereira asked why ICA did not suspend eCOA earlier, when first alerted to the incidents.

Ms Sun said ICA suspended the service only on Jan 11 because the agency needed time to investigate the various reports.

She added: “In hindsight, ICA could have taken steps to cease the service earlier in December 2024 when the modus operandi was established. But these are judgment calls that public officers have to make every day.”

NRIC holders must report a change of address within 28 days of moving into a new residence. Those using a false address can be fined up to $3,000, jailed for two years, or both.

ICA said an average of 900 Singapore residents change their residential addresses through proxies every month.

Those found guilty of unauthorised disclosure of access codes under the Computer Misuse Act can be jailed for up to three years, fined up to $10,000, or both, for first-time offenders.

Individuals convicted of the disclosure of passwords or access codes in relation to the national digital identity service under the same Act face the same penalties.