ICA suspends online service after 80 cases of unauthorised change of address using compromised Singpass accounts

The Immigration and Checkpoints Authority (ICA) identified about 80 cases of unauthorised attempts to change residential addresses registered with ICA using stolen or compromised Singpass accounts through ICA's electronic change of address (eCOA) service.

In a press release on Jan. 11, ICA said it started investigating cases of unauthorised changes of residential addresses in September 2024.

Initially, there were only a few cases, which appeared unconnected.

But ICA said more cases surfaced recently.

By December 2024, ICA's investigation uncovered how the unauthorised changes were made.

ICA was also able to identify what the unathorised changes of addresses were used for.

The perpetrators successfully changed the addresses in about 75 per cent of the 80 attempts that ICA found.

ICA has since suspended its eCOA for review and said it will likely resume the service on Jan. 14.

Using stolen or compromised Singpass accounts

ICA said perpetrators used stolen or compromised Singpass accounts to change victims' residential addresses through the eCOA service.

They did so using the "Others" module, which was introduced to help the less digitally savvy. It allows them to have their residential address updated online by a proxy.

The proxy, acting on behalf of the person seeking to update their address, would log in to the eCOA service using their own Singpass and input the person's NRIC number and date of issue of their NRIC.

ICA said that the perpetrators of the recent cases would have previously acquired both the NRIC number and date of issue of the NRIC of their victims and input the details into the eCOA service.

From there, a verification PIN mailer would be sent to the registered residential address set by the perpetrator.

Once the victim's registered residential address was changed, it was used to set a new password for the victim's Singpass account by requesting the Singpass service to mail a new PIN to the changed address.

The perpetrators then likely used the stolen or compromised Singpass accounts and letterboxes of third parties to generate more mule accounts for scams and other cybercrimes.

"ICA has therefore temporarily disable the eCOA service this morning (Jan. 11) to implement additional security measures to prevent further abuse," ICA said.

Further measures

ICA said the "Others" module will remain unavailable until further measures are implemented to allow a proxy to change an address safely.

The additional security measures include integrating face verification technology into the Singpass login for the eCOA service to minimise the risk that a perpetrator can use the stolen Singpass account.

Those who require proxy assistance may approach the IC Unit at level 3 of the ICA Building for assistance from Mondays to Fridays, 8am to 4:30pm.

ICA shared that it is working with the relevant agencies to assist affected individuals and are contacting all known affected individuals.

ICA will assist the victims in replacing their NRIC (the same NRIC number but a different Date of Issue) and changing their registered address to the correct one.

For those whose Singpass accounts may have been compromised, ICA will work with GovTech to reset them.

The police are investigating the cases to identify the perpetrators and accomplices.

ICA advised members of the public to check their registered address on ICA's website to ensure its accuracy.

"We apologise for the inconvenience as we work to reinforce the security of the eCOA service," said ICA.

Top photos via Google Maps and Singpass website