ICA suspends online residential address change service following unauthorised changes

Date:

Box 1


The Immigration and Checkpoints Authority (ICA) on Saturday, 11 January 2025, announced the suspension of its electronic change of address (eCOA) service following unauthorised attempts to modify residential addresses using compromised Singpass accounts.

Box 2

The service was disabled to prevent further abuse and to implement security upgrades.

The authority identified 80 cases involving unauthorised changes, of which approximately 75 per cent were successful.

According to ICA, the perpetrators used stolen Singpass credentials to modify victims’ registered addresses, likely to create mule accounts for scams and cybercrimes.

Immediate action and timeline for reinstatement

Box 3

The eCOA service was suspended on the morning of 11 January. ICA aims to restore the service by 14 January, pending a review.

However, the “others” option, which allowed proxies to assist with address changes, will remain offline until robust safeguards are introduced.

How the service worked

Launched in October 2020, the eCOA service enabled Singapore residents to update residential addresses online via Singpass.

Box 4

Users could select from three options: updating their own address, updating for family members, or using a proxy.

The “others” module was designed to assist residents who were not digitally savvy, enabling trusted proxies to update their addresses.

ICA reported an average of 900 monthly transactions through this feature.

Preliminary findings

ICA Commissioner Marvin Sim revealed that investigations began in September 2024 after public complaints of unauthorised address changes.

The cases grew in number, reaching 80 by December. The perpetrators exploited the “others” module by using victims’ NRIC numbers and issue dates to initiate changes, receiving verification PINs at the fraudulent addresses to finalise the process.

Subsequently, they used the altered address to reset victims’ Singpass passwords, gaining control of their accounts for potential criminal activities.

Mr Sim clarified that there is no evidence linking this incident to a recent NRIC number exposure via the Accounting and Corporate Regulatory Authority (ACRA) portal. He also confirmed that the perpetrators are likely local, with no signs of foreign involvement.

Additional security measures

To prevent further misuse, ICA is integrating face verification technology into the Singpass login for the eCOA service. It is also considering introducing one-time passwords (OTPs) for address changes under the “others” module.

“This ensures that the individual for whom the address is being changed must first acknowledge the proxy’s action,” Mr Sim stated. He emphasised that ICA would not reinstate the “others” module without robust safeguards.

Assistance for affected individuals

In the interim, individuals requiring proxy support can visit ICA’s IC Unit for manual assistance.

ICA is reaching out to affected users to help revert fraudulent changes and issue replacement NRICs with updated issue dates.

Victims with compromised Singpass accounts will receive support from GovTech to reset their credentials.

Members of the public are urged to check their registered address via ICA’s website and report discrepancies at https://go.gov.sg/reportunauthorisedchange.



Source link

Box 5

Share post:

spot_img

Popular

More like this
Related

Ahead of Trump Presidency, the Fed Quits Global Climate Network

The Federal Reserve has withdrawn from a network...

On a Raid With Syria’s New Security Forces

new video loaded: On a Raid With Syria’s...