The Immigration and Checkpoints Authority (ICA) on Saturday, 11 January 2025, announced the suspension of its electronic change of address (eCOA) service following unauthorised attempts to modify residential addresses using compromised Singpass accounts.
The service was disabled to prevent further abuse and to implement security upgrades.
The authority identified 80 cases involving unauthorised changes, of which approximately 75 per cent were successful.
According to ICA, the perpetrators used stolen Singpass credentials to modify victims’ registered addresses, likely to create mule accounts for scams and cybercrimes.
Immediate action and timeline for reinstatement
The eCOA service was suspended on the morning of 11 January. ICA aims to restore the service by 14 January, pending a review.
However, the “others” option, which allowed proxies to assist with address changes, will remain offline until robust safeguards are introduced.
How the service worked
Launched in October 2020, the eCOA service enabled Singapore residents to update residential addresses online via Singpass.
Users could select from three options: updating their own address, updating for family members, or using a proxy.
The “others” module was designed to assist residents who were not digitally savvy, enabling trusted proxies to update their addresses.
ICA reported an average of 900 monthly transactions through this feature.
Preliminary findings
ICA Commissioner Marvin Sim revealed that investigations began in September 2024 after public complaints of unauthorised address changes.
The cases grew in number, reaching 80 by December. The perpetrators exploited the “others” module by using victims’ NRIC numbers and issue dates to initiate changes, receiving verification PINs at the fraudulent addresses to finalise the process.
Subsequently, they used the altered address to reset victims’ Singpass passwords, gaining control of their accounts for potential criminal activities.
Mr Sim clarified that there is no evidence linking this incident to a recent NRIC number exposure via the Accounting and Corporate Regulatory Authority (ACRA) portal. He also confirmed that the perpetrators are likely local, with no signs of foreign involvement.
Additional security measures
To prevent further misuse, ICA is integrating face verification technology into the Singpass login for the eCOA service. It is also considering introducing one-time passwords (OTPs) for address changes under the “others” module.
“This ensures that the individual for whom the address is being changed must first acknowledge the proxy’s action,” Mr Sim stated. He emphasised that ICA would not reinstate the “others” module without robust safeguards.
Assistance for affected individuals
In the interim, individuals requiring proxy support can visit ICA’s IC Unit for manual assistance.
ICA is reaching out to affected users to help revert fraudulent changes and issue replacement NRICs with updated issue dates.
Victims with compromised Singpass accounts will receive support from GovTech to reset their credentials.
Members of the public are urged to check their registered address via ICA’s website and report discrepancies at https://go.gov.sg/reportunauthorisedchange.