SINGAPORE - The home addresses of about 80 people were changed online without their knowledge, after scammers had obtained their NRIC and Singpass details.
Scammers had used compromised Singpass accounts to circumvent several security safeguards in the Immigration and Checkpoints Authority's (ICA) change-of-address system.
Initially, only several cases were reported in 2024.
But they've increased recently, and it appears this is one method for crime syndicates to gain access to and control the victims' Singpass accounts.
On Saturday (Jan 11), ICA said it started investigating cases of unauthorised changes of residential addresses in September 2024.
All NRIC holders are required to report a change of address within 28 days of moving into a new residence, whether it is located in or outside Singapore.
Anyone who reports a false residential address can be fined up to $3,000, jailed for two years, or both. It is also an offence if a user does not fix the new address sticker to the NRIC.
To make it convenient for the public to update the authorities on their new address, ICA had in 2020 introduced a feature on their website to allow them to do it online, without needing to go to the police station.
They can access the e-service using Singpass.
To verify the new address, applicants input a unique PIN sent by mail to their new address. Once confirmed, an instant acknowledgement will be sent to indicate the change of address is successful.
Those who are not tech-savvy or unable to submit applications through the online service can appoint proxies, like a friend or family member who are Singpass holders, to submit the applications on their behalf through the 'Others' module on the e-service.
That person must provide the applicant's NRIC number and its date of issue to access the e-service.
To complete the process, the proxy must also obtain and enter the PIN mailed to the applicant's new address.
But in September 2024, several unconnected cases of unauthorised change of address were reported to ICA.
And more cases recently surfaced.
By December, ICA realised how the unauthorised changes were done.
ICA said it so far found about 80 unauthorised attempts, 75 per cent of which were successful in changing the addresses.
It said this is believed to have occurred after the perpetrators used stolen or compromised Singpass accounts to change the residential address of the victims through the "Others" module of the e-service.
To do this, the scammers would have previously acquired both the victim's NRIC number and its date of issue, to input these details into the e-service.
A verification PIN mailer would then be sent to the registered address sent by the scammers.
But the criminals can then use this method to reset the victims' Singpass passwords. For example, if someone forgets his Singpass password, he'll request for a new one to be sent to his home address. So now, the criminals could pretend to be the victim and ask for a new password to be sent to the new address they listed.Once the password has been sent, the criminals can access the victim's Singpass account.
Said ICA: "It is likely that the perpetrators are using stolen or compromised Singpass accounts and letter boxes of third parties to generate more mule accounts to use for scams and other cybercrimes."
ICA has temporarily removed the change of address function from its website to implement additional security measures to prevent further abuse.
It will also conduct a review in the next two days and will likely resume the service on Jan 14, it said.
The authorities are looking to implement additional measures, such as integrating face verification technology into the Singpass log-in for the e-Change of Address service.
ICA said this will minimise the risk that a perpetrator can use the stolen Singpass account of a third party to access the service to change a victim's address.
Those who require proxy assistance can approach the IC Unit at the ICA Building for assistance.
It reminded the public to check that their registered address has not been changed without their knowledge.
This article was first published in The Straits Times. Permission required for reproduction.
