Initial Results
Marvin Sim, the ICA’s commissioner, reported that the agency began inquiries in September of last year after receiving reports from residents who had unapproved changes to their home addresses.
” First, there were only a few cases that appeared related, but more cases surfaced recently”, the authority said, adding that the number of scenarios grew to 80 to date.
By December of last year, ICA’s investigations revealed that the culprits had used stolen or hacked Singpass addresses to change the victims ‘ residential names through the “others” component of the e-service.
According to ICA, they may have previously had the NRIC amount and date of issue of the patients ‘ NRICs to type these facts into the eCOA service.
The perpetrator may obtain the mailer to confirm the change of address, and the COA service had then send a verification PIN to the authorized resident address.
When a murderer’s listed domestic target changed, the victim’s Singpass account was created by requesting that the perpetrator’s Singpass company send a new PIN to the listed home address.
Speaking at a press conference held at the ICA Building, Mr Sim said the offenders were “likely to be visitors” and there were” no signs” that foreign players were involved.
Additionally, there were no established statistical trends for the patients involved.
Mr. Sim noted that police inquiries are continuous, and that he did not provide any additional information about the offenders.
” Once authorities have completed the research, we may come down hard on the culprits”, he said.
In response to questions from reporters, Mr. Sim added that there was” no indication” that the incident was related to the recent exposure of NRIC numbers via the new Accounting and Corporate Regulatory Authority (ACRA ) portal, which was launched on December 9.
” For the ACRA portal, the date of issue is not known… because for the perpetrators to change ( the residential addresses ), they need both the NRIC and the date of issue ( of the NRIC )”, he said.
ICA stressed that this was” not an issue about ( a ) system glitch”.
According to Mr. Sim,” We designed the digital service since 2020 to provide convenience to members of ( the ) public,” but in recent months, we have discovered a new tactic of people using the eCOA to defraud another person’s address and, as a result, take control of their Singpass for other criminal activities.
” This is why we decided to act quickly”.
ADDITIONAL SECURITY MEASURES
In addition to the extra security measures that will be implemented, according to ICA, include integrating experience identification technology into the Singpass password for the online service.
The chance that a perpetrator may get the support to change a victim’s address will be reduced, the statement stated.
Additionally, it is considering whether to implement an OTP option before domestic addresses can be changed using the “others” choice.
In response to a question from CNA, Mr. Sim said,” This means that the person ( for ) whom the address is being changed must first acknowledge that he or she has asked the proxy to change the address.”
These are a few of the choices we are considering. The guarantee I want to give is that we won’t reintroduce the “others” module unless we are really certain that we will be able to put in place more complete safeguards, he continued.
ICA stated that from Monday through Friday, those who need substitute support may contact the Circuit System on Level 3 of the ICA Building for support between 8am and 4.30pm.
Additionally, it is contacting all known affected individuals to get their NRICs back, which will have the same NRIC figures but distinct issue dates, as well as assist them revert to their real addresses.  ,
ICA said it will function with GovTech to restore the records for those whose Singpass accounts may have been compromised.
It also advised members of the public to check their registered address on ICA’s website and report any inaccuracies immediately via https ://go.gov.sg/reportunauthorisedchange.