SINGAPORE: Three men were charged in court on Jan 17 over their alleged links to a case in which the home addresses of multiple people were changed online without their knowledge.

Koh Hong Yan, 26, Ng Wei Chang, 30, and Yuen Mun Fei, 38, are each accused of one count of misusing a computer system.

On or around Oct 1, 2024, Ng allegedly abetted the disclosure of a six-digit personal identification number (PIN) to gain access to data held in the Immigration and Checkpoints Authority’s (ICA) e-services.

He is said to have done it so that the National Registration Identity Card-registered addresses of unknown people could be unlawfully changed.

In November 2024, Yuen allegedly transmitted Koh’s credentials linked to the national digital identity service – the user ID and one-time passwords.

According to court documents, Koh is said to have disclosed information such as the one-time password for his own Singpass account to Yuen without authority on Dec 16, 2024.

This was purportedly done to gain access to the Singpass computer system, allowing unknown people to gain access into the ICA e-services to change the NRIC-registered addresses of multiple people.

The cases involving the three Singaporean men will be mentioned again in court on Jan 24.

The Straits Times had earlier reported that 69 people had their home addresses changed online after scammers obtained their NRIC and Singpass details.

The scammers had used compromised Singpass accounts to circumvent several security safeguards in the ICA’s change of address system.

It was also earlier reported that seven people had been arrested for allegedly using the ICA e-service to illegally change other people’s registered home addresses.

In a statement on Jan 14, the police said the six men and a woman, aged between 19 and 32, are purportedly responsible for at least 30 of the cases of unauthorised attempts first announced by ICA on Jan 11.

ICA then temporarily suspended the change of address function on its website to implement additional security measures to prevent further abuse.

On Jan 14, ICA said that it had resumed the service after implementing additional security measures.

Those seeking to change their own residential addresses can continue to do so for themselves via the “Myself” module. The “Others” module to change addresses via proxy remains suspended.

Before the suspension, an average of 900 Singapore residents changed their residential address through proxies every month, ICA said.

On Jan 11, ICA said it started investigating such cases in September 2024 after it received several unconnected reports of unauthorised change of address.

All NRIC holders are required to report a change of address within 28 days of moving into a new residence, whether it is located in or outside Singapore.

Anyone who reports a false residential address can be fined up to S$3,000 (US$2195), jailed for two years, or both. It is also an offence if a person does not affix the new address sticker on the NRIC.

Those who are not tech-savvy or unable to submit an application through the online service can appoint a proxy, such as a friend or family member who is a Singpass holder, to submit it on their behalf through the “Others” module on the e-service.

That person must provide the applicant’s NRIC number and its date of issue to access the e-service.

To complete the process, the proxy must also obtain and enter the PIN mailed to the applicant’s new address.

Three months after starting its investigations into the reports of unauthorised change of address, ICA realised how they happened.

The perpetrators used stolen or compromised Singpass accounts to change the residential address of the victim as a proxy through the “Others” module of the e-service.

To do so, the scammers would have previously acquired both the victim’s NRIC number and its date of issue, to input these details into the e-service.

A verification PIN mailer would then be sent to the registered address specified by the scammers.

But the criminals can then use this method to reset the victims’ Singpass passwords.

For example, if someone forgets his Singpass password, he will request a new one to be sent to his home address.

So now, the criminals can pretend to be the victim and ask for a new password to be sent to the new address they listed.

Once the password has been sent, the criminals can access the victim’s Singpass account.

Said ICA: “It is likely that the perpetrators are using stolen or compromised Singpass accounts and letter boxes of third parties to generate more mule accounts to use for scams and other cybercrimes.”

There is no indication that the incidents are connected to the disclosure of NRIC numbers via the Accounting and Corporate Regulatory Authority’s new Bizfile portal. - The Straits Times/ANN