Checks after ICA e-service scam show no other govt services can be done with only IC number, date of issue

Scammers had used compromised Singpass accounts to circumvent several security safeguards in the ICA’s change of address system.


Source: The Straits Times


No government e-services can be carried out using just a person’s NRIC number and its date of issue, the Ministry of Digital Development and Information (MDDI) said on Feb 4.

These checks were made following the Immigration and Checkpoints Authority’s (ICA) disclosure in January that fraudsters had altered victims’ addresses through its e-service. The fraudulent transactions were made through compromised Singpass accounts using just the victim’s NRIC number and its date of issue.

MDDI was responding to questions raised by MPs, including Nominated MP Mark Lee, who asked what lessons the Government had drawn about vulnerabilities in digital public services.

Others like Mr Yip Hon Weng (Yio Chu Kang) and Dr Tan Wu Meng (Jurong GRC) asked what measures are being implemented to prevent future unauthorised access to Singpass and whether the security of all online government services will be checked.

In a written parliamentary reply, Digital Development and Information Minister Josephine Teo said that government agencies have conducted checks on the potential impact on online services.

“So far, there have been no transactional services identified that can be completed in the same manner as unauthorised (electronic change of address) transactions using only the NRIC number and date of issue of the NRIC,” she said.

Government agencies are required to conduct regular risk assessments of their tech systems, including risks arising from systems managed by other agencies. Vulnerabilities must be promptly dealt with, she added.

As for Singpass, which was also targeted by fraudsters during the incident, the Government Technology Agency (GovTech) is working to improve its security through testing and better fraud analytics, she said.

She was responding to Ms Hany Soh (Marsiling-Yew Tee GRC), who asked how GovTech supports ICA in the roll-out of additional security measures.

Mrs Teo said ICA has since introduced facial verification scanning when individuals use their Singpass accounts for higher-risk transactions such as logging in to the “Myself” module to change their home address.

Scammers had used compromised Singpass accounts to circumvent several security safeguards in ICA’s change of address system, the authority announced on Jan 11.

Launched in 2020, the ICA service is intended to allow people to conveniently change their address online by providing their NRIC number and its date of issue. Residents are required by law to update their address, such as when moving to a new home.

Those who are not tech-savvy can appoint someone to help them change their address. The person helping must log in to his own Singpass account and provide the NRIC details of the person whose address is being changed. ICA will then send a PIN, or personal identification number, to the new address.

Scammers used hacked Singpass accounts and leaked NRIC details to log in to ICA’s platform to successfully change the addresses of 71 victims, according to the latest figures heard in Parliament on Feb 4.

The PINs were mailed to the false addresses, allowing fraudsters to change the victims’ addresses on the ICA site. The Singpass passwords of victims could also be reset this way by requesting a new one to be sent to the false address.

It is believed the fraudsters used the compromised accounts and letterboxes of victims to generate more mule accounts to use for crimes, ICA said.

The electronic change of address function on the ICA platform continues to be suspended while security improvements are being made, Minister of State for Home Affairs Sun Xueling said in Parliament on Feb 4.

She said the authorities are checking on whether the distribution of government benefits, like CDC vouchers, was impacted.

Since investigations began in September 2024, 13 people have been arrested over the incident. Four men have been charged with offences under the Computer Misuse Act.

First-time offenders found guilty of unauthorised disclosure of access codes under the Act can be jailed for up to three years, fined up to $10,000, or both.
