NewsBite

Australian vaccination certificates easy to forge

An online security firm has warned that the federal government’s digital Covid vaccination certificates will be easy to forge without better security.

A person receives a COVID-19 vaccination dose in Los Angeles, California. Picture AFP

An online security firm specialising in identity protection has warned that the federal government’s digital Covid vaccination certificates will be easy to forge without better security.

There is concern that vaccination certificates, also known as vaccination passports, which currently include a person’s name, date of birth and document number, can be easily altered and copied.

The government made digital certificates available in June and this week added the ability to store them in Apple Wallet on iPhones and Google Pay on Android devices.

Senator Rex Patrick. Picture: Roy VanDerVegt

Yesterday South Australian Senator Rex Patrick sought to demonstrate the forging of a vaccination certificate.

There is a report that the federal government’s Expenditure Review Committee has agreed to add QR codes to certificates. This would allow someone to verify the authenticity of a certificate against a government web page that includes the certificate owner’s details.

Government minister Stuart Robert yesterday wouldn’t detail the strength of the security of the vaccination certificates. A spokesman for Mr Robert said the adoption of security would be an “iterative” process.

“Since mandating the recording of Covid vaccinations on the Australian Immunisation Register, the Government has iteratively updated proof of vaccination certificates including bolstering security measures and the government will continue to iteratively update the proof of vaccination certificates.”

Stuart Robert during Question Time in the House of Representatives. Picture: NCA NewsWire / Gary Ramage

Trax Print chief technology officer Robert Ablinger said cyber criminals were capable of forging a QR code verification system if that were adopted.

He said the black market in fake vaccination certificates was already well developed and there were unvaccinated people desperately wanting them. You needed specialist technology to get around this, he said.

“We utilise this technology over in the UK, in the Netherlands and in Aruba. We’re doing this not only for vaccination certificates but also for test certificates for Covid test centres.”

He said forgers in Europe typically charged about 150 euros ($240) to forge travel certificates.

Scanning a QR code on the certificate takes authorities to a fake government verification site.

Trax Print CTO Robert Ablinger

“It takes a scammer probably an hour to build a website that looks identical to a government website, and they can actually get a name of a web page or a domain name that is very similar to what it would look like if they went there. It looks 100 per cent legitimate.”
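A checking app can refuse to follow a QR code to a look-alike site by comparing the decoded address against an exact list of trusted hosts instead of relying on how the page looks. The sketch below is an added example, not code from the government or from any firm quoted here; the host `verify.example.gov.au` and the sample URLs are hypothetical, since no real verification address has been published in this story.

```python
from urllib.parse import urlsplit

# Hypothetical verification host; the article names no real endpoint.
TRUSTED_HOSTS = {"verify.example.gov.au"}


def check_qr_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a URL decoded from a certificate QR code."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    # "trusted-name@other-host" displays the trusted name but connects elsewhere.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        return False, "no host"
    # Non-ASCII or punycode labels can render like the trusted name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalised host"
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact match only: no suffix, prefix or substring comparison.
    if host not in TRUSTED_HOSTS:
        return False, "host not on allowlist"
    return True, "ok"


# Constructed sample URLs, as a scanner might decode them from QR codes.
SAMPLES = [
    "https://verify.example.gov.au/cert?doc=TEST123",
    "HTTPS://Verify.Example.GOV.AU./cert?doc=TEST123",
    "https://verify.example.gov.au.example.net/cert?doc=TEST123",
    "https://verify-example-gov.au.example.net/cert?doc=TEST123",
    "https://verify.example.gov.au@example.net/cert?doc=TEST123",
    "https://xn--verify-abc.example.gov.au/cert?doc=TEST123",
    "http://verify.example.gov.au/cert?doc=TEST123",
]


def triage(urls):
    """Map each URL to the reason it was accepted or rejected."""
    return {u: check_qr_url(u)[1] for u in urls}


if __name__ == "__main__":
    for url, reason in triage(SAMPLES).items():
        print(f"{reason:24} {url}")
```

A host check of this kind only stops the scanner being sent to a look-alike site; it does not by itself show that the certificate details are genuine.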

Mr Ablinger said it wasn’t hard to upload a fake certificate to Apple Wallet.

Apple Wallet does let users upload their own certificates and there is online software available to build a mobile wallet, such as Pass2U Wallet and Pass4Wallet.

It is understood Google Pay only allows Covid certificates to be uploaded from authorised and verified entities. The origin, authenticity and integrity of the issuing entities are checked using digital signature verification.

A source told The Australian that in employment situations it might be better for employers to verify the vaccination status of staff by checking the document number on a government verification website.

Cassandra Cross from the QUT School of Justice said she had no doubt there would be attempts to forge Australian digital vaccination certificates.

Senator Rex Patrick's redacted forged COVID certificate.

“Offenders are highly motivated, they’re tech savvy and they’re always looking for opportunities; COVID-19 globally has really opened up opportunities for offenders to target some of those schemes in new areas.

“We saw that with Covid last year … around different Covid related schemes around phishing,” Associate Professor Cross said. “Now there has been this discussion around the potential for vaccine certificates and vaccine passports and that (is) not an unsurprising opportunity for offenders to target their efforts into.

“There is a critical need for governments and organisations to take the time to think through some of the security implications of this.”

Senator Patrick said he was concerned vaccination certificates wouldn’t be secure even with QR codes. “Nothing is forge proof, 100 per cent, but that’s a matter for assessment by competent people.”

He expected anti-vaxxers to be a big market for forged certificates. “They’ll likely want to do something in circumstances where the stimulus is connected to health responses and measures.

“Once we get to a point as in Europe where you have to show a valid ticket or, or a vaccine certificate or a negative Covid test, when people’s freedom is effectively being restricted or the choices will have been restricted, then the certificate has new value.”


Original URL: https://www.theaustralian.com.au/business/technology/vaccination-certificates-easy-to-forge/news-story/5350bd4d74a395974a2dc4b363c7a848