Cyber criminals threatening to derail global vaccine certification efforts

Cyber criminals threatening to derail global vaccine certification efforts

Vaccine passports are now being considered as the most practical way to re-open borders. However, there is a fast-growing dangerous trend of fake certificates and medical records being sold and produced to whoever wishes to pay for them. Can technology offer a solution? iTNews Asia uncovers.

By on

While the global roll-out of COVID-19 vaccinations underway, are we poised to see business travel and events return?

Kickstarting this return to normalcy, the European commission last month proposed a vaccination certificate to be used as the as ‘door opener’ across countries and travellers.

Israel, with 40% of its population vaccinated, is leading the way with a digital Green Pass.

The pass is available as a paper certificate or in a smartphone app, which links users to their personal health ministry data.

In Asia, China has launched an international health travel certificate and Singapore and Malaysia governments also agreed to work towards recognising both countries vaccine certificates.

The Thailand government over the weekend said proof of vaccine certification will be necessary for travellers going overseas starting June. The plan is to provide recipients of both the first and second vaccine dose with a physical along with a digital vaccination certificate.

Countries in ASEAN are already weighing the introduction of a common digital vaccine certificate that can ease travel restrictions among their citizens.

‘Travel bubbles’ between states were mooted as one way to enable quarantine-free travel between countries, but have failed to take off to date. As more people get vaccinated, certification agreements, seem to be the better and clearer option, and are likely to be replicated between countries globally to facilitate cross-border travel, with vaccine passports becoming required for international flights.

Cyber criminals now seizing a chance to profit

The research division of cyber security firm Check Point have spotted a trend where hackers have begun to offer fake vaccination certificates impersonating official entities on the Dark Net.

Advertisements selling alleged coronavirus vaccines have spiked 300% in the last three months and expanded to include brands like Johnson & Johnson, AstraZeneca, Sputnik, SinoPharm brands for as low as $500. The number of sellers is now over 1,200 with many based in the U.S. and European countries including Spain, Germany, France and Russia.

Various threat actors and hackers have quickly realised the potential market for fake documents, and have been quick to grab the monetisation opportunity. Fake government vaccination certificates are going for US$200 a pop - user simply send their details and money, and the seller emails back fake documents, all in less than 30 minutes.

A fake Russian vaccination certificate selling for US$150. Get it in 30 minutes.

The Dark Net now sells services on all types of certificates, with examples of these custom-made documents that appear authentic and genuine.

Citing the urgency of the problem, the World Health Organisation (WHO) last week said counterfeit and stolen COVID-19 vaccines sold on the dark web “pose a serious risk to global public health and place an additional burden on vulnerable populations and health systems.”

Can technology help fix the fraud problem?

There needs to be global co-ordination. If a digital certificate is to be accepted by different governments, they will likely need access to a country's records of vaccinations and a secure method of linking the health record to the traveller. 

Countries must be able to share the digitally signed data to enable certificate holders to safety roam and cross borders. These certificates must also comply to standards set by organisations such as the WHO.

Photo courtesy of Trybe
Singapore is developing a health certificate using blockchain

Singapore is one of the first in the region to mandate that clinics and testing labs produce digital health certificates. Innoquest, a testing lab, and Trybe, a government approved vendor, is co-developing the certificate using blockchain technology.

In this process, a notarised digital health cert containing a QR code will be sent via email to users. The digital health certificate is verified by laboratory, doctor, and patient, and scanned at the customs or airport pre-departure.

How do we stop fake documents?

Evan Dumas, Regional Director, Southeast Asia at Check Point Software Technologies, said officers should watch for authenticity indicators on documents such as misspellings, errors, low quality logos, and errors in terminology (e.g. ‘corona disease’ or ‘the COVID epidemic’).

Airports, border keepers and any official enforcement agent should have the ability to scan a QR or bar code on the certificate. The code should link to a secured repository that can validate the authenticity of the paper and whether the name on it did get the vaccine or was actually tested for COVID and got a (negative) result.

- Evan Durmas, Regional Director, Southeast Asia at Check Point

Every country should internally manage a central repository of tests and vaccinated people, which can then be securely shared between relevant authorised bodies, he added.

All data of tests and vaccination population should be digitally signed with encrypted keys. This is because in digital signatures, the code is highly exploitable.

“Airports, border keepers and any official enforcement agent should have the ability to scan a QR or bar code on the certificate. The code should link to a secured repository that can validate the authenticity of the paper and whether the name on it did get the vaccine or was actually tested for COVID and got a (negative) result,” said Dumas.

Look out for authenticity indicators in fake medical records.

Will a digital app verification ensure that I am safe to travel?

Returning to a world where international travel and even air-travel is once again commonplace is something we all want, but it requires far more than an app to be solved, cautioned Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group.

He said that while a number of businesses have been founded to provide mobile apps that attest to the COVID-19 state of the bearer, the security implications of those mobile apps are similar to any healthcare app – any medical data on a person is of prime value to an attacker.

“The nature of the pandemic makes even that data rather valuable. For example, if there were a bug in the app or underlying service that caused it to display to someone that a vaccination protocol hadn’t been completed when it had, then such an error could result in the traveller being denied entry or worse.”

Significant coordination between international entities is required to ensure that the data recorded by the app is correct and complete, advised Mackey.

“Once in the app, the data needs to be verifiably secure and stored in a tamper evident form that itself can’t be modified. Building confidence around this process requires some of the transparency seen within open source software development where skilled practitioners are able to review the implementation and configuration of the proposed solution.

“Mis-steps along this path could easily tarnish the reputation of digital health passports and form a setback to the return to a pre-COVID-19 travel experience.”

Technology is far from fool proof, and when it comes to the security of critical data, serious security reviews are obligatory, said Mackey.

Looking at the challenges facing the industry, he said: “We need only look back at the challenges faced with contact tracing applications to recognise that a technologically acceptable solution might not address privacy concerns.

“That’s in part because there is no single solution to any problem, and often new technologies like ‘blockchain’ or complex technologies like ‘encryption’ are applied without understanding how they might function under adverse conditions like those found during a cyber security attack."

To reach the editorial team on your feedback, story ideas and pitches, contact them here.
© iTnews Asia

Most Read Articles