Anyone who has already been vaccinated against Covid can, for example, have a digital vaccination certificate issued at the pharmacy.

An investigation into the digital vaccination certificate has found serious failings in how its security was implemented. Anyone who wants to can create vaccination certificates without having received a vaccination.

Data is not checked

The Corona warning app does not check the signatures of digital vaccination certificates, so anyone can create proof that looks real at first glance. But there are even bigger conceptual problems: relevant data from the yellow vaccination certificate, for example the batch number of the vaccine, is neither checked during creation nor included in the digital vaccination certificate. This makes a later check impossible. The access that pharmacies use to create vaccination certificates is also insecure, and once issued, vaccination certificates cannot be revoked in the event of misuse. It is not the technical fundamentals that are lacking, but the implementation.

“The impression is that the introduction of the digital vaccination certificate was primarily a quick fix. Being able to present a quick solution before the start of the holiday season was obviously more important than a secure solution from the start,” says Thomas Siebert, Head of Protection Technologies at G DATA CyberDefense.

Pharmacies, doctor's offices and vaccination centers create vaccination certificates using a website. Access to this portal is secured only with a user name and password; there is no multi-factor authentication. Malicious programs that specialize in stealing login credentials have been part of cybercriminals' standard repertoire for years. Fraudsters who, for example, misappropriate a pharmacy's login details can theoretically use the portal to create vaccination certificates at will.

Corona warning app

Proof of vaccination can also be integrated into the Robert Koch Institute's Corona Warning App (CWA) so that it can be shown via smartphone. However, the application does not check whether the electronic signature of the scanned proof is valid. With a few lines of program code, it is possible to create a QR code with a made-up vaccination certificate that the Corona Warning App readily accepts and that withstands visual inspection. Actual verification of proof of vaccination is only possible with the CovCheck app.


Source: press release / G Data