Guest post: Vaccine Passport App Vulnerabilities: an Overview


Due to high demand, digital vaccine passports are being rushed out worldwide. However, they often have serious data security and validity issues. Let’s see what some of these vulnerabilities are and how ID readers can help in spotting criminals exploiting vaccine passport apps with fake COVID certificates.

As countries are reopening their borders, there is a justifiable demand for digital versions of our vaccine passports. And states are answering that demand as fast as they can. But because these apps were rushed out, many of them come with severe vulnerabilities.

In this article, we collected the most notorious cases. We also propose a viable option for spotting convincing but forged analog and digital vaccine passports.

Why Is Vaccine Passport Vulnerability a Risk?

We all know that there is no such thing as a perfect mobile application. In many cases, a bug is nothing more than a nuisance. However, vulnerabilities become a priority concern for apps that store sensitive data, such as the vaccine passport.

New York Times correspondent Ceylan Yeğinsu writes that the main problem is that a passport is a government-issued document for certifying personal data. So “many people fear […] handing over personal and sensitive health information that data controllers can easily abuse.” And unlike medical facilities where laws strictly regulate how such information must be handled, businesses outside the health industry can do whatever they want with our health data.

Panda Security, a manufacturer of antivirus solutions, conducted non-representative research regarding vaccine passports. It turned out that 56% of the people surveyed worry about the security of their data. Unfortunately, they have every reason to fear falling victim to data theft. In the early stages of the COVID-19 pandemic, four U.S. states suffered from cyberattacks targeting unemployment benefits applicants.

The results of Panda Security's study, showing that 56% of people have concerns about their data's safety (courtesy of Panda Security)

As such, digital COVID certificates should be bulletproof from the get-go. However, these apps had to be developed rapidly to lift travel and social restrictions as soon as possible. This resulted in flaws of varying degrees of concern.

Examples of Known Digital Vaccine Passport Vulnerabilities

NYC Safe: One Photo to Fool Them All

It’s hard to tell from a printed vaccine passport whether it’s fake or not, let alone from a photo of the document. This was the case with New York’s NYC Safe application. Heavily criticized for being nothing more than photo storage for paper-based COVID passports, the application allowed individuals to upload any document, legitimate or forged. The weakness of the system became all too evident when it accepted a portrait of Mickey Mouse as proof of vaccination.

NYC Excelsior Pass Wallet: Fake Credentials

The infamous case of this U.S. digital vaccine passport for the citizens of New York State highlighted another type of risk. As discovered by the NCC Group, the NYC Excelsior Pass Wallet application allowed individuals to create and store fake vaccine credentials by simply scanning a phony document. Users could easily exploit the fact that the COVID certificate wasn’t appropriately verified.

Australia’s Express Plus Medicare: Replicating the Animated Validator

Ten minutes. This is all it took for Richard Nelson, a software engineer in Sydney, to expose the vulnerability of Australia’s Express Plus Medicare COVID-19 application. He also proved why QR codes are a must for vaccine passports. The main issue with the Australian COVID certificate is that aside from basic data, it features a supposedly unique animation to demonstrate the passport’s validity. Nelson could easily replicate this animation, allowing him to create as many fake digital vaccine passports as he liked.

A Set of Vaccine Passports Showing Their Respective Status Screen

Québec’s VaxiCode Verif: Forged Digital Signatures

Like many COVID certificate apps used worldwide, the digital vaccine passport issued by Québec, Canada, uses QR codes containing the necessary vaccination data combined with digital signatures. The digital signature features asymmetric cryptography, using two keys: the issuer signs with a private key, and the validator checks the signature with the corresponding public key. Theoretically, this guarantees that the validator app doesn’t identify fake credentials as legit.

A cybersecurity expert still managed to fool VaxiCode Verif relatively easily. He generated a key pair and made the public key available on a website. Then he created two QR codes: one carried his public key, the other was a plain fake COVID certificate signed with his private key. He first presented the QR code carrying the public key to the app. It correctly rejected it as a valid COVID certificate but, at the same time, fetched and stored the public key. After that, the app verified the fake digital vaccine passport as being valid.

We should add that the app’s developers reacted quickly. Soon after the incident, they released a new version that eliminated the problem.
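The root cause above is not a broken signature algorithm but a broken trust decision: the validator let the presented QR code decide which public key it would trust. The following Go program is an added illustration written for this article; it is not VaxiCode Verif's code and not the real credential format. It puts a weak verifier, which falls back to key material that arrives with the credential, beside a strict one that accepts only issuer keys pinned in advance. The incident fetched the key from a website; the example models that by a key embedded in the credential. Key IDs, payloads and the Credential structure are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential is a constructed stand-in for the data carried in a vaccine
// passport QR code. It is not the VaxiCode or EU DCC wire format.
type Credential struct {
	KeyID       string            // identifier of the issuer key (assumed field)
	EmbeddedKey ed25519.PublicKey // key material delivered with the credential
	Payload     []byte            // the vaccination record that was signed
	Signature   []byte            // Ed25519 signature over Payload
}

// Verifier holds the public keys of trusted issuers, pinned out of band.
type Verifier struct {
	trusted map[string]ed25519.PublicKey
}

func NewVerifier() *Verifier {
	return &Verifier{trusted: make(map[string]ed25519.PublicKey)}
}

// Pin registers an issuer key obtained from a trusted source, e.g. shipped
// with the app or fetched from the issuer's own authenticated endpoint.
func (v *Verifier) Pin(keyID string, pub ed25519.PublicKey) {
	v.trusted[keyID] = pub
}

// VerifyWeak models the flaw: when the issuer key is unknown, it falls back to
// key material that arrived with the credential. Whoever made the QR code
// chose that key, so a correct signature proves nothing about the issuer.
func (v *Verifier) VerifyWeak(c Credential) bool {
	pub, ok := v.trusted[c.KeyID]
	if !ok {
		if len(c.EmbeddedKey) != ed25519.PublicKeySize {
			return false
		}
		pub = c.EmbeddedKey
	}
	return ed25519.Verify(pub, c.Payload, c.Signature)
}

// VerifyStrict accepts only signatures made with a pinned issuer key; an
// unknown KeyID is an error, never a reason to go looking for a key.
func (v *Verifier) VerifyStrict(c Credential) (bool, error) {
	pub, ok := v.trusted[c.KeyID]
	if !ok {
		return false, errors.New("unknown issuer key id: " + c.KeyID)
	}
	return ed25519.Verify(pub, c.Payload, c.Signature), nil
}

// RunScenario replays the incident with freshly generated keys and returns
// what each verifier decided about the attacker's credential and about a
// genuine one.
func RunScenario() (weakAcceptsFake, strictAcceptsFake, strictAcceptsGenuine bool) {
	issuerPub, issuerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	v := NewVerifier()
	v.Pin("issuer-example-1", issuerPub) // constructed key id

	genuine := Credential{KeyID: "issuer-example-1", Payload: []byte(`{"name":"A. Example","doses":2}`)}
	genuine.Signature = ed25519.Sign(issuerPriv, genuine.Payload)

	// The forged credential is signed with the attacker's own key and carries
	// the matching public key; the app in the incident fetched that key from
	// a website instead, which is the same trust mistake.
	fake := Credential{KeyID: "attacker-key", EmbeddedKey: attackerPub, Payload: []byte(`{"name":"M. Example","doses":2}`)}
	fake.Signature = ed25519.Sign(attackerPriv, fake.Payload)

	weakAcceptsFake = v.VerifyWeak(fake)
	strictAcceptsFake, _ = v.VerifyStrict(fake)
	strictAcceptsGenuine, _ = v.VerifyStrict(genuine)
	return
}

func main() {
	weak, strict, genuine := RunScenario()
	fmt.Printf("weak verifier accepts forged credential:    %v\n", weak)
	fmt.Printf("strict verifier accepts forged credential:  %v\n", strict)
	fmt.Printf("strict verifier accepts genuine credential: %v\n", genuine)
}
```

The design point is the one the fix for VaxiCode Verif had to make: the set of acceptable signing keys must be fixed by the verifier's own configuration or by an authenticated issuer channel, never extended by anything the person being checked hands over.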

EU Digital COVID Certificate: Vaccinating the Dead

When it comes to the European vaccine passport, called the EU digital COVID certificate, experts, especially those overseas, usually praise it for implementing the strict privacy rules of the GDPR. In fact, allowing member states of the EU to develop their own versions of the COVID certificate was a risk, which eventually paid off. That doesn’t mean there were no flaws, however.

Tim Berghoff of GData, a German computer security company, pointed out many issues with the EU certificate’s German version. We’ll highlight two:

  1. In the case of paper-based COVID certificates issued by a pharmacy or a doctor’s office, the accuracy of the data transferred into the app wasn’t verified against the original document. Cybersecurity experts managed to validate an EU vaccine passport even though it showed the same date for the test subject’s first and second vaccination.
  2. Berghoff and his team could create a vaccine passport for Robert Koch, a German microbiologist from the 19th century. The EU COVID certificate had no problem validating the vaccination of a long-gone person.
Example of a Vaccine Passport
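Both German findings are failures of content plausibility rather than of cryptography: a correctly signed record still said something impossible. The Go program below is an added example, not from the original article and not from any national app, of the consistency checks that would have flagged both cases: dose dates must be in order and separated by a minimum interval, and the date of birth must make the holder plausibly alive. The record layout, the 120-year age ceiling and the 14-day dose interval are assumptions made for the example; the three records are constructed inputs.

```go
package main

import (
	"fmt"
	"time"
)

// Dose is one vaccination entry on a certificate.
type Dose struct {
	Date    time.Time
	Product string
}

// Certificate is a constructed, simplified record; it is not the EU DCC schema.
type Certificate struct {
	Name        string
	DateOfBirth time.Time
	Doses       []Dose
}

// Policy thresholds. Both are assumptions for this example; a real verifier
// would take them from the issuing authority's rules.
const (
	maxPlausibleAge = 120 // years
	minDoseInterval = 14 * 24 * time.Hour
)

func date(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

// CheckPlausibility returns one reason per rule the certificate violates.
// An empty result means the record is internally consistent; it says nothing
// about whether the signature or the issuer are genuine.
func CheckPlausibility(c Certificate, now time.Time) []string {
	var reasons []string
	if c.Name == "" {
		reasons = append(reasons, "holder name is empty")
	}
	if c.DateOfBirth.After(now) {
		reasons = append(reasons, "date of birth is in the future")
	} else if c.DateOfBirth.AddDate(maxPlausibleAge, 0, 0).Before(now) {
		reasons = append(reasons, fmt.Sprintf("holder would be over %d years old", maxPlausibleAge))
	}
	for i, d := range c.Doses {
		switch {
		case d.Date.Before(c.DateOfBirth):
			reasons = append(reasons, fmt.Sprintf("dose %d precedes date of birth", i+1))
		case d.Date.After(now):
			reasons = append(reasons, fmt.Sprintf("dose %d is in the future", i+1))
		}
		if i == 0 {
			continue
		}
		prev := c.Doses[i-1].Date
		switch {
		case !d.Date.After(prev):
			reasons = append(reasons, fmt.Sprintf("dose %d is not after dose %d", i+1, i))
		case d.Date.Sub(prev) < minDoseInterval:
			reasons = append(reasons, fmt.Sprintf("dose %d follows dose %d by less than %d days",
				i+1, i, int(minDoseInterval.Hours()/24)))
		}
	}
	return reasons
}

// Examples runs the checks on a consistent record and on records mirroring
// the two German findings (same date for both doses; a 19th-century holder).
func Examples() map[string][]string {
	now := date(2021, time.September, 1) // constructed check time
	consistent := Certificate{Name: "A. Example", DateOfBirth: date(1985, time.April, 2),
		Doses: []Dose{{date(2021, time.March, 1), "product-A"}, {date(2021, time.April, 5), "product-A"}}}
	sameDay := Certificate{Name: "B. Example", DateOfBirth: date(1990, time.June, 15),
		Doses: []Dose{{date(2021, time.March, 1), "product-A"}, {date(2021, time.March, 1), "product-A"}}}
	// Robert Koch was born in 1843; a holder with that birth date cannot be alive in 2021.
	koch := Certificate{Name: "Robert Koch", DateOfBirth: date(1843, time.December, 11),
		Doses: []Dose{{date(2021, time.May, 3), "product-A"}, {date(2021, time.June, 14), "product-A"}}}
	return map[string][]string{
		"consistent": CheckPlausibility(consistent, now),
		"same-day":   CheckPlausibility(sameDay, now),
		"koch":       CheckPlausibility(koch, now),
	}
}

func main() {
	for name, reasons := range Examples() {
		fmt.Printf("%-10s -> %d issue(s) %v\n", name, len(reasons), reasons)
	}
}
```

These rules belong on the issuing side (before a record is signed) as well as on the verifying side; the German cases show what happens when a signer accepts whatever a pharmacy or practice types in without any such check.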

Are Paper-Based Vaccine Passports the Answer?

Not quite. Granted, it seems like a logical step to forget digital vaccine passports and carry paper vaccination certificates in our pockets instead.

Like their digital counterparts, paper-based certificates were also rushed out. This led to analog vaccine passports being easily forgeable. In the U.S., the Centers for Disease Control and Prevention (CDC) issued a certificate with data written in ink. It isn’t surprising that scammers took their chance and flooded the black market with fake vaccine passports.

Consequently, these fake certificates could quickly end up in COVID apps with minimal or no authenticity validation features. This allows unvaccinated people to enter places that require individuals to be vaccinated.

Verifying Vaccination Status

Application bugs and issues will always be discovered and eliminated sooner or later. This is what happened in the case of the apps of Québec and the State of New York. Furthermore, virtual COVID certificates – at least those implementing digital signatures – are still more resistant to forgery than their paper-based counterparts. In any case, those who trust analog vaccine passports more should make sure they store them in a secure location.


If you are part of a business and have to verify the validity of digital vaccine certificates, there are two things you should consider. First, check and double-check the document in front of you. Although some national and international vaccine passports do not feature advanced security solutions like digital signatures, they are in the minority. The number of states requiring vaccine passports is rising. Many of them are likely not to accept vulnerable certificates as valid travel documents.

One way to verify that an individual isn’t presenting a fake COVID certificate is by cross-checking it with another ID document. An advanced automated ID reader like Osmond can verify a travel passport’s authenticity while also obtaining virtually all data from travel passports via optical character recognition technology, including the traveler’s name, country of origin, and many more.
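One integrity check an ID reader can apply to the data it has just OCR'd goes a step beyond the text above: every field in a passport's machine-readable zone (MRZ) carries an ICAO 9303 check digit, and a second-line composite digit covers the document number, date of birth and expiry together, so a misread or altered character no longer adds up. The Go program below is an added example written for this article (it is not Osmond's or Adaptive Recognition's code, and a real reader does far more than this); it recomputes those digits for the second MRZ line of the published ICAO 9303 specimen passport, which is sample data and not a real person's document. The same check is what the OCR-based readers in the bank case studies further down rely on for passport data.

```go
package main

import (
	"fmt"
	"strings"
)

// mrzValue maps an MRZ character to its ICAO 9303 numeric value:
// digits count as themselves, letters A..Z as 10..35, and the filler '<' as 0.
func mrzValue(ch byte) (int, error) {
	switch {
	case ch >= '0' && ch <= '9':
		return int(ch - '0'), nil
	case ch >= 'A' && ch <= 'Z':
		return int(ch-'A') + 10, nil
	case ch == '<':
		return 0, nil
	}
	return 0, fmt.Errorf("character %q is not valid in an MRZ", ch)
}

// CheckDigit computes the ICAO 9303 check digit: weights 7,3,1 repeating,
// sum of value*weight, modulo 10.
func CheckDigit(field string) (int, error) {
	weights := [3]int{7, 3, 1}
	sum := 0
	for i := 0; i < len(field); i++ {
		v, err := mrzValue(field[i])
		if err != nil {
			return 0, err
		}
		sum += v * weights[i%3]
	}
	return sum % 10, nil
}

// fieldOK reports whether the check digit printed after a field matches.
// A filler '<' in the check position is only acceptable when the digit is 0
// (the case of an empty optional-data field).
func fieldOK(field string, printed byte) bool {
	want, err := CheckDigit(field)
	if err != nil {
		return false
	}
	if printed == '<' {
		return want == 0
	}
	return int(printed-'0') == want
}

// VerifyTD3Line2 validates the second MRZ line of a passport (TD3 format,
// 44 characters): the four field check digits and the composite check digit
// over document number, date of birth, expiry date and optional data.
func VerifyTD3Line2(line string) (bool, error) {
	line = strings.ToUpper(strings.TrimSpace(line))
	if len(line) != 44 {
		return false, fmt.Errorf("expected 44 characters, got %d", len(line))
	}
	checks := []struct {
		name  string
		field string
		digit byte
	}{
		{"document number", line[0:9], line[9]},
		{"date of birth", line[13:19], line[19]},
		{"expiry date", line[21:27], line[27]},
		{"optional data", line[28:42], line[42]},
		{"composite", line[0:10] + line[13:20] + line[21:43], line[43]},
	}
	for _, c := range checks {
		if !fieldOK(c.field, c.digit) {
			return false, fmt.Errorf("%s check digit mismatch", c.name)
		}
	}
	return true, nil
}

// SpecimenLine2 is the second MRZ line of the ICAO 9303 specimen passport,
// a published sample rather than a real document.
const SpecimenLine2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

func main() {
	ok, err := VerifyTD3Line2(SpecimenLine2)
	fmt.Println("specimen:", ok, err)
	// Altering one digit of the date of birth breaks both the field check
	// digit and the composite check digit.
	tampered := SpecimenLine2[:14] + "5" + SpecimenLine2[15:]
	ok, err = VerifyTD3Line2(tampered)
	fmt.Println("tampered:", ok, err)
}
```

A passing check digit only shows that the printed characters are self-consistent; it catches OCR misreads and clumsy alterations, not a well-made forgery, which is why the reader also has to inspect the physical security features and, where present, the chip signature.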

About the Author

Balázs Molnár

Hungary

As an International Sales Manager at Adaptive Recognition, I am responsible for the business development in several countries all over the world. We are market leaders in the OCR-based technologies industry, and my task is to help our partners and customers find the most suitable solution for their needs in ID reading & verification technology.


Banks of Romania reinvent customer experience


Customer experience in banks depends on a lot of factors. Most of these can be enhanced by smart technology – in this material, Adaptive Recognition shows how the firm’s ID management solutions contribute to customer experience.

BCR Erste Bank, BRD Bank

Banca Comercială Română (BCR), a member of Erste Group, is the most important financial group in Romania, including the operations of a universal bank (retail, corporate & investment banking, treasury and capital markets), as well as specialized companies on the leasing market, asset management, private pensions, housing banks and banking services through mobile phone. BCR is the No. 1 bank in Romania by asset value (over EUR 16 billion), No. 1 bank by number of clients and No. 1 bank in the savings and financing segments. (Wikipedia)

Quick project facts

  • Locations: BCR Erste Bank, BRD Bank
  • Products: PRMc, Combo Smart e-passport reader devices
  • Total quantity: 3,000+ pcs.
  • Application areas: Automated data entry, ID authentication

What if a banking experience is pleasant both for the customer and the bank employee? Let’s see how these Romanian banks introduced a 21st century technology for avoiding any headaches of administration and security.

Administration in the blink of an eye

Speed, in fact, is a major contributor. If clients have to wait a long time, the whole experience seems slow and tedious, even if everything else is fine. Time is money, and each of us wants to get our tasks done efficiently – both the customer and the bank.

ID scanners play a great role in the speed of administration, in addition to their other benefits. Instead of manually typing customer data into the system, the scanner device automatically digitalizes the document data using OCR (Optical Character Recognition) and sends it to the bank system. This way, the regular input time (which can be several minutes) is reduced to only a few seconds.

As a result, customer registration happens in the blink of an eye and no longer takes lengthy minutes.

Data entry with 100% accuracy

Having automated data entry is efficient not just for speed, but for eliminating typing errors. According to the statistics, every 100th manually typed character is incorrect [1]. Such flaws in customer data can cause various internal data problems and hamper future communication with the customer.

An ID scanner device does not fail: it offers a 99+% recognition rate and guarantees that no data errors get into the system. BCR and BRD Banks benefit from an OCR engine that has been fine-tuned for more than 20 years.

Secure privacy by default

When managing customer data, privacy is key. Still, in many front office applications, banks or telco companies make photocopies of ID documents. This is a risky way of storing personal data, as news reports have shown several times: photocopies get lost or end up with someone who should never have had access to them.

A digital data storage system, however, makes sure that the data remains in the system, encrypted, protecting it from unauthorized access. When the ID scanner digitalizes the data, no copies are made – the document itself will not have any duplicates; only the data is transferred to the bank system. With such secure data management, the bank can also comply easily with the GDPR (General Data Protection Regulation).

Documents verified automatically

In addition to all benefits listed earlier, a major feature of ID document scanners is the automatic document verification function. Nobody can expect bank managers to be ID forgery experts.

The scanner, with purpose-made software, is capable of performing a forgery check to detect whether the identity card or passport was modified or may be a copy of a genuine document. Without such equipment, criminals (impersonators) using altered documents can easily make unauthorized transactions.

A shocking statistic: the total value of fraudulent transactions annually is around €1.8 billion, according to the latest European Central Bank (ECB) report [2].

Read relevant news – how criminals withdrew $45,000 using fake IDs:
https://www.cbc.ca/news/canada/toronto/vaughan-fake-id-1.4903684

Benefits – summarized

For the bank

  • better focus on the customer
  • eliminating customer data errors in the system
  • skipping privacy risks of personal data
  • avoiding losses due to unauthorized transactions

For the customers

  • advanced customer experience, quick administration
  • peace of mind about how their personal data is managed
  • professional, high-tech environment during the process

Learn more about the mentioned products

Combo Smart e-Passport Reader

Combo Smart passport reader

If you are not an expert in ID verification, don’t worry. Combo Smart has got you covered.

  • Automatic verification of IDs
  • Reads both printed and RFID data
  • Ideal for KYC and AML
  • No moving parts, outstanding reliability

PRMc passport reader

A high-end ID / passport verification device for mission-critical applications

  • Special dual optic system
  • Multi-spectrum document analysis
  • JURA IPI decoding
  • Highest RFID standard compliance

Sources:

[1] Average benchmark value in the corporate customer management sector

[2] https://www.nets.eu/solutions/fraud-and-dispute-services/Documents/Nets-Fraud-Report-2019.pdf

Adaptive Recognition Case Study: Singaporean banks redefine the usage of ATMs


ATMs have been part of our environment for such a long time that most of us cannot remember what these three letters stand for. It is the Automated Teller Machine, where we can take out cash from our bank accounts without having an appointment at the bank office. We have been using these machines for years and never expected how much more these platforms could be capable of – if backed up with some innovation.

Quick project facts

  • Location: Singapore
  • Products: Combo Smart Kiosk passport reader
  • Key functionality: self-service customer verification
  • Year of installation: 2017-2020

ATM vs. VTM

To understand the future of ATMs, let’s define VTM first: it stands for Video Teller Machine – an ATM, but a smart one with a live video connection, capable of extended functionality.

ID scanners in DBS ATM

DBS newsroom

VTMs provide round-the-clock branch banking services to customers, with the option of virtual teller assistance via live-video streaming. In addition to providing services such as balance enquiries, change of particulars and statement requests, the DBS/POSB VTMs are able to dispense internet banking security tokens and allow for customers to apply for debit cards and obtain them instantly.

In addition to the regular ATM functionality, you have all the extra services mentioned, and all you need to do to get access is:

  • having a video chat
  • identifying yourself at the machine

Self-service identification: ✓

We come into the picture at the identification phase, as our passport reader devices are integrated into the kiosk. These models are designed especially for built-in usage, offering super-quick reading and authentication of local IDs and international passports. One of the advantages of such technology is self-service usage: these scanners fit perfectly into the ATM / VTM procedure, as anyone can use them and verify their identity within seconds, even without special expertise.

Combo Smart Kiosk passport reader

Combo Smart Kiosk Scanners

Smooth passenger flow – made possible by integrated, super-fast ID verification

  • Ideal for e-gate / kiosk integration
  • Designed for personal travel documents
  • Automatic data reading and verification
  • Self-service operation

This innovation lets the customers use services:

  • without scheduling an appointment
  • without waiting in the bank office
  • even when the bank is closed

Though it is a great benefit for customers, the bank had multiple motivations when implementing this function, costs among them. In fact, labor costs and the rent of office space are very expensive – and constantly increasing. This is also why the bank wanted to find ways to serve its customers better without them having to be physically present in the bank premises during office hours. It turned out to be a definite win-win: an easy service both for the bank and the customers.

More to come

This technology was first introduced by DBS Bank in Singapore, back in 2017, thanks to the powerful cooperation between Adaptive Recognition Singapore, GRG Banking and DBS Bank (including POSB Bank).

Since then, the innovation has inspired others: a new roll-out is planned for 2020 by OCBC Bank, for example. We are proud to share that the same Combo Smart Kiosk passport readers are used in that project. Expect updates shortly; till then, learn more about the project from this video: