Scammers may target COVID status authentication, cyber experts warn

When the UK is preparing to try “COVID status authentication” in some domestic environments, cybersecurity experts warn that certificate authentication is difficult and can be vulnerable to fraudsters. Did.

so Review Announced on April 5, the UK Government has announced that it will begin trials of COVID status certification in certain situations, including large-scale events.

Certification can be demonstrated in three ways: up-to-date vaccine status, negative immunochromatography or PCR tests, or proof of innate immunity.

Eerke Boiten, a cybersecurity professor at Demont Fort University, said there could be exploitable loopholes.

Identification mechanism is too high

Taking the evidence of negative testing as an example, certification “needs to be closely tied to the people who actually took the test,” Boyten told NTD Wednesday.

This means that the identification needs to be checked both when the test is done and when the results are presented to the event organizer.

To address the issue of identification, Boiten said, “To connect a person to a certificate, you probably need something like biometrics, but biometrics is as reliable as most people wanted. We are not ready to do that. “

He added that setting up infrastructure at all test sites and event venues would be a “significant investment”.

“Therefore, there is probably a balance between protecting against the risks of those who obtain fake certifications and considering the actual costs involved in dealing with those risks.”

In addition to money, Boiten said it costs a lot to make sure the system works.

“For this to work perfectly, a fully biometric-based identity system needs to work,” he said. “But that’s a huge cost to society.”

This is a privacy and autonomy issue, Boyten said. In a sense, certificates aim to restore people’s normal freedom of life, while working systems need to be established at the expense of freedom.

From his experience as a cyber expert, Boiten personally prefers “short-term inconvenience” rather than losing the long-term freedom of knowing that we are not in the ultimate surveillance society. Said. “

According to a government review, this certification may have played an important role “as a temporary measure” and will never be used in environments such as critical public services, public transport, and critical stores. is.

Counterfeiting and other scams

In addition to the issue of identification, there is also the risk that the authentication itself “may be completely fake”.

“When private companies enter this area of ​​creating vaccination apps, certificates, etc., they just look credible enough and people can accept it,” Boiten said.

“More [apps] It’s easy to come up with a fake because it’s generally accepted, “he said.

According to Boyten, he is vulnerable to fraud during a pandemic because he is accustomed to receiving unexpected messages from the government and getting out of the comfort zone.

“Many cybercrimes occur when people are just outside their comfort zone,” he said.

Professor Bill Buchanan, a cyber expert at the University of Edinburgh Naepia, also said that forging these certificates is “very easy” because “there is little inherent security”.

Purchasing fake certificates can expose people to more fraud.

“Someone might pay for a £ 100 certificate, but then they could figure out their contact details and move on to a higher level of fraud,” Buchanan said. Told NTD. “The opportunities for that are enormous.”

Buchanan said the NHS and the public sector “use what’s called a digital signature to build a credible infrastructure and actually prove that something is really right without actually downloading a particular app. I want to be able to do it. “

Alexander Zhang, a report by Jane Werrell of NTD, contributed to this report.