This appeared a few days ago:
Australian vaccination certificates easy to forge
An online security firm specialising in identity protection has warned that the federal government‘s digital Covid vaccination certificates will be easy to forge without better security.
There is concern that vaccination certificates aka vaccination passports which currently include a person’s name, date of birth and document number can be easily altered and copied.
The government made digital certificates available in June and this week added the ability to store them in Apple Wallet on iPhones and Google Pay on Android devices.
Yesterday South Australian Senator Rex Patrick sought to demonstrate the forging of a vaccination certificate.
There is a report that the federal government’s Expenditure Review Committee has agreed to add QR codes to certificates. This would allow someone to verify the authenticity of a certificate against a government web page that includes the certificate owner’s details.
Government minister Stuart Robert yesterday wouldn’t detail the strength of the security of the vaccination certificates. A spokesman for Mr Robert said the adoption of security would be an “iterative” process.
“Since mandating the recording of Covid vaccinations on the Australian Immunisation Register, the Government has iteratively updated proof of vaccination certificates including bolstering security measures and the government will continue to iteratively update the proof of vaccination certificates.”
Trax Print chief technology officer Robert Ablinger said cyber criminals were capable of forging a QR code verification system if that were adopted.
He said the black market in fake vaccination certificates was already well developed and there were unvaccinated people desperately wanting them. You needed specialist technology to get around this, he said.
“We utilise this technology over in the UK, in the Netherlands and in Aruba. We’re doing this not only for vaccination certificates but also for test certificates for Covid test centres.”
He said forgers in Europe typically charged about 150 euros ($240) to forge travel certificates.
Scanning a QR code takes on the certificate takes authorities to a fake government verification site.
“It takes a scammer probably an hour to build a website that looks identical to a government website, and they can actually get a name of a web page or a domain name that is very similar to what it would look like if they went there. It looks 100 per cent legitimate.”
Mr Ablinger said it wasn’t hard to upload a fake certificate to Apple Wallet.
Apple Wallet does lets users upload their own certificates and there is online software available to build a mobile wallet, such as Pass2U Wallet and Pass4Wallet.
It is understood Google Pay only allows Covid certificates to be uploaded from authorised and verified entities. The origin, authenticity and integrity of the issuing entities are checked using digital signature verification.
A source told The Australian that in employment situations it might be better for employers to verify vaccination status of staff by checking using the document number on a government verification website.
Cassandra Cross from the QUT School of Justice said she had no doubt there would be attempts to forge Australian digital vaccination certificates.
More here:
Makes one wonder just how carefully thought through this all was and if it was properly appreciated just how valuable some may find a fake credential.
On a similar theme we have:
‘I am still waiting’: some Australians turned away from getting Covid vaccine because of register errors
More reports have emerged of problems with the national vaccine register, causing confusion and frustration
Last modified on Tue 3 Aug 2021 09.25 AEST
Incorrect or missing records on the national immunisation register are causing some people to be turned away from getting a Covid-19 vaccine in locked-down Sydney, while others are being wrongly recorded as receiving the “hepatitis” jab or no vaccination at all.
On Saturday, Guardian Australia reported that Sydney bus driver Ke Hua was wrongly recorded as fully vaccinated on the Australian immunisation register (AIR), despite not having a single dose, causing significant confusion when he showed up at Royal Prince Alfred hospital for his jab.
More reports have now emerged of significant problems with recording Covid-19 vaccinations on the register, which is administered by Services Australia and serves as the main database of a person’s immunisation status.
Many of the reported errors appeared to be linked to the mass NSW vaccination hub at Homebush.
Sydney resident Gary, who asked his surname not be used, received a first vaccine dose at the Homebush hub early last month, but it was not recorded on the register.
“Due to this anomaly I was refused my second jab this week,” he said. “The vaccination centre managed to confirm verbally that the first shot had occurred but refused (the second dose) without written proof.
“This took another hour - I have already spent hours on the phone to NSW health, AIR and [the] national virus hotline but no one can help or advise when this will be updated.”
Another Sydney man told the Guardian he has waited for two weeks for his online records to be updated with his second dose, which he received at the Homebush centre.
He was told there was a widespread problem affecting records of people who got their jab at the site. He was handed a form to fill out to correct the record.
“I lodged my form over a week ago but still have not heard anything, although they say it will take up to 10 days to process,” he said. “I don’t immediately need the record of vaccination, but I am sure that others will need it for work, so it is not a good situation. With the strong focus now on vaccines, it is important that people are able to get a record of their vaccination.”
Wayne Berkowitz, also from Sydney, was vaccinated at Homebush and said his immunisation record has still not been updated after receiving his second dose on 15 July.
More here:
Seems the Register has at least some issues with data entry / validation as well.
Equally we also see a little political contention:
‘Really uncomfortable’: Coalition MPs speak out against vaccine passports
By Anthony Galloway and Rob Harris
August 4, 2021 — 6.15pm
A growing number of Coalition MPs are speaking out against the use of vaccine certificates for domestic travel and attendance at venues and events, with at least two threatening to cross the floor if the government brings on legislation.
The Sydney Morning Herald and The Age on Wednesday revealed the government’s expenditure review committee of cabinet last week backed a proposal for QR code vaccination certificates for international travel, linking people’s vaccination status on their MyGov accounts with new digital certificates.
Prime Minister Scott Morrison confirmed this week national cabinet was also discussing extending the measure to domestic travel but stressed any move to allow businesses to ask patrons for proof of vaccinations would have to be made by the states.
Tasmanian Liberal senator Eric Abetz said while he encouraged everyone to consider getting vaccinated as soon as possible, “vaccine passports should not be a blunt instrument to force people to be vaccinated by locking them out of society”.
“Denied or limited access to government and private businesses goods and services should not be based on one’s medical status and the idea of a domestic ‘vaccine passport’ is a dangerous one that can create a class of citizens,” he said.
More here:
So, at all sorts of levels we seem to need to get our act together. The case for having a robust and trustworthy vaccine credential in pretty clear but issues around just how long it lasts, how are boosters handled etc. can make the whole thing a bit tricky.
We know how to make high integrity documents – driver’s licenses etc. so what we need sorted is the policy around expiry, what they can be used, who can demand one and so on.
Watch this space!
David.
2 comments:
Developing iteratively says it all. That word iterative has become synonymous with “have no idea where to start or what to do.
The chances of them thinking it through are approximately zero. Especially if they have "co-designed" it. They do like their buzz words. Must get it from their fearless sales manager, Scotty.
Post a Comment