The free digital vaccination card is intended to simplify travel within the European Union. The "Green Certificate" not only contains information about a corona vaccination but also the results of rapid tests and the about recovery from a previous Covid 19 infection. The German version of the digital vaccination card should be ready for use by the end of June. COVID certificates, which can be checked for authenticity using the certified app "COVID Certificate Check", have been issued in Switzerland since 7 June. This concept, however, also harbours the enormous potential for data theft. An improved IAM (Identity and Access Management) can provide a remedy.
The basic idea is as simple as it is practical and will make everyday life much easier for those who have received a Covid 19 vaccination. Anyone who wants proof that they have been vaccinated simply has to present a QR code; either on-screen via the app or as a printout. The code contains all the necessary vaccination data as well as a digital signature. While this is convenient, the digital identity of the vaccinated persons is by no means as well protected as would be technically possible and desirable for data protection reasons.
The security concerns expressed by IT experts are manifold: Potential weak points for cybercriminals range from the transfer of data from the previous yellow paper vaccination card to computer systems to the manipulation of the ID card code in vaccination centres, doctors' surgeries, hospitals and pharmacies – as the vaccination card is to be produced on-site in the future directly after the vaccination.
The greatest risk in this connection is computers infected with malware, which could enable hackers to gain remote access. In addition, computer systems are often not protected by a modern IAM (Identity and Access Management) system, which prevents third-party access through password-free or multi-factor authentication. Once intruders have gained access, they can create fake vaccination cards with relatively little effort.
Criminals are hoping to make millions in profits by making the green certificate easy to forge. Once they overcome the initial obstacles and have bypassed authorisation management, it takes less time and material to forge the digital vaccination card than would be required to make a copy of the paper version. This has consequences: On the darknet, the number of providers luring customers with pre-orders is on the rise.
Boundless freedom – even for hackers?
Apart from vulnerable computers in individual vaccination stations, there is also a fundamental security problem: the Europe-wide validity of the green certificate could prove to be the system Achilles' heel. To ensure that border officials and airport staff, for example, can verify the validity of QR codes presented by travellers, an exhaustive list of all digital keys that can be used to sign vaccination certificates must be stored in the verification devices. Each EU country is therefore required to share the trusted keys issued to doctors' surgeries and vaccination centres with the other member states using an interface.
An approach that data protection expert Carmela Troncoso of the ETH Lausanne, Switzerland, sharply criticised in an interview with the Neue Zürcher Zeitung: "For this system to work, it is vital that these digital keys are not stolen, the IT systems and servers of hospitals and vaccination centres are not hacked, and no one who administers vaccinations is open to bribes – and that applies to each and every country participating in the programme." To avoid abuse, a non-digital solution, such as a standardised security paper that is difficult to forge, is a better alternative, Troncoso said.
More security with IAM
It is unlikely that a paper document will prevail at a European level at this point in time. This makes it all the more important to close existing gaps in the IT equipment of doctors' surgeries and vaccination centres: A robust IAM in combination with password-free or multi-factor authentication can make a decisive contribution to preventing unauthorised access to the vaccination infrastructure.
If, for example, an attacker has succeeded in obtaining the user name and password of an authorised person, e.g., by means of a successful phishing attack, this data could, in the worst case, provide the gateway for further hacking access to the affected system. This is not the case with IAM, which adds a second layer of security: Instead of solely relying on the password, IAM requires an additional security check based on an additional factor – such as the user confirming their login attempt via fingerprint scan in a connected mobile app. Without successful multi-factor authentication, the IAM denies access; effectively preventing an attack using spied-out login credentials.