The start of the rollout of the COVID-19 vaccine around the world paved the way for the reopening of international borders, which also quickly led to the introduction of new verification methods such as vaccine passports or digital vaccine certificates. We have seen the launch of the EU digital vaccine passport and Japan’s plans to have its vaccine passports accepted by more than 10 countries in just two months. Australia, for its part, recently updated the Medicare Express app to include digital vaccination certificates.
Soon, most of the world’s citizens will need to present a valid digital vaccine certificate to travel or access certain sites. But issues regarding data security and privacy with the use of these vaccination certificates and associated contact tracing applications have also become matters of concern.
Understand data security and privacy issues
It’s no secret that threat actors have quickly pivoted and capitalized on trends arising from the COVID-19 pandemic to carry out malicious activity. They’ve adapted their phishing lures, which involves targeting things like the vaccine supply chain or offering people quick access to vaccines at varying prices. For example, fake COVID-19 certificates are now sold on the darknet for as little as US $ 34 (£ 25).
There is no doubt that the widespread digitization of these vaccine passports will offer value to those who wish to take advantage of this new regime through bogus apps and QR code verification systems. Cyber criminals can easily do this by intercepting traffic to direct unsuspecting users to another system, such as phishing websites or apps that give fake reads. In fact, I have personally been able to download a fake Android version of the UK’s National Health Service (NHS) COVID-19 app, which provides invented record verification without any tracking data. synchronized with a government system. A similar trend is occurring in Australia, where links to download fake recording apps are circulating on the web and mobile messaging groups, to bypass existing contact tracing measures.
Cybercriminals can also expand their attack surface by creating fake email addresses and phone numbers purportedly from a legitimate government agency or healthcare facility, asking others to request a certificate of vaccination in countries like the UK and India.
Put simply, threat actors are leveraging demand for vaccine passports to illegally gain information, hijack accounts, and sell personally identifiable information using their old tricks. As vaccine passports are expected to become a permanent fixture in the future of travel and site access, failure to detect and stop these threats can hamper the ability of governments to stop the spread of the virus and open up a new underground market for cybercriminals to exploit for illicit purposes.
Review mobile security to protect vaccine passport data
While government-developed vaccine passport apps are likely secure, there is a risk that users may fall victim to other malicious apps that they may have inadvertently installed on their mobile devices.
As mobile devices are now a staple feature in personal and business activities – with more and more people making the transition to working from home – it is essential that employees and businesses prioritize the job. mobile security, whether the mobile device is owned by the company or by employees. Mobile malware is increasingly common and could allow malicious actors to potentially access sensitive personal information stored in a vaccine passport application on an infected device. In most cases, simple solutions can offer better protection and promote cyber resilience:
- For users, they should be more vigilant about the links they access or the applications they download from the web, verifying the legitimacy of the source, and being careful when sharing IPIs on the web. If possible, running a mobile threat defense solution or an antivirus solution on their devices that can detect malicious activity that tries to gain access to their information, also serves as an additional layer of defense.
- For companies, a zero-trust security policy should be implemented to continuously check every user and device, as well as to limit access to their critical assets.
- For governments and mobile app developers, especially for vaccine passports or immunization data collection, it is important to have systems in place to ensure data security and confidentiality, as large-scale deployments accelerate in the months or years to come.
While the future of travel remains uncertain, countries around the world view vaccine passports as “the door opener” to get back to normal and revive the global travel and tourism industry. At the same time, threat actors know all too well that being able to profit from the current pandemic has been a very lucrative business over the past 18 months. Individuals are also more susceptible to cybercrime in these uncertain times, and cybercriminals are taking advantage of this vulnerability to pivot their attacks.
From a technological standpoint, the successful implementation of any vaccination passport program hinges on certain basic principles – these should be privacy-friendly and secure by design. Failure to do so risks the recovery process that we are all so ready to embrace in another setback.