Vaccine passports could be prone to fraud and security issues

Interesting discussion on what it means to digitise part of the health record for millions, perhaps billions, of people…:

To look at the cybersecurity and fraud issues, Digital Journal sought the views of Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre.

Mackey pinpoints several challenges, starting with: “The definition of “vaccinated”. Outside of the Yellow Card, more formally known as the international certificate of vaccination for yellow fever, there really isn’t an internationally accepted means to confirm if an individual has met a vaccination requirement.”

Looking further, he notes: “Considering the Yellow Card is itself a paper document signed by a medical professional who supervised the actual vaccination, that model would be difficult to replicate given the scale of Covid-19 vaccination requirements – and that’s before we get to the potential security implications.”

Mackey says that several mobile app providers are working on a scheme: “A number of businesses have been founded to provide mobile apps that attest to the COVID-19 state of the bearer. The security implications of those mobile apps are similar to any healthcare app – any medical data on a person is of prime value to an attacker.”

Here lies a problem, says Mackey: “The reason medical data is so valuable stems from how personal it is. Even if the medical data is limited to a simple statement of vaccination, the nature of the pandemic makes even that data rather valuable. For example, if there were a bug in the app or underlying service that caused it to display to someone that a vaccination protocol hadn’t been completed when it had, then such an error could result in the traveller being denied entry or worse.”

Original article