Scammers Could Target COVID-Status Certification, Cyber Experts Warn

Lily Zhou
4/11/2021 | Updated: 4/11/2021

As the UK prepares to trial “COVID-status certification” in some domestic settings, cyber-security experts warned that a certificate could be hard to authenticate, and could leave people vulnerable to scammers.

In a review published on April 5, the UK government said it would begin to trial COVID-status certification in certain settings, including at large events.

The certification could be demonstrated by three means: an up-to-date vaccine status, a negative lateral flow or PCR test, or proof of natural immunity.

Eerke Boiten, professor of cyber security at De Montfort University, said that there could be exploitable loopholes.

Identification Mechanism Too Costly

Taking proof of a negative test as an example, the certification “will need to be closely tied to the people that actually have taken the test,” Boiten told NTD on Wednesday.

This means identification needs to be checked both when the test is done, and when the result is presented to an event organiser.

To address the identification issue, Boiten said, “You probably need something like biometrics to connect the person to the certificate, but biometrics are not really in a state where you can do that reliably to the degree that most people wanted to be.”

What’s more, setting up the infrastructure at all test sites and event venues would be “quite an investment,” he added.

“So there’s probably a balance to be had here between safeguarding against the risk of people having fake certifications, and looking at what would actually cost to address that risk.”

Besides money, Boiten said there’s a greater cost in making sure the system works.

“To get this working perfectly, you need a complete biometric-based identity system working,” he said. “But that’s an enormous cost to society.”

This is an issue of privacy and autonomy, Boiten said. In one way the certificate is meant to restore people’s freedom to live their lives normally, but on the other hand, a system that works will need to be established at the expense of liberty.

Speaking from his experience as a cyber expert, Boiten said he personally would rather have some “short term inconvenience” than losing “longer term freedoms knowing that we’re not in an ultimate surveillance society.”

According to the government’s review, the certification could have an important role “as a temporary measure,” and it would never be used in settings such as essential public services, public transport, and essential shops.

Forgery And Other Scams

Besides the identification issue, there’s also the risk that the certification “itself might be entirely fake.”

“Once private companies get into this sphere of producing vaccination apps or certificates, or whatever, it only needs to look authoritative enough and then people may accept it,” Boiten said.

“The more [apps] are generally accepted, the easier it will be to come up with a fake one,” he said.

Boiten said people are more susceptible to scams during a pandemic because they are more used to getting unexpected messages from the government, as well as being out of their comfort zones.

“A lot of cybercrime happens in situations where people are just outside their comfort zone,” he said.

Professor Bill Buchanan, a cyber expert from Edinburgh Napier University, also said it’s “extremely easy” to forge these certificates because “we have fairly little inherent security.”

Buying a fake certificate may also open people up to more fraud.

“It might be for a 100-pound certificate that someone would pay. But then they have that person’s contact details and then could move on to higher levels of fraud,” Buchanan told NTD. “The opportunity for that is massive.”

Buchanan said he would like to see the NHS and the public sector “build trustworthy infrastructures with what’s called digital signing, so that you can actually prove that something is actually correct, without actually having to download a certain app.”
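As an added illustration of the digital-signing approach Buchanan describes (example code written for this page, not code from the article, the NHS or any real certification scheme; the certificate fields and the use of Ed25519 are assumptions), the following Go program issues a signed certificate and shows that an altered copy, and a copy signed by an unrecognised issuer, both fail verification against the genuine issuer's public key:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Certificate is a constructed, hypothetical COVID-status payload; the
// real scheme's data format is not described in the article.
type Certificate struct {
	Subject    string `json:"subject"`
	Basis      string `json:"basis"` // "vaccine", "negative_test" or "natural_immunity"
	ValidUntil string `json:"valid_until"`
}

// SignedCertificate pairs the payload with the issuer's signature over it.
type SignedCertificate struct {
	Payload   Certificate
	Signature []byte
}

// canonical returns the exact bytes that are signed and later verified.
// Struct field order is fixed, so json.Marshal is deterministic here.
func canonical(c Certificate) []byte {
	b, _ := json.Marshal(c)
	return b
}

// Issue signs a certificate with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Certificate) SignedCertificate {
	return SignedCertificate{Payload: c, Signature: ed25519.Sign(priv, canonical(c))}
}

// Verify needs only the issuer's public key: a venue can check a certificate
// offline, without the private key and without a particular app.
func Verify(pub ed25519.PublicKey, sc SignedCertificate) bool {
	return ed25519.Verify(pub, canonical(sc.Payload), sc.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Issue(priv, Certificate{Subject: "A. Person", Basis: "negative_test", ValidUntil: "2021-04-14"})
	altered := genuine
	altered.Payload.Basis = "vaccine" // content changed after signing
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	lookalike := Issue(otherPriv, genuine.Payload) // signed by an unrecognised issuer
	fmt.Println(Verify(pub, genuine), Verify(pub, altered), Verify(pub, lookalike)) // true false false
}
```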

Reporting by Jane Werrell of NTD. Alexander Zhang contributed to this report.