Exclusive
Status: 11/30/2021 6:42 pm
The business with digital forged vaccination certificates is in full swing. Corresponding QR codes from home and abroad are traded in online forums. Research by report Munich also shows that apps often fail to recognize counterfeits.
Fake digital vaccination certificates are very popular with vaccination opponents. Fraudsters gain access through accomplices in pharmacies and issue QR codes to order.
report Munich has tested various digital fantasy QR codes as well as fraudulently created codes, including one from a Munich pharmacy that was searched by the Bavarian police last October. The public prosecutor’s office is investigating. An employee is said to have issued false electronic vaccination cards. The reporters were also able to find these and other pharmacy IDs from Bavaria and Hesse in an online forum in which digital vaccination certificates are offered for sale.
Accomplices in the pharmacy
An employee of the pharmacy had given criminals access to the pharmacy IT. At night, her accomplices produced almost 1,000 digital vaccination records on the real names of vaccine opponents. The personal data of the customer on the ID card matched that on the digital vaccination certificate. In the pharmacy no one knew anything about the machinations.
Although the case was already exposed in October, the reporters managed to upload a digital certificate from the pharmacy to the CovPass app by the beginning of last week. In the CovPassCheck app, the certificate appeared as “valid” – that is, valid. Only after notification to the authorities was the certificate blacklisted in the CovPassCheck app and is no longer valid. The Munich pharmacy certificate is still valid in a Corona test app from Luxembourg.
Central to confidentiality
An insider describes how important secrecy is for the fraudulent activities in a vaccination passport forum. Certificates have been created in pharmacies in the “zip code area 8xxxx”, one in an apo[theke] in 6xxxx and last but not least one from Mr. S. der ja in Munich […] was zip code 8xxxx “. The insider warns that one should not make the pharmacy identification public. It is enough to sell a single digital vaccination certificate” to the wrong person or to make a single sample public with some nonsense name, and you have the creator to the eggs and can block all certificates that this issuer has created “.
Regardless of the case of the Munich pharmacy, Thomas Siebert from the Bochum-based IT security company GData observed that there were hardly any entries in the blacklists of the Corona Warn app and the CovPass app: “The consequence of not updating the blacklists is It goes without saying that the people who walk around with an unjustifiably obtained certificate cannot be caught, “said Siebert.
Order from abroad
In an online forum, it was also possible to get in touch with providers of falsified digital vaccination certificates. There a person with the pseudonym “Covidpass Meister” recommended the journalists to switch to digital vaccination certificates from other EU countries, which are more expensive, but safer: “They cannot be blocked as easily.” After a sample of GData and report Munich neither the Corona Warn app nor the CovPassCheck app recognized foreign forgeries.
For IT expert Siebert, the flaw lies in the specification of digital vaccination records prescribed by the EU: “There are massive problems in the process of revoking certificates. It is the case that there are some differences between European countries in how the whole thing is handled In principle, the country maintains its own processes, its own blacklists of, for example, pharmacies that have illegally issued certificates. “
Request for a callback
It is unclear what a recall of digital vaccination records, whether national or international, could look like. According to Thomas Siebert, that could now turn into a boomerang.
EU Parliament Vice-President Nicola Beer calls for the possibility of a Europe-wide recall of falsified digital vaccination certificates. In an interview with report Munich says she: “A look at the numbers in some German regions shows that we are in the middle three-digit range when it comes to counterfeiting – all the alarm lights must be on. The situation is so acute across Europe that we simply cannot allow some to sneak proof of vaccination with three clicks on the Internet and buy it. “
No solution in sight yet
The Federal Ministry of Health responsible for the CovPass system admits on request that there is still no solution to the problem of cross-border use of digital vaccination certificates: “A European interoperable solution for blocking individual vaccination certificates is currently being created,” said a spokesman for the ministry. Until when is not known.
Since the storage of the data as well as the created PDF documents, according to the Federal Association of German Pharmacists’ Associations, is not intended and, due to the lack of a legal basis, is also not permitted, the buyers of certificates that have already been fraudulently issued can no longer be traced.
“Close loophole”
Nicola Beer explains that she does not want to throw data protection overboard, “but the craft would be a lot more difficult for criminals if not only the authentication was secured in several stages, but if one hand in Europe knew what the other was doing: currently Counterfeits are only blocked nationally – there is no cross-border comparison of the so-called backlists. What is blocked in Germany may be read out as valid in France or Slovenia. We urgently need to close this IT loophole and make a Europe-wide recall possible. “
Beer calls for a central blocking register for the EU Commission: “In this way, member states could react to nationally listed counterfeits and also withdraw them from circulation in their own country. This would allow us to tighten the necessary screws in the security structure across Europe.” In addition, the Vice-President of the European Parliament calls for a level of sanctions that is as harmonized as possible across the EU.
Business is likely to grow
According to experts, the trade in fraudulent digital vaccination certificates will continue to increase. Because many pharmacists are meanwhile skeptical at the slightest suspicion when vaccination books that appear dubious are presented in the pharmacy.
A pharmacist explains that she no longer issues digital vaccination certificates. “Falsifications occurred mainly in October and a lot now in November. Always, more and more every day. By the end of the day, around 80 percent of the vaccination records that were presented really didn’t look real anymore and were also proven to be fakes.”