Vaccine certificates could expose personal health information

By Paul Prudhomme


THE idea of requiring COVID-19 vaccine certificates to enable people to travel, attend public events, or enter their places of work has generated quite a bit of political discourse in recent weeks.

And while some authorities may ban the certificates altogether on the grounds that they violate personal freedoms, there is another concern with vaccine certificates that needs to be addressed: the increased exposure of personally identifiable information (PII) and protected health information (PHI).

The problem is that many COVID-19 testing and vaccination records around the world contain dates of birth (DOBs), which are key ingredients in fraudulent credit card applications and other forms of financially motivated identity theft.

As of June 16, 2021, 4.6% of the Malaysian population had received their vaccine, and the Malaysian Government has made preparations to speed up the National COVID-19 Immunisation Programme.

PHI from healthcare data breaches typically commands higher prices on the dark web marketplaces where attackers sell it, because PHI is more likely than non-health PII to contain DOBs and the other key ingredients of identity theft. It therefore follows that vaccine certificates are likely to become targets for criminals looking for PHI that contains DOBs.

Another risk is that criminals might compromise legitimate vaccine certificates for fraudulent use by unauthorised third parties, which would have public health implications. A black market for stolen vaccine certificates is likely to emerge, given the size of the anti-vaccine movement in Malaysia, as well as the government's plans to take legal action against this growing group.

In this scenario, people unwilling or unable to receive vaccinations would pay for unauthorised access to compromised vaccine certificates for their own use. The public health ramifications could be serious if, for example, an unvaccinated person who might be carrying the virus dines in a restaurant and infects other people.

Digital solutions need improvement

The Government introduced the MySejahtera app in April 2020 to monitor the spread of COVID-19 in the country by enabling users to perform self-health assessments. The app now lets Malaysians keep track of their vaccination status and includes a digital certificate for those who have completed both doses of the COVID-19 vaccine.

However, to use the app, citizens must enter their personal information into a system that appears to suffer technical problems from time to time.

This creates an opportunity for cybercriminals to take over legitimate vaccination records using a combination of name, DOB and identification card number, all of which fraudsters can readily obtain from the PII databases traded in underground criminal communities.

Be aware of the risks

The use of vaccine certificates poses security and privacy risks that warrant careful consideration by policymakers, businesses, and the general public. One way to detect a fraudulent certificate is to require the holder to present a second form of identification alongside it, although this only confirms that the presenter matches the name on the certificate; it does not prove that the certificate itself is genuine. But no vaccine certification system, of any type, should require people to expose their DOBs.

Lastly, don’t make it easier for the criminals – don’t post photos of your vaccination certificate containing your personal information on social media. – June 18, 2021


Paul Prudhomme is the Threat Intelligence Advisory head at IntSights.

The views expressed are solely of the author and do not necessarily reflect those of Focus Malaysia.
