Fake CDC cards, digital health certificates spreading amid COVID privacy concerns

The twin concerns of privacy and trust are coming to the fore in social dialogue around digital health passes and COVID-19 vaccination credentials.

The American Centers for Disease Control (CDC) has issued guidance prohibiting the use of data collected from vaccine recipients in commercial marketing, which World Privacy Forum says is a good move. Now the privacy advocacy group wants the same guidance extended to systems for proving vaccination.

WFP Executive Director Pam Dixon spoke to the CDC’s ACIP Committee (Advisory Committee on Immunization Practices), urging protections for the point of vaccination to be extended to digital health passes and vaccination credentials. For entities that have hybrid operations split between healthcare, where personal information is protected by HIPAA, and other businesses lines, such as supermarkets containing pharmacies, patient data must be confined to the healthcare side.

The WFP also expresses some concern over the breadth of HIPAA waivers extended for COVID.

Fakes abound

Fraudulent COVID status documents are being found on messaging apps like Telegram and the dark web in increasing number, according to the testimony of government investigators and cybersecurity professionals reported by The Wall Street Journal.

Fake CDC cards have been found for sale on Amazon, eBay and Etsy, and a bar owner in California was arrested for selling fake cards in May. A homeopathic doctor in California was arrested in July for providing CDC cards claiming vaccination with a specific Moderna lot when issuing something referred to by the Journal as “immunization pellets.”

While the CDC cards issued in the U.S. include virtually no protection against spoofing, the EU’s Digital COVID Certificate (EUDCC) is supposed to be more secure. Despite this, around 500 fakes have been sold in the past few months from around 30 social media profiles in Italy. A spokesperson for Telegram said the platform has shut down channels for selling fakes at the request of the Italian government.

Fraudulent credentials continue to be sold, however, in at least several European countries, often costing €100 (US$118). While demand increased after Italy announced proof of vaccination as a requirement for some travel and events, the fakes are not expected to defeat verification systems.

As with other clandestine online transactions, cybersecurity experts warn that buyers often end up receiving nothing at all.

U.S. Customs and Border Protection (CBP) describes officers at the port of Memphis seizing hundreds of counterfeit CDC cards on a nightly basis, often in the form of low-quality blanks from China bound for different cities around the U.S.

Minimal effort is put into disguising the cards, and CBP says all of the shipments are from China.

Buying, selling and using counterfeit COVID-19 vaccination cards are all crimes in the U.S.

“These vaccinations are free and available everywhere,” comments Michael Neipert, area port director of Memphis. “If you do not wish to receive a vaccine, that is your decision. But don’t order a counterfeit, waste my officer’s time, break the law, and misrepresent yourself. CBP Officers at the Area Port of Memphis remain committed to stopping counterfeit smuggling and helping to protect our communities. But just know that when you order a fake vaxx card, you are using my officers time as they also seize fentanyl and methamphetamines.”

Rollouts continue

Gulf Air has extended its trial of the IATA Travel Pass to more its Dubai, Frankfurt and Paris routes, as well as to passengers with non-biometric passports, using iOS and Android devices.

The Kingdom of Bahrain’s national carrier plans to implement the digital health pass for more routes in the future.

Pakistan is launching a mobile app based on its NADRA biometric database to allow citizens and foreigners vaccinated in the country to prove their status.

Tariq Malik announced the ‘PAK Covid-19 Vaccination Pass,’ which presents the bearer’s status through a QR code and can be stored in digital wallets like Apple Wallet.

Article Topics

biometrics  |  data protection  |  digital ID  |  fraud prevention  |  health passes  |  IATA Travel Pass  |  identity verification  |  mobile app  |  privacy  |  travel documents  |  World Privacy Forum