
Vaccine Passports: Rethinking Cybersecurity Best Practices

The start of COVID-19 vaccine rollouts around the world has signaled a path to reopening international borders, and with it the rapid introduction of new verification methods such as vaccine passports and digital vaccine certificates. We have seen the launch of the EU’s digital vaccine passport and plans for Japan’s vaccine passport to be accepted by more than 10 nations within two months. Australia, for its part, has recently updated the Medicare Express app to include digital vaccination certificates.

Soon, citizens in many countries will be required to show a valid digital vaccine certificate to travel or to enter certain venues. But the security and privacy of the data handled by these certificates, and by the related contact tracing applications, have also become areas of concern.

Making sense of security and data privacy concerns

It’s no secret that threat actors have been quick to pivot and capitalize on trends arising from the COVID-19 pandemic. They have tailored their phishing lures to target the vaccine supply chain and to offer people quick access to vaccines at varying prices. Fake COVID-19 certificates, for instance, are now being sold on the darknet for as little as US$34 (£25).

There is little doubt that the widespread digitization of vaccine passports will attract those looking to profit from the scheme through fake applications and fake QR code verification systems. Cybercriminals can do so by intercepting or redirecting traffic to send unsuspecting users to another system, such as a phishing website or an application that gives a fictitious reading. In fact, I was personally able to download a fake Android version of the United Kingdom’s (UK’s) NHS (National Health Service) COVID-19 application that provides made-up check-in verification without any tracking data synced to a government system. A similar trend is happening in Australia, where links for downloading fake check-in apps are circulating on the web and in mobile messaging groups to circumvent existing contact tracing measures.
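
What a fictitious reading actually defeats is the check a scanning app is supposed to perform: a certificate inside a QR code can only be accepted after its signature has been verified against a trusted issuer key, and a forged or edited payload fails that check. The Go program below is an added illustration, not code from this page, from BlackBerry, or from any government scheme. It uses a simplified certificate format of its own (the hypothetical issuer identifier "health.example", Ed25519 signatures and the field names shown are all assumptions) and constructed sample data; real schemes specify their own encodings and key distribution.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Certificate is a simplified vaccination-certificate payload constructed for
// this example; real schemes use their own encodings and field names.
type Certificate struct {
	Issuer   string `json:"iss"` // hypothetical issuer identifier, e.g. "health.example"
	Subject  string `json:"sub"`
	Vaccine  string `json:"vac"`
	Doses    int    `json:"dn"`
	IssuedAt int64  `json:"iat"` // Unix seconds
	Expires  int64  `json:"exp"` // Unix seconds
}

// TrustList maps issuer identifiers to their signing public keys. A real
// verifier fetches and pins this from a trusted source; here it lives in memory.
type TrustList map[string]ed25519.PublicKey

var enc = base64.RawURLEncoding

// Encode is the issuer's side: serialise the certificate, sign the exact bytes,
// and pack payload and signature into the string that goes inside the QR code.
func Encode(priv ed25519.PrivateKey, c Certificate) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verify is what a scanning app must do: accept a token only if its signature
// checks under a key on the trust list and it is inside its validity window.
// An app that skips this can display "valid" for anything.
func Verify(trust TrustList, token string, now time.Time) (*Certificate, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	var c Certificate
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, errors.New("bad payload")
	}
	pub, ok := trust[c.Issuer]
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", c.Issuer)
	}
	// The signature covers the decoded bytes, so any edit to the payload
	// (raising the dose count, changing the name) invalidates it.
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature invalid")
	}
	if t := now.Unix(); t < c.IssuedAt || t > c.Expires {
		return nil, errors.New("certificate outside validity window")
	}
	return &c, nil
}

// Tamper models a forger who can read a genuine token but cannot sign:
// the payload is rewritten while the original signature is kept.
func Tamper(token string, modified Certificate) string {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return token
	}
	payload, _ := json.Marshal(modified)
	return enc.EncodeToString(payload) + "." + parts[1]
}

func main() {
	// Constructed sample data: one trusted issuer key and one rogue key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	trust := TrustList{"health.example": pub}
	now := time.Now()
	cert := Certificate{Issuer: "health.example", Subject: "Jane Doe", Vaccine: "EXAMPLE-1",
		Doses: 2, IssuedAt: now.Add(-time.Hour).Unix(), Expires: now.Add(24 * time.Hour).Unix()}

	genuine, _ := Encode(priv, cert)
	fake, _ := Encode(roguePriv, cert) // signed by a key no verifier trusts
	cert.Doses = 3
	tampered := Tamper(genuine, cert) // genuine signature, edited payload

	cases := []struct{ name, tok string }{{"genuine", genuine}, {"rogue key", fake}, {"tampered", tampered}}
	for _, tc := range cases {
		_, err := Verify(trust, tc.tok, now)
		fmt.Printf("%-10s -> %v\n", tc.name, err)
	}
}
```

Run it and the genuine token verifies while the rogue-key and tampered tokens are rejected. Two caveats matter in practice: the in-memory trust list has to become a pinned, updatable list of issuer keys, and no amount of signature checking helps if the venue itself is running a fake verifier app, which is why the distribution channel of the scanning app matters as much as the certificate format.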

Cybercriminals can also widen their reach by setting up fake email addresses and phone numbers purporting to belong to a legitimate government agency or healthcare institution, inviting individuals to apply for a vaccine certificate in countries such as the UK and India.

Simply put, threat actors are leveraging the demand for vaccine passports to illicitly obtain information, hijack accounts and sell personally identifiable information (PII) using their old tricks. As vaccine passports are expected to become a permanent fixture of travel and venue access, failing to detect and stop these threats can hinder a government’s ability to slow the spread of the virus and opens a new underground market for cybercriminals to exploit for illicit gains.

Looking at mobile security to safeguard vaccine passport data

While the vaccine passport applications being developed by governments will likely be secure, there is the risk of users falling victim to other malicious applications that they may have inadvertently installed on their mobile devices.

Because mobile devices are now a staple of both personal and business activity, with more people having transitioned to working from home, it is critical for employees and businesses to prioritize mobile security, whether the device is company- or employee-owned. Mobile malware is increasingly common and could allow threat actors to access sensitive PII stored in a vaccine passport application on an infected device. In most cases, simple measures provide improved protection and promote cyber resilience:

  1. Users should be more vigilant about the links they open and the applications they download, checking the legitimacy of the source and exercising caution when sharing PII online. Where possible, a mobile threat defense or antivirus solution running on the device, which can detect malicious activity attempting to reach that information, adds a further layer of defense.
  2. Businesses should implement a zero-trust security strategy that continually verifies each user and device and limits access to critical assets.
  3. Governments and developers of mobile applications, particularly those for vaccine passports or for collecting vaccination data, need systems in place to ensure the security and privacy of that data as wide-scale rollouts gather pace in the months and years ahead.

Final thoughts

While the future of travel remains uncertain, countries around the world are looking at vaccine passports as the ‘door opener’ for a return to normality and the revival of the global travel and tourism industry. At the same time, threat actors know that exploiting the pandemic has been a very lucrative activity over the last 18 months. Individuals are also more susceptible to cybercrime during a time of uncertainty, and cybercriminals are leveraging that vulnerability to pivot their attacks.


From a technological perspective, the successful implementation of any vaccine passport scheme rests on some basic principles: it must be privacy-preserving and secure by design. Failing at this risks a further setback to the recovery that we are all so ready to embrace.


Director of Engineering at BlackBerry