The digital vaccination certificate is here. And as always: be careful with sensitive health data. Spreading the digital replacement for the yellow vaccination booklet online may help fraudsters.
The same applies to the digital vaccination pass, which also applies to the yellow booklet: Don’t just show it everywhere – and don’t share it on social media or send screenshots. The reason: The QR code can be easily imported into the Corona warning app or CovPass app on other phones. Third parties could come into possession of valid vaccination certificates.
This is what Holger Bleich from the specialist magazine “c’t” says, for example. There are already users on Twitter who draw attention to this. However, experts give the all-clear: Security expert Manuel Atug from the Chaos Computer Club (CCC) points out that the system only works in conjunction with users’ ID cards anyway:
Controls can be incomplete
In order to check the digital vaccination status of a user, dealers, restaurant operators or event organizers can use the CovPassCheck app to scan the user’s QR code in the CovPass app or the Corona warning app. The CovPass-Check-App can be recognized by the white app symbol with a blue sign – in contrast to the CovPass app with a blue symbol and a white sign. More about the system read here.
Bleich from “c’t ‘” also points out that copies and forgeries are noticed when comparing them with the check app and a photo ID. However, the question is how important this is taken at individual points with the control. Users on Twitter also warn against lax controls. That is why Bleich’s advice is to use the certificate for official occasions such as traveling or for border traffic.
In everyday life it is sometimes helpful to ask skeptical questions: “If someone checks the vaccination status at the beer garden, I would be shown that this is really the check app,” says Bleich.
QR code contains personal data
However, there are other reasons why you should avoid sharing the QR code of your digital vaccination certificate online. With the help of the freely available CovPassCheck app, anyone can scan this code and get personal data: In addition to the vaccination status, examiners can also see the first and last name and date of birth.
That sounds like little information, but such personal data can be enough to get further information from users – for example the address – and thus to commit identity theft.
The Federal Office for Information Security advises on its website to “keep the date of birth” secret if possible. And Christian Lueg, security expert at Eset says: “A first and last name as well as a date of birth open the door to identity theft for criminals. This information is enough to check the creditworthiness of your victim and to abuse it for commercial credit fraud. Internet users should be economical with it Handle your data and always think carefully about what you want to disclose and where. “
– .
