Fake health passes in names such as Adolf Hitler or SpongeBob SquarePants have been on the rise for days. European countries have withdrawn poorly protected cryptographic keys, and French and Polish authorities have begun an investigation.
“We are well aware of the fraudulent handling of the QR code of the European Covid certificate,” a European Commission spokesman told AFP on Friday.
Since Wednesday, some Internet users have claimed that forums and social networks contain secret cryptographic keys used to generate the correct QR code for the European Health Pass.
This code contains the identity of the holder and information about his vaccine status or immunity.
As evidence, these users have created valid codes with imaginary names like Adolf Hitler or SpongeBob.
However, the private encryption keys have not been compromised, the European Commission assured AFP, ruling out a technical failure and instead condemning “illegal activity”.
In some cases, it says, “certificates were created by people with valid credentials to access national information technology organizations.”
But according to experts, Internet sites, including North Macedonia's (a country outside the EU, but integrated into the European Health Organization since August), lack the most basic security and generate many fraudulent codes.
“Every country has one or more signatures, and in each pass we find the key that signed it,” Gaëtan Leurent, a cryptography researcher at the National Institute of Scientific and Technical Research, explained to AFP.
For the system to work, all the servers used to sign the pass must be properly protected. “If a service is open and anything is signed, in practice it is the same thing,” he said.
To address the shortcoming, member states of the eHealth Network – public health across the EU – have agreed that “to prevent two fraudulent certificates, they will be considered invalid through verification applications.” The Macedonian portal was also disabled.
In France, the TousAntiCovid Verif application was updated Thursday morning.
The eHealth Network will work to “improve invalidation and revocation systems so that such events can be made more expeditious”.
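The verifier-side logic described above, as an added example that is not code from any health pass application: each pass names the key that signed it, a signature only proves which service signed the data, and a single pass can be blocked without withdrawing the whole key. The key ids, pass layout and sample holders are constructed, and HMAC-SHA256 stands in for the real signature scheme so that the example runs on the standard library.

```python
import hashlib, hmac, json

# Constructed keys. HMAC-SHA256 is a stand-in for a public-key signature;
# a real verifier would hold only the issuers' public keys.
TRUSTED_KEYS = {"FR-1": b"constructed-fr-key", "MK-1": b"constructed-mk-key"}
WITHDRAWN_KEYS = set()   # key ids removed from the trust list
BLOCKED_PASSES = set()   # identifiers of individual passes declared invalid

def _payload(p):
    # Canonical bytes of the signed data
    return json.dumps(p["data"], sort_keys=True).encode()

def issue(key_id, data):
    # A signing service signs whatever data it is handed
    p = {"kid": key_id, "data": data}
    p["sig"] = hmac.new(TRUSTED_KEYS[key_id], _payload(p), hashlib.sha256).hexdigest()
    return p

def pass_id(p):
    return hashlib.sha256(p["kid"].encode() + _payload(p)).hexdigest()

def verify(p):
    key = TRUSTED_KEYS.get(p.get("kid"))
    if key is None:
        return "unknown key"
    if p["kid"] in WITHDRAWN_KEYS:
        return "key withdrawn"
    expected = hmac.new(key, _payload(p), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p.get("sig", "")):
        return "bad signature"
    if pass_id(p) in BLOCKED_PASSES:
        return "pass blocked"
    return "valid"

def demo():
    WITHDRAWN_KEYS.clear(); BLOCKED_PASSES.clear()
    honest = issue("MK-1", {"name": "Constructed Holder", "doses": 2})
    bogus = issue("MK-1", {"name": "SpongeBob SquarePants", "doses": 2})
    tampered = dict(honest, data={"name": "Someone Else", "doses": 2})
    results = [verify(honest), verify(bogus), verify(tampered)]
    BLOCKED_PASSES.add(pass_id(bogus))   # invalidate one pass only
    results += [verify(honest), verify(bogus)]
    WITHDRAWN_KEYS.add("MK-1")           # withdraw the key itself
    results += [verify(honest), verify(bogus)]
    return results

if __name__ == "__main__":
    print(demo())
```

The bogus pass verifies as valid until it is blocked, because the signature check says nothing about whether the signed data is true; withdrawing the key afterwards also invalidates the honest pass signed by the same service.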
The case is not completely closed because the origin of some fraudulent health passes remains a mystery. A vaccine certificate in the name of Mickey Mouse appears to have been signed by French officials, while others may have been signed by Polish services, possibly in collusion with health professionals.
The European Commission says both countries have launched an investigation. When contacted, however, the Directorate of Health could not immediately confirm this.
In September, QR codes of the real health passes of Emmanuel Macron and Edouard Philippe were circulated on social media: in the first case, according to the health insurance, caregivers had consulted the president’s vaccine file; in the second, internet users had scanned the code from a magazine photo.