The introduction of Covid travel pass schemes could unravel if measures are not taken to combat the threat of fake vaccination and counterfeit test certificates that are increasingly being sold on the Darknet and via the messaging app Telegram.
While African countries are yet to adopt the planned Covid passport schemes of the European Union (EU) and UK, which will provide a certificate in the form of a QR code or as a paper document, to show if a traveller is vaccinated, immune to the coronavirus or has a negative test result, there are various mobile digital initiatives being taken into consideration in the region to validate Covid requirements for international travel.
For example, the International Air Transport Association’s (IATA) mobile travel pass, which stores and manages travellers’ verified certifications for Covid-19 tests or vaccines on a mobile app, has been trialled by Ethiopian Airlines and RwandAir. The African Union and Africa Centre for Africa Centre for Disease Control and Prevention (CDC) have also been piloting the Trusted Travel Pass programme in member states, which allows passengers to upload their Covid-19 test and vaccine results to an online portal to receive a QR code for travel.
In addition, some countries are requesting digital copies of Covid test results from the apps of accredited pathology labs, as Pankaj Bhula, regional director: Africa at Check Point Software Technologies, explains.
“During a recent trip to Kenya, a passenger was not permitted to board our flight after failing to produce a soft copy of their Covid-19 test results. The passenger had produced a physical copy of a Covid-19 test result and when local authorities asked to see the report digitally, the gentleman refused. Upon investigation, it was found that the physical copy of these results was forged.”
Without a global unified approach to verifying the validity of certificates, and the large number of apps being used for following Covid protocols for travel, the fragmented rules and ambiguity play into the hands of hackers and fraudsters, according to Check Point Research (CPR).
CPR has discovered a 500% increase in the number of forged certificate vendors from March to May, showing that the demand to evade inspections is high as travel restrictions are being lifted due to the increase in vaccinations. Customers could be either people who have tested positive, refused to take a test, or are unwilling to have the vaccine. It could also be down to the exploitation of innocent users looking for information and guidance, who are lured to fraudulent or suspicious domains, thinking they are genuine.
Travellers need to be wary of misspelled websites and only install verified apps from official sources. They should also be wary of QR codes themselves, as they can serve as a gateway to information stored on the device. Hackers replace legitimate QR codes with one that launches a malicious URL or tries to download customised malware when scanned. The malicious code can then steal the login credentials used for other apps on the user’s phone – such as banking and retail apps – and even make payments.
“We urge governments to come together and act quickly to combat the increased sales of fake certificates on Telegram and the Darknet. Without a central system, it becomes much easier for hackers and fraudsters to fall through the cracks,” says Bhula. “Individuals must also remember that a QR code is nothing more than a quick and convenient way to access a website link; a link that in many cases they don’t even see.
“It is not possible, therefore, to be certain that the resource is legitimate, and an attack could have already started. While countries and organisations will aim to ensure digital travel pass schemes are safe and secure, hackers will always evolve to exploit new opportunities, and so we strongly advise everyone to use a mobile security solution that will protect their devices and data against phishing, malicious apps and malware.”