Fake Check-Ins And False Vaccine Certificates Are On The Rise In Australia
The pandemic is highlighting how the cracks in our digital systems can be used against us.
Vaccination fraud and fake check-ins are on the rise in Australia. And while one involves software that allows fraud, the other is another glitch in a system created by the Australian Government — and both could provide the opportunity for people to sidestep COVID health regulations that limit the spread of the virus as we return to a version of normality.
Recently The Guardian reported that fake check-in apps were circulating on the encrypted messaging system, Telegram, among anti-lockdown and COVID-19 conspiracy groups. According to the publication, the apps allow the user to enter their name and check-in venue to create a confirmation screen that mimics that of the official State Government check-in apps. The apps can create faux check-in confirmations for NSW, Victoria and Queensland, and of course, they don’t forward the user’s information to a government agency.
Dr Shaanan Cohney, Senior Lecturer from Melbourne University, told Junkee that fundamentally, there’s a problem with the way the apps are designed. “If the only way you’re verifying a check-in or a vaccination certificate is by looking at something quickly on a user’s screen, you’re always going to have problems,” said Cohney.
Dr Cohney notes the immense urgency surrounding these apps at the time of development, “which probably meant the thought in the app design left security as an afterthought, and primary functions such as the contact tracing came first.”
“This is a fairly common phenomenon…When you don’t design your apps with people who might misuse it in mind… [it] makes it very difficult to retrofit security later on. And I think that’s what we’re seeing here,” Cohney added.
The Guardian found the links to the fraudulent check-in apps being promoted in six anti-lockdown groups totalling almost 15,000 members.
Vaccine Certificates Are Also Vulnerable
This should not be anywhere near this easy to fool (I’m not vaccinated.. yet) pic.twitter.com/faTQws7XhX
— Richard Nelson (@wabzqem) August 18, 2021
The issue was highlighted on Twitter, though the loophole itself has been withheld so as not to popularise the fraud. A software developer called Richard Nelson was mucking around on the Express Plus Medicare app when he found a loophole that allowed him to create a vaccine certificate even though he hadn’t been vaccinated. The forged certificate can include a name and date of birth, along with the authentication animation.
“This particular kind of vulnerability normally stems from a lack of cryptographic protections that ensure the integrity, the authenticity of data being received,” explains Dr Cohney.
Nelson told the ABC he has attempted to share the information and loophole with the Government several times but has not heard back. Solving the issue would require an update to the Medicare app, says the ABC. Additionally, the Prime Minister has reportedly flagged that the vaccine certificate will be overhauled in October.
These are not the first flaws in the digital systems that we have turned to or quickly created during the COVID-19 virus outbreak.
The COVIDSafe app was infamously unpopular and riddled with flaws. It didn’t work on an iPhone when the screen was locked, and, according to The Saturday Paper, provided the ability to take over someone’s phone via Bluetooth.
This is the first pandemic that has strongly relied on digital devices to help manage the outbreak, establishing whole new behaviours in the general public. Many of us now don’t give a second thought to checking into each and every shop, cafe and cab we get into. In February 2020, the very thought would have been alien.
And the necessities of the pandemic are very easily highlighting cracks in our digital systems that can be used against us.