NYC’s New COVID Vaccine Passport Is Simply ‘Glorified Photo Storage App’, Critics Say







New York's COVID Safe app has confirmed these photos of a plastic rabbit, a cat in a box, and a bottle of lotion as vaccination cards.


Intrepid Gothamist reporters

Photos of cats, Mickey Mouse, even a takeout menu from a barbecue restaurant: New York’s COVID SAFE app users have found they can upload just about any photo in the new vaccine verification software.

Although the app only debuted this week, its vulnerabilities have come under scrutiny as the city announced a new policy requiring proof of at least one dose of a COVID-19 vaccine for entry to indoor dining rooms, gymnasiums and entertainment shows.

“The New York City app is nothing more than a glorified photo storage app,” said Brian Linder of cybersecurity research firm Check Point. He added: “When someone shows a photo of a card in this app, it is believed to be real, but there is absolutely no verification.”

City officials have said it is up to staff at restaurants, gyms and event spaces to verify the authenticity of images in the app, which is no different than bouncers checking driver’s licenses at local bars.

“The NYC COVID Safe app was designed with privacy in mind and allows someone to digitally store their CDC card and ID,” said Laura Feyer, spokesperson for Mayor Bill de Blasio, in a press release sent by email. “Someone checking immunization cards at the door of a restaurant or venue would see that these examples are not appropriate immunization cards and act accordingly.”

Other acceptable evidence of immunization status under city policy includes paper cards issued by the Centers for Disease Control or the state-run Excelsior Pass, which draws from a database based on blockchain technology. It is the same platform used to secure cryptocurrency transactions like Bitcoin. People vaccinated outside New York can show proof of vaccination from the affected state or country, de Blasio said earlier this week.

But the COVID SAFE app is creating an opening for a black market based on fake vaccine cards. While a bill criminalizing the falsification of vaccine records under state law now awaits the signature of Governor Andrew Cuomo, the opportunity for fraud is rampant on many levels.

“Protecting this process from fraud has never been more urgent, so that the health and safety of the public are not compromised by malicious actors using fraudulent vaccination cards or passports,” said State Senator Anna Kaplan (D.-Long Island), who introduced the bill in her chamber earlier this year. “The ‘Truth in Immunization’ bill that I drafted will serve as a powerful deterrent to prevent people from lying about their immunization status, and it must be enacted without delay.”

For example, the COVID Safe app’s use of photographic evidence depends on users submitting clear images of their cards. Friends who wish to bypass the system can simply share a valid card among themselves and hope that a bouncer doesn’t notice.

“I think it’s … very hard to read, especially if you take a photo and it can be blurry,” said Saoud Khalifah, CEO of Fakespot, which tracks down online retail scammers. “It’s just not a scalable solution.”

Fake vaccination cards flourished on the dark web, Etsy, and other online forums as the vaccine rollout began in the country.

“We saw this quite dramatically in the early days when these cards were for sale – you could pay anywhere from a few dollars to more to buy a real card, a physical card on a place called the dark web,” Linder said. “Today, again, you can use Photoshop to create one and load it into the [COVID SAFE] application.”

But the security of personal information can also be vulnerable on the apps themselves, Linder added, even with the Excelsior Pass built using IBM’s blockchain technology.

“Now you have personally identifiable information and an app that is neither verified nor verifiable, but creates a false sense of security, perhaps for a restaurant owner or even for someone at the airport or at the station or wherever,” Linder said.

Some potential Excelsior Pass users have also reported problems checking their immunization status, particularly if they received their doses from private doctors or pharmacies who may not have uploaded the correct information to the state network.

Khalifah said that the blockchain technology in the Excelsior Pass is also not as transparent as it could be.

“So generally blockchains are public. And they provide a place where you can get consensus between different computers around the world, and kind of an open platform,” he said. “In this case, it’s closed, and it’s private. And we don’t really know what’s going on behind the scenes.”

A request for comment from the state’s health ministry was not immediately returned on Friday.

The additional barriers to using the Excelsior Pass may cause people to use the city’s less reliable app instead, Linder added.

“If people can’t do it, or if they haven’t been vaccinated, they just use the New York City app, which is literally so easy to tamper with,” he said. “Why would anyone bother with a digitally fair, digitally verifiable app, when I can just upload a photo of what looks like my fake vaccine card into the New York app they’re using?”
