FILE PHOTO
September 09, 2021 - 6:00 AM
Now that B.C. residents can obtain their vaccine cards, they may be wondering just how secure they are.
Pretty secure, according to Tony Anscombe, Chief Cybersecurity Expert with ESET, an international company specializing in digital security.
“All software has vulnerabilities,” he told iNFOnews.ca from San Francisco. “It’s impossible for somebody to turn around and say, yes a system is 100 per cent secure.”
He used the example of the Quebec vaccine passport, which is similar to the B.C. model, that had a glitch in the app that allowed hackers to upload fake QR codes into the app. The was quickly fixed, Anscombe said.
There was also a problem where QR codes from some politicians were accessed.
READ MORE: Quebec defends vaccine passport system after politicians' QR codes allegedly hacked
The thing about the B.C. system is that, even if someone was to get ahold of a QR code, it provides very little information.
The display on cell phones only contains a person’s name, date they got the card and whether they are fully vaccinated, partially vaccinated or there is no record of them being vaccinated in B.C.
That’s a good thing because it doesn’t contain enough information to do anyone much good.
The downside is, without a date of birth on the card – as is done by some jurisdictions – someone with the same name can use it, even if they’re not vaccinated, Anscombe said.
READ MORE: Here’s how to get your B.C. COVID-19 vaccination card
People will have to show government issued photo ID along with the vaccine card to get into certain venues.
By not having a birthdate, that makes it harder to verify ID but the downside is that matching birth dates on the two pieces of ID is time consuming.
In some venues, like sporting events or large restaurants where workers are busy, it’s more likely they would skip that step anyways, Anscombe said.
Some vaccine passports also say what type of vaccine was administered and on what date. That opens the door for someone, say at a restaurant, to take a photo of the passport instead of a scan then match that with the email address that was used in make a reservation to start a phishing effort to gain more personal information.
Again, the lack of such information of the B.C. card is a plus.
“The best system I’ve seen is actually from a supermarket pharmacy in the U.S.,” Anscombe said. “The QR code was in real time. When somebody scanned your QR code it then sent a text message to the person whose QR code it was and asked them for authentication: ‘Somebody is scanning your QR code. Are they permitted to see your status?’”
While the B.C. system seems quite secure – even if someone could hack into a phone they could only access vaccination information since vaccine databases are kept separate from general health records – things could change over time.
If, for example, B.C. decided that people needed to get a booster shot and chose to allow people to schedule those shots through the vaccine app, that could open the door to more information being available, Anscombe said.
As for whether the Government of B.C. could use the app to track who attended a certain event, that’s unlikely he said.
“If you go to a concert, when they scan your QR code, does that mean they’re recording that you’ve been to this concert?” Anscombe asked. “If your government started collecting data on where you’ve been for contact tracing purposes it might be useful as long as it’s on a very temporary basis. To my knowledge, I haven’t seen anybody collecting any location or things like that.”
Besides, he pointed out, in Canada, governments have to have explicit consent to do such tracking.
To contact a reporter for this story, email Rob Munro or call 250-808-0143 or email the editor. You can also submit photos, videos or news tips to the newsroom and be entered to win a monthly prize draw.
We welcome your comments and opinions on our stories but play nice. We won't censor or delete comments unless they contain off-topic statements or links, unnecessary vulgarity, false facts, spam or obviously fake profiles. If you have any concerns about what you see in comments, email the editor in the link above.
News from © iNFOnews, 2021