Under the name “Green Pass”, QR codes are to serve as a digital Covid Certificate for vaccinated, tested and recovered persons, not only in Austria but throughout the EU, and thus represent an official document. Nevertheless, anybody can easily issue such a Covid Certificate for themselves.
A QR code that contains only a link to a central, well-protected database is relatively secure. After all, authorities enter the data, and such a secure database can hardly be falsified from the outside.
But for data privacy reasons, this is not possible, so the query must be made offline. This means that all data needs to be contained directly in the QR code and that there is no data matching for verification.
So, as reported in ORF, you are supposed to “print out your own QR codes, photograph them or save them on your smartphone and – if asked – show them”. So there is no need for any other details like stamps, official annotations, etc. All you need is a printout or photo of the QR code. Any QR code reader app can be used for scanning at entrance tests.
QR codes have been around since the late 1990s.
Therefore, the encoding scheme and algorithms, and thus the creation of QR codes, are “open source”, i.e. publicly well known. Even Wikipedia has a detailed description, so anyone can produce a QR code free of charge with appropriate, freely available software, containing, for example, the “Covid Certificate” data. This takes less than two minutes.
Of course, you can include authentication features in this QR code, which have to be recognized by a “Covid Certificate App”, i.e. a special QR code reader. But with a real code at hand, it is very easy to put these features into a fake as well.
Anyone who thinks – like some of those responsible – that the risk of forgery is low and therefore justifiable is unfortunately wrong.
Although the digital Covid Certificate has not even been launched yet, there are already active offers for its forgery.
On Telegram, RTL discovered the trade among Corona deniers. Particularly easy to use is the app “Corona Green Pass Austria” from the dubious owner trueaustrian, who advertises via social media and WhatsApp. Here you just enter your data and you get the desired QR code.
For the search term “Covid Certificate forgery” there are already more than 500,000 Google results. TV and print media are also already reporting on it.
Sure, the advantages of QR codes are tempting: this solution is practical to use, requires little technical infrastructure and needs hardly any explanation for users.
In addition, the use of QR code technology is free of charge.
But in return, security against forgery falls by the wayside, which should actually be a no-go for an official certificate.
Modern data codes such as the Speech Code or the Japanese Uni Voice Code offer more complex algorithms that are not publicly accessible.
They are also particularly secure because the software used to create them is only available to vetted B2B customers.
This is why a Speech Code variant is included in the portfolio of the global player HID Global as a security feature for passports.
Scanning is just as fast as with a QR code and likewise works offline, and the associated app is available free of charge for iOS and Android in the app stores.
And what’s more, SpeechCode is also barrier-free thanks to its audio function!