• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

War Room

Shells from above

RSM logo

  • Home
  • About
  • Blog
  • Talks/Whitepapers
  • Tools
  • Recreation
Home > Uncategorized > Counterfeit COVID-19 Cards? An Analysis of Vaccination Record Security

Counterfeit COVID-19 Cards? An Analysis of Vaccination Record Security

September 7, 2021 By Jonathan Slusar

The following article has been published exclusively with the intentions of being used for education and training purposes. The author (Luke Labenski), War Room Blog, and RSM do not condone nor approve the usage of the information provided below for malicious purposes. Fraud and forgery are punishable by law and can be met with significant jail time as well as fines.

It is inherently impossible to please everyone, especially when it comes to developing protocols and documentation regarding public safety that impact the health of individuals. No matter your opinion on the proposed introduction of required vaccines by states throughout the country, the push for such a mandate presents a risk as old as documents themselves – forgery. Forgoing political and social views on the legislation surrounding the COVID-19 vaccine requirements, it became apparent to me that the lack of centralized documentation around an individual’s vaccine status was going to be an issue. As vaccines need  to be distributed quickly and in massive  quantities, the development of such a backend record was simply not feasible. In addition,  the transparency of social media and the option to  order cards for medical clinics online provides and individual with  all of the information required to produce passable vaccine cards from the comfort of your own home printer.

The Catalyst for Fraud

While the Center for Disease Control and Prevention (CDC) and the Department of Health and Human Services (HHS) prioritized the safe and rapid distribution of vaccines to citizens, the ability to develop adequate watermarking and special printing for these cards was not a primary concern. Ultimately, it was decided that vaccine cards were to be printed double sided on plain cardstock. The only identifying marks on these cards would be the CDC and HHS’s crests in the upper right corner, which realistically are not complex enough to dissuade even the laziest of criminals with access to a search engine. However, even these crests were made entirely obsolete, as a sample card image was published in full resolution  to the CDC’s website.

During the height of the initial vaccine push, the HHS, in partnership with the CDC, published the following images onto their website along with the exact dimensions of the cards. This was done to provide medical clinics with the ability to order vaccination cards quickly and efficiently for individuals who received their initial doses of the vaccines. However, whether the risk was deemed too insignificant, or whether it was just an oversight from the department, the images provided fodder for what proved to be among the simplest cases of identity fraud and forgery that the healthcare industry has ever seen.

Watermarked COVID Vaccination Record Cards via the CDC Webpage

Upon seeing these images, I was immediately curious in the same way that many cybersecurity professionals are when seeing a door to a server closet wide open in front of them. Within 35 minutes of downloading the CDC provided images, I managed to successfully produce an exact replica of my own vaccine card, complete with CDC stamp and perfect sizing, thanks to their open listing.

Spoofed COVID Vaccination Card

Social Media’s Influence on Identity Theft

The only remaining step in successfully forging this card would be to obtain lot numbers and their corresponding dates for vaccines. This proved to be the easiest step out of the entire process, as before I could set up a Twitter image scraper, a quick search for “vaccine card” sorted by “images” gave way to hundreds, if not thousands of results. I was able to successfully identify pictures of individuals on social media  displaying their vaccination cards, some covering their name but leaving the lot numbers and dates wide open, while others chose not to cover anything at all.

An Individuals Vaccination Card Acquired via Social Media

Spoofed Vaccination Card Printed. Author DOB and Lot Number Obfuscated

Conclusion

The entire process, from start to finish, took approximately two hours and left me with a card identical to my own, but with lot numbers from someone I had never met before. The simplicity in which these cards are designed has baffled me, as I question the level of serious merit put into the agreed-upon proof of vaccine. This is especially true for those who do not carry their card around with them, instead only using a picture as evidence of vaccination; this effectively adds another layer of obfuscation, as one cannot physically check weight and paper-feel. Imagine trying to decipher two identical looking $100 bills by photograph only, impossible for even the sharpest of eyes. In the future, I imagine that there will be some method of authentication beyond an easily reproducible paper card. However, the issue of a Twitter user posting their lot numbers online still remains, and indicates just how security-adverse many end users are. If nothing else, I took this as a metric of how incredibly important just a small amount of user training can be in preventing phishing attacks on end users through the data they post on social media.

This article was written by RSM Risk Consulting Associate Luke Labenski

Share this...
  • Reddit
  • Email
  • Facebook
  • Twitter
  • Linkedin

Jonathan Slusar

Primary Sidebar

Categories

  • Defense
  • Forensics
  • Offense
  • Physical
  • R&D

Most Viewed Posts

  • DLL Injection Part 1: SetWindowsHookEx 10.8k views
  • Sophos UTM Home Edition – 3 – The Setup 10.8k views
  • Leveraging MS16-032 with PowerShell Empire 10k views
  • Bypassing Gmail’s Malicious Macro Signatures 9.8k views
  • How to Bypass SEP with Admin Access 8.9k views

Footer

  • RSS
  • Twitter
  • Tools
  • About
  • RSM US LLP

+1 800 903 6264

1 S Wacker Dr Suite 800
Chicago, IL 60606

Copyright © 2023 RSM US LLP. All rights reserved. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit for more information regarding RSM US LLP and RSM International.