The following article has been published exclusively with the intentions of being used for education and training purposes. The author (Luke Labenski), War Room Blog, and RSM do not condone nor approve the usage of the information provided below for malicious purposes. Fraud and forgery are punishable by law and can be met with significant jail time as well as fines.
It is inherently impossible to please everyone, especially when it comes to developing protocols and documentation regarding public safety that impact the health of individuals. No matter your opinion on the proposed introduction of required vaccines by states throughout the country, the push for such a mandate presents a risk as old as documents themselves – forgery. Forgoing political and social views on the legislation surrounding the COVID-19 vaccine requirements, it became apparent to me that the lack of centralized documentation around an individual’s vaccine status was going to be an issue. As vaccines need to be distributed quickly and in massive quantities, the development of such a backend record was simply not feasible. In addition, the transparency of social media and the option to order cards for medical clinics online provides and individual with all of the information required to produce passable vaccine cards from the comfort of your own home printer.
The Catalyst for Fraud
While the Center for Disease Control and Prevention (CDC) and the Department of Health and Human Services (HHS) prioritized the safe and rapid distribution of vaccines to citizens, the ability to develop adequate watermarking and special printing for these cards was not a primary concern. Ultimately, it was decided that vaccine cards were to be printed double sided on plain cardstock. The only identifying marks on these cards would be the CDC and HHS’s crests in the upper right corner, which realistically are not complex enough to dissuade even the laziest of criminals with access to a search engine. However, even these crests were made entirely obsolete, as a sample card image was published in full resolution to the CDC’s website.
During the height of the initial vaccine push, the HHS, in partnership with the CDC, published the following images onto their website along with the exact dimensions of the cards. This was done to provide medical clinics with the ability to order vaccination cards quickly and efficiently for individuals who received their initial doses of the vaccines. However, whether the risk was deemed too insignificant, or whether it was just an oversight from the department, the images provided fodder for what proved to be among the simplest cases of identity fraud and forgery that the healthcare industry has ever seen.
Watermarked COVID Vaccination Record Cards via the CDC Webpage
Upon seeing these images, I was immediately curious in the same way that many cybersecurity professionals are when seeing a door to a server closet wide open in front of them. Within 35 minutes of downloading the CDC provided images, I managed to successfully produce an exact replica of my own vaccine card, complete with CDC stamp and perfect sizing, thanks to their open listing.
Spoofed COVID Vaccination Card
Social Media’s Influence on Identity Theft
The only remaining step in successfully forging this card would be to obtain lot numbers and their corresponding dates for vaccines. This proved to be the easiest step out of the entire process, as before I could set up a Twitter image scraper, a quick search for “vaccine card” sorted by “images” gave way to hundreds, if not thousands of results. I was able to successfully identify pictures of individuals on social media displaying their vaccination cards, some covering their name but leaving the lot numbers and dates wide open, while others chose not to cover anything at all.
An Individuals Vaccination Card Acquired via Social Media
Spoofed Vaccination Card Printed. Author DOB and Lot Number Obfuscated
The entire process, from start to finish, took approximately two hours and left me with a card identical to my own, but with lot numbers from someone I had never met before. The simplicity in which these cards are designed has baffled me, as I question the level of serious merit put into the agreed-upon proof of vaccine. This is especially true for those who do not carry their card around with them, instead only using a picture as evidence of vaccination; this effectively adds another layer of obfuscation, as one cannot physically check weight and paper-feel. Imagine trying to decipher two identical looking $100 bills by photograph only, impossible for even the sharpest of eyes. In the future, I imagine that there will be some method of authentication beyond an easily reproducible paper card. However, the issue of a Twitter user posting their lot numbers online still remains, and indicates just how security-adverse many end users are. If nothing else, I took this as a metric of how incredibly important just a small amount of user training can be in preventing phishing attacks on end users through the data they post on social media.
This article was written by RSM Risk Consulting Associate Luke Labenski