Warning of serious risks to air travel from fake COVID-19 test and vaccination certificates
With countries across the globe now requiring passengers to provide proof of a negative COVID-19 test prior to departure, there is a risk of fake COVID-19 test certificates undermining the sector’s efforts to limit the spread of the disease and open up air travel again.
Following the UK government’s decision to suspend all travel corridors, which came into force on 18 January 2021, passengers arriving in the UK were said to be faced with unprecedented scenes at London Heathrow Airport (LHR), with long delays, social distancing rules breached, altercations between passengers and border officials, £500 on-the-spot fines and passengers being refused entry to flights for holding invalid COVID-19 certificates.
The UK now requires that all arriving passengers provide verifiable proof of a negative COVID-19 test taken no more than 72 hours before departure to England.
CEO of VSTE Enterprises (VSTE), Louis-James Davis, has warned of the very real and serious threats facing airlines, airports and passengers from fake COVID-19 test certificates and vaccination record cards, social distancing breaches and the use of health passports with ‘unsafe’ QR code and barcode technology, which have to be scanned within close proximity. He also warned of the serious implications of potential data breaches using ‘unsecure’ code scanning technology in health passports.
There has reportedly been an alarming rise in the number of fake COVID-19 test certificates available on the black market, with instances of counterfeit negative test certificates in Brazil, France and the UK. Passengers who carry fake COVID-19 test results in order to travel undermine the sector’s efforts to limit the spread of the disease and open up air travel again.
The possibility of barcodes and QR codes being hacked is also a real issue and, therefore, any airline that considers using this form of authentication for COVID-19 testing risks a breach of passenger data.
In 2020, British Airways (BA) was fined a record £20 million for a 2018 data breach that affected the personal and credit card data of 400,000 of its customers. It now faces one of the biggest ever group privacy claims in UK legal history, as reported in the Financial Times.
According to VSTE, QR codes can be subject to a process called ‘attagging’, or ‘cloning’, in which a genuine QR code is replaced by a cloned QR code that redirects the person scanning it to a similar website where personal data can be intercepted and breached. In India alone, there are said to be over one billion fraudulent financial transactions each day using QR codes. Because the scanning user journey is the same, only tech-smart individuals may notice that the domain name has changed.
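The domain check that the last sentence leaves to the user's eye can be done by the scanning app before the link is opened. The following is an added example, not code from VSTE or from any health-passport product: it classifies the URL decoded from a QR code against an allowlist. The host health.example.org, the allowlist and the edit-distance threshold of 2 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts a genuine code is expected to point at.
EXPECTED_HOSTS = {"health.example.org"}

def _edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss host names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_qr_url(payload, expected=EXPECTED_HOSTS):
    """Return (verdict, host) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("reject: unparseable", "")
    if parts.scheme != "https" or not host:
        return ("reject: not an https URL", host)
    # "https://good.host@other.host/" shows the good name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return ("reject: userinfo in URL", host)
    try:
        # Convert Unicode host names to their ASCII (punycode) form so that
        # look-alike characters cannot pass a visual comparison.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return ("reject: invalid host name", host)
    if host in expected:
        return ("allow", host)
    if "xn--" in host:
        return ("reject: punycode host not on allowlist", host)
    for good in expected:
        if _edit_distance(host, good) <= 2:  # threshold is an assumption
            return ("reject: lookalike of " + good, host)
    return ("reject: host not on allowlist", host)
```

Only the exact allowlisted host over https is accepted; the lookalike verdicts exist so that a cloned code can be logged and reported rather than silently dropped.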