What! 1,00,000 fake COVID-19 test certificates that went undetected?

Uttarakhand is a tiny hill state in North India with a population just about the size of Sweden. It attracts almost a fifth of its population as tourists over four weeks, usually during the Kumbh Mela. The Kumbh Mela is extremely popular amongst the people of India and happens at defined intervals as per a religious calendar. Millions converge from all over the country for a holy dip in the River Ganges.

Kumbh Mela in the news

In 2021, during the congregation, the authorities had rightly insisted that COVID protocols be followed. Each visitor or entrant was supposed to carry a COVID-ve test certificate from an authorised testing laboratory. All authorised testing laboratories are ideally connected to the central ICMR database that maintains all COVID test results with an associated SRF (Specimen Referral Form) number.

Yet, the Indian Health Ministry was caught off guard when in mid-June, it ended up launching an investigation into the allegations that over 1,00,000 COVID-19 test reports for the Kumbh Mela were fake .

The criminal investigations apart, we want to discuss the reason for such fake certificates in such large numbers.

• A Global Phenomenon

• Flawed Technology Used By Issuer

• Lack Of Thought On Verification Environment or Ease of Verification

• The Way Forward

A Global Phenomenon

Such generation of fake certificates, as in Kumbh Mela, is not an isolated incident. From Cyprus to Bangladesh, fake COVID-19 test certificates are now a global phenomenon . The generation of fake COVID certificates is widely prevalent globally, and many instances of fraud have been detected across the world. In the past, there have been situations where planeloads of people were asked to return to their home country because of fake certificates or such fraud detected at border crossings. Why does this happen again and again and again? The answer possibly rests on two main factors .

Flawed Technology Used By Issuer

The first is what steps are being taken at the source (issuer) to ensure that the COVID test certificate generated is tamper-proof and authentic. Suppose the creation and generation of the certificate itself is not secure. In that case, bad actors will continue to tamper with these documents with impunity. The current system of having simple QR codes or codes that redirect to a URL is not the best method to ensure the security of the COVID test certificate. The reason is QR phishing and the fact that generic QR readers may suck information and pass them on to servers across the world and this sensitive and private information can then be misused.

Using Secure QR Code for Covid Certificte generation and verification

With Qryptal Secure QR code technology, the QR code generated at the source is secure and digitally signed by the private key of the issuer. It contains precise information that is required to be verified. In this case, it could be the individual’s identity and the result of the COVID test, along with any other reference information. In addition, this solution can work in a centralised generation environment, where laboratories across cities and provinces can generate a secure, tamper-proof QR code, usually issued and processed by a central authority or lab.

Lack Of Thought On Verification Environment or Ease of Verification

The verification method and it’s simplicity is even more critical. The third-party verifier would need to have quick and easy access to a system that would instantly validate a certificate with a simple scan – akin to a passport verification at the immigration counter. Except that in this case, the verifier might be in a remote location, off-grid, with or without internet access. In some cases, the verifier would not even be in the office and would be at a gate or an entrance. There are multiple issuers (labs and service providers) of these COVID reports and even more decentralized verification locations making the task more difficult and challenging.

Like all successful document security systems - a more straightforward, effortless, and quicker verification is the key to ensuring the document’s security & in having a properly working system which is embraced by all. With a Qryptal QR code, the verifier can scan the QR code using a government/ health authority approved app either on a smartphone or use a web validation mechanism where the device camera is used via the browser or the documents containing the QR code are uploaded as images or PDFs. So almost instantaneously, one would identify whether the test reports/certificates issued came from an authorised source and be able to verify it’s contents.

If a scanned QR code is not from the authorised or an authenticated source, the authorised app wouldn’t be able to read the QR code. In cases like the Kumbh, the authorities could have immediately identified the fake labs and quarantined the entry of those with tampered or forged COVID test certificates.

The Way Forward

Irrespective of the quantum of fraud - 10, or 100 or 100,000 cases – the way forward is –

1. The issuer must ensure certificate security features at source and issue non-tamperable digitally signed certificates, and

2. The verification must be made simple, quick, and practical to work in physical-digital formats and both in online and offline environment

Sample Antibody report with Secure QR Code

All this can be achieved with Qryptal QR code solutions which range from simple implementations to complex large enterprise implementations using either cloud or on-premise deployment and yet provide a seamless integration for the security of the certificates.

You may also be interested in -

• Digital Signing Certificate Management for generating EU Digital COVID Certificates
• 4 Questions to ask before any implementation of QR Codes for Covid Lab Reports
• Integrating document security into COVID Test Reports?