India's Tryst with Fake RT-PCR reports and Why regular QR doesn’t help

As per reports, over 100 tourists were caught with counterfeit RT-PCR test reports in Uttarakhand, India. Not long ago, we had written a blog post about a massive breach in the same state with an article titled - What! 1,00,000 fake COVID-19 test certificates that went undetected

TOI article

Even as some states enforce strict RT-PCR test requirements for admission, people across the country are now resorting to editing old RT-PCR test reports or creating entirely new ones on their laptops. To curtail fake RT-PCR reports, the government recently made it mandatory that all test reports must come with a QR code so that the test results can be verified electronically.

But with countless free PDF editors and QR code generators available online, a fake report can be created in minutes. And if someone doesn’t know how to create one, any roadside cyber cafe can help make one for as little as Rs 200.

The use of non-secure QR codes in RT-PCR tests

The RT-PCR verification system with regular QR codes has inadvertently built-in loopholes that bad actors take advantage of. Even though producing fake RT-PCR reports is a punishable crime according to the law, it has not stopped the generation of RT-PCR reports which can be tampered with at will, as also the creation of totally fake reports. This is because the system to create & verify such regular QR codes is open to manipulation.

Is penny-wise pound-foolish on the part of even established laboratories?

While secure QR code technologies were already available, the possibility of saving a few rupees or possibly ignorance had possibly caused the labs to go in for non-secure QR code systems, which has been taken advantage of.

Standard QR codes have little or no security. So it is not surprising that the bad actors resorted to creating PDF files of RT-PCR tests without any consideration for the consequences in terms of spread of the virus. In fact sometimes it maybe easier to fake reports from established labs to give the impression of authenticity. This causes a lot of damage to the credibility and reputation of even such established labs.

Does a centralised QR code system alone help?

Since thousands of geographically dispersed labs generate Covid reports, it’s impossible to have a centralised QR code generation system unless it’s run by the government or health authorities and all the labs log on to a common platform to generate. For Vaccine certificates, usually, the health ministry runs the program; hence centralised certificate generation with QR is possible. In any case, the discussion is about having a secure vs non-secure system. URL based QR codes have two fundamental problems - QR phishing and the fact that regular QR scanners, while scanning the codes, also capture private and confidential information, which can be leaked to servers across the world without the knowledge of the person concerned.

And then one has to consider unstable internet connection or even air-gapped environments with no data connectivity

The current mechanism, even in the case of URL redirected QR codes, is that the standard scan of the URL is difficult with an unstable internet connection or in an air-gapped environment.

Another aspect to consider is that very few officials at airports are actually scanning the QR code on the RT-PCR test reports. This is because the airline staff or airport authorities need to use their mobile or smartphone with a reliable internet connection to scan it and they may simply not be doing it. In such a situation, it is hard to determine the authenticity of PDF reports by merely looking at them. A secure QR code solution can work in offline mode with the use of a dedicated app to verify the authenticity of the information within it.

Issues with verification of RT-PCR reports in the current set up

• There is no centralised website to check RT-PCR test reports for authenticity.

• In most cases, if you scan the QR code on the report, it simply opens the digital copy of the same report.

• There should be a proper mechanism - either an app/ website for the end-users to check the authenticity of their tests.

Eight reasons why Secure QR Codes is the correct QR code solution

1. While a Secure QR code looks like a regular QR code for the naked eye, it differs significantly in terms of the security it provides.

2. A secure QR code can be either printed or produced as an e-certificate. In both forms, a secure QR code certificate is tamper proof, easily verifiable and trustworthy and offers a far higher level of security.

3. Secure QR offers a similar level of security as a blockchain implementation at a fraction of its cost.

4. Secure QR offers a simple, easy, and affordable mechanism for the issuer to issue a tamper proof certificate.

5. Secure QR code makes it easy for the verifier to verify offline where there is no internet or where the internet environment is unstable.

6. Secure QR codes have higher embedded security compared to URL based QR codes - no QR phishing and no leakage of personal data.

7. It maintains information integrity without the need for database connectivity.

8. These certificates can be revoked/updated for scenarios where this is needed (though this feature comes with a special type of Secure QR code called EDC codes that will require data connectivity for verification).

Unless the QR code is made secure at the source (secure QR code), bad actors will take advantage of its simplicity and lack of security in their malicious intent to either create fake documents or tamper them by replacing them with their own ’new QR code’ which would defeat the very purpose of preventing manipulation of such documents.

Here is an image of a lab certificate with a secure QR code solution

Sample Lab report with Secure QR Code

You may also be interested in -

• Fake Covid Certificates and Health Passes Easily Available on Social Media Platforms
• Hybrids in QR Code – a reality with HDC
• What! 1,00,000 fake COVID-19 test certificates that went undetected?