Covid vaccination status can be faked in minutes in Service Victoria app, developers warn – The Guardian Australia

As state trials new system using animated holograms, experts say federal government should have used an international standard format with a digital signature
Last modified on Wed 13 Oct 2021 02.48 BST
Developers say it takes just minutes to fake vaccination status through the Service Victoria app, as the state trials the new system ahead of lifting lockdown later this month.
When the state reaches its 70% double-dose vaccination target, fully vaccinated people will be able to enjoy new freedoms such as going to the pub or cinema, getting a haircut and attending weddings or funerals.

On Monday, the Victorian government launched an update to the Service Victoria QR code check-in app, which allows users to share their Covid-19 vaccination certificate via the Medicare Express app or MyGov account with the app.
Once enabled, a person’s vaccination status appears when they check in to a venue, along with an animated hologram of the Victorian government logo.
The animations are one of the security measures the Victorian government has used to stop people presenting fake versions to access venues that do not allow unvaccinated people.
However, software developer Jim Mussared was one of several developers who were also able to fake the vaccination status in the Service Victoria app in less than 10 minutes.
Sign up to receive an email with the top stories from Guardian Australia every morning
Mussared said the process was “really simple”. Others had also managed to build their own version of the app from the ground up, complete with recreating the hologram animations upon check-in.
Mussared said it showed the need for verification using digital signatures.
“The key point is that apps cannot be trusted. Triangles, animated effects, etc, can always be faked or forged, often very quickly,” he said. “Much more so than the physical equivalent.”
He said the failure was the result of the federal government not using an international standard format with a digital signature in all forms of the vaccine certificate.
Software developers have previously worked out how to fake the vaccine certificate in the federal government’s Medicare Express app.
A spokesperson for the Victorian Department of Premier and Cabinet said the state was trialling proof of vaccination through the Service Victoria app in regional Victoria and would not take lightly any attempts to forge vaccination status.
“Fraud is a criminal offence, one that both state and federal governments take very seriously.”
New South Wales exited lockdown on Monday, but the state has yet to launch its updated Service NSW app that includes vaccination status, with trials in regional areas only beginning this week.
🔹First Look

This is the VaxPass.

1. It’s in testing phase now.

2. In the next few days we will undertake closed pilots in some regional areas.

3. At this stage we are still on track for statewide roll-out on 18 October…
Service NSW will allow businesses to verify a customer’s vaccination status through the “check a licence or credential” function on the Service NSW app which will allow them to scan a QR code on a customer’s digital certificate to ensure it is valid.
Ultimately, however, using the Service NSW app to verify vaccination status is optional, and people can otherwise choose to present their Medicare Express app, the certificate through their wallet app on their phone, or a paper certificate from the Australian Immunisation Register.