Please see security expert comments below on vaccine passport security.
<p><strong>What security risks should governments keep in mind when progressing vaccine passports initiatives?</strong></p>
<p>There are a number of short-term risks that should be kept in mind along with some longer-term ones. Short term, the security of the applications being developed to support this effort needs to be built by design and not thought of after the application is released. Misuse cases (common attack vectors and tactics) need to be tested upfront and the application should be remediated as a result. Attackers have shown time and time again that they care about this data for multiple reasons and any application vulnerabilities will be used by them to access this data. Secondarily, you have the exchange of all of this data through various governments and third parties. This exchange and verification of data become crucial in any consideration of risk for digital vaccine passports.</p>
<p><strong>What can cybercriminals do with stolen vaccine passport data?</strong></p>
<p>This type of system makes it a big target for phishing as a vector to lure people into clicking or downloading an app that may or may not be malicious. Attackers have and will continue to set up fake apps and websites that seem legit and trick users into giving them all kinds of information. Secondarily, this presents a present and future risk to the privacy of health data. Organizations, individuals, and governments need to consider where the line for personal health information and the free exchange thereof stops.</p>
<p><strong>What security features should vaccine passports have?</strong></p>
<p>Interestingly enough, no formal standards for this type of technology have been defined. Best security practices and following a HIPAA (US-based standard) model would be needed to ensure the privacy and security of the data.</p>
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics