Digital certificates for immunized persons should make life a little less complicated in the corona pandemic.
But now there is a problem with the system: since Thursday, pharmacies in Germany, at least, have no longer been allowed to issue digital certificates for people who have been vaccinated or have recovered from Covid-19.
Apparently, fraudsters can use Photoshop tricks to pretend to be a pharmacist and thus steal individual QR codes without a security check.
As the »Handelsblatt« reports, the two IT security experts André Zilch and Martin Tschirsich apparently succeeded in registering a fictitious pharmacy via guest access to the online tool »Mein Apothekenportal« of the responsible German Pharmacists' Association (DAV).
With this access, it was possible to issue vaccination certificates officially signed by the Robert Koch Institute, with invented names, any vaccination date and a freely selectable corona vaccine.
The loophole apparently only affects pharmacies.
According to the industry magazine “Apotheken-Adhoc”, certificates can currently still be issued in vaccination centers and medical practices.
In the past, however, many vaccinated or convalescent people resorted to the option of having the QR codes issued in pharmacies after a vaccination.
The consequences of the security gap are difficult to assess.
According to the “Watson.ch” portal, some certificates from Germany have appeared in Switzerland, at least.
According to the research, corresponding certificates were illegally offered in messenger apps for 200 euros each.
However, it has not yet been confirmed whether the QR codes come from the pharmacist's tool.
Online access for pharmacies remains blocked for the time being
The Federal Association of German Pharmacists' Associations (Abda) doubts that the portal was used commercially to produce fake QR codes. An association spokeswoman told SPIEGEL that there were "two fake certificates" in circulation. However, access for pharmacists remains blocked until the problem has been resolved. "We are working flat out on a solution." It is not yet possible to give a specific date when the tool will be reactivated.
In the past five weeks, 25 million citizens have had their digital vaccination certificate issued retrospectively in one of around 18,000 pharmacies in Germany. Of these, 470 pharmacies were registered via guest access. The federal government decided to take the detour via pharmacies, as digital certificates and apps did not yet exist at the time of many vaccinations. In some federal states, citizens also receive the certificate by post if they have been vaccinated in a vaccination center. A QR code is shown on the letter, which can be scanned with smartphone applications such as the Corona-Warn-App, CovPass and Luca. The apps in turn display a QR code that can be used at borders and airports and to certify immunity in restaurants and at concerts, and that serves as a digital alternative to the yellow vaccination certificate.
In order to get to the falsified QR codes, the hackers, according to the “Handelsblatt”, registered the imaginary “sun pharmacy”, filled out a form with the address of an apartment building, and forged an operating permit and the notification letter for money from the night and emergency service fund.
FDP makes Jens Spahn jointly responsible
The letter with the access data for the portal arrived within two days.
The query of the so-called telematics ID was apparently not a major hurdle either. Instead of the clearly assigned code for medical facilities, Zilch and Tschirsich are said to have entered an arbitrarily chosen number and still received access.
The hackers' conclusion: the certificates issued so far should be »all invalid«, since individual codes could not be revoked.
For Abda, that goes too far.
The spokeswoman for the federal association says: "Anyone who has gone to a pharmacy as a patient with their vaccination certificate in order to have a certificate issued there knows that they have not fallen for a fake pharmacy."
The FDP meanwhile makes Health Minister Jens Spahn (CDU) jointly responsible for the problems with the certificates. The FDP parliamentary group had already requested a digital vaccination pass in 2019, FDP health expert Christine Aschenberg-Dugnus told the "Augsburger Allgemeine" on Friday. “We could have saved today's chaos and a lot of money if the federal government had acted in good time.” If the QR code had been directly transferable since the start of the vaccination campaign, it would have meant less effort for citizens and would also have been safer. The Ministry of Health did not respond to a written request from SPIEGEL on Friday morning.