Date: 2021-10-30

“We are well aware of alleged fraudulent manipulation of the QR Code of the European Covid certificate,” a spokesperson for the European Commission told AFP on Friday, October 29.

HEALTH PASS – Faced for a few days with the dissemination of fake vaccination health passes, some of them in the names of Adolf Hitler or SpongeBob, European countries have ended up revoking poorly protected cryptographic keys.

As CheckNews reported, on Wednesday a user with a Polish pseudonym began offering valid QR codes for 300 dollars (260 euros). When another user asked for proof in the form of a pass in Hitler’s name (since reported as fraudulent), the seller created one and sent it to him.

Since then, some claim on forums and social networks to have the secret cryptographic keys used to generate a valid QR code of the European health pass.

North Macedonia questioned

However, the private encryption keys have not been compromised, the European Commission assured AFP. It rejects the hypothesis of a technical failure and instead denounces an “illegal activity”.

In some cases, “the certificates were generated by people with valid credentials to access national IT systems,” says the institution.

But according to experts, internet portals including that of North Macedonia (a country outside the EU but integrated since August into the European health system) also lacked the most basic protections and have generated many fraudulent codes.

This is how, after recovering the key and going to an unprotected site, the specialized media outlet Numerama managed to generate a fake health pass. According to Numerama, the site in question was no longer accessible on Thursday morning, the key having been modified.

Fraudulent certificates are blocked

“Each country has one or more signatures, and in each pass, we find out which key it was signed by,” Gaëtan Leurent, cryptography researcher at the National Institute for Research in Digital Science and Technology, told AFP.

For the system to work, all the servers used to sign the pass must be properly protected. “If a service stays open and signs anything, in practice it’s a bit the same thing” as if the key had been stolen, he added.

To remedy the flaw, the member states of the European Union-wide eHealth public health network have agreed to “block the two fraudulent certificates so that they are considered invalid by verification applications”. The Macedonian portal has also been deactivated.

In France, the TousAntiCovid Verif application was updated on Thursday morning. The eHealth network will also work on “improving invalidation and revocation systems, in order to be able to react even more quickly to such cases”.
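
The verification logic described above, as an added example that comes neither from the article nor from any real verification application: a pass signed by an open service passes the signature check, blocking one certificate leaves genuine passes valid, and revoking the whole key rejects everything it ever signed. The key IDs, certificate IDs, field names and holder names are constructed, and HMAC-SHA256 stands in for the public-key signature so the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample data. HMAC-SHA256 stands in for the public-key
# signature of the real system so this runs on the standard library alone;
# a real verifier holds only public keys, never signing secrets.
TRUSTED_KEYS = {"XX-1": b"constructed-key-xx", "YY-1": b"constructed-key-yy"}
REVOKED_KEY_IDS = set()    # whole signing keys withdrawn from the trust list
BLOCKED_CERT_IDS = set()   # individual certificates declared invalid


def _mac(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue(key_id, cert_id, name):
    """What a signing service does: it signs whatever payload it is handed."""
    payload = {"kid": key_id, "cert_id": cert_id, "name": name}
    return {"payload": payload, "sig": _mac(TRUSTED_KEYS[key_id], payload)}


def verify(cert):
    """Return (accepted, reason) the way a verification app would decide."""
    payload = cert["payload"]
    kid = payload.get("kid")  # each pass names the key that signed it
    if kid not in TRUSTED_KEYS:
        return False, "unknown key"
    if kid in REVOKED_KEY_IDS:
        return False, "key revoked"
    if not hmac.compare_digest(_mac(TRUSTED_KEYS[kid], payload), cert["sig"]):
        return False, "bad signature"
    if payload.get("cert_id") in BLOCKED_CERT_IDS:
        return False, "certificate blocked"
    return True, "ok"


def demo():
    """Compare a targeted block with a full key revocation."""
    genuine = issue("XX-1", "XX-0001", "Jane Doe")
    bogus = issue("XX-1", "XX-0002", "Cartoon Character")  # open portal signed it
    before = (verify(genuine), verify(bogus))   # both accepted: signature is real
    BLOCKED_CERT_IDS.add("XX-0002")             # targeted: block one certificate
    blocked = (verify(genuine), verify(bogus))
    REVOKED_KEY_IDS.add("XX-1")                 # blunt: revoke the signing key
    revoked = (verify(genuine), verify(bogus))
    return before, blocked, revoked
```

The bogus pass is rejected only once its identifier is on the block list; revoking the key also rejects the genuine holder, which is why quick per-certificate invalidation matters to the network.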

A mysterious pass in the name of Mickey Mouse

The case is not completely closed because the origin of some fraudulent health passes remains a mystery. A vaccination certificate in the name of Mickey Mouse seems to have been signed by the French authorities, others by the Polish services, perhaps thanks to complicity among health professionals.

In France, the General Directorate of Health, contacted by CheckNews, indicated that the National Health Insurance Fund (CNAM) “investigated the origin of the fraud and thus identified a [health professional card], which would have allowed this fraud in France”.

The cases of fraudulent QR codes would therefore be due “to the behavior of isolated individuals (…). The French private keys have not been stolen and are not compromised, as may have been relayed”. An investigation is underway, just like in Poland, and a complaint has been filed.