Corona pass can be doctored, warns IT security expert

Two clicks on an internet browser might enable you to dine outdoors later this month, but would it be worth a spell in prison?

Fears have been raised that people in Denmark will be able to fake the information on a corona pass.

Easily done
Peter Kruse, the founder of IT security company CSIS, points out to DR that it “does not take a genius” to reuse the result of an old test to make it look like it is one carried out within the last 72 hours.

“It is virtually impossible for a teacher or a hairdresser to check whether a test result is legitimate when the results are issued as they do,” he lamented. 

All it takes is two clicks on an internet browser, he added. 

Should have been fixed
Kruse blames security holes on sundhed.dk concerning both the test result and date, which he believes could have been easily avoided.

Last week, sundhed.dk changed its website so speedy test results can be displayed, but missed an opportunity to sort out the security holes. 

“They should have taken this into account – it’s annoying,” added Kruse.

Offenders are likely to receive twice the normal punishment for fraud, so quite a lengthy prison sentence is likely. 

Mass fraud unlikely, says chief
Nevertheless, Morten Elbæk Petersen, the head of sundhed.dk, has told DR he  does not think there will be a stampede to commit fraud. 

“It would be a case of forgery, which is punishable,” he reasoned.

“The corona pandemic has shown that Danes follow the rules and do not abuse the trust we as citizens have in each other. Therefore, our expectation is also that citizens will use our solution responsibly. This has been our experience so far.”