The European Union has finally lifted the ban on Americans, and on travelers from countries within the 27-member EU, that has been in place since early 2020. Travelers within the EU can now download a digital or paper health certificate, or vaccine passport, containing essential information.

The EU has no unified COVID-19 tourism or border policy, but has been working on a travel certificate for those who have been tested, vaccinated, or recently recovered from COVID-19. The certificates contain a QR code with security features that allow people to move between European countries, without having to quarantine or undergo extra coronavirus tests. While the vaccine passport is meant for EU citizens, travelers from other countries can also obtain one, if they qualify.

EU vaccine passport QR code increases security and privacy risk

In March, the European Commissioner in charge of vaccines outlined requirements for a non-compulsory health certificate, or vaccine passport, equipped with a QR code to track medical records of European citizens. The health certificate is available from the websites of the Ministries of Health of each EU country. Scanning the QR code makes it easy to verify that the certificate holder has been vaccinated against COVID-19. It also provides information on the origin of the vaccine, whether the individual has already been a carrier of the virus, and whether they have antibodies.

No doubt, the health certificates are going to increase the use of QR codes across Europe. While this makes it very convenient for health authorities, it increases privacy risk and the potential for data theft for EU travelers. It should be noted that QR codes are vulnerable to cyberattacks and are opportunistic targets for hackers. Attackers embed malware, substitute legitimate QR codes with malicious ones, then direct users to phishing sites without detection. Simply put, hackers use QR codes to illicitly obtain information, hijack accounts, and steal identities and data.

How to protect myself from security and privacy concerns regarding EU vaccine passport QR code use

In most cases, a threat actor would need to control the QR code in order to manipulate it for malicious purposes. What concerns should travelers be aware of, and how should they protect themselves if this QR code is in their possession?

  1. Treat this EU vaccine passport like your regular passport. It contains personal data that you don’t want to expose. Only allow authorized security personnel at borders and checkpoints, or health care personnel, to scan your QR code.
  2. Use the digital passport where possible, as it is less likely to be lost. A paper copy can be more easily misplaced. If you do get the paper copy, keep it with your passport and other travel documents, and if you dispose of the QR code, make sure to do so more permanently than just throwing it in the trash.
  3. There will be scams and other schemes aimed at getting access to EU vaccine passports. Treat this passport like any other healthcare data. Do not give access to anyone but authorized healthcare providers or security personnel where needed for travel purposes. Make sure to get a valid EU vaccine passport through legitimate channels, as there will likely be scams trying to sell fake or cloned vaccine passports.
  4. If anyone attempts to get you to scan a QR code, you should always question the source as QR codes are an easy way to target an unsuspecting user and load malicious apps or attempt to capture sensitive data.

How can QR codes be abused

Ivanti recently conducted a survey of over 4,100 consumers across the U.S., U.K., France, Germany, China, and Japan, on QR code sentiment and usage. The growing threat associated with QR code usage was confirmed, as 51% of survey respondents have concerns when using QR codes, yet scan them anyway. One-third of respondents were unaware of QR code risks and didn’t recognize the need to protect their mobile devices.

The use of QR codes via the new EU vaccine passport will certainly impact and increase travelers’ concerns about privacy and security. In fact, according to the Ivanti study, 31% of respondents have had a QR code misdirect their mobile device to a suspicious site or cause other troubling actions.

QR code security threats are certainly problematic. However, there is technology that can protect mobile devices against such abuses. Because mobile devices are used for personal and business activities, it’s critical for both consumers and businesses to prioritize mobile security for their employees, whether the mobile device is company or employee owned. A zero trust security strategy should be implemented to continually verify each asset and transaction, before permitting mobile device users to access the corporate network.

Ivanti provides QR code risk protection

A mobile security defense is the best protection against mobile device risks. Ivanti's mobile threat defense (MTD) solution protects against and remediates known and unknown threats that target iOS and Android mobile devices. It’s quick and easy to onboard devices and provision them over the air with all the apps, settings, and security configurations required. Ivanti MTD will protect any iOS, macOS, Android, and Windows 10 endpoint across today’s perimeter-less digital environments.

Ivanti MTD protects against attacks with detection and remediation at the device, network and application level. No action by the user is needed, making it easy to achieve 100% adoption, without impacting user productivity.

While the EU’s vaccine passport appears to be a sensible and convenient approach towards restoring normalcy to European economies, QR codes clearly present a risk, both privately and corporately. Malicious code, brought in by employee mobile devices, can compromise an organization’s digital systems and data. A mobile threat defense solution, like Ivanti MTD, provides peace of mind, with the assurance that mobile devices logging into business digital infrastructure are protected.