Gotta do it for the ‘Gram (Instagram), as the kids might say. After a year in quarantine, you just got your first shot or final shot of the COVID-19 vaccine. In your exuberance, you post a shot of your freshly minted vaccination card online. At this point, most of us have seen this play out at least once or twice on social media. The vaccination card post for many celebrating that small victory to return to a feeling of pre-2020 normal in postings similar to the below photos. I completely empathize with the sentiment because we’ve all experienced a lot of adjustment and pain throughout this last year. We’re trying to find the small things—like getting vaccinated! The problem is sometimes the wrong people are watching, people who can potentially weaponize and or monetize the personal identifiable information (PII) you just posted.
In a previous blog, Digital Shadows (now ReliaQuest) found examples of criminals pivoting into forging vaccine documents, and recently there have already been several cases of people traveling with forged documents or law enforcement breaking up criminal rings exclusively trading in vaccine proof.
In this blog, we’ll take you on a quick look about why you should think twice about what you share online and how cybercriminals can potentially leverage your vaccine card selfie for financial gain.
Proof of Name and D.O.B.for Fraudulent Activities
In the case of criminals serving up personal data in dark web markets, it may be just the name and birthday that make a difference. This information may help create a persona for sale, or give attackers the puzzle pieces to help validate other data they may already have. Considering consumer information and profiles can be sold for pennies and small dollar amounts online, having your name and birthday in a public post may allow scammers access to a variety of opportunities. This is due in some part to birthdays often serving as an additional identification factor for many services, such as with banking, utility, or phone accounts. This also dangerously lowers the barrier of entry to your personal data, and when used with other information, such as an address or other similarly available data, criminals may attempt to take over accounts.
OSINT (Open Source Intelligence) can be incredibly effective in the hands of an expert, or even a novice. From the information included on a standard US CDC vaccination card, one can glean information such as: name, date of birth, administering location, date of immunization, type of immunization, and lot number of the vaccine. Depending on the photo, OSINT researchers can go even further to possibly pinpoint where exactly the photo was taken, what time of day, the type of camera, or find other revealing clues about the person.
Forgeries and Tampering
All that from a vaccination card? Afraid so. There’s also more about posting cards that’s troubling. Outside of a few countries producing certified vaccination passports and similar documents, there doesn’t appear to be a lot to protect common vaccine cards, like anti-forgery or anti-tampering measures you might see with other official documents. We definitely haven’t seen any in use for vaccine cards in the US or Europe out of the samples we’ve seen. With many countries worldwide now looking at adding a so-called “vaccine passport” or other vaccine proof for travel, and possibly even for work, a document showing that the shot regimen is complete could become a boon for criminals.
In any case, with a high-enough resolution photograph and some decent graphic design skills, criminals could use portions of found images to produce realistic forgeries. There are already dozens of examples of vaccine cards posted online either via social media or in news stories, that it would seem fairly trivial to generate your own fake version.
Recommendations for Hygienic Posting
One, I’ve been wanting to use this meme in a cybersecurity post, so, thank you, Digital Shadows (now ReliaQuest) for the opportunity, and two, really…What are you doing? I know the moments are exciting but try to rein in the posts that display so much of your personal information.
Instead, you can:
- Share a picture of the vaccine sticker!
- Take a picture with the healthcare worker who gave you the shot!
- Get a great selfie in front of the clinic or hospital!
- Use text and/or emojis instead of a picture to share your happiness!
- Tell people instead of posting a photo!
But please, don’t use the card itself. Right now you should treat that card with the same attention and care as any other important identification document. Gently nudge people in your circle to be careful if you see it happening within your corner of the world, but also make sure you’re not being too cavalier with your information either. We’ve already talked about how bad people are with passwords and how a lot of your other information gets sold, just showing that there’s a market for anything in the cybercriminal underground.
But Sean! I’m human ,and I want to belong! If you are an oversharer by nature, make your account as private as possible and keep the circle of followers close, as in no randos.. It’s wonderful to share all the joys with your friends and family. Really, it’s just about being safer out there, and making yourself a harder target. Take a cue from Generation Z and make a Finsta (fake Instagram) for just those moments and really close people.
Criminals have tons of opportunities, the methods and means, time, and financial motivation to steal, acquire, and buy all of the personal information floating out there, so why give them the easy ones for free? Be a harder target by giving those impulses a second thought, and maybe don’t post all of your information. If you have given into those impulses, Digital Shadows (now ReliaQuest) can help you monitor what’s exposed. You can get a 7-day free trial of Searchlight to see what we’re talking about. It’s not time to burn down all of your social media and retreat to a cave, but it’s good to understand what your risk is and take control of it.