Analysis & Opinions - The Atlantic

Why Vaccine Cards Are So Easily Forged

| Mar. 08, 2022

Sometimes a little security theater isn’t the worst thing.

My proof of COVID vaccination is recorded on an easy-to-forge paper card. With little trouble, I could print a blank form, fill it out, and snap a photo. Small imperfections wouldn’t pose any problem; you can’t see whether the paper’s weight is right in a digital image. When I fly internationally, I have to show a negative COVID test result. That, too, would be easy to fake. I could change the date on an old test, or put my name on someone else’s test, or even just make something up on my computer. After all, there’s no standard format for test results; airlines accept anything that looks plausible.

After a career spent in cybersecurity, this is just how my mind works: I find vulnerabilities in everything I see. When it comes to the measures intended to keep us safe from COVID, I don’t even have to look very hard. But I’m not alarmed. The fact that these measures are flawed is precisely why they’re going to be so helpful in getting us past the pandemic.

Back in 2003, at the height of our collective terrorism panic, I coined the term security theater to describe measures that look like they’re doing something but aren’t. We did a lot of security theater back then: ID checks to get into buildings, even though terrorists have IDs; random bag searches in subway stations, forcing terrorists to walk to the next station; airport bans on containers with more than 3.4 ounces of liquid, which can be recombined into larger bottles on the other side of security. At first glance, asking people for photos of easily forged pieces of paper or printouts of readily faked test results might look like the same sort of security theater. There’s an important difference, though, between the most effective strategies for preventing terrorism and those for preventing COVID transmission.

Security measures fail in one of two ways: Either they can’t stop a bad actor from doing a bad thing, or they block an innocent person from doing an innocuous thing. Sometimes one is more important than the other. When it comes to attacks that have catastrophic effects—say, launching nuclear missiles—we want the security to stop all bad actors, even at the expense of usability. But when we’re talking about milder attacks, the balance is less obvious. Sure, banks want credit cards to be impervious to fraud, but if the security measures also regularly prevent us from using our own credit cards, we would rebel and banks would lose money. So banks often put ease of use ahead of security.

Want to Read More?

The full text of this publication is available via The Atlantic.
Read Full Article
For more information on this publication: Belfer Communications Office
For Academic Citation: Schneier, Bruce.“Why Vaccine Cards Are So Easily Forged.” The Atlantic, March 8, 2022.

The Author

Recommended
In the Spotlight
RSS
Brittany Janis and Melissa Shapiro write about the "Exploring Arctic Sustainability" program which brought together nearly 20 Indigenous youth from Alaska, Canada, Mongolia, Norway, and Sweden for a week of climate leadership training and dialogue.
Calder Walton writes in this Times piece that China is conducting an espionage onslaught against Britain unlike that undertaken by Western governments themselves. "It is broad, deep, accelerating, and multi-domain," he says.
Energy economist Severin Borenstein in this conversation with Robert Stavins discussed the many significant challenges facing the nation’s electricity power sector in the latest episode of “Environmental Insights: Discussions on Policy and Practice."
Most Viewed

Tags