Analysis & Opinions - The Atlantic
Why Vaccine Cards Are So Easily Forged
Sometimes a little security theater isn’t the worst thing.
My proof of COVID vaccination is recorded on an easy-to-forge paper card. With little trouble, I could print a blank form, fill it out, and snap a photo. Small imperfections wouldn’t pose any problem; you can’t see whether the paper’s weight is right in a digital image. When I fly internationally, I have to show a negative COVID test result. That, too, would be easy to fake. I could change the date on an old test, or put my name on someone else’s test, or even just make something up on my computer. After all, there’s no standard format for test results; airlines accept anything that looks plausible.
After a career spent in cybersecurity, this is just how my mind works: I find vulnerabilities in everything I see. When it comes to the measures intended to keep us safe from COVID, I don’t even have to look very hard. But I’m not alarmed. The fact that these measures are flawed is precisely why they’re going to be so helpful in getting us past the pandemic.
Back in 2003, at the height of our collective terrorism panic, I coined the term security theater to describe measures that look like they’re doing something but aren’t. We did a lot of security theater back then: ID checks to get into buildings, even though terrorists have IDs; random bag searches in subway stations, forcing terrorists to walk to the next station; airport bans on containers with more than 3.4 ounces of liquid, which can be recombined into larger bottles on the other side of security. At first glance, asking people for photos of easily forged pieces of paper or printouts of readily faked test results might look like the same sort of security theater. There’s an important difference, though, between the most effective strategies for preventing terrorism and those for preventing COVID transmission.
Security measures fail in one of two ways: Either they can’t stop a bad actor from doing a bad thing, or they block an innocent person from doing an innocuous thing. Sometimes one is more important than the other. When it comes to attacks that have catastrophic effects—say, launching nuclear missiles—we want the security to stop all bad actors, even at the expense of usability. But when we’re talking about milder attacks, the balance is less obvious. Sure, banks want credit cards to be impervious to fraud, but if the security measures also regularly prevent us from using our own credit cards, we would rebel and banks would lose money. So banks often put ease of use ahead of security.
Want to Read More?
The full text of this publication is available via The Atlantic.
For more information on this publication:
Belfer Communications Office
For Academic Citation:
Schneier, Bruce.“Why Vaccine Cards Are So Easily Forged.” The Atlantic, March 8, 2022.
The Author
Bruce Schneier
- Adjunct Lecturer in Public Policy, Harvard Kennedy School
- Fellow, Cyber Project
- Recommended
- In the Spotlight
- Most Viewed
Recommended
Analysis & Opinions
- The Atlantic
Every Emergency Needs to End, Even COVID-19
Analysis & Opinions
- Project Syndicate
Is Globalization Over?
Analysis & Opinions
- Project Syndicate
Peak China?
In the Spotlight
Most Viewed
Analysis & Opinions
- Project Syndicate
If Trump Returns
- Belfer Center for Science and International Affairs, Harvard Kennedy School
Belfer Center Fellow Peter Ajak Navigates Challenges from Lost Boy to South Sudanese Activist
Paper
- Belfer Center for Science and International Affairs, Harvard Kennedy School
Attacking Artificial Intelligence: AI’s Security Vulnerability and What Policymakers Can Do About It
My proof of COVID vaccination is recorded on an easy-to-forge paper card. With little trouble, I could print a blank form, fill it out, and snap a photo. Small imperfections wouldn’t pose any problem; you can’t see whether the paper’s weight is right in a digital image. When I fly internationally, I have to show a negative COVID test result. That, too, would be easy to fake. I could change the date on an old test, or put my name on someone else’s test, or even just make something up on my computer. After all, there’s no standard format for test results; airlines accept anything that looks plausible.
After a career spent in cybersecurity, this is just how my mind works: I find vulnerabilities in everything I see. When it comes to the measures intended to keep us safe from COVID, I don’t even have to look very hard. But I’m not alarmed. The fact that these measures are flawed is precisely why they’re going to be so helpful in getting us past the pandemic.
Back in 2003, at the height of our collective terrorism panic, I coined the term security theater to describe measures that look like they’re doing something but aren’t. We did a lot of security theater back then: ID checks to get into buildings, even though terrorists have IDs; random bag searches in subway stations, forcing terrorists to walk to the next station; airport bans on containers with more than 3.4 ounces of liquid, which can be recombined into larger bottles on the other side of security. At first glance, asking people for photos of easily forged pieces of paper or printouts of readily faked test results might look like the same sort of security theater. There’s an important difference, though, between the most effective strategies for preventing terrorism and those for preventing COVID transmission.
Security measures fail in one of two ways: Either they can’t stop a bad actor from doing a bad thing, or they block an innocent person from doing an innocuous thing. Sometimes one is more important than the other. When it comes to attacks that have catastrophic effects—say, launching nuclear missiles—we want the security to stop all bad actors, even at the expense of usability. But when we’re talking about milder attacks, the balance is less obvious. Sure, banks want credit cards to be impervious to fraud, but if the security measures also regularly prevent us from using our own credit cards, we would rebel and banks would lose money. So banks often put ease of use ahead of security.
Want to Read More?
The full text of this publication is available via The Atlantic.The Author
Bruce Schneier
- Adjunct Lecturer in Public Policy, Harvard Kennedy School
- Fellow, Cyber Project
- Recommended
- In the Spotlight
- Most Viewed
Recommended
Analysis & Opinions - The Atlantic
Every Emergency Needs to End, Even COVID-19
Analysis & Opinions - Project Syndicate
Is Globalization Over?
Analysis & Opinions - Project Syndicate
Peak China?
In the Spotlight
Most Viewed
Analysis & Opinions - Project Syndicate
If Trump Returns
- Belfer Center for Science and International Affairs, Harvard Kennedy School
Belfer Center Fellow Peter Ajak Navigates Challenges from Lost Boy to South Sudanese Activist
Paper - Belfer Center for Science and International Affairs, Harvard Kennedy School
Attacking Artificial Intelligence: AI’s Security Vulnerability and What Policymakers Can Do About It
