Christopher Staab, President of the Loyalty Security Association says: “The pandemic didn’t allow fraudsters to hide transactions within the greatly reduced volume of travel sales. Fraudulent travel transactions currently stick out like a sore thumb. So, travel fraudsters have been taking over accounts and maturing them this past year, honing their Account Takeover skills. I fear fraudsters will now turn these improved skills towards taking over “Covid-19 Passports” in earnest, as they contain valuable personal data for committing additional cyber fraud.”
ATOs typically occur with one criminal group or actor taking over accounts – credit card, loyalty, health accounts, etc., which are then sold, particularly on Social Media sites and the Dark Web. Different criminal actors purchase these accounts, which they then use for both the account’s intended purpose, which is to provide proof of vaccination, though obviously not for the actual person attached to the account, in the case of “Covid-19 Passports,” or to commit further criminal activities.
It is common that people use the same usernames and passwords across multiple accounts, allowing cyber criminals to takeover additional accounts of the same account holder of the compromised one. Plus, the data within a compromised account may sometimes be used to open additional new accounts in the account holders name or even to create a “Synthetic ID” using the account holder’s personal details.
This is where “Covid-19 Passports” are particularly attractive to cyber criminals since health care data is extraordinarily rich with personal details. “Covid-19 Passports” are already for sale on the Dark Web, as reported by the BBC on 23rd March 2021.
Christopher Staab, President of the Loyalty Security Association goes on conclude: ““Covid-19 Passports” are attractive to fraudsters and already for sale on the Dark Web. With them being rolled out so quickly and with so many parties involved, including governments, additional data security concerns are likely to emerge. The massive fines, which can arise from running afoul of Data Privacy Laws, such as the European Union’s GDPR, can easily wipe out any additional revenues that travel businesses gain from implementing electronic “Covid-19 Passports.” I urge airlines and travel businesses considering implementing “Covid-19 Passports” to proceed with due diligence and with the utmost caution.”
