Out of my mind: what is the threat of using someone else’s QR code

by time news

Visiting public places in many regions of the country requires presenting a QR code confirming vaccination. Usually an identity document must be shown as well. In the course of such checks, it often turns out that a student tried to enter a shopping center with a pensioner’s code, or a girl with a friend’s QR code. Such substitutions carry real penalties, both administrative and criminal. Particularly stringent measures are envisaged when the QR code has been stolen. More details can be found in the material of Izvestia.

How attackers can get hold of a QR code

According to Sergey Golovanov, chief expert at Kaspersky Lab, there are two main fraudulent schemes associated with the use of QR codes: the sale of QR codes that lead to phishing pages imitating official resources, and the purchase of real matrix codes from cybercriminals.

– In the first case, it is very important for the reviewers to make sure that the link in the address bar is correct. In the second, it will be almost impossible to detect something amiss, – says the expert, stressing that regulators are taking active measures to resolve such situations.

Viktor Ryzhkov, leading information security expert at the CROC IT company, added that during the pandemic a shadow market for the sale of fake QR codes has formed. When the inspector follows the matrix barcode, they land on a fake site that is visually similar to the verification page on the public services portal and contains all the information necessary for verification: passport data, date of vaccination and other information.

– However, when using such a service, the buyer may pay and not receive even a fake QR code, – said the expert. – Moreover, in the event of a leak of personal data of citizens, fraudsters can theoretically sell them, and use the buyers for the purpose of blackmail. For example, they can call citizens with the threat of transmitting information about the falsification of the QR code to law enforcement agencies and demand a ransom “for removing data from the database.”

According to Ryzhkov, the stolen QR codes of vaccinated Russians are also sold on the black market. In such a scenario, the main problem for the buyer will only be verification with the ID, which is very likely to be forged.

Experts believe that it is quite possible to get access to a functioning QR code. Do not forget that a QR code is information that is stored, as a rule, not only on the public services portal, but also on a mobile device or in a user’s mailbox. Therefore, the methods used by cybercriminals are not fundamentally new: guessing the password to a mailbox or a public services account. The critical factors here are the complexity of the user’s password and the use of two-factor authentication at login.

– On the other hand, a QR code is visual information, in no way protected from copying. Therefore, an additional vector of attack appears: the attacker only needs to be in close proximity to the victim while presenting the QR code and use the camera of his smartphone or other means of photo and video recording, – the CROC specialist warned.

Cybersecurity expert Sergei Vakulin agrees that QR code theft is possible. Attackers are able to gain remote access to the device on which the information is stored, as well as to capture the code when presented in shopping centers, cafes, and transport.

How to protect a QR code

To prevent theft of QR codes, Viktor Ryzhkov advises being careful when displaying them in public places and not forgetting the traditional rules of cybersecurity:

  • set a complex password and set up two-factor authentication for access to the public services portal and mailbox;
  • use security software for mobile devices;
  • do not click on suspicious links delivered both in emails and through QR codes.

Inspectors should also be on the lookout. The expert recommends checking QR codes with an official application or a QR code scanner that has a whitelist matching function, and also visually checking the domain name in the link: the gosuslugi.ru address should not contain errors or any additions.
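The whitelist and domain-name check described above can be automated on the inspector's side. The following is an added example, not code from Izvestia or from any official application; it assumes that only HTTPS links are accepted and that gosuslugi.ru is the only trusted domain, and the sample URLs, their paths and the `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

ALLOWED_DOMAINS = frozenset({"gosuslugi.ru"})  # the domain the article names
LABEL = re.compile(r"[a-z0-9-]{1,63}")         # plain ASCII DNS label


def check_qr_url(decoded, allowed=ALLOWED_DOMAINS):
    """Return (ok, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(decoded.strip())
        host = parts.hostname      # lower-cased, without userinfo or port
        parts.port                 # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":    # assumption: only HTTPS links are accepted
        return False, "scheme is not https"
    if not host:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        # e.g. https://trusted-name@other-host/ shows the trusted name first
        return False, "userinfo before host"
    labels = host.rstrip(".").split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        # catches look-alike Unicode letters and stray backslashes
        return False, "host has non-DNS characters"
    host = ".".join(labels)
    # Exact match or a true subdomain; a bare suffix match is not enough.
    if any(host == d or host.endswith("." + d) for d in allowed):
        return True, "host on allowlist"
    return False, "host not on allowlist"


# Constructed sample inputs; paths and .example hosts are placeholders.
SAMPLES = [
    "https://www.gosuslugi.ru/constructed/path?id=0000",
    "https://gosuslugi.ru.cert-check.example/constructed/path",
    "https://gosuslugi.ru@cert-check.example/constructed/path",
    "https://g\u043esuslugi.ru/constructed/path",  # Cyrillic letter in the name
    "http://www.gosuslugi.ru/constructed/path",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_qr_url(url), ascii(url))
```

A link that passes this check only shows that it points at the expected domain; it says nothing about whether the code belongs to the person presenting it, which is why the identity document is still compared.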

– It is quite possible that soon there will be new ways to protect QR codes, including from free copying, – Ryzhkov suggested.

What is the threat of theft or forgery of a QR code?

Judicial practice is gradually being supplemented with cases related to forged vaccination documents. Buying a fake certificate entails criminal liability (part 3 of article 327 of the Criminal Code of the Russian Federation). The maximum sentence is up to one year in prison. The use of someone else’s or fake QR code is still outside the legal framework.

– If the QR code contains a hyperlink to the vaccination certificate with the number, date of birth and date of vaccination, such QR code will be considered an official document. Thus, the use of a knowingly forged QR code can lead to criminal liability under paragraph 5 of Art. 327 of the Criminal Code of the Russian Federation. The sanction in this case will vary from a fine of 80 thousand rubles to arrest for up to six months. If such data is not found when navigating through the QR code, then there will be no grounds for applying this article. However, there remains the risk of being brought to administrative responsibility due to non-compliance with the requirements for sanitary and epidemiological control, Art. 6.3 of the Administrative Code, – explained the lawyer Julia Kremer.

Appropriating someone else’s QR code or digital certificate can be treated as the seizure of someone else’s personal data, noted Anna Gretskaya, a lawyer for financial disputes.

– For such actions, administrative responsibility is established under Part 1 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation (“Violation of the procedure established by law for collecting, storing, using or disseminating information about citizens (personal data)”). A citizen can receive a fine in the amount of 2 to 6 thousand rubles, a legal entity – from 60 thousand to 100 thousand rubles, – the lawyer clarified.

Moreover, violation of the inviolability of private life is already subject to criminal liability (Article 137 of the Criminal Code of the Russian Federation). It applies where an attacker illegally collected or disseminated information constituting a personal or family secret of the victim, which may include information about vaccination. For this, a fine of up to 200 thousand rubles or imprisonment for up to two years is provided.

Problems will also arise if an attacker takes possession of a QR code from someone else’s gadget, Anna Gretskaya warned. The information stored in the computer is protected by law. Copying, deleting or blocking it can lead to serious penalties. According to Art. 272 of the Criminal Code of the Russian Federation, for such actions a fine is provided in the amount of 200 thousand rubles or imprisonment for up to two years.
