E-commerce sites urged to filter fake digital vaccination cert ads

Users urged to report such ads to Cyber999, CyberSecurity Malaysia’s help centre managed by MyCERT


E-COMMERCE platforms are urged to filter products advertised on their platforms to curb any sale of fake digital Covid-19 vaccination certificates by irresponsible parties.

CyberSecurity Malaysia CEO Datuk Dr Amirudin Abdul Wahab said e-commerce sites can filter products advertised on their platforms either automatically or manually, with possible variations of spelling, for example, “vaccine” or “v4cc1n3” to remove the products.

In cases where some sellers do get through, he said users should take the responsibility to report them and the e-commerce administrators should take immediate action.

He also noted that apart from e-commerce and social media platforms, there are several fake vaccination certificates sold on the dark web by sellers claiming to be from abroad, mostly from Europe.

“Usually, these irresponsible sellers utilise free platforms such as blogs and social media to advertise their products, make it viral and reach their target audience.

“It would be harder for social media platforms to filter words such as ‘vaccine’ or ‘certificate’, as they may be used in a bona fide discussion.

“We advise users who are aware of such advertisements to report to Cyber999, our help centre managed by Malaysia Computer Emergency Response Team or MyCERT, which is a department within CyberSecurity Malaysia,” he told The Malaysian Reserve.

He explained that the help centre would then contact the blog or social media platform on which the fake digital vaccination certificates are being advertised, to get the advertisement removed.

Meanwhile, to improve the authentication of digital vaccination certificates, Amirudin said a unique identifier such as a QR code is among the fastest solutions for authentication, which can be printed for individuals who do not own smartphones such as senior citizens and school children.

“We suggest combining the existing QR code in the certificate with a digital signature to increase authenticity and security.

“This QR code can be digitally signed using public key infrastructure as evidence that the digital vaccine certificate is original.”

Amirudin suggested that users should also be verified via MyKad to ensure legitimate certificate ownership.

He emphasised that among the greatest vulnerability in cybersecurity is the human factor. Amirudin said although keeping digital certificates in smartphones and physical cards should be sufficient, the implementation is critical as faced by many other countries across the globe.

“Staff at business premises must scan customers’ digital certificates, restrict entry only for fully vaccinated individuals and be cautious of suspicious individuals who provide screenshots or printed digital certificates that are modified or fabricated.

“We advise premise owners to verify and compare customers’ names, identification cards and vaccination dates on both the MySejahtera application and the printed card to ensure the details match.”

Amirudin also said that premise owners must remember that an individual is considered fully vaccinated only 14 days after the second dose of either the Sinovac, Pfizer and AstraZeneca vaccines or after 28 days for single dose vaccines, namely Johnson & Johnson and Cansino.

Recently, a social media user revealed that the digital vaccination certificates are being sold online at RM15 each, where the certificate displays information such as a photograph of the certificate holder as well as the date and location of the vaccine dose given.

The netizen questioned how the authorities would differentiate between genuine and fake certificates, if the public can easily forge them.

Following that, the Royal Malaysian Police said it has started looking into allegations on the sale of fake digital Covid-19 vaccination certificates as claimed by the Facebook user.

In a statement, Bukit Aman Criminal Investigation Department director Datuk Seri Abd Jalil Hassan said the investigations are currently being conducted under Section 22(d) of the Prevention and Control of Infectious Diseases Act 1988 and Section 233 of the Communications and Multimedia Act 1988.

He reminded the public not to get involved in falsifying and selling digital vaccine certificates, while urging those with information about the incident to contact the nearest police stations.

Similarly, the Health Ministry had also warned that it will take stern action against anyone who tries to forge the digital Covid-19 vaccination certificate in the MySejahtera application.

Users who encounter any cybersecurity threats or incidents can report to the Cyber999 help centre through the hotline 1-300-88-2999, email at [email protected] or by downloading the Cyber999 app at Appstore or Google Play.

For critical incident reporting, users can call +019-2665850 24 hours a day, seven days a week.