“No chance for Corona inspectors to detect vaccination certificate forgers. Nevertheless, this could be changed very easily.“

Interview with profiler Peter Hessel

Bayreuth.- For some time now, 3G, 2G or 2G+ access control is part of our everyday life. In Germany, these abbreviations mean “vaccinated, recovered, tested“ while abroad it is called “Corona-compliant access control.”

Not only the name of the process is somehow cumbersome, also the correct realization of the checks has its pitfalls. Only those who actually know how to detect forged vaccination certificates and ID cards, can ensure a safe access. ID card? What does the ID card have to do with the vaccination certificate? Quite simple: it is not only the vaccination certificate itself that needs to be checked but also whether the personal data on the vaccination certificate match the data on the ID card. This step is called “validation.“

Let´s have a detailed look at both steps and talk to Peter Hessel on the matter. He is chief inspector and “Diplom-Verwaltungswirt“ at the Hessen Police, working at the police headquarters in Frankfurt am Main.

As Head of Central Investigations in the Special Services Directorate he was responsible for the Hessen Police´s conception for combating document crime. He is a trained document adviser and inspector, leader of the document inspection authority of the police department in Frankfurt a. M., a longtime and experienced seminar lecturer – in short: a profiler who provides concrete ideas for the correct verification and validation of vaccination certificates.

Mr. Hessel, we want to start with step one: let´s assume I need to check a digital vaccination certificate. That is just a QR code most people have on their mobile phone. So how can I determine if the QR code is genuine or fake?

Peter Hessel:
With the naked eye? That´s not possible at all! It can only be done by technical means. You need an approved barcode or QR code reader and a suitable software.  Or an approved app. A mere visual inspection is not sufficient. The inspectors must be aware of how forgers proceed: they forge what works the easiest and cheapest way. A picture with a QR code and a name is quickly reproduced. 2D QR codes like those of our digital vaccination certificate are actually prone to falsification. The reproduction of 3D QR codes is more difficult here. And it is much more difficult and therefore much more secure if the data is integrated in the insurance card of the health insurance company. Here, data can be stored in the magnetic stripe or chip. That is also possible with the ID card: many people do not know at all that in the ID document, there are data groups which can be assigned with certain information. This is also a safe place for personal data. But now we have to cope with the situation that a QR code must be checked. And that is why you have to take it very seriously.

What if someone presents the yellow vaccination booklet? These little stickers with information about the vaccine – can you verify that as a layperson?

Peter Hessel:
No! No chance. Even experts such as pharmacists have a hard time doing that. Just an example: at the moment, both the yellow vaccination booklets and the little stickers are actively traded on the known internet platforms. Five plain vaccination booklets for 12,99 euros and in addition ten BioNTech stickers for 125 euros per unit. This is not nonsense, it is reality. The stickers include a printed watermark and a batch number. You cannot distinguish them from the original. Here we are talking about pure research via Google. Darknet offers are not included at all. And those who do not want to get vaccinated are willing to walk this path and to pay the money. For me that is a clear case of document laundering: because with a forged vaccination booklet like that, people go to the pharmacist and receive a genuine digital EU vaccination certificate. Hence, at the slightest suspicion, the pharmacy personnel should contact the issuer, i.e. the doctor´s office or the vaccination center.

The staff members at the entrance often use, for example, an app to check the QR code. Now let´s go to step two: a complete and correct verification requires not only the inspection of the vaccination certificate but also the ID card. But you cannot do it with an app like that. So how can I quickly compare the data with a visual inspection?

Peter Hessel:
The inspectors have to overcome two challenges. First, the certificate data need to be compared to the data on the ID card. This might work with the German ID card because you know the document quite well and you know where to find the data. But with the German passport, things will get more challenging. The reason for that is that you do not hold it in your hands that often. Regarding a Romanian ID card or Spanish passport, for example, untrained staff is not able to determine within seconds on which page of the document these data are located. In that case the inspectors might even have to take the passport in their hands, turn the pages and search – and finally, the visitors or guests have to show the inspectors where to find the information. These are situations we as the police do not want to see.

Second, when doing a visual inspection, the staff members need to know at least some of the standard security features to detect counterfeit documents. That means not only name and date of birth need to match, but also the photo on the document with the person in front of them. Managing time and personnel for a safe and secure control is extremely laborious. This is also the reason why someone might turn a blind eye. Or that the inspectors just look to see if the guest presents a document which looks halfway like a passport. 

From your point of view as an expert, what are the indications of counterfeit documents? Are there areas in the document which need to be examined more closely?

Peter Hessel:
Yes, in my opinion, you can follow a little checklist for the passport or ID card:  

Firstly: do image on document and face of person in front of you match?

Secondly: does the signature look like handwriting? Or are the letters as regular as in a computer font?

Thirdly: plausibility check! Is the age stated in the ID card and the person´s actual appearance harmonious?

Fourthly: take a look at the machine-readable zone, abbreviated MLZ. The MLZ includes several security features which are internationally standardized. For example, the writing of the digits 3 and 4: the upper curve of the “three“ is a straight line and the “four“ has an open shape. If the “three“ has two rounded curves and the “four“ is printed as a closed digit, then something is wrong! The problem here: doing that takes time and practice.

You and your colleagues use special scanners to verify the documents. Does the usage of existing technology also make sense with Corona-compliant access control?

Peter Hessel:
Yes, definitely! There is no other way and with regard to safety, it also does not make sense. There are many different well-proven solutions on the market. From the established ID scanner to mobile solutions. Of course, this involves investments, but they are manageable.

Currently, access control is a really sensitive topic. In the worst case, errors may lead to COVID-19 infections. On the one hand, security plays a major role while on the other hand, speed is also very important. After all, you want to avoid queues because of the safety distances. So how can you accelerate the whole procedure?

Peter Hessel:
From the police point of view, the answer to the question is simple: information and communication in advance is crucial. The airports and border control are the best examples. In these areas, the travellers are comprehensively informed in advance so that they know what to expect and which documents they need to have ready. Newsletters prior to the event, posters on site, handouts and so on…if you want to have your guests´and visitors´understanding, you have to explain, what is being done and why it is necessary.  

In addition to that, a really good concept for access control is necessary. This is just a calculation example. How many people have to access within a certain time? How many seconds takes the verification process per person? From that a lot of insight can be gained. For example, that the admission times need to be extended forward if it is a hall or a stadium.

Of course, for all those who have to cope with this task, it would be helpful to have nationwide coherent regularities – as well as uniform penalties if someone does not adhere to the prescribed checks.

One last question: what is your advice for security services and inspectors?

Peter Hessel:
Confidence is good, but control is better! Prevention and security cannot be measured. That is why many now shy away from investing in hardware and training for their staff members. Nevertheless, this is the wrong way to react in this pandemic! Only security leads us back to a normal everyday behavior like in the time before Corona. This especially refers to the 2G, 3G and other kinds of access control.

Peter Hessel, thank you very much for your time and the helpful information!

A note on our own account: Together with DESKO, Peter Hessel offers document training sessions for all professions which have to deal with access control.