Since Wednesday afternoon, pharmacists can no longer issue digital COVID certificates. The operator, the German Pharmacists’ Association, blocked all access after a security gap became known. No date has yet been announced for the resumption of service.
At the moment, pharmacists only receive the message: “It is currently not possible to issue digital vaccination certificates.” And further: “As soon as it is possible to issue digital vaccination certificates for your pharmacy again, we will inform you immediately.” Some pharmacists feared that their access would be blocked before word got around that all pharmacies nationwide were affected.
The portal for the issuing of vaccination and recovery certificates is provided by the German Pharmacists Association (DAV). Originally it was only open to pharmacies that are members of a state pharmacy association. Under pressure from the Federal Ministry of Health (BMG), the DAV set up access for non-members. Exactly this “guest access” now seems to have become a problem.
Self-made gateway: the guest access
Until now, non-members had to identify themselves to the DAV with an official operating permit and proof of operation in order to receive guest access. The proof of operation had to be provided by a current “notification of the night and emergency service fund”. In addition, the DAV charged a registration fee of 200 euros.
This is where reporters from the Handelsblatt have apparently started. With “professionally forged documents” the reporters have “generated guest access for a non-existent pharmacy owner,” the DAV announced in an indignant-sounding statement.
I mean: The Handelsblatt has submitted two forged evidence, the DAV did not recognize the forgery and set up a guest access. How “professional” this evidence really was can be read shortly in the Handelsblatt.
Two certificates and the server is gone
As a proof of concept, the reporters issued a pair of certificates and informed the DAV about their success. After consulting the BMG, the pharmacists’ association blocked access to all pharmacies.
In the official statement, the DAV cleverly limits the problem to the existence of the state-prescribed guest access. A total of almost 17,900 pharmacies are registered with the portal, of which only 470 access via guest access. The association leaves open why the DAV also blocks access for club members.
The DAV was able to ascertain the existence of the pharmacies with the members of the association using the data in the membership directory. With regard to guest access, the DAV states that they check the operating facilities “several times a week”.
Review before reopening
Now there is an additional check going on: “Up to this Thursday noon there was no evidence of other unauthorized access, the creation of which with fraudulent intent is only conceivable with considerable effort and criminal energy.”
The DAV therefore assumes that the more than 25 million vaccination certificates issued by pharmacies “were all issued by legally registered pharmacies.”
At the same time, the DAV is reviewing the introduction of additional security measures to prevent future misuse of the portal. The DAV does not want to put the certificate server back online until after consultation with the BMG. This is not likely to happen this week.