Have you been vaccinated against COVID-19? Do not post photos of your card!
Fortunately, step by step, the Brazilian population is finally being immunized against COVID-19, a disease caused by the new coronavirus (SARS-CoV2) and which has shaken the world economy. Our country is working with a reputable range of immunization providers (CoronaVac, AstraZeneca, Pfizer, Sputnik V, and Janssen) and the vaccination schedule is apparently being properly adhered to.
There's only one problem with this: a trend that emerged as the younger population began to be vaccinated. We're talking about the act of posting photos of vaccination cards on social media — an understandable act since there is a lot of excitement in sharing with friends and family the fact that you are protected against such a dangerous disease. However, behind this seemingly innocent act lies a huge danger to a person’s privacy.
In the rush to "share the news", many internet users forget that the vaccination card provided by health institutions usually contains personal data of the person being immunized, including full name, Individual Taxpayer Registry (CPF, in Brazil), the Unified Health System (SUS, in its Brazilian acronym) registration number, and other details such as the vaccination post where the vaccine was applied, the manufacturer of the immunizing agent, the batch used and the dates of applications...You may not believe it, but that's enough for a cybercriminal to scam you over the internet!
Innocent card? No, a source of personal data!
Let's see: in addition to your full name and Individual Taxpayer Registry (which alone are enough for a criminal to trick you into a simple scam), your SUS registry or healthcare provider code can be used by criminals who have illegal access to system applications to easily locate you. There, even more information on the vaccinated person can be obtained, including date of birth, ID number, email address, telephone number, parents' names, and so on. Of course, they'll also find an address — and, to make sure it's not outdated, they'll cross-check it with the vaccination post registered on your card.
This is all the criminals need to use your identity to shop online, apply for loans, and perform other fraudulent misrepresentation scams. Since SUS data, for example, is not always up-to- date, the vaccination card can be used by criminals as a “double-check” to ensure that the information is fresh. Add this to the fact that many Internet users don't protect their social media properly, allowing anyone to view their posts, and you've got a disaster in the offing.
Not to mention, of course, the risk of phishing — knowing that the person has taken a certain vaccine, from a certain laboratory and from a specific batch, fraudsters can very well impersonate medical institutions (including the manufacturer of the immunizing agent) and send an email advising you to take some unsafe measure. A satisfaction form to get even more sensitive information or a malicious attachment full of malware that will infect your machine...
A common but dangerous habit
Posting photos with sensitive information is nothing new. A similar case occurred when a famous financial institution began sending credit cards to its first consumers. Proud to be part of a select group, Internet users posted photos of the card and displayed their numbers, expiration dates and even the CVVs (verifier codes), which was more than enough for a malicious agent to “inaugurate” them with a fraudulent purchase.
The same happens with newly hired people at large companies, who proudly display their new badges that can contain sensitive data. So, remember: before sharing any photos on social media, take a good look at it and check for any information that could compromise you in the future.
Article translated from: Se vacinou contra a COVID-19? Não poste fotos de sua carteirinha! — Perallis Security