There are “counterfeit” health codes. This off-the-shelf app lets us know how low the cost of fraud

As the number of confirmed cases increased, people were again wearing masks as required. Subway stations at transportation hubs such as airports and high-speed rail stations that could pass through automatic temperature measurement have re-blocked the fences and need to show the local health code to pass.

Traveling has become more troublesome, but people are also a little relieved. After all, the health code can determine whether the user has been to a medium- to high-risk area, which has a great effect on preventing the inflow of cases.

But what if the health code shown by pedestrians is fake?

Google Play removed apps, can imitate health codes

On January 11th, a Weibo of the user @路議先生 attracted widespread attention. This Weibo picture shows that there is an application called "Health Code Demo" on Google Play, which can simulate different display styles and patterns of health codes, resumption codes, and pass codes in various regions.

Although the developer emphasized in the detailed introduction that this application is only for demonstration purposes, remind users not to use it in scanned occasions to avoid unnecessary misunderstandings. However, this application can customize the display of functions such as city, region, and name, plus the ability to switch the status of green code, red code, and orange code. Everything is to help users fake, so as to avoid relying on digital tools to determine users today Epidemic prevention system of dangerous degree.

Although Google Play removed the app the next day, we can still see more information about the app. For example, the application has been updated 12 times, and each update has improved the fidelity. The app was already at version 1.6.0 when it was removed. The last update was on December 26, 2020. It seems that it has been on Google Play for half a year.

The number of downloads of more than 1,000 times and the evaluation of 3.1 points given by 29 people also prove that some people really find this application useful.

▲ The picture comes from: @路大会

After this situation aroused concern, the user @犬大星大狗狗ADL directly reported through 110. After receiving the report, the police conducted an investigation based on the developer's contact information shown in the picture within three minutes. The investigation found that the address was living in a Japanese person and there was no Paipai technology company written by the developer. And we also saw many Zhejiang Paipai technology companies in the enterprise search, but none of them corresponded to their addresses and businesses.

Perhaps because of the great impact of this matter, the police also found the developer in the shortest time. The latest development of this matter is that the developer has been taken criminal compulsory measures by the Hangzhou Xihu District Public Security Bureau. The notification information shows that "the developer developed a health code demo app and uploaded it to the application market without authorization, which seriously disrupted social order."

According to the email address of the developer's contact information, we searched the developer's GitHub page, and the home page showed that the other party had participated in GitHub's open source project since 2013. Before this application was widely concerned, the developer also showed the open source code on GitHub, which has now been deleted.

▲ Developer's GitHub interface

We found this offline app, and after experiencing it, we found that this app did not set the national health code, and only configured it in Beijing, Zhejiang, Shandong and other places. The real-time updated time and editable name in the App can indeed be fake, but the health code pages in other regions are obviously different.

The QR code scanned in the "Health Code Demo" is currently unrecognizable, but judging by the link, the QR code is likely to lead the reader to the Google Play download interface.

▲ The "health code demonstration" we saw is almost indistinguishable to the epidemic prevention system in some areas

He Shiyou, CTO of Aifaner, told us that the application of this simulated health code is technically very simple. It is actually an imitation of the front-end page. He can make the same application in tens of minutes. "The front-end technology of the health code itself is not complicated, the back-end data docking is the difficulty of this system."

Fragile digital identity, hard to distinguish between true and false

In the health code system, ordinary users have some loopholes to exploit. Users who use the "Health Code Demo" will not be discovered as long as they are not scanned by the code. There were news reports that someone used screenshots to try to get through, but was discovered by the responsible volunteers.

The reason why the developers made special configurations for the health codes in Beijing, Zhejiang, and Shandong is that in order to prevent users from using screenshots, the developers have added real-time time to the health codes to prevent users from taking screenshots. It was solved technically by the developer.

▲ Picture from: "New York Times"

The health code system is a reliable and effective system, but it is also a fragile system. Many people may take advantage of the quarantine checkpoint because they don't want to seek medical treatment in the local area, find it troublesome, or feel that they are not ill. However, once a confirmed case spreads the virus through similar evasion measures, it is the epidemic prevention system itself that is destroyed.

The existence of the "Health Code Demo" app is actually just a microcosm of life in the digital age. In this era, our lives are more convenient, but the threshold for fraud may be lower. Digital identity cannot be fully believed. It may be a virtual, forged identity, or it may be an identity authorization without knowing it.

▲ Picture from: Global News

Douyin and Yuan Longping’s account suspicions that have recently caused discussion are one of them. Xinhua News Agency reported that Yuan Longping had no knowledge of this account, while Douyin stated that the establishment of the account was the result of multiple communications between the company where Yuan Longping was the legal representative and Douyin. The company also provided Yuan Longping’s authorization letter and Yuan Longping’s identity. Certificate information and other necessary materials for certification.

Therefore, on the issue of Yuan Longping’s Douyin account, it is not contradictory that Yuan Longping himself did not know and that Douyin obtained the authorization of Yuan Longping’s digital identity, but in reality I may not know it. This is still a matter of authorization information and I don’t know about it. There are more cases where I didn’t know anything about it, and people used the information gap to harvest the sinking crowd.

▲ Picture from: @新华视点

"Slaying pigs" and "Selling Tea Girl" are real cases, using seemingly real identities to shape personal settings, reducing the alertness of conversation users, making them feel that they are socializing, and then harvesting. The fake Jin Dong and fake Dong Qing, who have attracted the attention of everyone, even harvest users through short videos to create a halo image.

In this digital age where it is difficult to distinguish between true and false, there are too many loopholes that can be drilled, making it easy to believe.

In the digital age, I believe it becomes easier

It used to be difficult for strangers to trade. But in the digital age, click on the credit agreement of Zhima Credit Score on the second-hand platform, and those three numbers will become proof of your identity, and the other party will choose to trust because of your high credit score. Although there are still risks, after all, you cannot confirm that the user of this account is indeed a person with a high credit score, and there is a risk of fraud with a high credit score.

▲ The classic "terrier picture" you never know if the Internet chatting with you is a dog. Picture from: imgflip

But in the digital age, this has become the choice of more and more people.

It is also easy for people to believe the "truth" of the digital age. More and more people can fabricate a fact based on a screenshot, or pretend to be an insider to reveal some "insiders." And this kind of news like yes and no can often be spread quickly through WeChat groups. The reason is that these group chat screenshots are too close to ordinary people. It can restore the information scene to the greatest extent and make people convincing.

▲ Picture from: Titanium Media

In real life, if your friend asks another to borrow money from you, you will definitely think it is a liar. However, after a friend's QQ account was hacked, many people would have no doubt that the money was transferred to the account designated by the other party. This is a case that believes it has become easier.

Applications like "Health Code Demo" are actually just a microcosm, which tells us that fraud in the digital age may be easier than we thought. In the past, the cost of engraving fake official seals and applying for fake certificates is lower today. Taking a picture, changing a number, and even coding a person's avatar and ID have become a more reliable way in the digital age.

▲ In the Internet age, coding makes information more credible

In the Pinduoduo Zhihu response incident, many people were unable to confirm whether the original screenshots of the brand were forged. The main reason is that everyone has a certain understanding of the cost of fraud. With simple screenshots and stitching, everyone can make a big news, and the cost of digital fraud is not high.

The master of Bilibili up @證继線 has demonstrated how to modify the dynamic information of the webpage. Through the "check" function, anyone can easily modify the content in the webpage information.

▲ The webpage can be easily modified. The picture comes from: @載继線

For people who understand and master tools, there is basically no technical threshold for doing similar things with their own knowledge. The only restriction to them is law and morality, but morality alone is not enough. Even if the technology runs fast enough, the law must catch up as soon as possible. Otherwise, when an infected person walks at will with a fake health code, it may ruin the efforts of most people who follow the rules.

The tools provided by the developers of the "Health Code Demo" may already be at risk of endangering public safety. With the rapid response of the police, we will learn more. But what is certain is that it is difficult for developers to justify themselves by saying "just develop display tools, don't know what users will do with them".

After all, algorithms and tools do not have values ​​and thinking, but people do.

Not too interesting, not too optimistic.

#Welcome to follow Aifaner's official WeChat account: Aifaner (WeChat ID: ifanr), more exciting content will be provided to you as soon as possible.

Ai Faner | Original link · View comments · Sina Weibo