QR Code Security — Quick Response or Quick Regret?

By Jiangang · Published in Horangi · 6 min read · Jan 23, 2018

INTRODUCTION

QR (Quick Response) code is probably a familiar term for most people today. In recent years, its usage has been growing rapidly in many countries. So, what is a QR code and how can it be used? In a nutshell, a QR code is a two-dimensional barcode that stores data in a form readable only by image-capturing devices. Simply point a mobile phone camera at the code and its data will be captured. Easier than taking a selfie, for sure.

In Singapore, one can easily spot many QR codes everywhere. Let us look at some real life applications of QR codes to better appreciate its existence:

Use of QR code in newspaper advertising:

Image developed internally by Horangi artists

Use of QR code for Taxi payment:

Image developed internally by Horangi artists

Use of QR code to rent a bike:

Image Source:
http://wimages.vr-zone.net/2017/02/st_20170121_dabike21qxxc_2888374_2.jpg (Accessed 16 January 2018)

Use of QR code for quick payment:

Image Source:
https://thenextweb.com/asia/2012/02/10/paypal-trials-qr-code-mobile-shopping-on-singapores-metro-service (Accessed 19 January 2018)

One of the most popular uses of QR codes is encoding URLs (Uniform Resource Locators), the web addresses users intend to visit. Instead of typing a long URL into his or her phone, a mobile phone user can just scan the code to retrieve the URL. It makes for greater ergonomics with the smartphone.

Image developed internally by Horangi artists

The other trendy usage for QR codes is quick payment. In China, QR code payment is transforming the payment industry. It is no longer a new thing, but you may still be shocked by how extensive and widely adopted it is. Not only are proper establishments integrating QR code payments into their business infrastructure, but street stalls are also adopting such means as well in efforts to maintain pace with the times. While it may look visually appealing, what if the poor seller’s QR code sticker is replaced by a malicious sticker that transfers money to a hacker’s account?

A street stall in China:

Image Source: https://chinachannel.co/wechat-qr-codes-wechat-essential-tips/ (Accessed 13 January 2018)

With the convenience that QR codes bring, we tend to forget the security risks that arise from it. There is usually a trade-off between security and convenience. Now, we will look at some QR code fraud practices that could impact normal end-users like you and me.

WHAT’S THE BIG DEAL?

The simplicity and myriad uses of QR codes have revolutionized payment methods, especially in mainland China after the introduction of Alipay, where nearly every vendor accepts payment by QR code. However, widespread use has also resulted in large-scale abuse.

“Currently, over 23 percent of Trojans and viruses are transmitted via QR codes. The [difficulty] threshold to make QR codes is so low that fraudsters can implant Trojans and viruses into a QR code very easily…[o]n the other hand, consumers cannot verify the authenticity of QR codes by eye and are therefore prone to be deceived if criminals paste their fake code over the original one.”

Deputy Liu Qingfeng, chairman of voice recognition cloud service provider iFlytek.

In Guangdong province of China, about 90 million yuan (US$13 million) has reportedly been stolen via QR code scams, according to a March 2017 report in the Southern Metropolis Daily. Unfortunately for the unsuspecting consumer and for law enforcement agencies, QR codes are easily tampered with and cannot be verified as genuine by the human eye. These two factors make the cybercriminals’ task that much easier. Furthermore, an article published by the Massachusetts Institute of Technology pointed out that a malicious QR code redirection is more effective than a malicious shortened-URL misdirection, because the target is completely opaque until the code is scanned.

Criminals have discovered a method called “QRLjacking” that uses QR codes to infect your smartphone with malware, trick you into visiting a phishing site or steal information directly from your mobile device. For more in-depth details about the QRLjacking attack, you can head over to OWASP and GitHub.

An article published in “Trustworthy Ubiquitous Computing” by Springer provides a proof of concept of how easy it is to alter and attack sticker QR codes. With the use of rent-a-bicycle services skyrocketing in Singapore, the physical tampering of QR stickers poses a great risk to users.

Mohamed Abdelbasset Elnouby, an Egyptian security researcher and penetration tester at Seekurity Inc., demonstrated a proof of concept for hijacking sessions of services like WhatsApp and WeChat that offer “Login with QR code” (see image below).

Image Source: https://securityonline.info/qrljacking-social-engineering-attacks-vectors (Accessed 13 January 2018)

WHAT CAN WE DO TO PROTECT OURSELVES?

After learning the risks of using QR codes, does it mean we should stop using them? Perhaps instead of avoiding them, we should embrace them tactfully. The benefits that QR codes bring outweigh their risks. Furthermore, both QR code distributors and end-users can reap benefits from them. For example, QR code distributors can change the URL that a QR code points to without changing the QR code itself. This allows distributors to save on advertising costs: when there is a new event or product, instead of printing new flyers or banners, changing the redirect target behind the QR code will be sufficient in many situations.

Thus, just like with any other technology, users can follow good security practices to protect themselves from cybercrime while enjoying the technology’s benefits. It is possible to use QR codes with acceptable risk.

Here are some steps end-users can adopt to protect themselves from QR code scams:

  1. Use secure QR Code reader apps such as “Norton Snap QR code”. Such apps typically allow end-users to view the URL and offer the feature of blocking malicious websites.
  2. Check the URL displayed before going to the website, and make sure the URL is the valid address according to the advertisement. For instance, http://www.fairprice[.]com.sg is entirely different from http://www.fairprice.com.sg-giftcard[.]com.
  3. Feel and touch the QR code before scanning. If it feels like a sticker or it doesn’t fit very well in the background, DO NOT scan the code.
  4. Be very careful when the redirected URL asks for confidential information. Never share personal data unless the website is absolutely trusted.
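Step 2 above is the check a reader app (or a cautious user) should apply to the decoded URL before opening it. The following is an added example, not Horangi’s or any reader app’s code: it extracts the registrable domain from the URL and compares it against an allowlist of domains the advertisement is expected to use. The allowlist, the URLs and the shortened public-suffix table are constructed assumptions for illustration; a production checker should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domain(s) the advertisement claims to lead to.
EXPECTED_DOMAINS = {"fairprice.com.sg"}

# Simplified public-suffix table (assumption): suffixes under which the registrable
# domain is three labels long, e.g. "fairprice.com.sg" rather than "com.sg".
TWO_LABEL_SUFFIXES = {"com.sg", "co.uk", "com.cn", "com.au"}


def registrable_domain(host):
    """Return the registrable domain of a hostname, e.g. www.fairprice.com.sg -> fairprice.com.sg."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_qr_url(url, expected=EXPECTED_DOMAINS):
    """Return (ok, reason). ok is True only when the URL's registrable domain is expected
    and none of the common look-alike tricks are present."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname  # already lower-cased; userinfo and port are stripped
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # "https://www.fairprice.com.sg@evil.example/" really goes to evil.example
        return False, "URL carries userinfo (user@host trick)"
    if not host.isascii():
        return False, "non-ASCII host (possible homograph domain)"
    if host.replace(".", "").isdigit():
        return False, "bare IP address instead of a domain"
    domain = registrable_domain(host)
    if domain not in expected:
        # catches "www.fairprice.com.sg-giftcard.com" -> registrable domain sg-giftcard.com
        return False, f"registrable domain {domain!r} is not expected"
    note = "ok" if parts.scheme == "https" else "ok, but plain http (no TLS)"
    return True, note


if __name__ == "__main__":
    for u in ("https://www.fairprice.com.sg/promo",
              "http://www.fairprice.com.sg-giftcard.com",
              "https://www.fairprice.com.sg@evil.example/"):
        print(u, "->", check_qr_url(u))
```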

To Sum Things Up

QR code technology is easy to use and widespread. With its versatility, it can be used for almost anything. However, a careless scan without verification could cause one’s phone to be compromised, and important and confidential data could fall into hackers’ hands. Be watchful and alert whenever QR codes are involved. Cultivate basic cyber-security hygiene. Most importantly, enjoy the convenience QR codes bring! Do not allow the bad guys to destroy our right to enjoy technology.
