The FTC Is Concerned About QR Codes (And So Am I)
David Birch
International keynote speaker, author, advisor, commentator and investor in digital financial services. Recognised thought leader on digital currency, digital ID and digital assets. Follow dgwbirch.bsky.social
The Federal Trade Commission issued a warning about the "growing abuse" of QR codes. Scammers are exploiting the lack of security around QR codes both online and offline. They embed QR codes in emails as images, so that security software which scans the links in a message never sees the malicious URL. They show QR codes on bogus websites to encourage people to download malware. They paste bogus QR codes over real ones in cities around the world and trick people into going to scam websites. People including, as it happens, my sister.
QR Scams Abound
There’s been a rash of scams in the UK where the criminals target car parks and put up posters with their own QR codes on them or put their own QR codes on stickers that they put on top of the genuine codes. People think they are scanning genuine parking app codes, but they are instead directed to an internet site or app run by scammers.
This is the scam that almost caught my sister, who was visiting some friends and parked her car in a public car park. She went to look at the schedule of charges and there was a handy sign advising drivers with smartphones to pay via a QR code. She scanned the code and was directed to a superficially plausible website. After giving her debit card details to what she thought was a legitimate car parking company, my sister fortunately spotted that the website was wholly fraudulent and was able to alert her bank in time to block transactions. But plenty of other people are getting caught in these scams, as QR codes are quickly becoming a favourite tool of the criminal fraternity: one cybersecurity vendor said that QR codes featured in a fifth of the phishing campaigns it detected in the first weeks of the final quarter of last year.
A few years ago, in connection with a couple of projects I was working on at the time, I looked at the idea that mobile operators might do something about the potential for scams by creating a digital signature standard for QR codes, so that phones could be set by default to ignore unsigned codes. This never happened, as I’m sure you are aware, and QR codes became popular precisely because of the openness that makes the sticker scam so easy: anyone could read them, anyone could use them, anyone could write them.
Many years ago, I wrote a blog post about Kazakhstan because it had the highest penetration of EMV terminals in the former Soviet Union. Anyway, some 16 years after I wrote that blog post, I finally got to make a chip and PIN transaction in Kazakhstan for myself. I stopped in for a coffee whilst having a wander around the leafy streets near my hotel. I was the only person who did this, by the way, because everyone else who bought coffee used QR. QR was everywhere, from the main streets to the tourist attractions to the mountain tops.
It goes without saying that being early into QR payments meant being early into QR fraud. A good example was scammers placing fake parking tickets, complete with QR codes for easy mobile payment of the "fine", on parked cars. Early adopters were also the first to discover some of the less obvious side effects. A woman in China who wanted to post photos of the dishes from a hotpot restaurant she had visited with a friend accidentally included in the photos the QR code stuck to the table for ordering and paying for meals, and subsequently received a bill of approximately $60,000 after other people who saw the code scanned it and placed orders!
Some years ago I also wrote an article pointing out that NFC ought to be safer than QR codes because NFC included a standard for digitally signing tags (the NFC Forum's Signature Record Type Definition), although I did also note that no one used it, whereas anyone could easily create bogus QR codes. Osama Bedier, at the time VP of Wallet & Payments at Google, said that NFC was a better technical solution than QR codes, calling them one of
which I thought was a good way to describe the situation.
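As an added illustration of the signed-code idea in the two paragraphs above (the QR signature standard that never happened, and the NFC signed-tag comparison), here is what "ignore unsigned codes by default" looks like in Go. This is example code written for this page, not anything from the article, a mobile operator or a standards body; the `sqr1|issuer|url|signature` envelope, the issuer names and the URLs are assumptions made for the example. The phone pins a set of issuer public keys and opens a URL only if the QR text carries a valid Ed25519 signature from one of them, so a bare URL on a sticker, a code signed with a scammer's own key, and a genuine code whose URL has been altered are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Envelope assumed for the example (the article describes no concrete format):
//
//	sqr1|<issuer id>|<url>|<base64url Ed25519 signature over "sqr1|<issuer id>|<url>">
const envelopePrefix = "sqr1"

// TrustedIssuers is the phone's pinned set of issuer public keys. How the set is
// distributed (by the mobile operator, as the article imagines) is out of scope here.
type TrustedIssuers map[string]ed25519.PublicKey

var (
	ErrUnsigned      = errors.New("unsigned or malformed QR payload: refusing to open")
	ErrUnknownIssuer = errors.New("issuer is not in the trust store")
	ErrBadSignature  = errors.New("signature does not verify: tampered or forged code")
)

// GenerateIssuerKey makes a fresh Ed25519 key pair for an issuer.
func GenerateIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signingInput binds the issuer id to the URL, so a signature cannot be replayed
// under another issuer's name.
func signingInput(issuer, rawURL string) string {
	return envelopePrefix + "|" + issuer + "|" + rawURL
}

// IssueSignedCode returns the text a legitimate operator would print in its QR code.
func IssueSignedCode(issuer string, priv ed25519.PrivateKey, rawURL string) string {
	sig := ed25519.Sign(priv, []byte(signingInput(issuer, rawURL)))
	return signingInput(issuer, rawURL) + "|" + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyScannedCode is the check a "reject unsigned codes by default" phone would
// run on the decoded QR text. It returns the URL only when the code carries a
// valid signature from an issuer in the trust store.
func VerifyScannedCode(payload string, trust TrustedIssuers) (string, error) {
	head := strings.SplitN(payload, "|", 3) // prefix, issuer, "url|signature"
	if len(head) != 3 || head[0] != envelopePrefix {
		return "", ErrUnsigned // a bare URL on a sticker lands here
	}
	issuer, rest := head[1], head[2]
	cut := strings.LastIndex(rest, "|") // split from the right: base64url never contains "|"
	if cut < 0 {
		return "", ErrUnsigned
	}
	rawURL, sigB64 := rest[:cut], rest[cut+1:]
	pub, ok := trust[issuer]
	if !ok {
		return "", ErrUnknownIssuer
	}
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", ErrBadSignature
	}
	if !ed25519.Verify(pub, []byte(signingInput(issuer, rawURL)), sig) {
		return "", ErrBadSignature
	}
	return rawURL, nil
}

func main() {
	// Constructed scenario: a genuine car-park operator and a scammer with a sticker.
	pub, priv := GenerateIssuerKey()
	trust := TrustedIssuers{"parkco": pub}
	genuine := IssueSignedCode("parkco", priv, "https://pay.parkco.example/bay/12")
	_, scamPriv := GenerateIssuerKey()
	forged := IssueSignedCode("parkco", scamPriv, "https://pay-parkco.example/bay/12")
	for _, code := range []string{genuine, "https://pay-parkco.example/bay/12", forged} {
		u, err := VerifyScannedCode(code, trust)
		fmt.Printf("open=%q err=%v\n", u, err)
	}
}
```

The point the original idea relied on is visible in the failure cases: the scammer can print any code they like, but without an issuer's private key they cannot produce one the phone will open, and the sticker-over-sticker trick is reduced to a denial of service. The cost is equally visible: every legitimate issuer needs a key in every phone's trust store, which is exactly the distribution problem that the openness of QR never had.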
Even the man who invented QR codes said that they were an interim technology that would be gone by now! In fact he predicted that the QR code would be replaced by something more sophisticated, suggesting that in the future smart software would simply recognise things in the real world and would not need codes at all.
Take Care
So how can you protect yourself today? Well, here’s what the Federal Trade Commission says: If you see a QR code in an unexpected place, inspect the URL before you open it. If it looks like a URL you recognise, make sure it’s not spoofed — look for misspellings or a switched letter. Don’t scan a QR code in an email or text message you weren’t expecting — especially if it urges you to act immediately. If you think the message is legitimate, use a phone number or website you know is real to contact the company.
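As an added example (not from the FTC's guidance or from the article), the following Go program applies that advice mechanically to a URL decoded from a QR code: is the host one you recognise, and if not, does it merely look like one (a switched letter, the brand name buried in a different domain, a brand name placed before an @ so that it is only a username, a punycode label that can hide look-alike characters, a bare IP address, or plain http). The trusted domains `parkpay.example` and `mycouncil.example` and the sample URLs are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Verdict is the result of inspecting a URL decoded from a QR code.
type Verdict struct {
	Recognised bool     // host is, or is under, a domain the user already trusts
	Warnings   []string // reasons to stop and contact the company another way
}

// knownDomains is a constructed stand-in for "a URL you recognise".
var knownDomains = []string{"parkpay.example", "mycouncil.example"}

// editDistance is the Levenshtein distance; one switched letter costs 1.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			best := prev[j-1] // substitution, free when the runes match
			if ra[i-1] != rb[j-1] {
				best++
			}
			if prev[j]+1 < best { // deletion
				best = prev[j] + 1
			}
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			cur[j] = best
		}
		prev = cur
	}
	return prev[len(rb)]
}

// InspectURL applies the FTC's "inspect the URL before you open it" advice mechanically.
func InspectURL(raw string) Verdict {
	var v Verdict
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return Verdict{Warnings: []string{"not a web URL"}}
	}
	host := strings.ToLower(u.Hostname())
	for _, d := range knownDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			v.Recognised = true
		}
	}
	if u.Scheme != "https" {
		v.Warnings = append(v.Warnings, "not https")
	}
	if u.User != nil { // "https://parkpay.example@evil.example/": the brand is only a username
		v.Warnings = append(v.Warnings, "text before @ is not the host; real host is "+host)
	}
	if net.ParseIP(host) != nil {
		v.Warnings = append(v.Warnings, "host is a bare IP address")
	}
	if strings.Contains(host, "xn--") {
		v.Warnings = append(v.Warnings, "punycode label: may hide look-alike characters")
	}
	if !v.Recognised { // spoofing checks only matter for hosts we do not already trust
		for _, d := range knownDomains {
			name := strings.SplitN(d, ".", 2)[0]
			switch {
			case editDistance(host, d) <= 2:
				v.Warnings = append(v.Warnings, "looks like "+d+" but is not (misspelling?)")
			case strings.Contains(host, name):
				v.Warnings = append(v.Warnings, "uses the name "+name+" in a different domain")
			}
		}
	}
	return v
}

func main() {
	// Constructed sample of URLs of the kind found in QR codes on parking signs.
	for _, raw := range []string{
		"https://mycouncil.example/parking/pay",
		"http://parkpay-fines.example/pay",
		"https://parkpey.example/pay",
		"https://parkpay.example@evil.example/pay",
	} {
		v := InspectURL(raw)
		fmt.Printf("%-42s recognised=%-5t warnings=%v\n", raw, v.Recognised, v.Warnings)
	}
}
```

Run as is, it prints a verdict for each sample URL. The edit-distance threshold of 2 and the "brand name as a substring" rule are deliberately crude; a real checker would also resolve shortened links to their destination before judging them and compare against the user's own browsing history rather than a fixed list.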
Wise words, but an actually secure infrastructure based on digital identities would be better.
Virtual Chief Information Security Officer (vCISO) @ Thrive | CISSP | MBA | FullStack DevOps SecOps SecDev
4 weeks ago
Then there’s always GS1 https://www.dhirubhai.net/posts/gs1_gs1barcode50-qrcode-poweredbygs1-activity-7211713025551052803-kE4J
CEO and Co-founder at IPOSUP and HCE Secure
4 weeks ago
Clearly QR codes are not meant for unattended environments such as car parks. QR codes are generally used in merchant and customer face-to-face transactions, such as UPI in India, where the merchant recipient name is part of the protocol. The account-number-and-sort-code fraudster problem is now overcome by banks providing validation APIs!
Tumu Whakarae (CEO) | Director | NZTech Board | API Council | Te Tai Hiki
4 weeks ago
Ross Jackson
Product Development Executive and Advisor
1 month ago
Code jacking has a long history going back to the beginning of QR codes. Combined with URL shortening (another sketchy convenience that erodes trust), that puts users at a big disadvantage.
Software Security - Applied
1 month ago
I've been wary of any public QR codes since I heard about poisoned QR codes on ATMs in Singapore years ago. Education is key.