QR Codes Are A Fraud Risk
The end of QR might be in sight (geddit?) just as its inventor predicted.
Dateline: Kampala, 4th October 2024.
Earlier this year the Federal Trade Commission (FTC) issued a warning about the "growing abuse" of QR codes, and it is certainly the case that QR crime is growing. So, given that we saw the 50th anniversary of the first barcode transaction this year, perhaps we should start thinking about what will come next.
Jet Propelled
Fifty years ago, in June 1974, the first swipe of a Universal Product Code (UPC) standard black and white stripes barcode occurred at a Marsh’s Supermarket in Troy, Ohio. (It was for a 67-cent pack of Wrigley’s Juicy Fruit gum, by the way).
Twenty years on from that, in 1994, Mr Masahiro Hara got tired of having to scan six or seven barcodes on every box of parts that zoomed past on the assembly line at the Toyota car parts factory where he worked. He couldn’t help but wonder why they were still using those limited capacity 1970s barcodes when there was so much more data that needed to be read. After studying a game of Go, he came up with the two-dimensional barcodes that we now know as the QR Code.
Twenty years on again, in 2014, QR codes were being used for all sorts of things and Mr Hara was awarded the European Inventor Awards “Popular Prize”, at which point he said that QR codes would likely only last about a decade before they were replaced by something more sophisticated.
Well, they haven’t been yet, and here we are in 2024, and QR codes are everywhere. Was Mr Hara wrong?
with kind permission of Helen Holmes (CC-BY-ND 4.0)
I don’t think so, because there is a big problem with QR codes and that is fraud. The problem surfaced as soon as QR codes entered the consumer mass market all around the world. In China, scammers have been caught placing fake parking tickets — complete with QR codes for easy mobile fine payment — on parked cars. In the Netherlands, a QR code scam exploited a legitimate feature within a mobile banking application to swindle the bank’s customers.
In Germany, phony emails containing QR codes have lured eBanking customers to malicious websites under the guise of reviewing privacy policy updates to their accounts. Yes, scam QRs in official-looking e-mails. As Jamie Bartlett points out today, for all the talk of AI-powered cybercrime and ‘zero-day vulnerabilities’, the humble phishing email carries on, undefeated. “As everyone in the cyber-security industry knows, criminals do not mess with a winning formula”.
(In fact this so-called “quishing” is on the rise. When it comes to phishing e-mails with QR codes in them, millennials are the prime targets, especially in the finance, legal and healthcare sectors.)
In the UK criminals have taken to the streets pasting stickers of malicious QR codes onto car parking machines, tricking drivers into entering bank account or credit card details into a fake phishing site. As it happens, it was my own sister almost falling for one of these scams that alerted me to the sheer scale of the problem, even though I knew it was far from a new phenomenon.
(I can remember reading in the South China Morning Post that in March 2017 some 90m Yuan were stolen via QR code scams in Guangdong alone — a suspect in one case was found to have replaced merchants' legitimate bar codes with fake ones that embedded a virus to steal personal information — and that across China a quarter of viruses and trojans were coming in via QR so I knew it was only a matter of time before we began to see the same problems here.)
There Are Alternatives
So while QR codes are indeed convenient for making payments and more, they do pose serious security risks such as leading users to malicious websites or triggering unintended actions. What, then, should we use instead?
Contactless is a good choice for some things. It is a decade since I first wrote that one of the issues with QR codes is that they have no security. A few years later I wrote an article pointing out that contactless ought to be safer than QR codes because the relevant standards included the ability to digitally sign tags — although I did also note that no-one used it — whereas anyone could easily create bogus QR codes.
Sitting at a restaurant table, tapping rather than scanning, using Near-Field Communication (NFC) technology, allows for quick and secure close-range communication between devices. Unlike QR codes, which can be scanned from a distance, NFC demands proximity, offering an added layer of security. NFC tags can be embedded in various objects and are increasingly used for contactless payments and access control, and the chips in these tags can support very sophisticated security measures.
There are other longer-range wireless options too, such as Bluetooth Low Energy (BLE) and Ultra Wide Band (UWB), that could also be used to send information to a consumer device, and it would be relatively simple to add cryptography and digital signatures so that phones could reject bogus connections.
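The difference a signature makes, as an added example that is not part of the original article: a phone accepts a tag or beacon payload only if a key it already trusts signed it, so a pasted-over or substituted payload fails where a bogus QR code would simply be scanned. The record layout, the key id `parking-operator-1`, the `.example` URLs and the choice of Ed25519 are assumptions for illustration, not the format of any NFC, BLE or UWB standard.

```javascript
const nodeCrypto = require("crypto");

// Constructed operator key pair. On a real phone only the public half would be
// pinned, for example by the wallet or parking app (assumption).
const operator = nodeCrypto.generateKeyPairSync("ed25519");
const TRUSTED_KEYS = new Map([["parking-operator-1", operator.publicKey]]);

// Bytes covered by the signature: signer id and payload together, so neither
// can be swapped independently of the other.
function signedBytes(keyId, payload) {
  return Buffer.from(`${keyId}\n${payload}`, "utf8");
}

// Operator side: issue a record for a tag or beacon.
function signRecord(keyId, payload, privateKey) {
  const sig = nodeCrypto.sign(null, signedBytes(keyId, payload), privateKey);
  return { keyId, payload, sig: sig.toString("base64") };
}

// Phone side: act on the payload only if a pinned key signed it.
function verifyRecord(record) {
  const key = TRUSTED_KEYS.get(record.keyId);
  if (!key) return { ok: false, reason: "unknown signer" };
  if (typeof record.sig !== "string") return { ok: false, reason: "unsigned" };
  let valid = false;
  try {
    const body = signedBytes(record.keyId, record.payload);
    valid = nodeCrypto.verify(null, body, key, Buffer.from(record.sig, "base64"));
  } catch {
    valid = false; // malformed signature bytes count as a failure
  }
  return valid
    ? { ok: true, payload: record.payload }
    : { ok: false, reason: "bad signature" };
}

// Constructed samples: the operator's record, and a copy with the URL replaced.
const genuine = signRecord("parking-operator-1", "https://pay.example/zone/42", operator.privateKey);
const swapped = { ...genuine, payload: "https://other.example/zone/42" };
console.log(verifyRecord(genuine), verifyRecord(swapped));
```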
At longer range, one might also imagine digital watermarks embedded in images or videos could be used to transmit information. These are less visible and more difficult to tamper with than QR codes.
A bit further downstream, however, we might find ourselves using smart glasses that can recognise what we are looking at and offer up a selection of appropriate options: if I’m looking at a poster advertising a forthcoming Hawkwind concert on the Tube, then there would be no need for me to scan a QR code because my smart glasses should be able to read the poster and go online to the relevant booking site automatically. From there it is a short step to Augmented Reality (AR), where the infrastructure itself adds interactivity and security and where users can interact with dynamic content that is more challenging to replicate or alter maliciously.
AI Does Not Need QR
That is actually where Mr Hara thought we would be in 2024. As I write I am sitting in a train carriage and there is an advertisement for some form of fast food on the end wall. The advertisement sports a QR code. But surely a smartphone (as Mr Hara reasoned) should be able to read the advertisement and give me the option of seeing where the nearest outlet is or what the special offers are today. My iPhone can already recognise text; it wouldn’t seem that much of a stretch to get it to pull out URLs automatically, check their validity and display them so that you can see where you are going.
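What "pull out URLs, check their validity and display them" could look like in practice, as an added example that is not from the original article: the function below takes text a phone has recognised (or a decoded QR payload), extracts the URLs and reports the real destination host with reasons for caution. The allowlist `EXPECTED_HOSTS`, the sample text and all host names are constructed assumptions.

```javascript
// Hypothetical list of payee hosts the phone already trusts (assumption).
const EXPECTED_HOSTS = ["pay.example"];

// Constructed sample of recognised sign text.
const SAMPLE_SIGN_TEXT =
  "Pay for parking at https://pay.example/zone/42. " +
  "Or http://pay.example.park-fees.test/zone/42";

// Pull candidate URLs out of free text, dropping trailing punctuation.
function extractUrls(text) {
  const found = text.match(/\bhttps?:\/\/[^\s<>"']+/gi) || [];
  return found.map((u) => u.replace(/[.,;:!?)]+$/, ""));
}

// Parse one URL and list the reasons a user should hesitate before opening it.
function assessUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { raw, verdict: "reject", reasons: ["not a parseable URL"] };
  }
  const host = url.hostname; // normalised by the parser, so disguised IPs show up
  const reasons = [];
  if (url.protocol !== "https:") reasons.push("not HTTPS");
  if (url.username || url.password) reasons.push("credentials before the host name");
  if (/^\d+(\.\d+){3}$/.test(host) || host.startsWith("[")) {
    reasons.push("IP address instead of a name");
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("internationalised (punycode) label");
  }
  const known = EXPECTED_HOSTS.some((h) => host === h || host.endsWith("." + h));
  if (!known) reasons.push("host not on the expected list");
  // `display` is what the phone should show: the host actually contacted.
  return { raw, display: host, verdict: reasons.length ? "warn" : "ok", reasons };
}

function assessText(text) {
  return extractUrls(text).map(assessUrl);
}

console.log(assessText(SAMPLE_SIGN_TEXT));
```

The second URL in the sample begins with the trusted name but resolves to a different host, which is why the check compares the parsed host name rather than the start of the string.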
(The parking machine that almost trapped my sister would not need a QR code if her phone could simply read the sign and apply some basic AI to work out how much to pay and who to pay it to.)
As the relevant AI and vision technologies mature, they are likely to become more widespread and potentially replace or augment QR codes — first in applications where higher security is required, such as payments and other financial services. While QR codes are likely to remain in use for many cases due to their familiarity and ease of implementation (I’d rather have a secure Bluetooth connection to the TV in my hotel room, but there you go), we in the fintech world really should be planning to roll out more secure alternatives as a priority.