Dateline: Amsterdam, 4th June 2024.
The Federal Trade Commission issued a warning about the "growing abuse" of QR codes. Scammers are exploiting the lack of security around QR codes both online and offline. They embed QR codes into emails as images so that link-scanning security software never sees the malicious URL. They show QR codes on bogus websites to encourage people to download malware. They paste bogus QR codes over real ones in cities around the world and trick people into going to scam websites. People including, as it happens, my sister.
Code Red
There’s been a rash of scams in the UK where the criminals target car parks, either putting up posters carrying their own QR codes or sticking their own codes over the genuine ones. People think they are scanning genuine parking app codes, but they are instead directed to a website or app run by scammers.
This is the scam that almost caught my sister, who was visiting some friends and parked her car in a public car park. She went to look at the schedule of charges and there was a handy sign advising drivers with smartphones to pay via a QR code. She scanned the code and was directed to a superficially plausible website. After giving her debit card details to what she thought was a legitimate car parking company, my sister fortunately spotted that the website was wholly fraudulent and was able to alert her bank in time to block transactions. But plenty of other people are getting caught in these scams as QR codes are quickly becoming a favourite tool in the criminal fraternity, with one cybersecurity vendor saying that QR featured in a fifth of phishing campaigns it detected in the first weeks of the final quarter of last year.
A few years ago, in connection with a couple of projects I was working on at the time, I looked at the idea that mobile operators do something about the potential for scams by creating a digital signature standard for QR codes so that phones could be set by default to ignore unsigned codes. This never happened, as I’m sure you are aware, and QR codes became popular precisely because anyone could read them, anyone could use them, anyone could write them.
The result in China, for example, where there was little card infrastructure in place beforehand, was the rapid near-ubiquity of QR in the world’s biggest mobile payments market. And not only China, of course. Many years ago, I wrote a blog post about Kazakhstan because it had the highest penetration of EMV terminals in the former Soviet Union and I couldn’t resist making fun by posting a picture of a chip and PIN terminal for the well-known fictional character “Borat” to take with him on his next visit to America. Anyway, some 16 years after I wrote that blog post, I finally got to make a chip and PIN transaction in Kazakhstan for myself. I stopped in for a coffee whilst having a wander around the leafy streets near my hotel. I was the only person who did this, by the way, because everyone else who bought coffee used QR. QR was everywhere, from the main streets to the tourist attractions to the mountain tops.
It goes without saying that being early into QR payments, China was also early into QR fraud. A good example was scammers placing fake parking tickets, complete with QR codes for easy mobile payment of the "fine", on parked cars. China was also the first to discover some other fun side effects. A woman who wanted to post photos of the dishes from a hotpot restaurant she visited with her friend accidentally included the QR code that was stuck to the table for ordering and paying for meals… and subsequently received a bill of approximately $60,000 after other people who saw the code scanned it and placed orders!
with kind permission of Helen Holmes (CC-BY-ND 4.0)
But the problem is global, of course. In the Netherlands, a QR code scam exploited a legitimate feature within a mobile banking application to swindle the bank’s customers, while in Germany, phoney emails containing QR codes lured online banking customers to malicious websites under the guise of reviewing privacy policy updates to their accounts. And in Texas, criminals hit the streets, pasting stickers of malicious QR codes on to city parking meters and tricking residents into entering credit card details into a fake phishing site.
Security Please
Some years ago I wrote an article pointing out that NFC ought to be safer than QR codes because NFC included a standard for digitally-signing tags, although I did also note that no-one used it, whereas anyone could easily create bogus QR codes. Osama Bedier, at the time VP of Wallet & Payments at Google, said that NFC was a better technical solution than the QR codes, calling them one of “many bridge technologies between now and what is a destination solution”, which I thought was a good way to describe the situation.
Even the man who invented QR codes said that they were an interim technology that would be gone by now! He predicted that the QR code would be replaced by something more sophisticated, suggesting that in the future smart software would simply recognise things in the real world and would not need codes at all. He also said that a secure QR code capable of distinguishing between “what you want to share and what you don’t” was being explored in Japan.
Defence
So how can you protect yourself today? Well, here’s what the Federal Trade Commission says: If you see a QR code in an unexpected place, inspect the URL before you open it. If it looks like a URL you recognise, make sure it’s not spoofed — look for misspellings or a switched letter. Don’t scan a QR code in an email or text message you weren’t expecting — especially if it urges you to act immediately. If you think the message is legitimate, use a phone number or website you know is real to contact the company.
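As an added illustration (not part of the original post or the FTC's material), here is what that advice looks like when a scanner app applies it mechanically to the text decoded from a code, before anything is opened. It flags non-web schemes, plain http, credentials hiding the real host, raw IP addresses, URL shorteners, punycode labels, and hostnames that embed or sit one or two edits away from a name the app already trusts. The trusted-host list, shortener list and sample payloads are all constructed for the example, and the `.example` names stand for no real operator.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Hosts the scanner app already knows to be genuine. Constructed for the
// example; a real app would use an allow list the operator maintains.
var trustedHosts = []string{"payparking.example", "citycouncil.example"}

// Public URL shorteners hide the destination, so a code pointing at one
// cannot be inspected before it is opened (constructed, non-exhaustive).
var shorteners = map[string]bool{"bit.ly": true, "tinyurl.com": true, "t.co": true}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the edit distance between a and b; one or two edits is
// what "a switched letter" in the FTC's advice amounts to.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}

// InspectQRURL takes the text decoded from a QR code and returns a verdict
// ("trusted", "suspicious" or "unknown") with the reasons behind it.
func InspectQRURL(payload string) (string, []string) {
	var findings []string
	u, err := url.Parse(strings.TrimSpace(payload))
	if err != nil || u.Scheme == "" {
		return "suspicious", []string{"payload is not a web URL"}
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "https" && scheme != "http" {
		return "suspicious", []string{"non-web scheme: " + scheme}
	}
	if u.Host == "" {
		return "suspicious", []string{"payload is not a web URL"}
	}
	if scheme == "http" {
		findings = append(findings, "plain http, no TLS")
	}
	if u.User != nil {
		// https://payparking.example@evil.example/ shows a trusted name before the '@'
		findings = append(findings, "credentials in URL hide the real host")
	}
	host := strings.ToLower(u.Hostname())
	if net.ParseIP(host) != nil {
		return "suspicious", append(findings, "raw IP address instead of a domain name")
	}
	if shorteners[host] {
		return "suspicious", append(findings, "URL shortener hides the destination")
	}
	for _, t := range trustedHosts {
		if host == t || strings.HasSuffix(host, "."+t) {
			if len(findings) > 0 {
				return "suspicious", findings
			}
			return "trusted", nil
		}
	}
	// Untrusted host: look for a trusted brand name embedded in, or one or
	// two edits away from, any label of the scanned host.
	for _, label := range strings.Split(host, ".") {
		if strings.HasPrefix(label, "xn--") {
			findings = append(findings, "punycode label, possible homoglyph: "+label)
		}
		for _, t := range trustedHosts {
			brand := strings.SplitN(t, ".", 2)[0]
			switch d := levenshtein(label, brand); {
			case d == 0:
				findings = append(findings, fmt.Sprintf("brand %q embedded in untrusted host", brand))
			case d <= 2:
				findings = append(findings, fmt.Sprintf("label %q looks like %q", label, brand))
			}
		}
	}
	if len(findings) > 0 {
		return "suspicious", findings
	}
	return "unknown", nil
}

func main() {
	// Constructed sample payloads, as a scanner app would receive them.
	for _, p := range []string{
		"https://pay.payparking.example/session/42",
		"https://paypark1ng.example/session/42",
		"http://payparking.example.secure-pay.com/",
		"https://payparking.example@203.0.113.5/",
		"https://bit.ly/3abcdef",
		"https://coffeeshop.example/menu",
	} {
		v, why := InspectQRURL(p)
		fmt.Printf("%-10s %s %v\n", v, p, why)
	}
}
```

Note the order of the checks: the trusted-suffix test only wins when nothing earlier has fired, so `http://payparking.example/...` is still reported, and the lookalike scan runs only on hosts that are not already trusted, which keeps `pay.payparking.example` from being flagged against its own brand.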
Wise words, but an actually secure infrastructure based on digital identities would be better.
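The signed-code idea mentioned earlier, as an added example that is not part of the original post and not any actual standard: the QR text carries an issuer identifier, the URL and an Ed25519 signature over both, and the phone's scanner only hands back a URL when the signature verifies against a key it already trusts for that issuer. Anything unsigned is ignored by default, which is exactly what a sticker pasted over a genuine code in a car park would be. The `sqr1|` format, the issuer name, the `.example` hostnames and the fixed key seed are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// prefix marks a signed payload; everything else is treated as unsigned.
// The "sqr1|" format is an assumption made for this example, not a standard.
const prefix = "sqr1|"

// TrustStore maps an issuer identifier to the public key the phone trusts
// for it (assumed to be provisioned out of band, e.g. by the operator).
type TrustStore map[string]ed25519.PublicKey

var (
	ErrUnsigned      = errors.New("unsigned QR code ignored by default")
	ErrUnknownIssuer = errors.New("issuer not in trust store")
	ErrBadSignature  = errors.New("signature does not verify")
)

// SignPayload builds the text an issuer would print into a QR code:
// "sqr1|issuer|url|base64url(signature over "sqr1|issuer|url")".
func SignPayload(priv ed25519.PrivateKey, issuer, target string) string {
	msg := prefix + issuer + "|" + target
	sig := ed25519.Sign(priv, []byte(msg))
	return msg + "|" + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyPayload is what the scanner runs before opening anything. It
// returns the URL only for a valid signature from a trusted issuer.
func VerifyPayload(ts TrustStore, payload string) (string, error) {
	if !strings.HasPrefix(payload, prefix) {
		return "", ErrUnsigned
	}
	body := strings.TrimPrefix(payload, prefix)
	cut := strings.LastIndex(body, "|") // the signature is the last field
	if cut < 0 {
		return "", ErrUnsigned
	}
	msg, sigB64 := body[:cut], body[cut+1:]
	fields := strings.SplitN(msg, "|", 2)
	if len(fields) != 2 {
		return "", ErrUnsigned
	}
	issuer, target := fields[0], fields[1]
	pub, ok := ts[issuer]
	if !ok {
		return "", ErrUnknownIssuer
	}
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", ErrBadSignature
	}
	if !ed25519.Verify(pub, []byte(prefix+msg), sig) {
		return "", ErrBadSignature
	}
	return target, nil
}

// DemoIssuer derives a constructed issuer key from a fixed seed so the
// example is reproducible; real keys would never be built this way.
func DemoIssuer(issuer string, seedByte byte) (ed25519.PrivateKey, TrustStore) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = seedByte
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, TrustStore{issuer: priv.Public().(ed25519.PublicKey)}
}

func main() {
	operator, phone := DemoIssuer("payparking", 0x01)
	genuine := SignPayload(operator, "payparking", "https://payparking.example/pay/42")

	// The attacker's own key is never in the phone's trust store.
	attacker, _ := DemoIssuer("payparking", 0xFF)

	// Constructed sample payloads: the genuine code, then three sticker-over
	// attacks (plain URL, genuine code with the URL swapped, attacker-signed).
	for _, p := range []string{
		genuine,
		"https://pay-now.example/42",
		strings.Replace(genuine, "payparking.example/pay", "pay-now.example/pay", 1),
		SignPayload(attacker, "payparking", "https://pay-now.example/42"),
	} {
		target, err := VerifyPayload(phone, p)
		fmt.Printf("open=%q err=%v\n", target, err)
	}
}
```

The design choice that matters is the default: the scanner treats "no signature" and "bad signature" the same way, by not opening anything, so the attacker gains nothing from printing a plausible-looking code. What the scheme cannot do on its own is tell the user who the issuer is or whether its key should be trusted; that is the digital-identity infrastructure the paragraph above is asking for.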