
QR codes and security issues: have we rushed?

A QR code, a pattern of small black squares that look randomly placed on a white background, is not as simple as it seems. QR codes are more advanced than one-dimensional bar codes: they have a higher storage capacity and can store different types of characters. In essence, these codes are similar to physical hyperlinks, because scanning one takes the user to an external link or site. They are also often referred to as the O2O (offline-for-online) business model.

Originally created in 1994 by Denso Wave (a subsidiary of Toyota) for use in the Japanese automotive industry, QR codes are gradually beginning to be used by various companies around the world.

The most popular and most profitable use of QR codes is in the payment industry. Financial institutions have long been looking for a way to improve the quality of customer service and increase the “ease of use” of their payment processes. The smartphone revolution in the late 2000s stimulated the development of digital and mobile payments. The appearance of QR codes has been a real miracle, since now any smartphone user can make a payment with a wave of the hand. Nowadays, with smartphones widespread in society, QR codes have found their place in most retail stores, e-commerce, bill payments, and all sorts of embedded mobile payments.

China is a leader in the adoption of QR code technology. Alipay integrated payments based on QR codes in 2013, and WeChat followed suit in early 2014. According to the statistics provided by Alipay at the Money 20/20 conference in Europe in April 2016, the mobile payment service is used to complete more than 175 million transactions per day.

India, in the light of its cashless transformation after demonetization, began moving its market toward a QR code standard for digital payments in order to accelerate the transition from cash to electronic payments. The mobile wallets Paytm and MobiKwik popularized QR codes, and UPI-based payment applications, including BHIM, PhonePe, etc., followed suit. The government of India has recently introduced an interface for payments using QR codes, Bharat QR. It aims to standardize payment using QR codes throughout the country. To this end, payment networks, including Mastercard, American Express, National Payment Corporation of India (NPCI) and Visa, are working together to promote greater acceptance of the Bharat QR payment method.

At the moment, QR codes paint a very bright picture of the future of non-cash payments.

However, not everything is so good in this area.


“When you scan a QR code, you have no idea where it will take you. You can easily go to a malicious website that might try to install a virus on your phone,” says Matthew Green, an assistant professor of computer science at Johns Hopkins University in Baltimore, Maryland.

In China, there have recently been cases of fraud that have raised serious questions about the safety of using QR codes as a method of payment. It is reported that about 90 million yuan ($14.5 million) was stolen from people in Guangzhou (in the Guangdong province of the South China region) through fraudulent use of QR codes, which are often scanned for product identification and access to a mobile platform.

According to other reports, some scammers are now exploiting the craze for bicycles in China. Mobike is a popular bike sharing service that lets riders scan a QR code painted on a bicycle to make a deposit and pay the rent. By sticking fake QR codes onto a bike, scammers can deceive cyclists and get them to transfer $43, the amount required for a Mobike deposit, into the scammers' account.

Now let's analyze the following scenario.


It is not uncommon for vulnerabilities to turn up in a rapidly developing technology. However, in the case of QR codes, there seem to be some obvious security issues.

First of all, QR codes cannot be distinguished from each other with the naked eye, so it is very difficult to verify their authenticity. This is the main reason why users of QR codes around the world are deceived into registering on fraudulent sites, which leads to phishing or malware on their smartphones.

Speaking at the National Congress of Peoples' Representatives in Beijing in March 2017, Deputy Liu Qingfeng, Chairman of the iFlytek voice recognition cloud service provider, said:

“Currently, more than 23% of Trojans and viruses are transmitted via QR codes. The threshold (difficulty) of creating QR codes is so low that fraudsters can easily insert Trojans and viruses into a QR code.”

Because it is easy to create your own QR codes and users are unsuspecting, it is very convenient for fraudsters to exploit innocent users by distributing fake QR codes in high-traffic areas. This kind of phishing based on QR codes, also called QRishing, is one of the main causes of online theft and online fraud in countries such as China.

In March 2014, the People’s Bank of China, citing security concerns, temporarily banned payments made by scanning QR codes on mobile devices through third-party providers. The ban came after Alibaba and Tencent announced plans to issue “virtual credit cards”, an innovative mobile payment method based on QR codes and regarded as an alternative to traditional credit cards. However, the ban was lifted in 2016.

Alipay and WeChat Pay, the two main third-party payment methods in China, were invariably responsible for all cases of QR code fraud. However, these Chinese payment giants are working to solve this problem. Alipay has a site detection function that can determine whether the link embedded in a QR code is malicious. If it detects a security risk, the system issues a security warning and lets users decide whether to continue.
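
A scan-time check of this warn-then-confirm kind could look like the sketch below. It is an added example, not Alipay's or any provider's code; the function name, the trusted host list and the sample payloads are hypothetical, constructed values.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts the scanning app's operator treats as its own (constructed values).
TRUSTED_HOSTS = {"pay.example.com", "bikes.example.org"}


def assess_qr_payload(payload, trusted_hosts=TRUSTED_HOSTS):
    """Return (verdict, reasons); verdict is "allow", "warn" or "not_a_link"."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "warn", ["malformed URL"]
    if not parts.scheme or not parts.netloc:
        return "not_a_link", []  # plain text, Wi-Fi config, etc.: nothing to open
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is %r, not https" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        reasons.append("URL carries credentials before the host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host contains a punycode (lookalike-capable) label")
    # Exact match or true subdomain only: "pay.example.com.attacker.test"
    # must not pass just because it starts with a trusted name.
    if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
        reasons.append("host %r is not on the trusted list" % host)
    return ("warn" if reasons else "allow"), reasons


# Constructed payloads, as a QR decoder would hand them to the app.
SAMPLES = [
    "https://pay.example.com/deposit?bike=1234",
    "https://pay.example.com.attacker.test/deposit?bike=1234",
    "http://203.0.113.7/pay",
    "https://pay.example.com@login.attacker.test/",
    "WIFI:T:WPA;S:cafe;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess_qr_payload(sample))
```

A "warn" verdict maps to the security warning described above: the app shows the reasons and the user decides whether to continue.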

WeChat Pay has also introduced mobile security software so that users are monitored and served more securely.

Since QR codes are widely recognized as a simple and attractive payment method in countries such as China, regulators and payment service providers face the important task of preventing fraud. Along with the steps taken to strengthen security and detect fraud, it will be important to make users aware of how fraudsters use QR codes and how not to fall victim to them. However, this is easier said than done, and time will tell whether QR codes will indeed become the next-generation payment instrument.


Source: https://habr.com/ru/post/319744/

