POST QR Needs A Quick Response

A decade ago I remember writing that one of the problems with QR codes is that there is no security. Some years later I wrote an article pointing out that NFC ought to be safer than QR codes because NFC included a standard for digitally-signing tags (although I did also note that no-one used it) whereas anyone could easily create bogus QR codes.

 

Well, I might not go so far as to call [QR codes] evil, but they certainly have the potential to enable person or persons unknown to act with evil intent.

 

From A quick response to the problem | Consult Hyperion

I suggested, in connection with a couple of projects we were working on at the time, that the mobile operators do something about this by creating a digital signature standard for QR codes so that phones could be set by default to ignore unsigned codes. None of this happened, as I’m sure you are aware, and QR codes became popular precisely because any app could read any code anywhere.
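To make the signed-code idea concrete, here is an added sketch (not code from this post or from any real standard) of a scanner that ignores unsigned codes by default. The `SQR1.` wire format, the choice of Ed25519, the function names and the `pay.example` URL are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical wire format for this example: "SQR1.<base64url signature>.<payload>".
const prefix = "SQR1."

var ErrUnsigned = errors.New("unsigned QR code ignored by default")
var ErrBadSig = errors.New("signature not valid under any trusted key")

// DemoKey derives a fixed key pair from a constructed label (demo only, not secure).
func DemoKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	copy(seed, label)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign wraps a payload such as a payment URL in the signed format.
func Sign(priv ed25519.PrivateKey, payload string) string {
	sig := ed25519.Sign(priv, []byte(payload))
	return prefix + base64.RawURLEncoding.EncodeToString(sig) + "." + payload
}

// Verify returns the payload only if one of the trusted keys signed it.
func Verify(scanned string, trusted ...ed25519.PublicKey) (string, error) {
	if !strings.HasPrefix(scanned, prefix) {
		return "", ErrUnsigned // default policy: plain codes are never acted on
	}
	sigText, payload, _ := strings.Cut(scanned[len(prefix):], ".")
	sig, err := base64.RawURLEncoding.DecodeString(sigText)
	for _, pub := range trusted {
		// A malformed or wrong-length signature simply fails to verify.
		if err == nil && ed25519.Verify(pub, []byte(payload), sig) {
			return payload, nil
		}
	}
	return "", ErrBadSig
}

func main() {
	pub, priv := DemoKey("operator")
	fmt.Println(Verify(Sign(priv, "https://pay.example/meter/42"), pub))
}
```

A sticker pasted over a genuine code fails this check unless its author holds a key in the phone's trust list, which is where the operators (or whoever runs the signing scheme) would come in.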

xxx

The good news is that we (consumers) end up with something that is simple and quick and secure.

Osama Bedier, VP of Wallet & Payments… believes that [NFC is] a better technical solution than the QR codes that Apple uses on Passbook, calling them one of “many bridge technologies between now and what is a destination solution.” He pointed out that “you still have to futz” with QR codes.

[From Google still believes in NFC for mobile payments, doesn’t see ‘eye to eye’ with Verizon | The Verge]

As far as transactional applications go, though, I think it fair to observe that there will be developments beyond the initial conflation of NFC with payments at the EMV nexus.

From: Quick response – Consult Hyperion.

xxx

xxx

QR codes are everywhere because anyone can read them, anyone can use them, anyone can write them. This is in part because there is no security infrastructure. The result in China, where there was little card infrastructure in place beforehand, was the near-ubiquity of QR in the world’s biggest mobile payments market.

“Ogilvy & Mather and Ipsos concluded in a survey of China’s mobile payment market that ‘[Chinese] mobile payment has permeated all aspects of life and changed basic, everyday habits.’”

From “How Chinese Mobile Payments Are Quietly Conquering the World“.

It seemed to us that fraud would be an inevitable consequence of this QR-centric approach, and that is indeed what happened. Last year, for example, the South China Morning Post reported that in March 2017 some 90m Yuan were stolen via QR code scams in Guangdong alone (a suspect in one case was found to have replaced merchants’ legitimate bar codes with fake ones that embedded a virus to steal personal information) and that in China as a whole, a quarter of viruses and trojans were coming in via QR.

Now, while even the man who invented QR codes says that they are an interim technology, there’s no denying that they are here to stay.

From: China’s PSD2 SCA – Consult Hyperion.

xxx

 

xxx

In China, scammers have been caught placing fake parking tickets — complete with QR codes for easy mobile fine payment — on parked cars. In the Netherlands, a QR code scam exploited a legitimate feature within a mobile banking application to swindle the bank’s customers, while in Germany, phony emails containing QR codes have lured eBanking customers to malicious websites under the guise of reviewing privacy policy updates to their accounts. And in Texas, criminals hit the streets, pasting stickers of malicious QR codes on to city parking meters and tricking residents into entering credit card details into a fake phishing site.

From: Step Away From the QR Code and Read These 7 Safety Tips.

xxx

xxx

The posters and stickers masquerade as ads for genuine parking apps, but anyone who scans the square bar code on their mobile phone or visits the website address is instead directed to an internet site or app run by scammers.

From Fake parking QR codes trick drivers into paying conmen.

xxx

My sister almost got caught by one of these QR code scams recently.

 

xxx

QR codes come with some security risks as well, according to Allan Liska, a senior threat analyst at cybersecurity firm Recorded Future. Like any other link, the codes can be the first step in a malware or phishing attack.

From Are QR codes safe to use and what are the security risks? Here’s what experts say. – The Washington Post.

xxx

 

Top tip

1. Don’t scan it! If anything feels off, don’t scan the QR code. Just go to the actual website directly. Any legitimate QR code should have an associated URL under it, giving users the option to navigate there directly. If it’s missing, beware.

From: Step Away From the QR Code and Read These 7 Safety Tips.

xxx
