Secure Use of QR Code
Date : 18-January-2022
Organisation : Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
Writer : Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
QR codes have become part of our daily life. In consumption, for example, three of the four electronic payment platforms that support the HKSAR Government's Consumption Voucher Scheme offer QR code payment. In epidemic prevention, QR codes are posted at different venues so that the public can record their visit history, and in restaurants they are used to order food. Although QR codes have made life more convenient, we should always stay alert to the related security risks and use them securely.
What is a QR code?
QR code, the abbreviation of Quick Response Code, was invented in 1994 by Denso Wave, a Japanese auto parts manufacturer. It stores data using four standardised encoding modes (numeric, alphanumeric, byte and Kanji) and offers faster readability and greater storage capacity than a conventional barcode. Standardised as ISO/IEC 18004 by the International Organization for Standardization in June 2000, it is now commonly read with mobile devices.
Applications and Risks
Because they are cheap to produce and most smart mobile devices have a built-in scanner, QR codes are used across many industries. In this blog, we discuss the applications and risks in four major areas: mobile payment, website redirection, authentication and information storage.
Most major mobile payment service providers support paying or receiving payment by QR code. Generally there are two types: the consumer scans the merchant's QR code, or the merchant scans the consumer's. In the first type, the user scans the merchant's QR code, then enters the amount and the payment password to complete the transaction. In the second, the merchant scans the code displayed in the user's app to collect payment. In both cases the transaction itself is completed inside the payment app.
Merchant QR codes come in two modes, dynamic and static. A dynamic code is regenerated for each transaction, while a static code is printed once and never changes. There have been cases in the Mainland where criminals replaced merchants' static QR codes with their own. A user who unknowingly scans the fake code transfers the money to the criminals, and both the merchant and the user suffer financial loss.
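The following is an added example, not code from HKCERT or from any payment provider, of what makes a dynamic merchant code harder to substitute than a static one. It models a hypothetical payment provider that signs each dynamic payload (merchant ID, amount, nonce and expiry) with an HMAC key, and a consumer app that verifies the signature, expiry and single use before showing the merchant name and amount for confirmation. The key, merchant registry and payload format are all assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key standing in for the payment provider's signing key (not a real secret).
PROVIDER_KEY = b"constructed-demo-key-not-a-real-secret"

# Hypothetical merchant registry held by the payment provider.
MERCHANTS = {"M-1001": "Happy Noodle Shop", "M-2002": "Sunny Fruit Stall"}

QR_TTL_SECONDS = 120       # a dynamic code is only valid briefly
_consumed_nonces = set()   # each dynamic code may be paid exactly once


def _sign(fields):
    """HMAC over the canonical JSON of the fields (signature field excluded)."""
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(PROVIDER_KEY, msg, hashlib.sha256).hexdigest()


def make_dynamic_qr(merchant_id, amount_cents, now):
    """Merchant terminal: a fresh payload per transaction, signed by the provider."""
    fields = {"mid": merchant_id, "amt": amount_cents,
              "nonce": secrets.token_hex(8), "exp": now + QR_TTL_SECONDS}
    fields["sig"] = _sign(fields)
    return base64.urlsafe_b64encode(json.dumps(fields).encode()).decode()


def make_static_qr(merchant_id):
    """Printed static code: same content forever, no amount, expiry or signature."""
    return base64.urlsafe_b64encode(json.dumps({"mid": merchant_id}).encode()).decode()


def swap_merchant_id(qr_text, attacker_mid):
    """Simulates a criminal editing a copied code so that it points at their own account."""
    fields = json.loads(base64.urlsafe_b64decode(qr_text))
    fields["mid"] = attacker_mid
    return base64.urlsafe_b64encode(json.dumps(fields).encode()).decode()


def verify_payment_qr(qr_text, now):
    """Consumer app: returns (details, status); details is what is shown before paying."""
    try:
        fields = json.loads(base64.urlsafe_b64decode(qr_text))
    except ValueError:
        return None, "unreadable"
    if not isinstance(fields, dict):
        return None, "unreadable"
    sig = fields.pop("sig", None)
    if not {"mid", "amt", "nonce", "exp"} <= set(fields):
        return None, "static or incomplete code"
    if sig is None or not hmac.compare_digest(sig, _sign(fields)):
        return None, "bad signature"
    if fields["exp"] < now:
        return None, "expired"
    if fields["nonce"] in _consumed_nonces:
        return None, "already used"
    name = MERCHANTS.get(fields["mid"])
    if name is None:
        return None, "unknown merchant"
    return {"merchant": name, "amount": fields["amt"] / 100, "nonce": fields["nonce"]}, "ok"


def pay(qr_text, now):
    """Verify, present the merchant name and amount for confirmation, then consume the code."""
    details, status = verify_payment_qr(qr_text, now)
    if status != "ok":
        return f"refused: {status}"
    _consumed_nonces.add(details["nonce"])
    return f"paid HK${details['amount']:.2f} to {details['merchant']}"
```

A copied code with the merchant ID rewritten fails the signature check, an old code fails the expiry check, and a code photographed after use fails the nonce check; a static code carries none of these fields, so the app has nothing to verify and must rely on the user recognising the merchant name it displays.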
Merchants can store the URL of their website in a QR code; once a user scans it, the device opens the designated site. Some catering operators have adopted self-service ordering platforms that let customers order food by scanning a QR code, with the platform recording the table number and the dishes ordered. Other examples include survey agencies encoding questionnaire URLs so that respondents can answer on their mobile devices, and QR codes that redirect to an app store to download a mobile app.
Because this usage is so common, attackers set up a phishing website, encode its URL in a QR code and distribute the code to victims by email or other means. An unsuspecting victim who opens the link may enter sensitive information, such as bank account passwords or personal data, on the phishing site.
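As an added example (not HKCERT's code or any particular scanner app's), the function below shows what a scanner can do once automatic redirection is turned off: classify the decoded payload, extract the host, and list reasons the user should look twice before confirming. The scheme, shortener and brand lists are deliberately short assumptions for the demonstration; a real scanner would use maintained lists.

```python
import ipaddress
from urllib.parse import urlparse

WEB_SCHEMES = {"http", "https"}
# Schemes a QR payload should never be allowed to open automatically (assumed list).
DANGEROUS_SCHEMES = {"javascript", "data", "file", "intent", "vbscript"}
# Hypothetical, deliberately short lists; a real scanner would use maintained ones.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
KNOWN_BRANDS = {"hkcert.org"}


def _looks_like_url(payload):
    scheme = urlparse(payload).scheme.lower()
    return scheme in WEB_SCHEMES | DANGEROUS_SCHEMES or payload.lower().startswith("www.")


def inspect_qr_payload(payload):
    """Classify decoded QR content and list reasons not to open it blindly.

    Returns {"kind", "url", "host", "findings", "verdict"}; verdict is "block"
    (never open), "warn" (show findings, ask) or "confirm" (show the URL, ask).
    Structured non-URL payloads (WIFI:, MECARD:, plain text) are reported as text.
    """
    payload = payload.strip()
    if not _looks_like_url(payload):
        return {"kind": "text", "url": None, "host": None, "findings": [], "verdict": "confirm"}
    # "www.example.com/x" has no scheme; treat it as the plain-http URL it would open as.
    url = payload if urlparse(payload).scheme else "http://" + payload
    u = urlparse(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    findings = []
    verdict = "confirm"
    if scheme in DANGEROUS_SCHEMES:
        findings.append(f"non-web scheme '{scheme}' can run code or open local content")
        verdict = "block"
    if u.username is not None:
        findings.append("credentials before '@' disguise the real host")
        verdict = "block"
    if scheme == "http":
        findings.append("plain http: the page and anything you type can be tampered with in transit")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address rather than a domain name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("internationalised (punycode) domain: may imitate a familiar name")
    if host in URL_SHORTENERS:
        findings.append("URL shortener hides the final destination")
    for brand in KNOWN_BRANDS:
        label = brand.split(".")[0]
        if host != brand and not host.endswith("." + brand) and label in host:
            findings.append(f"'{label}' appears inside an unrelated domain ({host})")
    if host.count(".") >= 4:
        findings.append("unusually deep subdomain chain")
    if findings and verdict != "block":
        verdict = "warn"
    return {"kind": "url", "url": url, "host": host, "findings": findings, "verdict": verdict}
```

Even a "confirm" verdict still means the scanner displays the full URL and waits for the user; the findings only decide how loudly it warns, and a "block" result should never be overridable by a single tap.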
Some instant messaging apps use QR codes for authentication. For example, when a user logs in to the app's web-based platform, the platform displays a system-generated QR code and asks the user to scan it with the mobile phone that is already logged in to the account. Attackers copy (clone) the authentication QR code from a login page they have opened themselves and send it to victims under some pretext. If a victim scans the code, the attacker's web session is authenticated as the victim, giving the attacker unauthorised access to the account and all its conversations.
QR codes can also store information as plain text. Since QR codes on boarding passes and concert tickets may contain personal information, they risk leaking that information if it is stored unencrypted, because anyone who can photograph the code can decode it.
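The exchange described above, as an added example that is not part of the original advisory and not the code of any real messaging service: a constructed server that issues login QR codes for its web client, a phone-app routine that scans them, and a scenario in which the attacker forwards a code from their own browser to the victim. The hostname, URL layout, timeout and the details shown to the user are assumptions; the mitigations modelled are the ones the advisory's tips call for (only official login codes, short validity, one-time use, and an explicit confirmation that names the device asking to log in).

```python
import secrets
from urllib.parse import urlparse, parse_qs

OFFICIAL_HOST = "chat.example"  # hypothetical messaging service
LOGIN_TTL = 60                   # seconds a login QR code stays valid (assumed)


class LoginServer:
    """Server side of 'scan to log in to the web client' (constructed model)."""

    def __init__(self):
        self.pending = {}   # token -> details of the browser that requested the login
        self.sessions = {}  # session id -> account name

    def start_web_login(self, browser_ip, browser_desc, now):
        """Called by the web page; returns the URL the page shows as a QR code."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"ip": browser_ip, "browser": browser_desc,
                               "created": now, "session": None}
        return f"https://{OFFICIAL_HOST}/qrlogin?t={token}"

    def describe_request(self, token, now):
        """Phone app asks who is trying to log in before approving anything."""
        p = self.pending.get(token)
        if p is None or p["session"] is not None:
            return None, "unknown or already used code"
        if now - p["created"] > LOGIN_TTL:
            del self.pending[token]
            return None, "expired"
        return {"ip": p["ip"], "browser": p["browser"]}, "ok"

    def approve(self, token, account, now):
        """Bind the waiting browser to the scanning phone's account (once only)."""
        _, status = self.describe_request(token, now)
        if status != "ok":
            return status
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = account
        self.pending[token]["session"] = sid
        return "ok"

    def web_poll(self, token):
        """The browser that displayed the QR polls; returns the account it is now logged in as."""
        p = self.pending.get(token)
        if p is None or p["session"] is None:
            return None
        del self.pending[token]
        return self.sessions[p["session"]]


def phone_scan(server, qr_text, account, now, user_confirms):
    """Phone app: accept only official login URLs, show who is asking, require confirmation."""
    u = urlparse(qr_text)
    if u.scheme != "https" or u.hostname != OFFICIAL_HOST or u.path != "/qrlogin":
        return "refused: not an official login code"
    token = parse_qs(u.query).get("t", [""])[0]
    details, status = server.describe_request(token, now)
    if status != "ok":
        return f"refused: {status}"
    prompt = f"Log in as {account} on {details['browser']} at {details['ip']}?"
    if not user_confirms(prompt):
        return "cancelled"
    return server.approve(token, account, now)


def relayed_qr_scenario(user_confirms):
    """Attacker opens the web login page and forwards its QR code to the victim.

    Returns the account the attacker's browser ends up logged in as, or None.
    """
    server = LoginServer()
    # Attacker's own browser requests the login and receives the QR URL.
    qr_url = server.start_web_login("203.0.113.5", "Chrome on Windows", now=100)
    # ... the attacker sends qr_url to the victim as a "verify your account" code ...
    phone_scan(server, qr_url, "victim", now=110, user_confirms=user_confirms)
    return server.web_poll(parse_qs(urlparse(qr_url).query)["t"][0])
```

The QR content in the relayed scenario is genuine, so checking the host alone does not stop the attack; what stops it is the phone showing which browser is asking and the user declining a login they did not initiate, which is why the advisory asks users to scan authentication codes only on the official website and to act on unusual login records.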
Safety Tips for Using QR Codes
- Before making any payment by QR code, verify the merchant and amount shown in the payment app; after the transaction, check the transaction details sent by the bank or mobile payment service provider immediately.
- Do not share or disclose the payment QR codes generated by mobile payment services to others.
- Merchants should use dynamic QR codes, which are refreshed for each transaction; they provide better security and are harder to replace than static QR codes.
- Stay alert before scanning QR codes and do not scan codes from unknown sources.
- Turn off the QR code scanner's automatic URL redirection. With it off, the scanner displays the URL content and asks you to confirm before opening the URL.
- Use the QR code scanning feature of an anti-virus app to check the safety of the URL before opening it.
- Merchants should check their QR codes regularly, and users should look for signs that a QR code has been modified or replaced by a fake one.
- Do not share the QR codes used for food ordering in restaurants on the Internet.
- Only scan account authentication QR codes shown on the official website.
- Contact the service provider immediately on noticing any unusual login records.
- Merchants should avoid storing sensitive information in QR codes; where this is unavoidable, the information should be encrypted to prevent unauthorised access.