QR Codes - Security Challenges: Did We All Jump The Gun Here?

A random pattern of tiny black squares on a white grid – the QR code is not as simple as it appears. As an upgrade to the one-dimensional bar code, QR codes have a higher storage capacity and can store a variety of character types. These codes are essentially physical hyperlinks, since scanning one takes the user to an external link or website. This is also commonly categorized as an O2O (offline-to-online) mode of business.

Originally developed in 1994 by Denso Wave (a subsidiary of Toyota) for use in the Japanese automobile manufacturing industry, QR codes are gradually finding their footing in different businesses across the world.

Some of the largest and most lucrative use cases for QR codes are in the payments industry. For a long time, financial institutions have been looking for ways to enhance the customer experience by making their payment processes easier to use. The smartphone revolution in the late 2000s gave the impetus to digital and mobile payments, and the emergence of QR codes did wonders for them, as every smartphone user could now make a payment at the snap of their fingers. With heavy smartphone penetration in society, QR codes have found a place in the majority of retail shops, e-commerce, bill payments, and all kinds of proximity-based, in-store mobile payments.

China has been the leader in terms of adoption of QR code technology. Alipay introduced QR code-based payments in 2013, and WeChat followed suit in early 2014. According to statistics quoted by Alipay at the Money 20/20 Europe conference in April 2016, the mobile payment service is being used to make over 175 million transactions per day.

India, in the wake of its cashless transformation following demonetization, has started driving the market towards a QR code standard for digital payments to speed up the migration from cash to electronic payments. Mobile wallet giants Paytm and MobiKwik brought the QR code to the mainstream, and UPI-based payment apps, including BHIM, PhonePe and others, followed suit. The government of India has recently launched a QR code-based payment interface, Bharat QR, which aims to standardize the QR code payment method throughout the country. For this, payment networks like Mastercard, American Express, the National Payments Corporation of India (NPCI) and Visa have collaborated to promote wider acceptance of the Bharat QR payment method.

So far, QR codes paint a very rosy picture as the future of cashless payments.

However, all is not well here.

“When you scan a QR code, you have no idea where it’s going to take you. It could take you to a malicious website that might try to install a virus on your phone,” said Matthew Green, Assistant Professor of Computer Science at Johns Hopkins University in Baltimore, Maryland.

There have been some recent incidents of fraud in China that raise serious questions about the safety of QR codes as a mode of payment. In Guangzhou (in South China's Guangdong province), about 90 million yuan ($14.5 million) has reportedly been stolen from people through the fraudulent use of QR codes, which are commonly scanned for product identification and mobile platform access.

In other news, some fraudsters have now targeted China’s bike-sharing craze. Mobike is a popular bike-sharing operator whose users scan the QR code printed on the bike to pay a deposit as well as the rental fee. By placing counterfeit QR codes on the bike, fraudsters can fool riders into transferring US$43 – the same amount as Mobike’s required deposit – to the fraudsters' own account.

Now, let us analyze the scenario at hand here.

It is not uncommon for a booming technology to be probed and exploited for loopholes. In the case of QR codes, however, there are some obvious issues from a security perspective.

At the outset, QR codes cannot be differentiated from one another on the surface level, so it is practically impossible to verify by eye that a code is genuine. This is the major reason why QR code users across the world are being tricked into visiting fraudulent websites, resulting in phishing or malware infections on their smartphones.

Speaking at the National People’s Congress in Beijing in March 2017, Deputy Liu Qingfeng, Chairman of voice recognition cloud service provider iFlytek, said, “Currently, over 23% of Trojans and viruses are transmitted via QR codes. The (difficulty) threshold to make QR codes is so low that fraudsters could implant Trojans and viruses into a QR code very easily.”

Given how easy it is to generate QR codes and how unsuspecting users are, it is very convenient for fraudsters to target innocent users by placing counterfeit QR codes in high-traffic areas. This QR code-based phishing – also termed QRishing – is one of the major causes of cyber theft and fraud in countries like China.

In March 2014, the People’s Bank of China temporarily banned payments made by scanning QR codes with mobile devices via third-party providers, citing security concerns. The ban came after Alibaba and Tencent announced plans to launch virtual credit cards – an innovative mobile payment method based on QR codes, seen as an alternative to traditional credit cards. The ban was subsequently lifted in 2016.

As the two major third-party payment methods in China, Alipay and WeChat Pay have invariably borne the blame whenever a QR code scam has occurred. However, these Chinese payment moguls are working towards solving this problem. Alipay has a website detection function that determines whether the link embedded in a scanned QR code is malicious. If it detects a security risk, the system issues a security prompt, letting the user decide whether to proceed. WeChat Pay has also launched mobile security software to provide users with monitoring and a more secure experience.
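The kind of pre-scan screening described above, as an added illustration (this is not Alipay's or WeChat's code): a decoded QR payload is classified before the app acts on it, flagging the tricks a counterfeit sticker typically relies on (cleartext HTTP, raw IP hosts, userinfo before the host, punycode look-alikes, URL shorteners, impersonation of a known payment host) and returning a verdict of allow, prompt or block. The trusted-host and shortener lists are constructed for the example.

```python
"""Screen a decoded QR payload before the wallet app opens or pays it."""
from urllib.parse import urlsplit

# Constructed for this example; a real app ships its own allowlist.
TRUSTED_PAYMENT_HOSTS = {"pay.example-wallet.com", "qr.example-bank.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def is_ip_literal(host: str) -> bool:
    """True for a dotted-quad IPv4 host such as 203.0.113.5."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def assess_qr_payload(payload: str) -> dict:
    """Return {'verdict': 'allow'|'prompt'|'block', 'reasons': [...]}."""
    text = payload.strip()
    # tel:, sms:, intent:, javascript:, plain text: never auto-open these.
    if not text.startswith(("http://", "https://")):
        return {"verdict": "prompt", "reasons": ["payload is not a web URL"]}
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("cleartext http scheme")
    if parts.username is not None:
        # https://pay.example-wallet.com@evil.example/ shows a trusted name first
        reasons.append("userinfo before host (look-alike trick)")
    if not host:
        reasons.append("no host")
    if is_ip_literal(host):
        reasons.append("raw IP address as host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host (possible homograph)")
    if host in SHORTENERS:
        reasons.append("URL shortener hides destination")
    for trusted in TRUSTED_PAYMENT_HOSTS:
        brand = trusted.split(".")[-2]  # e.g. "example-wallet"
        if brand in host and host != trusted and not host.endswith("." + trusted):
            reasons.append(f"host impersonates {trusted}")
    if not reasons:
        if host in TRUSTED_PAYMENT_HOSTS:
            return {"verdict": "allow", "reasons": []}
        return {"verdict": "prompt", "reasons": ["unrecognised destination; show full URL"]}
    # Impersonation attempts are blocked outright; everything else gets a prompt.
    hard = any(r.startswith(("userinfo", "host impersonates")) for r in reasons)
    return {"verdict": "block" if hard else "prompt", "reasons": reasons}


if __name__ == "__main__":
    for sample in ("https://pay.example-wallet.com/pay?amt=43",
                   "https://pay.example-wallet.com@evil.example/",
                   "http://203.0.113.5/pay", "tel:+15550100"):
        print(sample, "->", assess_qr_payload(sample))
```

A scanner that only opens "allow" results and shows the full decoded URL on "prompt" removes the blind trust that makes counterfeit stickers profitable.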

With QR codes accepted as the easy and attractive way to pay in countries like China, regulators and payment service providers have their work cut out for them to prevent fraud. Alongside the steps taken to strengthen security and fraud detection, the bigger challenge will be making users aware of how scammers misuse QR codes and how to avoid becoming victims. Easier said than done, the coming period will test the hypothesis that QR codes are truly a next-generation payment method.