The most successful digital scam is one that is tied to convenience. QR codes, which are used for everything from sharing contacts to making payments, are an ideal vector. In India, which runs the world’s largest digital payment system, QR code scams have become a regular nuisance.
I regularly hear from retail shop owners and cab drivers about how they were duped with a fake QR code or app, and online shoppers tell a similar tale. Parking lot QR scams are also rampant in the US and UK, but stealing a few dollars is not the only risk.
It’s the theft of sensitive data, including financial details, that has even put banking giants on alert. “If you scanned the QR code and entered your credentials, like your username and password, into a website, change your password right away,” the US Federal Trade Commission said in an alert note barely a couple of weeks ago.
The Swiss national cybersecurity agency has also warned about bad actors mailing physical QR codes to people's doorsteps to steal passwords, a tactic commonly known as quishing, short for QR phishing. We can't abandon the QR tech stack over such risks, and until now the only real defense has been raising awareness, but we finally might have a solution from researchers at the University of Rochester.
What is the solution?
The technology in question is a self-authenticating dual-modulated QR (SDMQR) code. It flags a suspicious code as soon as it is scanned, before the user is ever taken to a fake website or fraudulent payment page. But before we get into the technical details, let me break down the biggest advantages of this more secure take on QR code technology:
- It is self-authenticating: the code carries a digital signature from the entity behind it, and that signature is checked every time the code is scanned on your phone.
- Beyond sending users to websites, the codes can also be used for payments and for encoding other sensitive information.
- The QR code verification happens on-device. You don’t need an internet connection to check if it’s legitimate or fraudulent.
- It does not require a specialized app. Existing QR code scanning apps still read an SDMQR code, and the verification step can be added to the scanning frameworks phones already ship with.
- The system adds no noticeable delay to scanning.
- These secure QR codes can be customized to fit the design requirements, without hampering their safeguards.
- It doesn’t need a high-resolution smartphone camera to work. The one in your pocket will do just fine at scanning SDMQR codes.
- These QR codes can also have colors, so brands can get them customized for better identity recognition.
- Existing machines that read QR codes can also read SDMQR codes; readers that understand the format additionally warn the user when a code fails verification.
The best part about this approach is that an average user won't have to jump through any technical hoops to protect their interests. Companies that rely on QR codes and want to protect their business simply have to register their official website's URL and embed the resulting signature in the code.
SDMQR codes look different from traditional QR codes. Instead of the mainstream pixel-style block pattern, they use ellipses. The team behind the tech has filed a patent and has already secured a National Science Foundation I-Corps grant to explore replacing traditional bar codes with SDMQR codes.
Going a step further, the team is also exploring whether using colors can make these codes more versatile. With versatility, they mean using the same QR code to guide users in up to three different directions, or web destinations.
What’s the technology pipeline?
![The process of creating an SDMQR code.](https://www.digitaltrends.com/wp-content/uploads/2025/02/sdmqr-code-creation.jpg?fit=1800%2C1200&p=1)
“SDMQR codes offer proactive front-end protection against quishing before the link is even accessed,” says the research paper published in IEEE Security & Privacy. As mentioned above, this is a retrofit, not a framework that would turn the whole QR ecosystem upside down.
The whole process relies on two components: a primary message (such as the URL of a business) and a cryptographic signature of that message, which serves as the secondary message. The signature is produced with the private key held by the business (or by a signatory acting on its behalf), so nobody without that key can mint a valid one. A DMQR encoder then embeds both the primary and the secondary message into the SDMQR code.
If you look at the code, you will notice elliptical patterns in black and white. As per the researchers, the light-and-dark pattern of the ellipses carries the primary message, while their orientation carries the secondary message.
![Authenticating an SDMQR code.](https://www.digitaltrends.com/wp-content/uploads/2025/02/sdmqr-code-identification-wrong.jpeg?fit=1800%2C1200&p=1)
Once the code is scanned on a phone, a DMQR decoder separates the primary and secondary messages for verification. At this stage, the reader uses the public key of the party that signed the code to check whether the secondary message is a valid signature over the plaintext primary message. If the URL has been swapped, or the signature is missing, the check fails and the user is warned.
Think of it as a two-stage secret handshake between spy agents.
The biggest challenge is not the tech stack, but creating a centralized system where businesses register in order to obtain signed SDMQR codes. The idea is that a trusted signatory vouches for these legitimate entities, and that signatory's public key is the only thing an SDMQR code reader requires.
This is where makers of smartphone operating systems — aka Google and Apple — can help create a safer future. Their participation as central signatories would mean a smartphone or tablet would only require their two public keys for quickly authenticating SDMQR codes.
![Verifying an SDMQR code.](https://www.digitaltrends.com/wp-content/uploads/2025/02/sdmqr-code-right-verification.jpg?fit=1800%2C1200&p=1)
Since they offer built-in QR code scanning frameworks for iOS and Android, using them as central signatories is the most practical way forward. On a technical level, their participation would dramatically simplify verification: an SDMQR code reader would need to store only two public keys, and nothing else, to get the job done.
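To make the two-channel pipeline and the central-signatory model concrete, here is an added example that is not the researchers' code. It abstracts the elliptical dual modulation into a struct with a primary channel (the URL, which any scanner can read) and a secondary channel (a signature, which only an SDMQR-aware decoder reads), and models a central signatory that signs URLs only for registered businesses. The use of Ed25519, the `Signatory` type, the registered-URL check and the sample URLs are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SDMQR stands in for the physical code: Primary is what every QR scanner
// decodes, Secondary is the signature carried by the ellipse orientations.
// A plain, unsigned QR code is modelled as Secondary == nil.
type SDMQR struct {
	Primary   string
	Secondary []byte
}

// Signatory is a hypothetical central signatory (e.g. an OS vendor) that
// signs a primary message only for URLs a business has registered with it.
// Ed25519 is an assumption; the paper's exact scheme is not reproduced here.
type Signatory struct {
	priv       ed25519.PrivateKey
	registered map[string]bool
}

func NewSignatory() (*Signatory, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signatory{priv: priv, registered: map[string]bool{}}, nil
}

// PublicKey is the single key a reader needs to verify every code it signs.
func (s *Signatory) PublicKey() ed25519.PublicKey {
	return s.priv.Public().(ed25519.PublicKey)
}

func (s *Signatory) Register(url string) { s.registered[url] = true }

// Encode signs the primary message and pairs it with the signature.
// Unregistered URLs are refused, so an attacker cannot get a valid code.
func (s *Signatory) Encode(url string) (SDMQR, error) {
	if !s.registered[url] {
		return SDMQR{}, errors.New("url not registered with signatory")
	}
	return SDMQR{Primary: url, Secondary: ed25519.Sign(s.priv, []byte(url))}, nil
}

// LegacyRead models today's scanners: they see only the primary channel.
func LegacyRead(c SDMQR) string { return c.Primary }

type Verdict int

const (
	Verified Verdict = iota // signature matches the primary message
	Unsigned                // no secondary channel: a plain QR code
	Forged                  // signature present but does not match
)

// Verify models an SDMQR-aware reader. It runs entirely offline with the
// signatory's public key and never contacts the URL being checked.
func Verify(pub ed25519.PublicKey, c SDMQR) Verdict {
	if len(c.Secondary) == 0 {
		return Unsigned
	}
	if ed25519.Verify(pub, []byte(c.Primary), c.Secondary) {
		return Verified
	}
	return Forged
}

func main() {
	sig, err := NewSignatory()
	if err != nil {
		panic(err)
	}
	// Constructed sample data: a registered parking operator and a quisher.
	genuineURL := "https://pay.example-parking.com/lot/42"
	sig.Register(genuineURL)
	genuine, _ := sig.Encode(genuineURL)

	// Attack 1: a sticker with an ordinary, unsigned QR code.
	sticker := SDMQR{Primary: "https://pay.example-parking.com.evil.net/lot/42"}
	// Attack 2: the attacker copies the real signature onto a swapped URL.
	forged := SDMQR{Primary: sticker.Primary, Secondary: genuine.Secondary}

	pub := sig.PublicKey()
	for _, c := range []SDMQR{genuine, sticker, forged} {
		fmt.Printf("legacy reader sees %q; SDMQR reader verdict: %v\n",
			LegacyRead(c), Verify(pub, c))
	}
}
```

The point the run makes is that a legacy reader happily returns the phishing URL in all three cases, while the SDMQR-aware reader, holding nothing but the signatory's public key and no network connection, distinguishes the genuine code from both the unsigned sticker and the copied-signature forgery.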
There’s definitely some precedent for that. Google lets businesses sign up to get a verified badge and icon in Gmail, so that users don’t fall for spoof emails trying to pass off as a legitimate message.
Why does this approach matter?
Several technical proposals have appeared in the past few years to fix the problem of QR code scams, but they all arrived with their fair share of limitations. The SDMQR system clears a few fundamental hurdles to ease adoption without technical hassle.
It takes a transparent, backward-compatible approach to self-authentication: the regular QR reader apps already installed on a person's phone still read SDMQR codes, and SDMQR-aware readers still read regular QR codes, so the two can coexist without a forced migration.
Otherwise, tasking developers or OS-makers to deploy an ecosystem-wide synchronized update would not only be a massive challenge, but also take its own sweet time. Further enhancing the convenience for adopters is the single central signatory system, which requires only one key for verification. And the best part is that smartphone users won’t even require an internet connection for the verification protocols to jump into action.
![A beautified SDMQR code on a phone.](https://www.digitaltrends.com/wp-content/uploads/2025/02/sdmqr-code-sample.jpeg?fit=3802%2C2852&p=1)
Previous efforts to build secure QR code systems relied on cryptographic keys held by individual QR code generators to authenticate identity. Others used per-issuer public-private key pairs, which meant a user's mobile device was expected to carry (or have locally saved) the public keys of every party that signed up to issue secure codes for authentication and identity verification.
“Using our proposed protocol, mobile devices can determine whether the information is deemed authentic by the signatory, immediately on the mobile device itself,” says the team in the research paper.
Another advantage is that the same dual-modulation technique can also be applied to bar codes, which means even the codes used on airline boarding passes and courier packages can take advantage of the framework.
The biggest beneficiary of SDMQR codes would be banking institutions. Researchers argue that their deployment in parking payment systems can reliably protect users from being targeted by QR-based phishing attacks as well as financial losses.
The same applies to every scenario where people run into QR codes plastered in public places: joining a Wi-Fi network, opening a restaurant's menu, or pulling up a business location, among others. A QR code that encodes Wi-Fi credentials can silently join a victim to an attacker-controlled network, a well-known threat, so any solution that plugs that hole deserves mass adoption.
The ball is now in Google and Apple's court. They already provide the OS-level software for decoding QR and bar codes. All they need to do is vet and implement support for the SDMQR framework, and guard the interests of smartphone users across the world.