Schneier on Security
A blog covering security and security technology.
December 13, 2012
QR Code Scams
There's a rise in QR codes that point to fraudulent sites. One of the warning signs seems to be a sticker with the code, rather than a code embedded in an advertising poster.
This brings up another question: does anyone actually use these things?
Posted on December 13, 2012 at 6:19 AM
I have a QR code tattoo, but since having it, I have spotted hundreds of QR codes in the wild.
DVDs with links to movie trailers
CEX with links to the mobile site
Schools on anti bullying posters
My pet hate is QR codes which take you to a web site which is NOT mobile friendly
Terence Eden's blog has answered your question a few times, using data from real-world advertising campaigns. The top post here is relevant, amongst others: http://shkspr.mobi/blog/?s=qr
We have a local music band which used to advertise themselves by putting QR codes without any further information at public places like railway stations. If you scanned them you'd get the URL to the YouTube clip. Will be more careful in the future what I scan :-)
IMHO it's safe to say that if people didn't use these codes, the crooks wouldn't spend their crooking time posting or distributing these labels or flyers or whatever.
Anyway, I do tend to scan random QR codes. But my QR reader displays the URL before calling the browser.
Displaying the URL isn't necessarily useful, because it seems that many QR codes are actually pointing to a URL shortening service address (such as goo.gl or bit.ly).
I can probably count on 1 hand the number of QR codes I've scanned. And like @Species5618, I'm frustrated when they point to a non-mobile site. The last one I scanned was at a restaurant for some contest, and the site linked was brutal on my phone.
I was wondering about whether people would follow anonymous QR codes today when I saw a sticker on a traffic light pole.
I figured the fact that I even noticed it and thought about it was a good indicator that others would go further and follow the link.
"...does anyone actually use these things?"
Unfortunately yes, most everyone in my office who is under 30 does. And I work in an IT shop.
Luckily these are very easy to spot and - usually - just as easy to track. See my dissection of one at http://shkspr.mobi/blog/2011/12/...
As for people scanning them, the stats don't lie - they're very popular. You see people sneering at them - but they did the same thing when URLs or email addresses started appearing on posters.
I use QR codes because of the novelty. They're currently my favorite way to Rickroll my friends. (Physically I'm in my 30's, but mentally I'm about 12 years old.)
QR Codes are "so old school" even Grannies use them to get discounts.
They basically do what they are supposed to do, which is provide machine-readable data that makes people's lives (supposedly) easier by having a "point-n-click" interface.
And because they are a blind (to the user) communications channel you could put almost anything you like in them. And that's why fraudsters etc like them, because they take the user out of their fraud loop...
And as QR Codes are now old school, there must be something more modern, and there is...
Yup, you can buy Near Field Communications tags which are just like programmable RFIDs; you can put various bits of info in them including URLs and your name, address, email, phone number etc.
So I guess in a year or three we will see "NFC-Tag Scams" as the crooks ride the "New-Tec Wave" that the likes of "Apple Fan Bois" and other self-appointed "fashionistas" think is so du jour to their lifestyles (Oh, you are allowed to say "Hip-n-Trendy" again because it's now "So retro"...)
Seeing such persons in various parts of London with their D&C watches, glasses etc reminds me often of the old saying,
A Fool and their money are soon parted.
The moral is if you practice any "unsafe activity" it's likely to turn around and bite you at some point and thus affect one or more forms of your Health...
I have one on the back of my business card. It contains my contact details, for those who want an easy way to capture it. Was thinking of creating a separate card with this info, plus a link to my resume, for prospective employers.
I used them extensively in a photo magazine I produced as added value and linked to additional content. Sadly it looks like that day is done. :(
(you can see it on magcloud at http://www.magcloud.com/browse/issue/133423 )
I didn't find any use for QR codes yet, but that is just me. I suppose that if the advertisers are using them on their outdoor ads, they might be used/scanned by some, but I can't imagine why someone would scan and follow the embedded link for a QR placed on some wall or pole...
I put a QR code on the back of my Shire Silver cards that goes to a page on my website that gives the suggested dollar trade value of the card.
I don't recall any poster or advertisement where there wasn't the full URL printed right next to the QR code.. and at least considering my mobile phone, it's easier to tap on the browser icon and enter the URL than it is to flip through several pages of icons to where I have the QR scanner, scan the code, inspect the URL and click to launch it in the browser.
Now if companies would see to getting simple and short URLs, QR codes could go and die out.
QR codes are the 8-track tape of this decade.
I've avoided QR codes like the plague for this very reason. I know how to use search engines to find the info I need and I don't ever find myself in the immediate need to know about a product or event to resort to utilizing one.
... but I can't imagine why someone would scan and follow the embedded link for a QR placed on some wall or pole.
Well, I can give you one example: "illegal" raves/parties.
As others have indicated the URLs they contain don't have to go directly to a website.
If you are running an illegal entertainment some place you have to get the punters you want not the police.
For a while people used the likes of the online private messaging service on RIM phones but the police worked a way around that. And for a while QR codes with links just got put on a wall or pole somewhere telling people where to go next like a "treasure chase" game.
In Japan, yes, because (as I understand it) the phones have been equipped since the early 2000s with a very simple way to scan.
Everywhere else, no, because you have to launch an app to do it.
Imagine if Apple and Google built QR Code recognition as an option into lock-screen picture taking. Codes, like faces, would be recognized and one could tap to see the URL and then agree to open the browser to it.
A recent "fun" example of using qr-codes for abuse:
Turkish football fans send a message to abuse the supporters of their opposing team, reading "sons of bitches" in various languages. Thus they could bypass security and insult opposing fans.
I've been aware of this threat for a while, so have always been cautious whenever I scan a QR code. They are hugely popular in Japan, and museums have started using them here in the US.
A risk is that some scanner apps will automatically open a web address in a QR code. The ZXing barcode scanner for Android shows you the URL and asks you if you want to connect. The idea is that you can make a decision based on the URL. Unfortunately, URL shorteners limit the value here.
The bottom line is that QR codes are a neat concept and have value as a machine readable image, but you should be cautious. This is just another thing to consider part of the growing set of 'street smarts for the 21st century'
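The handling David describes above (and Jan and Jean-Loup earlier: show the URL before the browser sees it, and remember that a shortener tells you nothing) can be made explicit as a small triage policy. This is an added example, not code from the post, from ZXing or from any commenter. It operates on the already decoded QR text, so the image decoding is assumed to be done by a library such as ZXing; the shortener list, the scheme groups and the sample payloads are constructed for illustration and are not taken from any real campaign.

```python
import ipaddress
import urllib.parse

# Hosts of common URL-shortening services (illustrative list, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}

# Schemes a scanner should never hand to a browser or any other app.
BLOCKED_SCHEMES = {"javascript", "data", "file", "intent", "vbscript"}

# Schemes that trigger an action (dial, send, navigate) rather than a page view.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "geo", "market"}

# Non-URI payload formats commonly packed into QR codes (Wi-Fi config, contacts).
DATA_PREFIXES = {"wifi", "mecard", "begin"}


def classify_qr_payload(payload: str) -> dict:
    """Decide what a scanner should do with decoded QR text *before* acting on it.

    Returns a dict with keys: payload, kind, action ("show", "confirm" or
    "block") and warnings (strings meant for the confirmation dialog).
    """
    text = payload.strip()
    result = {"payload": text, "kind": "text", "action": "show", "warnings": []}
    scheme, sep, _rest = text.partition(":")
    if not sep or not scheme or " " in scheme:
        return result                       # plain text: nothing to open

    scheme = scheme.lower()
    if scheme in ("http", "https"):
        parts = urllib.parse.urlsplit(text)
        host = (parts.hostname or "").lower()
        result.update(kind="url", host=host, action="confirm")
        if scheme == "http":
            result["warnings"].append("cleartext http, page can be tampered with in transit")
        if host in SHORTENER_HOSTS:
            result["warnings"].append("URL shortener hides the real destination")
        if parts.username is not None or parts.password is not None:
            result["warnings"].append("credentials embedded in URL, classic host-spoofing trick")
        if any(label.startswith("xn--") for label in host.split(".")):
            result["warnings"].append("internationalised host name, check for look-alike characters")
        if _is_ip_literal(host):
            result["warnings"].append("bare IP address as host")
        return result

    if scheme in BLOCKED_SCHEMES:
        result.update(kind="dangerous-uri", action="block")
        result["warnings"].append(f"{scheme}: URIs are never opened from a scan")
        return result

    if scheme in ACTION_SCHEMES:
        result.update(kind="action-uri", action="confirm")
        result["warnings"].append(f"{scheme}: opening this may dial, send or pay on your behalf")
        return result

    if scheme in DATA_PREFIXES:
        result.update(kind="data", action="show")   # display it, never auto-apply it
        return result

    result.update(kind="uri", action="confirm")      # unknown scheme: ask first
    result["warnings"].append(f"unrecognised scheme {scheme}:")
    return result


def _is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals as returned by urlsplit().hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Constructed sample payloads, roughly the cases the comments above describe.
SAMPLE_PAYLOADS = [
    "https://www.schneier.com/",                 # plain site: show URL, ask
    "http://bit.ly/1abcDEF",                     # shortener: destination unknown
    "http://198.51.100.7/login",                 # bare IP, cleartext
    "https://paypal.com@evil.example/",          # user@host spoofing
    "javascript:alert(document.cookie)",         # must never be opened
    "tel:+15555550100",                          # would dial on open
    "WIFI:S:CafeNet;T:WPA;P:hunter2;;",          # Wi-Fi config, display only
    "Just some text",                            # no action at all
]


def triage(payloads=SAMPLE_PAYLOADS):
    """Return (payload, action, warnings) for each payload, for review."""
    return [(p, r["action"], r["warnings"])
            for p, r in ((p, classify_qr_payload(p)) for p in payloads)]


if __name__ == "__main__":
    for payload, action, warnings in triage():
        print(f"{action:8} {payload}")
        for w in warnings:
            print(f"         - {w}")
```

The point of the policy is that "confirm" is the default for anything openable and that the warnings are shown next to the URL, so the user is told what the URL alone cannot tell them: that bit.ly is not the destination, or that the part before the @ is not the host. A production scanner would also expand shorteners server-side (a HEAD request, following redirects, with a timeout) before displaying the final host; that network step is deliberately left out here so the example runs offline.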
I understand it's common to put them on badges at industry conferences.
They are sometimes used for Geocaching, to give information for the next waypoint. And there is a "point hunting" game based on them: munzee.com
I use them on my card and as a quick way of sending links to my phone. I don't scan ad codes much, not unless I trust the source. Also, like David said, Zebra Xing's scanner shows you the URL. Shortened URLs are usually easy to spot, they don't look like they are encoding as much data; I scan those very rarely.
I am developing for a QR code app. It is nice for getting subsidies and to sell old technology with a novelty varnish. I wouldn't use the products that are based on it myself.
It would be nice for specific URLs (like feedback for a specific café), but mostly it leads to generic URLs where you have to navigate yourself to the specific café (and sometimes even to non-mobile sites: "but it looked nice on my iPhone", original designer quote). Not so nice.
Well, there is one specific case where I used them and where it was handy: extra historical information for a city tour (same in museums). At the attractions there were QR codes that led to sites describing the building and history, in different languages. When you do this quite often in a row, entering the full URL all the time would get annoying; it definitely led to using this service. A specific geocoded app or other technology like NFC would work too, obviously, but this is cheaper, more generic, and easier to set up.
▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄▄▄▄▄▄
█ ▄▄▄ █ ▄▀▄ █ █ ▄▄▄ █
█ ███ █ █▄▄▀ █ ███ █
█▄▄▄▄▄█ ▄ ▄ ▄ █▄▄▄▄▄█
▄▄▄▄ ▄ ▄▀█ ▄ ▄▄▄ ▄
▄ █ ▄ ▄▀▀▄ █▄▄█▄▀▄▄█
█▀ ▀▄ ▄█▀▄█▄▀█ ▄ ▄██
▄▄▄▄▄▄▄ ▀█▄ █▄▀▄ █ ▀
█ ▄▄▄ █ ▀█▀▀█ █ █
█ ███ █ ██ ▄ █ █▄▄▀
█▄▄▄▄▄█ █▀▄██ ▀▄▀█ ▀
I'm using them as a way to sell ebooks in bookstores and other physical locations. There's a card or even paper copy of the book in the store with a QR code that identifies the item and the store. If someone buys online (the ebooks are downloaded, and there are samples online, too) after scanning the QR code the physical store gets a substantial cut of what the customer paid, and a similar cut from future online sales to that person. It's a way to get visibility through the enormous volume of ebooks published.
Taking the Turkish football fans' QR code banner one step further...
No banner required.
Each person in the crowd has a large plain black or white card. Stand in the correct layout and on the agreed signal, hold up your card. (Not original, it's been done before with images). Maybe just white cards (or sheets) are required?
For Android and iPhone, Symantec has Norton Snap, which shows the URL, the Norton site rating, and a link to the Norton site report before you manually approve opening the link.
@Murray, not even that: home and away shirts.
The police in Geneva, Switzerland has started putting them on their cars as a way to recruit new officers. I wonder whether they're effective.
I never used QR codes -- I like to know where I go.
@D0R: "I never used QR codes -- I like to know where I go."
Do you really think you can tell if a URL leads to a "good" or "bad" site from merely looking at it?
Plus, many QR apps show the URL before they open it (maybe not on iOS, though).
As to real world usage, I have such a code on my business card. Works much better than attempting to OCR the text on the card.
I've been following QR code as a vector for attack for a while and, while I find these attacks interesting, I am really waiting for a researcher to find an exploit in the decoding engine itself. Could a maliciously formed QR symbol exploit an weakness (bounds checking, invalid field value, etc.) in the decoder to compromise the scanning application?
If you're using a 'clean' code generator to make the symbols you use for testing your decoder, you're missing a large range of test cases. Surely, noise and other distortions in sampled codes will test some of this problem space, but does it go far enough?
Barcode Scanner on Android lets you see what you've scanned before opening a browser. I usually scan QR codes I've generated (with DuckDuckGo's !qr command, for example) to send the link to my phone.
I've considered augmenting PGP key exchange with QR codes. One phone displays the QR of the owner's public key fingerprint, the other scans & looks it up. Compare real-life face against the signed photo in the keyring for verification.
I've used them many times, from both sides (as a business putting the code out there, and as a person out there scanning such codes).
Call me silly, but I think the sheer fact that you are seeing the codes pop up so much, and that business haven't stopped using them, is proof they're being used.
This is a story about a Korean advertisement that won a number of prizes at the Cannes advertising festival: http://www.youtube.com/watch?v=EvIJfUySmY0 The store apparently built a large set of blocks that worked as a scannable QR code - between noon and 1 p.m. when the shadows hit it right. The QR code took the viewer to a site with time-sensitive specials. This attracted more people to the store over lunch, when it had apparently been very slow.
Haha, good one! :)
Pretty innovative scam btw. But since most people don't really scan QR codes, it's not quite effective and definitely not viral.
I can attest that this is a concern at least among the sort of people who attend security conferences. The company I work for released a security testing tool at a security conference this year. Marketing designed a postcard that consisted only of the company's name, the name of the tool, and a QR code. The developers of the tool argued unsuccessfully with marketing that people would find the card suspicious and no one in their right mind would access the website based on it. In the end they compromised: the people staffing the company's booth were allowed to tell visitors the URL of the website, but the URL would not be included on the cards. Not surprisingly, the site analytics showed that not many people visited it until after the conference was over.
On top of everything else, as Species5618 complains, the site was most definitely NOT mobile-friendly.
For those interested, I do have an Android QR Code Analyzer available through my blog. It uses VirusTotal's API to analyze any URL contained within a QR Code to check if it's a malicious site. This is just a test/development app created through MIT App Inventor.
Full writeup here, including download link as well as source code:
Sure, they're being used. If you put up a big red button in any public place and label it "Press this button for a big surprise!", you can bet the ranch that an *endless* number of yokels will walk up and press it, usually while Beavis-laughing with their retarded friends. It's America. What, did you think "Idiocracy" WASN'T a documentary?
@Stainless Stihlradt - This sounds like the beginning of an interesting social experiment. Place two buttons side-by-side...one labeled "Press this button for a big surprise!" and the other labeled "Don't press this button!". I'm curious which button would get pressed more.
I haven't had much luck with them. I have one on a display in every Sears store in the US and can count on one (maybe two) hand the number of weekly hits.
For a rarely-used system I manage (only need to use it as a part of emergency response), I have printed out business-card-sized cheat sheets reminding the users how to use the system.
I put a QR code of the URL for the system's launch page on those cards, so folks with a camera can start the process by scanning that code instead of typing in the URL. For this limited purpose, I think it works reasonably well.
(I designed the system after watching how our emergency responders handled communications previously -- long story there. But, there were too many steps, too many things to remember, too many things to get in the way during an incident. So I designed a dramatically simpler system optimized for this one purpose, and even with that simplicity, I distribute cheat sheets that folks can keep in their wallets.)
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.