FBI Sounds Alarm as QR Code Usage Soars (axios.com) 71
The pandemic has accelerated the usage of QR codes, taking them from niche status to an essential tool for businesses and marketers. From a report: Look no further than Sunday's Super Bowl commercial of nothing but a floating QR code sending users to the website of Coinbase. [...] Law enforcement officials are sounding the alarm about the risks. The FBI issued an alert in January warning Americans that cybercriminals "are tampering with QR codes to redirect victims to malicious sites that steal login and financial information." If you're scanning a physical code, make sure it hasn't been tampered with. For example, watch out for "a sticker placed on top of the original code," the FBI advises.
Prank QR Codes (Score:1)
Re: (Score:1)
Probably foot fetish enthusiasts, am I right?
Re: Prank QR Codes (Score:3)
I'm not a football fan, but anybody could get scammed by a QR code because it does not reveal what it actually is until you scan it.
It looked and seemed like a good idea, but the security is really lacking on how it was done.
Re:Prank QR Codes (Score:4, Insightful)
The entire problem here is actually QR code apps that automatically act on QR code content without further user input - sadly this is the most common way that these apps work. They should show the content to the user and require the user to confirm any further actions, similar to browser app launch/xdg-open activity on desktop OSes.
Re: (Score:2)
Re: (Score:1)
I use the default camera app, and it'll show me the beginning of the URL.
Definitely something to consider with QR code menus becoming popular.
URL in Unicode (Score:2)
So how do you differentiate l from I, let alone A from Alpha. I'll be dammed.
And no user can do that.
Just mindlessly execute anything that the camera sees. What could possibly go wrong!
All QR URLs should start with qr. (or similar).
Re: (Score:3)
I think it was a good FP, but I'm still unclear on what your point was... The QR code design isn't intrinsically bad, just another morally neutral tool, but it puts the onus on the decoder to avoid doing anything stupid, and you can be sure that there are plenty of stupid QR decoders out there. Some of the pranks are quite annoying and even dangerous.
Re: (Score:2)
Actually I should have responded with a solution approach. Here's mine.
I use an app with a built-in QR decoder. If the app recognizes the QR code as part of the app, then it might execute, but it can only execute functions within the scope of the app. That's still a bit dangerous, since the app is fairly popular and too powerful for its britches, too, which makes it a kind of security through obscurity.
However the protection is that any QR code which is not part of the app is only displayed as text and it a
Re: Prank QR Codes (Score:2)
A blacklist/whitelist solution would be good here too.
Maybe a huge warning banner that the code may be malicious with details of why, with multiple "are you sure?" prompts in order to execute it. If the user goes ahead and does it, well the responsibility falls on the user.
Re: (Score:2)
If you do not know what you are scanning, you should beware of any QR code.
Especially ones you might find in YouTube videos. [youtube.com]
Re: (Score:2)
Use just a scanner/decoder. (Score:2)
Use a scanner/decoder that'll just show you the contents, not try to follow any URL it finds. Always know where you're going before you go there.
Re:Use just a scanner/decoder. (Score:5, Interesting)
Yeah, only that's not gonna work for most people. Ever seen a typical Google link? it run several hundred characters long and it's unreadable. Fill your QR code with an unreadable Google-style URL, and by the 3rd such URL, people just tap "Yes, take me there" and don't bother to check anymore. Which is also partly why Google does it incidentally.
Re: (Score:2)
Bitly links are cool (Score:2)
Everyone uses them ...
Re: (Score:2)
better yet just carry a black marker and block out a pixel or three from any QR codes in train stations, election signs, etc. Just as safety measure, it might be a bad one.
Re: (Score:2)
That won't work as QR codes have multiple levels of error correction [wikipedia.org] available. Even at Level L (Low), 7% of data bytes can be restored. So if your plan of attack is to disable one to three dots of a QR code, that won't be enough.
Re: (Score:1)
seriously, takes much less than that if you whack a single corner position block.
Re: (Score:2)
I have never tried to disable a QR code. Would simply filling out the white inside outline of a corner position block be enough to prevent scanning?
Re: (Score:1)
haven't seen that one in tests, loss of the black block inside just one prevented scan.
I was only joking about marker though, now we're talking of carrying white-out? I've never done any kind of graffiti in my life 8D
Re: (Score:2)
Not white-out, a black marker as you suggested. I'm talking about "deleting" the inside white outline of a position block by using the marker to fill it out, making the position block a full black square instead of a tiny black square with white padding and a black outline around it.
Re: (Score:2)
Kaspersky QR Scanner for Android can't.
I used https://leanpub.com/golang-tdd... [leanpub.com] QR code at put in GIMP, first made upper right box into a white left bracket by blacking out, that worked though. Fully black box wouldn't scan.
Re: Use just a scanner/decoder. (Score:2)
There is also the very off chance of turning the code into one that is malicious. It's remote but not impossible.
Re: (Score:2)
That's exactly how the URL to the furry porn site got into my search history. I swear it, babe, I'd never *want* to go there! Malicious QR code, definitely!
Re: (Score:2)
Re: (Score:3)
People want small QR codes, so they typically use URL shortening services that make the URL effectively opaque. Then one has to trust the URL abbreviation service as well as the software that opens the URL.
Re: (Score:2)
I just use a tool that tells me where the shortener is redirecting me to. Give it a URL and it prints a list of URLs it was redirected to until it hits a non-redirect, then it tells me what kind of data the final destination claims it was trying to send me.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It's actually 2953 bytes. I once made a such QRCode as a gift for a musician friend. I composed a MOD file with a single, extremely basic instrument (a square wave! haha), trimming as much as I could, removed the unnecessary tracks, using good ol' Impulse Tracker, and got it to fit in under 2800 bytes. At first he was puzzled by the odd data in the QRCode, but after some tinkering he figured out that it was a MOD file and managed to play it. I was happy :-).
I don't think a phone would be able to play the da
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
I have met people. That's why I far too often repeat "Vacation resorts on Venus. Kornbluth was right, someone really needs to start marketing those.".
The stupids get it (Score:2)
If you scan QR codes attached to commercials or Superball articles, you deserve everything you get.
Re: (Score:3)
It costs us all when we let criminals prey on the handicapped. We should be stopping criminals, not punishing the inept.
Re: (Score:2)
I'm for getting rid of the criminals so they can't criminal again, but some people have a problem with that idea.
not punishing the inept.
Considering how much they punish the rest of us with their ineptness, punishment is necessary.
Re: (Score:1)
Hard agree, though I would say it's more than just "the handicapped". Lots of people who are smart in other aspects of their lives can be fooled by a well crafted fake. But any time our response is "you shouldn't have been fooled", we're giving permission for criminals to steal.
Re: (Score:1)
Yup. Sometimes it's even cognitive dissonance, holding two or more opposing beliefs at the same time. As in "they wouldn't put this on the air if it wasn't safe", or "they couldn't sell it if it was't safe", followed by "we should get rid of all this regulation", followed shortly by "you can't believe anything on the news".
Re: (Score:2)
my conscience is clear
obvious attack vectors are obvious - bad software is bad - criminals should be punished - fuck the inept
Re: (Score:2)
It costs us all when we let criminals prey on the handicapped.
So if we just eliminate the handicapped, no more crime? And that will save the rest of us money in the long run? I think I like your idea here.
Re: The stupids get it (Score:5, Insightful)
If someone sees a QR code on a commercial that cost millions of dollars to air, they are going to assume that it's one they can trust.
Really, all of this superiority, holier than thou thinking solves nothing and causes problems.
Government COVID Check In app (Score:2)
Every time you enter a place in Australia you need to scan a QR code so that they know you are there, and can contact trace any infections. It is a system that worked pretty well.
But it means that you had to scan whatever every establishment put up. 99.9% were legitimate.
Re: Government COVID Check In app (Score:2)
I've seen QR codes being used to ensure a security guard does his/her rounds. Like punching in on a clock. The QRs would be placed throughout the property that the guard is supposed to be patroling.
Re: (Score:2)
And the guards just make copies of them.
Those RSA time based tokens were not originally made for login security, but rather for security guard monitoring. They could be places at various places and the changing number could confirm when the guard visited.
Re: Government COVID Check In app (Score:2)
Never said the person who put that together was smart.
I didn't see any cheat sheets of copied codes, but I'm sure some of them had 'em)
Re: Government COVID Check In app (Score:2)
It was on the honor system, but the place also had a CCTV system and their supervisor routinely reviewed the footage.
Huh. Just don't do it. (Score:2)
So I saw that Super Bowl commercial with the floating QR code. My immediate reaction was "No Way! There is no way i am scanning a code without knowing something about it"
Now, even if presented with the trappings of legitimacy the obvious answer is to never put any info into any site you reach through a QR code unless you don't care about the details. Like dinner reservations or something like that.
Re: Huh. Just don't do it. (Score:2)
I didn't see the commercial, but I am imagining a huge QR code with a generic background, and instrumental music.
This kind of thing was popular back in the 90s and 2000s, when we had that stupid "IDIYIG" (or whatever) commercial that did not tell you what they were actualy advertising. An appeal to curiosity in an attempt to drive up sales.
Those kinds of ads died out for a reason.
surprised (Score:2)
I'm surprised I haven't heard of people posting qr codes around public places that lead to goatse or similar
Re: (Score:2)
That's because the victims of such attacks usually end up in a mental institute.
Browsers that execute arbitrary code (Score:2)
Are you telling me that this JavaScript thing was a big mistake? That simply clicking a link or inputting a URL electronically can instantly execute an arbitrary application on your personal device? OOPS!
Work-around for QR codes:
* HTTPS only. No visiting sites that are lacking certificates, at least through a QR.
* On top of that, a QR system shouldn't visit directly load site, instead the software should consult a central white list. Not on the list, then the user gets a warning dialog. Black listed sites g
Re: (Score:2)
Re: (Score:2)
Sounds like a lot of work. How about just "don't follow QR codes"?
Re: (Score:2)
Right. Which is why I think phones should only accept HTTPS URLs, not arbitrary unsigned crap.
R2! (Score:2)
This will be interesting... (Score:5, Insightful)
With QR codes not human readable, there isn't any real way to tell if a sticker on a band's sign on a nightclub is theirs, or someone else's. Especially if the band is accepting cryptocurrency. With the fact that URLs tend to be long and obfuscated, there is no way to know if the band will be getting the donation, or some random joker who slapped a sticker on the wall.
To boot, there is a good chance of this taking someone to a 0 day site. A ransomware group with a 0 day exploit that is about to go away on smartphones can make a mint by having some guy slap stickers everywhere with a cool, astroturfing slogan, and many people would check it out.
McAfee's next product QR Code AntiMalware (Score:3)
Only $99 a year and no way to cancel without calling and waiting on hold for 4 hours.
If opening an unknown web page scares you, (Score:2)
why are you still online? And why are you using a QR code scanner that doesn't show you the contents of the code before it does anything with it? Why do people not understand anything if a computer is involved? Everything you can do with a QR code you could just as well do with a short URL that you type in. Are you scared of short URLs too? Don't type Google into Google!
Re: (Score:2)
why are you still online? And why are you using a QR code scanner that doesn't show you the contents of the code before it does anything with it? Why do people not understand anything if a computer is involved? Everything you can do with a QR code you could just as well do with a short URL that you type in. Are you scared of short URLs too? Don't type Google into Google!
Not sure of what your point is. I click on plenty of unknown web pages, and gotta say, there is a reason to be concerned. That's why I wrap my computers in several layers of ad blockers and script blockers. Multiples of each, because not all are caught by any single one. Install at least a script blocker, then look up who is behind the scripts it tells you about.
Problem is, that level of safe computing isn't available on phones. And most people don't want to have to go through enabling scripts so that a
Re: (Score:2)
The point is that none of it is particular to QR codes. A QR code is a small machine readable blob of data, nothing more, nothing less. Any link on a web site poses at least the same risk. A sticker with a short URL poses the same risk. It has absolutely nothing to do with QR codes or them not being human readable. If you're afraid of QR codes, you're afraid of being online.
Re: (Score:2)
For example, a QR code on a parking kiosk for making payment to the city. While a url can also be used, the fact that the QR code is scannable makes it more appealing to average joe.
Re: (Score:2)
So remove the QR code then. What do you put instead? An NFC tag? Same problem. A short URL? Same problem. It's a silly warning. Don't scan the code on the parking meter? Then what?
QRcode - like clicking every random link in email. (Score:2)
It's neat on face value, until abused.
They Are Not An Essential Tool (Score:2)
They are a convenience; for both legit and hackers. Better to make it harder on the illegitimate folks, especially as text links or even just text information is not that inconvenient for the user. Businesses trying to be too clever are, as always, fucking over Darwinian levels for their own end; turning to sociopathy when their 'essential practices' end up at the fucking part.
Told you so. (Score:1)
I predicted this as well. Never was there a more destructive or ill-conceived plan than to add yet another layer of impossibly obscure misdirection to the already risk-laden workflow of fetching a document remotely by URL.
Reminds me a little of Snow Crash (Score:2)