The QR code rules supreme in China. You can pay for almost anything with it: street food, toilet paper, a lobster dinner, a foot massage. You can even use it to socialize. At networking sessions, it’s not uncommon to scan someone’s WeChat QR code instead of giving them your business card.
But after an incident last week involving fraudulent QR codes and US$13 million of stolen money, the security of China’s most popular offline-to-online tool is coming under fresh scrutiny.
“Some criminals paste their own QR codes over the original ones to illicitly obtain money, as ordinary consumers simply cannot tell the difference,” wrote China Daily, a state-owned English media site, in an op-ed.
“That is why we are powerless to prevent QR codes from being used for fraudulent activities, and that is precisely why the enterprises using QR codes should assume their share of the responsibility for protection.”
This isn’t the first time that QR codes have been used for malicious purposes in China. A QR code is essentially a link: scanning one can send a smartphone to a page that installs malware, which then lets the fraudster drain the victim’s mobile wallet, such as Alipay. Methods are sometimes even more direct. Unsuspecting victims, expecting the payment to go to a shopkeeper or a service provider, are tricked into transferring money to the fraudster via QR code.
More recently, a spate of scams has been linked to the country’s bike-sharing craze. Users normally scan a code to unlock a rental bike; by attaching their own QR code to the bike, fraudsters fool riders into transferring US$43 — the same amount as Mobike’s required deposit — to the fraudster’s account.
As tech startups in other markets, such as India, prepare to roll out their own QR code solutions, taking a defensive and proactive approach towards protecting users will be paramount. (Tech in Asia has reached out to Mobike for comment and has not yet heard back.)
“Early on, when QR codes just came out, Alipay had concerns around phishing and viruses,” an Ant Financial spokesperson tells Tech in Asia. In response, the Alibaba spin-off company developed identity verification and encryption software for its mobile wallet, she says, declining to share specific details about how the technology works.
In addition, Ant Financial has had to educate the shopkeepers and businesses that use Alipay. “We’ll tell them that they have to be alert and make sure that other people aren’t changing the QR codes [in their shops],” she says. Likewise, the app has push notifications to alert users of suspicious or risky behavior, like when a screenshot of your payment QR code is taken.
However, there are limits to protective software. If users aren’t educated properly, fraudsters can sidestep technical controls with fake QR codes and phishing schemes. The same is true of URLs, except that a suspicious URL can at least be read before it is clicked; a QR code is opaque to the eye, so its legitimacy cannot be judged by looking at it.
“From a cybersecurity point of view, the QR code […] does not have inherent security flaws but is subject to malicious abuses,” Charles Zhang, associate professor and director of the Cybersecurity Lab at the Hong Kong University of Science and Technology, tells Tech in Asia.
He compares it to HTTP, the protocol web browsers use to fetch pages. Though web browsers and web users have evolved to “embrace the concept of cybersecurity,” the protocol itself remains largely unchanged, he says. Thus, responsibility for QR code security falls on the companies that generate and read the codes: codes should be digitally signed, and scanners should be designed to scrutinize what they decode before acting on it.
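To make the "sign the code, scrutinize it in the scanner" recommendation concrete, here is an added example written for this article; it is not Alipay's, Ant Financial's or Mobike's code (the Ant Financial spokesperson declined to describe their mechanism). It assumes a single payment platform that both issues merchant payment codes and ships the scanning app, so a keyed HMAC under an issuer key held by the platform stands in for a digital signature; the key, the host `pay.example.com` and the merchant names are all constructed for the example. The scanner rejects codes pointing at any other host and codes whose payload has been altered. It also shows the check signing alone cannot do: a code the platform genuinely issued to a fraudster's account, pasted over a shop's real code, still verifies, so the scanner must surface the verified payee name and the payer must compare it against who they think they are paying.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example: a real platform would keep the issuer key in an
# HSM and rotate it, and the scanner app would pin the platform's real host.
ISSUER_KEY = b"example-issuer-key-do-not-reuse"
TRUSTED_HOST = "pay.example.com"


def _sign(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so issuer and scanner MAC identical bytes.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    digest = hmac.new(ISSUER_KEY, canonical, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_qr(merchant_id: str, payee_name: str, amount: Optional[str] = None) -> str:
    """Issuer side: build the URL the merchant prints as a QR code."""
    fields = {"v": "1", "m": merchant_id, "n": payee_name}
    if amount is not None:
        fields["a"] = amount  # fixed-amount code, e.g. a bike-rental deposit
    fields["s"] = _sign(fields)
    return f"https://{TRUSTED_HOST}/pay?" + urlencode(fields)


def scan_qr(payload: str) -> dict:
    """Scanner side: refuse to show a pay screen for anything the platform did not issue."""
    url = urlparse(payload)
    if url.scheme != "https" or url.hostname != TRUSTED_HOST:
        return {"ok": False, "reason": "untrusted host"}
    fields = {k: v[0] for k, v in parse_qs(url.query).items()}
    sig = fields.pop("s", "")
    # Constant-time comparison of the presented tag against a fresh MAC over the other fields.
    if not hmac.compare_digest(sig.encode(), _sign(fields).encode()):
        return {"ok": False, "reason": "bad signature"}
    if fields.get("v") != "1" or "m" not in fields or "n" not in fields:
        return {"ok": False, "reason": "malformed"}
    return {"ok": True, "merchant_id": fields["m"], "payee": fields["n"], "amount": fields.get("a")}


def payee_matches(result: dict, expected_payee: str) -> bool:
    """The check a signature cannot make for you: a validly issued code may belong to the wrong person."""
    return bool(result.get("ok")) and result["payee"] == expected_payee


if __name__ == "__main__":
    shop = issue_qr("shop-001", "Lao Wang Noodles")
    print(scan_qr(shop))
    # 1. Attacker edits the merchant ID inside a genuine code: the MAC no longer matches.
    print(scan_qr(shop.replace("m=shop-001", "m=mule-777")))
    # 2. Phishing code on a look-alike domain: rejected before the payload is even parsed.
    print(scan_qr("https://pay-example.com/pay?m=shop-001"))
    # 3. Overlay attack with a code the platform really issued to the fraudster's account:
    #    it verifies, so only the displayed payee name lets the customer catch it.
    overlay = issue_qr("mule-777", "Zhang Personal Account", amount="300")
    print(scan_qr(overlay), payee_matches(scan_qr(overlay), "Lao Wang Noodles"))
```

The host check is what stops the "QR code as malware link" case above, and the MAC is what stops a code that has been edited in transit; neither stops the sticker-over-the-sticker attack on its own, which is why the scanner returns the payee name rather than a bare pass/fail, and why the shopkeeper education Ant Financial describes still matters.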
But users have to become savvier as well.
“Since QR [codes] are cryptic, they give an illusion of being secure to mass users,” says Charles. “More education is, of course, needed to raise the awareness, much like what we do for cigarette packages.”
As a case in point, last September, a man in northeastern China had about US$100 stolen from him at a train station. According to his report, a young man had asked him for cash, promising to immediately transfer the same amount via Alipay. When the transfer failed, the fraudster blamed the internet connection, and said he would complete the payment later. Sometimes, no matter how robust your technology is, you can’t prevent human error.
Currency converted from Chinese yuan. Rate: US$1 = RMB 6.91.
Originally posted on Tech in Asia in March.