If there's any silver lining to COVID, it's QR codes being normalized.
I remember trying to use a QR code in 2015 at a crypto meetup so I could buy a beer with Bitcoin (they organized with the bar that they'd get cash at the end if they played ball). After downloading a QR reader app, taking a picture with my phone, uploading the picture to the app, then realizing there was too much glare and trying again, they eventually just gave me a beer and put a tally mark on a notepad.
Just a few weeks ago I used a QR code to join a WiFi network and it took like 2 seconds (it found the network and entered the password for me). We've come a long way.
I also became aware of the possibility of people putting their own QR code sticker over another. Quite easy to send people to a phishing site... enter your credit card to "buy" that beer...
This has been a problem with NYC's bike share program, CitiBike. The solution was to add an alert when your phone's location is far from the location of the bicycle you are trying to unlock.
> Citi Bike says it is aware of a scam in New York City in which thieves are switching the QR code stickers on rental bicycles in order to steal bikes unwittingly unlocked by customers. The scammers wait for a renter to unlock a bicycle using the QR code, then ride away on the bike to which the code actually belongs, officials said.
Easy (conceptually) solution: a button on the dock that you need to press to complete the unlock. When you scan the QR code, CitiBike looks up which dock it thinks the bike is in, then waits for you to press that dock's button before releasing the bike.
Assuming that there is no feedback during this process coming from the bike, what is the thief going to do? Sit there for an hour constantly pressing the button?
The thief would just observe, from a distance, and wait for someone trying to scan the fake QR code. When he sees the victim, he pushes the button and steals the bike.
This is why Toronto's bike share requires Bluetooth to be turned on. At worst, you might end up unlocking another bike at the same station. (And you'll hear it!)
A possible solution could be to use small e-ink displays showing single-use QR codes that change every 2 minutes or so. I don't know if it would be feasible though or it would drain the battery of the bike too quickly.
Can you explain more what you're thinking here? I don't see how that would solve anything.
QR codes generally are just a bit of data, like a link to a website. If I cover up an existing QR code with my own link to my own website... what would a signature do to help here?
Even if the original QR code had the link printed on it, do you think someone reaching for their 3rd beer would even notice it?
Humans are not conditioned (yet) to validate QR codes. We scan them without thinking twice. Phishing is pretty sophisticated and it is easy to duplicate a website.
This is an authorization issue. You need a signing authority of some kind to verify the QR code.
A literal JWT (JSON Web Token) could be used, but a binary format could save TONS of space (30-50% smaller) which matters for a QR code.
QR would contain: binary data, datetime it was issued, QR creator ID, URL of signing authority (or a code from an approved list of authorities representing a known URL), a code for the algorithm used, and a signature that signs everything else.
When a user scans the QR, the software recognizes that it uses authorization mode.
It looks up the signing authority based on the ISO code for that authority and sends an API request for the public key, passing the datetime and creator ID.
The signing authority returns the public key based on company and time (or a message if the private key has been revoked). If the key checks out, the user visits the URL.
All of this would take a fraction of a second and be entirely transparent to the user (barring revoked permissions or the signature being incorrect).
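As an added illustration of the scheme sketched in this comment (not code from the thread or from any real QR standard), here is the offline half of it in Go: a compact binary payload carrying an algorithm code, issue time, authority index, creator ID and URL, an Ed25519 signature over all of it, and a verifier that looks the creator's key up in a registry standing in for the signing authority's API. The field layout, the "QS" magic bytes, the 5-minute clock skew and the registry shape are all assumptions made for the example. The point of the forged case in main is the one the comment relies on: a sticker swapper can paste a different URL over the original, but cannot produce a valid signature for it without a key the authority has issued.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Assumed layout (illustrative, not a standard):
// magic "QS" | alg 1B | issued 8B | auth 2B | creator 4B | urlLen 1B | url | sig 64B
const (
	magic0, magic1 = 'Q', 'S'
	algEd25519     = 1
	headerLen      = 2 + 1 + 8 + 2 + 4 + 1
	sigLen         = ed25519.SignatureSize
)

// Payload holds the fields the comment lists as signed content.
type Payload struct {
	Alg     uint8  // algorithm code; only Ed25519 is defined here
	Issued  int64  // unix seconds the QR was generated
	Auth    uint16 // index of the signing authority in the scanner's list
	Creator uint32 // ID the authority assigned to the QR creator
	URL     string // destination the scanner opens once verified
}

// encodeBody serialises everything the signature covers.
func encodeBody(p Payload) ([]byte, error) {
	if len(p.URL) > 255 {
		return nil, errors.New("url too long for one-byte length")
	}
	buf := new(bytes.Buffer)
	buf.Write([]byte{magic0, magic1, p.Alg})
	binary.Write(buf, binary.BigEndian, p.Issued)
	binary.Write(buf, binary.BigEndian, p.Auth)
	binary.Write(buf, binary.BigEndian, p.Creator)
	buf.WriteByte(byte(len(p.URL)))
	buf.WriteString(p.URL)
	return buf.Bytes(), nil
}

// Sign returns the bytes that would be encoded into the QR image.
func Sign(p Payload, priv ed25519.PrivateKey) ([]byte, error) {
	body, err := encodeBody(p)
	if err != nil {
		return nil, err
	}
	return append(body, ed25519.Sign(priv, body)...), nil
}

// Authority stands in for the remote signing authority's API (assumed shape):
// creator ID -> public key, plus the set of revoked creators.
type Authority struct {
	Keys    map[uint32]ed25519.PublicKey
	Revoked map[uint32]bool
}

// Registry is the scanner's built-in list of trusted authorities.
type Registry map[uint16]*Authority

// Verify parses a scanned payload and returns its URL only if every check passes.
func Verify(qr []byte, reg Registry, now time.Time, maxAge time.Duration) (string, error) {
	if len(qr) < headerLen+sigLen || qr[0] != magic0 || qr[1] != magic1 {
		return "", errors.New("not an authorised-mode QR")
	}
	p := Payload{Alg: qr[2]}
	if p.Alg != algEd25519 {
		return "", fmt.Errorf("unsupported algorithm %d", p.Alg)
	}
	p.Issued = int64(binary.BigEndian.Uint64(qr[3:11]))
	p.Auth = binary.BigEndian.Uint16(qr[11:13])
	p.Creator = binary.BigEndian.Uint32(qr[13:17])
	urlLen := int(qr[17])
	if len(qr) != headerLen+urlLen+sigLen {
		return "", errors.New("length mismatch")
	}
	body, sig := qr[:headerLen+urlLen], qr[headerLen+urlLen:]
	p.URL = string(qr[headerLen : headerLen+urlLen])

	auth, ok := reg[p.Auth]
	if !ok {
		return "", fmt.Errorf("unknown signing authority %d", p.Auth)
	}
	pub, ok := auth.Keys[p.Creator]
	if !ok {
		return "", fmt.Errorf("creator %d not registered with authority %d", p.Creator, p.Auth)
	}
	if auth.Revoked[p.Creator] {
		return "", fmt.Errorf("creator %d has been revoked", p.Creator)
	}
	issued := time.Unix(p.Issued, 0)
	if issued.After(now.Add(5*time.Minute)) || now.Sub(issued) > maxAge {
		return "", errors.New("issue time outside accepted window")
	}
	if !ed25519.Verify(pub, body, sig) {
		return "", errors.New("bad signature")
	}
	return p.URL, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	reg := Registry{1: &Authority{Keys: map[uint32]ed25519.PublicKey{42: pub}, Revoked: map[uint32]bool{}}}
	now := time.Now()
	qr, _ := Sign(Payload{Alg: algEd25519, Issued: now.Unix(), Auth: 1, Creator: 42, URL: "https://bar.example/pay"}, priv)
	fmt.Println(len(qr), "bytes in QR;", "verify:")
	fmt.Println(Verify(qr, reg, now, 24*time.Hour))
	// Sticker-swap attacker: same-length look-alike URL pasted over the original, signature untouched.
	forged := append([]byte{}, qr...)
	copy(forged[headerLen:], "https://bar.examp1e/pay")
	fmt.Println(Verify(forged, reg, now, 24*time.Hour))
}
```

The registry lookup is where the scheme's trust actually lives: a self-signed payload from a creator the authority never registered fails at the key lookup, and revocation is a flag flip on the authority's side rather than a re-print of every sticker.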
What prevents me from just signing my own QR code though? I could register a very similar domain, sign it, make it look all official and then siphon funds.
A third party could revoke my signature, but then we are dependent on that third party for everything, which isn't ideal either.
This is the difference between a self-signed SSL cert and one that is issued by a trusted company.
An argument in trusting trust is meaningless. The whole point is that they can be trusted. If you don't believe you can trust them, then nothing is going to change that.
The goal isn't to make such scams impossible, but instead to make them too risky and expensive.
If you're going to do a scam like that on a business level, there's a lot of logistics involved. A mom and pop shop isn't going to be a suitable target, so you're going to be targeting a franchise where you can easily move operations to reduce costs. You have to spend a bunch of time building out a fake website. You have to put multiple boots on the ground to go around changing hundreds of QR codes to improve hit rates.
QR certification means you have to create a new business to apply that makes a paper trail. Creating something very close to an actual franchise is also going to run the risk of setting off alarm bells and getting busted by the FBI. It doesn't make this scam impossible, but adds a big enough hurdle to reduce profitability and increase risk to the point where there are easier scams to pull off.
The other kind of attack is one-off scammers hoping to trap people. In this "QRL" certification scheme (sorry for the bad pun), their scam would never get off the ground because it wasn't certified.
> If you're going to do a scam like that on a business level, there's a lot of logistics involved. A mom and pop shop isn't going to be a suitable target, so you're going to be targeting a franchise where you can easily move operations to reduce costs. You have to spend a bunch of time building out a fake website. You have to put multiple boots on the ground to go around changing hundreds of QR codes to improve hit rates.
Yea, this happens already. For example, the finance department at my company was recently phished for a significant amount of funds. How? Someone broke into the payment company that issues the invoices for a company that we use and got their customer list and then started phishing all their clients.
They emailed my finance department, said the account number had changed, even used the same bank, and got us to send a payment for an invoice to that new account. Bank happily paid them out. Nuts. Now we have to try to claw the money back, but I don't think we can get it without long legal proceedings against the bank. Imagine though, having the balls to open a bank account after having broken into a company.
The people in the finance department felt awful and surprised that this could even happen to them. Since then, they've now increased the security 1000x and require voice verification and what not...
My point is, just like you say, you can't trust the trust. The only way this would have worked is if QR codes could only be generated by a trusted third party for all QR codes. Even still, it wouldn't work because I could fake the trusted third party.
You have a nice dream, and it gets me thinking that a "LetsEncrypt for QR codes" might be an interesting business service, but it would require a huge amount of convincing people to use you as well as marketing dollars to get the word out. I still don't think it'll stop everything.
> If there's any silver lining to COVID, it's QR codes being normalized
I'm not sure if I would call this a "silver lining". In parts of Europe (I noticed it especially in Germany and Austria) they were normalized to a point where a lot of non-tech-savvy people now think "QR codes" are kind of a synonym for successful "digitalisation".
It's now even more painful to watch misguided attempts to digitalize shitty (business/administrative...) processes. QR codes just feel like the poor man's blockchain.
My child's daycare uses a cell phone app for checking in and out the children. It requires one to scan a QR code, then enter a PIN, and scribble a signature.
I am not able to get over this seeming like security theater, not to mention being somewhat indignant to the presumptive ownership of a smart phone to go through this song and dance when a piece of paper would suffice as a record.
I've captured the QR code and found that it's not geo-fenced or time-locked so I can check the child in and out in the comfort of my home, but haven't probed the application further.
Yes, this is very true, _in the US_. In other parts of the world, QR Codes have been ubiquitous for many years. In China, Alipay, WechatPay, UnionPay, etc have made QR codes for payment expected and common, to the point that many places don't take cash or credit cards, but you can pay with the right phone app and account.
Which is also annoying, since it’s pretty hard for a foreigner to set up WeChat and AliPay in China. Before covid, I had to repeatedly ask friends to pay for me, and give them cash in return.
I didn't say that emulating China is what should be done in this case. I much prefer the UX of Apple Pay with my watch - it still feels magical.
It is interesting how much cheaper the QR based payment schemes are in China. Payment processors in the west charge 2-3% typically for tap/dip/swipe. In China, the QR transaction fee is a fraction of that. Also, a bunch of the infrastructure for printing, displaying, and reading the QR codes is pretty cheap.
To my memory: the timing was off. QR codes (in the consumer-facing context) kind of peaked and died out before the iPhone camera app would scan them in large part because non-techies would not download an app just to scan a code. Apple added support, but there didn't seem to be enough emphasis to revisit them until COVID.
Yes they were out there and readable by lots of phones in 2010, and very few people used them. They weren't convenient to use and didn't tend to direct you anywhere useful to begin with.
The running joke for a decade (here in the US anyway) was that nobody had ever actually used one.
I've looked into this a couple of years ago and the problem was that you just couldn't assume people would be able to scan a QR code without downloading an extra app.
iPhones could scan them with the default camera app, but on Android it really depended on the manufacturer.
So you couldn't just say: "point your camera app at the code and open the url that appears.", which made using QR codes pretty much useless unless you had an app where you could build in a scanner for these codes.
I attach QR codes to all my invoices and I encourage every business entity I interact with to start doing the same. I had a few successes actually, though the big businesses are more reluctant.
An old investor once told me: "Make it really easy for your customers to pay you, and you won't regret it." QR codes make it really easy to do a wire transfer and they prevent random errors from being introduced.
People have been claiming society is degenerating for as long as there's been society. It may not be proceeding in a direction you like, but that doesn't mean it's degenerating.
Society objectively degenerated since the start of the covid scam. To pretend otherwise is being willfully blind to the changes we saw.
Unchecked authoritarianism in democratic countries. House arrest of healthy people. Telling people that they do not have the right to run a legal business. Heavy censorship and lack of debate. Treating others as vectors of disease instead of fellow humans is not in any way positive for society. Coercion of a rushed, not fully tested "vaccine" onto a general public, the vast majority of whom did not need it. We have demonized having a common cold, while at the same time normalized young people having heart attacks and strokes. Since the vaccine rollout excess deaths are not notably down, so it's very debatable that they have "saved lives".
All for what objectively amounts to a bad flu - age adjusted 2020 showed the same number of deaths as 2008 in the UK. 2003 in terms of non adjusted numbers.