QR Code Hijacking Attempts Are Pretty Inept
I've been writing about QR codes since 2007 - long before they were fashionable. Because QR Codes are so cheap to produce, there has always been a concern that attackers might print out their own codes and stick them over legitimate ones.
When I first wrote about QR Hijacking in 2011, I said that such attacks were usually easy to spot:
Recently, a new wave of QR Hijacking attacks has been reported in Bournemouth:
A further warning about fake QR codes on parking ticket machines has been issued after new stickers were found in numerous beach resort car parks. When scanned the codes go to a fraudulent website. Further warning over fake parking QR code scam - BBC News
Let's take a look at some photos of the attacks. Then I'll explain how to prevent them.
First up, this photo from Bournemouth, Christchurch and Poole Council's Facebook page:
These are pretty crappy attempts! The original code in the top right corner has been covered, which might fool some people. However, the replacement is poorly aligned and sized. The other code is sloppily placed in the middle of the text. It doesn't look convincing. While the codes may have looked legitimate when first stuck on, ten minutes in the English rain makes it apparent that they are paper forgeries.
And then there's this QR code randomly stuck on to a parking machine:
The URL it goes to is superficially convincing - fee-parking-pay.info - but let's take a closer look:
It has been inexpertly cut out, it is too large for the space provided, and is clearly stuck on. Rubbish!
Finally, there's this sticker found by Bournemouth Police:
This one is much harder to spot! It's about the right size and shape. It looks well aligned and the paper hasn't degraded. But do you notice what's printed above it? The official URL. And that leads me on to…
How to Prevent QR Code Hijacking
Putting QR codes behind a glass screen isn't always practical, and reflections in the glass can make it hard to scan a code. It's difficult to make a code physically inaccessible for a scammer while also making it easy to scan.
The number one thing to do is display the official URL nearby.
Every QR scanner that I know shows you the URL before opening the page. Every web browser shows you the full URL of the site you're on.
If someone scans a code which goes to totally-official-parking.biz but they can see the parking sign says pay4parking.gov.uk then they are much less likely to fall for the scam.
You can do fancy things like incorporate a logo into your QR, print it on a coloured background, or have people regularly check your codes for signs of tampering. Those might keep your users secure, but they can be bypassed by a sufficiently determined attacker.
A large printed URl isn't infallible, but it is much harder for an attacker to deface a large area of a poster than it is to cover a small QR square.
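The comparison a user makes between the URL their scanner shows and the URL printed on the sign can also be automated, for instance in a council's own parking app or a scanner with an allow-list. The following is an added example, not code from the original post: it takes the decoded QR content and the printed domain (the post's hypothetical pay4parking.gov.uk and totally-official-parking.biz are reused as sample values) and flags the usual disguises a fraudster uses to make a wrong domain look right: the printed domain appearing as a prefix of a longer attacker-controlled host, a `user@host` trick, Unicode look-alike characters (surfaced as punycode), a plain typo-squat, and a non-HTTPS scheme. The function names and the sample URLs are assumptions for illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit


def normalise_host(host: str) -> str:
    """Lower-case the host, drop a trailing dot, and convert it to IDNA ASCII so
    that Unicode look-alike characters surface as visible 'xn--' labels."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def check_scanned_url(scanned: str, printed_domain: str) -> tuple[bool, list[str]]:
    """Compare the content a QR scanner decoded against the domain printed on the sign.

    Returns (ok, reasons). ok is True only when the host is the printed domain
    (or a subdomain of it) and none of the common disguises are present.
    """
    expected = normalise_host(printed_domain)
    reasons: list[str] = []

    # Bare domains such as "pay4parking.gov.uk/pay" are common in QR codes;
    # give them a scheme so urlsplit treats the first part as the host.
    url = scanned.strip()
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)

    host = parts.hostname  # lower-cased, with any user@ and :port removed
    if not host:
        return False, ["decoded content has no host name"]
    host = normalise_host(host)

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")

    # "pay4parking.gov.uk@evil.biz": everything before '@' is a username,
    # and the browser will actually connect to the part after it.
    if parts.username is not None:
        reasons.append(f"URL contains user@host; the real host is {host!r}")

    # A punycode label means the host contained non-ASCII characters, which is
    # how a Cyrillic 'а' or 'р' is slipped into an otherwise familiar name.
    if "xn--" in host and "xn--" not in expected:
        reasons.append("host uses punycode (xn--), possible look-alike characters")

    if host != expected and not host.endswith("." + expected):
        msg = f"host {host!r} is not {expected!r}"
        # Catches "pay4parking.gov.uk.attacker.biz" and typo-squats such as
        # "pay4parking-gov.uk", which only resemble the printed domain.
        if expected in host or expected.split(".")[0] in host:
            msg += " (it only resembles the printed domain)"
        reasons.append(msg)

    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample inputs; the domains come from the post's own example.
    for sample in [
        "https://pay4parking.gov.uk/pay?loc=123",
        "https://totally-official-parking.biz/pay",
        "https://pay4parking.gov.uk.totally-official-parking.biz/",
        "https://pay4parking.gov.uk@totally-official-parking.biz/",
        "https://\u0440ay4parking.gov.uk/",  # Cyrillic 'р' in place of 'p'
    ]:
        print(sample, check_scanned_url(sample, "pay4parking.gov.uk"))
```

The match is suffix-based, so `anything.pay4parking.gov.uk` is accepted; that is only safe because the council controls every subdomain of the printed name. The check is deliberately strict in the other direction: it refuses to guess that a host which merely contains the printed domain is legitimate, which is exactly the judgement a user standing at the machine has to make by eye.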
As for what to do if you're worried about the legitimacy of these codes:
Anyone worried about paying online for parking can also pay by debit card/contactless or cash at a parking meter. BCP Council
Nicolas Friedli said on nicolasfriedli.ch:
People who provide QR codes can help make them safe and reliable. The responsibility does not rest solely on the users.
Nicolas Friedli says:
I wrote a post in French a while back.
The intro: QR code scams seem to be on the increase. The general media talk about them and give some advice, often to users. However, I believe that the effort to ensure security and reliability must also be made by the people who create the codes.
https://nicolasfriedli.ch/blog/conseils-qr-code/
Joker_vD says:
Of course, it requires the official authorities to be competent enough to not, e.g. move the web domains around for no particular reason and then instead of re-making the billboards opt to put stickers with corrected QR codes on them until the next fiscal year arrives.
Relatedly, anti-reflective glass coatings exist but are almost never used on... whatever those glass-sandwiched ad billboards are called.
More comments on Mastodon.