Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.
September 10, 2012
The Trouble with QR Codes
You've seen them, those funny-looking little squares. Like tribbles, "quick response" (QR) codes are everywhere—and, like tribbles, they seem to be propagating. You see them on billboards, magazines, real estate sale signs, and product packaging. QR codes are even being used for retail payments, as we discussed in an earlier Portals and Rails post. But like tribbles, the very fact of their ubiquity is creating a big challenge for those agencies and individuals concerned with consumer fraud protection.
Consider the findings from digital media company ComScore, which reports that in June 2011 alone, 14 million U.S. consumers scanned QR codes on their mobile phones. Nearly 50 percent of these were scanned from a printed magazine or newspaper.
The real problem with this large number of QR code scans is that consumers have no way to detect the presence of malware in the code before it is too late.
"Something you should be careful with"
A report by AVG Threat Labs describes a number of cyber threats and exposure methods, including from QR codes: "Today QR symbols are showing on almost any ad you find on the street, at a conference or even online. Mobile users can simply scan the QR symbol using software on their mobile device and have their device transform it into meaningful information." However, the report also notes that QR codes can hide messages and URLs. They liken the execution of QRs to running unknown executables on a computer. The report continues: "Executing an unknown pattern of symbols on your trusted mobile or computer is something you should be careful with."
To illustrate this point, the report authors included this QR code with a hidden message for the reader to scan and discover what's behind the dots.
Here's a hint. If you can't—or, perhaps wisely, won't—scan this QR code, the message is simply a caveat for scanning QR codes.
So how do businesses and consumers find protection from this new cyber-attack vector? Education and threat awareness by security professionals are key components of risk mitigation, as with all social engineering schemes. Standardization in code development may also provide safeguards against embedded malware, while also providing assurance to the user that the code comes from a trusted source.
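One concrete safeguard a scanning app can offer is a preview that shows what a decoded QR payload would do and flags the risky cases before the user taps through. The Python below is an added example, not code from the original post or from AVG Threat Labs; the action-scheme and shortener lists are constructed for illustration and are not exhaustive.

```python
"""Triage a decoded QR payload before acting on it (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Schemes that trigger a device action (dial, text, install) rather than show a page.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "market", "intent", "javascript"}
# Constructed list of common URL shorteners: they hide the real destination.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}


def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded payload and return the warnings a scanner should show
    before following a link or triggering an action."""
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    warnings = []

    if scheme in ACTION_SCHEMES:
        return {"type": "action", "scheme": scheme,
                "warnings": [f"'{scheme}:' payload triggers a device action, not a web page"]}
    if scheme not in ("http", "https"):
        # Free text, WiFi configs, vCards: nothing to follow, show as plain text.
        return {"type": "text", "scheme": scheme, "warnings": warnings}

    host = parts.hostname or ""
    if scheme == "http":
        warnings.append("unencrypted http:// link")
    if parts.username or parts.password:
        warnings.append("credentials embedded before the host (lookalike-URL trick)")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode (internationalized) host: check for lookalike characters")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the real destination")
    if re.search(r"\.(apk|exe|ipa|zip)(\?|$)", parts.path, re.I):
        warnings.append("link points directly at an installable or executable file")
    return {"type": "url", "scheme": scheme, "host": host, "warnings": warnings}
```

A scanner that refuses to auto-open anything with a non-empty warnings list, and instead shows the host and the warnings, gives the user the "look before you run" moment the AVG report calls for.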
Incidentally, the ease of using QR codes is prompting the payment industry to consider them as a way to facilitate electronic bill payment programs, as recently proposed by NACHA's Council for Electronic Billing and Payment. The group is seeking feedback on proposed guidance for clear industry standards to minimize complexity and ease market adoption.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum