Earlier this year the Federal Trade Commission (FTC) issued a warning about the “growing abuse” of QR codes, and it is certainly the case that QR crime is growing. So given that today is the 50th anniversary of the first barcode transaction, perhaps we should start thinking about what will come next.
Golden Anniversary
Yes, it was fifty years ago today, on 26th June 1974, that the first swipe of a Universal Product Code (UPC) standard black-and-white striped barcode occurred at a Marsh’s Supermarket in Troy, Ohio. (It was for a 67-cent pack of Wrigley’s Juicy Fruit gum, by the way.)
Twenty years on from that, in 1994, Mr. Masahiro Hara got tired of having to scan six or seven barcodes on every box of parts that zoomed past him on the assembly line at the Toyota car parts factory where he worked. He couldn’t help but wonder why they were still using those limited-capacity 1970s barcodes when there was so much more data that needed to be read. After studying a game of Go, he came up with the two-dimensional barcodes that we now know as the QR Code.
Twenty years on again, in 2014, QR codes were being used for all sorts of things and Mr. Hara was awarded the European Inventor Awards “Popular Prize”, at which point he said that QR codes would likely only last about a decade before they were replaced by something more sophisticated.
Well, they haven’t been, and here we are in 2024, and QR codes are everywhere.
They are cheap, simple and convenient. But they have a big problem. Fraud.
(This is not a new problem, by the way. A decade ago I wrote that one of the issues with QR codes is that they have no security. Some years later I wrote an article pointing out that contactless ought to be safer than QR codes because the relevant standards included the ability to digitally-sign tags — although I did also note that no-one used it — whereas anyone could easily create bogus QR codes.)
The fraud problem surfaced as soon as QR codes entered the consumer mass market all around the world. I can remember reading in the South China Morning Post that in March 2017 some 90m Yuan were stolen via QR code scams in Guangdong alone — a suspect in one case was found to have replaced merchants’ legitimate bar codes with fake ones that embedded a virus to steal personal information — and that across China a quarter of viruses and trojans were coming in via QR, so I knew it was only a matter of time before we began to see the same problems everywhere.
The criminals are using QR codes for both online and offline fraud. In China, scammers have been caught placing fake parking tickets — complete with QR codes for easy mobile fine payment — on parked cars. In the Netherlands, a QR code scam exploited a legitimate feature within a mobile banking application to swindle the bank’s customers. In Germany, phony emails containing QR codes lured eBanking customers to malicious websites under the guise of reviewing privacy policy updates to their accounts. In Belgium (see picture above) they are being used to trick people using electric car charging stations. In the US (and the UK), criminals have been particularly active around car parks, pasting stickers of malicious QR codes onto car parking machines, fooling drivers into entering bank account or credit card details into a fake phishing site.
Time for Alternatives
So while QR codes are indeed convenient for making payments and more, they do pose serious security risks such as leading users to malicious websites or triggering unintended actions. What, then, should we use instead?
Contactless is a good choice for some things. Sitting at a restaurant table, tapping rather than scanning. Near-Field Communication (NFC) technology allows for quick and secure close-range communication between devices. Unlike QR codes, which can be scanned from a distance, NFC demands proximity, offering an added layer of security. NFC tags can be embedded in various objects and are increasingly used for contactless payments and access control, and the chips in these tags can support very sophisticated security measures.
There are other longer-range wireless options too, such as Bluetooth Low Energy (BLE) and Ultra Wide Band (UWB), that could also be used to send information to a consumer device, and it would be relatively simple to add cryptography and digital signatures so that phones could reject bogus connections.
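As an illustration of what such a check could look like (an added example, not code from the original article or from any NFC, BLE or UWB standard): the operator signs the payload with Ed25519 and the phone accepts it only if the signature verifies against a key it already trusts. The issuer id `parking-op`, the host `pay.parking.example`, the trust store and the payload layout are all hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed operator key pair; the phone holds only the public half.
const operator = nodeCrypto.generateKeyPairSync('ed25519');
// Hypothetical trust store on the phone: issuer id -> public key and registered host.
const TRUSTED = new Map([
  ['parking-op', { publicKey: operator.publicKey, host: 'pay.parking.example' }],
]);

// Issuer side: sign the exact bytes that will be broadcast or written to the tag.
function signPayload(privateKey, fields) {
  const body = Buffer.from(JSON.stringify(fields), 'utf8');
  const sig = nodeCrypto.sign(null, body, privateKey);
  return `${body.toString('base64url')}.${sig.toString('base64url')}`;
}

const reject = (reason) => ({ ok: false, reason });

// Phone side: the issuer id is read only to pick a key; no other field is
// used until the signature over the raw bytes has verified.
function verifyPayload(token, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 2) return reject('malformed');
  const body = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  let fields, host;
  try { fields = JSON.parse(body.toString('utf8')); } catch { return reject('malformed'); }
  const issuer = TRUSTED.get(fields?.iss);
  if (!issuer) return reject('unknown-issuer');
  if (!nodeCrypto.verify(null, body, issuer.publicKey, sig)) return reject('bad-signature');
  if (typeof fields.exp !== 'number' || fields.exp <= nowSeconds) return reject('expired');
  try { host = new URL(fields.url).host; } catch { return reject('bad-url'); }
  // A valid signature proves who issued the payload, not that the link is theirs.
  if (host !== issuer.host) return reject('host-mismatch');
  return { ok: true, url: fields.url };
}

// Constructed demo: a genuine payload, then the same signature over an altered link.
function demo(now = 1700000000) {
  const fields = { iss: 'parking-op', url: 'https://pay.parking.example/bay/12', exp: now + 3600 };
  const good = signPayload(operator.privateKey, fields);
  const altered = Buffer.from(JSON.stringify({ ...fields, url: 'https://pay.parking.example.evil.example/' }))
    .toString('base64url');
  return [verifyPayload(good, now), verifyPayload(`${altered}.${good.split('.')[1]}`, now)];
}
```

A signature of this kind stops altered and self-issued payloads, but a genuine payload copied to another location still verifies, which is why the expiry and host checks sit alongside it.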
At longer range, one might imagine digital watermarks embedded in images or videos could be used to transmit information. These are less visible and more difficult to tamper with than QR codes.
A bit further downstream, however, we might find ourselves using smart glasses that can recognise what we are looking at and offer up a selection of appropriate options: if I’m looking at a poster advertising a forthcoming Hawkwind concert on the Tube, then there would be no need for me to scan a QR code because my smart glasses should be able to read the poster and go online to the relevant booking site automatically. From there it is a short step to Augmented Reality (AR) where the infrastructure itself adds interactivity and security, where users can interact with dynamic content that is more challenging to replicate or alter maliciously.
Fintech Priority
That is actually where Mr. Hara thought we would be in 2024. As I write I am sitting in a train carriage and there is an advertisement for some form of fast food on the end wall. The advertisement sports a QR code. But surely a smart phone (as Mr. Hara reasoned) should be able to read the advertisement and give me the option of seeing where the nearest outlet is or what the special offers are today. My iPhone can already recognise text, so it wouldn’t seem that much of a stretch to get it to pull out URLs automatically and display them so that you can see where you are going to.
As these technologies mature, they are likely to become more widespread and potentially replace or augment QR codes first in applications where higher security is required, such as payments and other financial services. While QR codes are likely to remain in use for many cases due to their familiarity and ease of implementation, we in the fintech world really should be planning to roll out more secure alternatives as a priority.
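A sketch of that "show me where I am going" step, as an added example rather than anything from the original article or from a phone vendor's scanner: it takes the text decoded from a code or recognised on a poster, separates web links from payloads that trigger an action, and reports the host the link really leads to along with the traits that commonly hide it. The warning names and the sample scans are constructed.

```javascript
// Turn a decoded scan (QR payload or recognised text) into something a user can judge.
function previewPayload(text) {
  let url;
  try {
    url = new URL(text.trim());
  } catch {
    return { kind: 'text', warnings: [] }; // no scheme, so nothing will be opened
  }
  const scheme = url.protocol.slice(0, -1);
  if (scheme !== 'http' && scheme !== 'https') {
    // tel:, sms:, wifi: and app deep links trigger an action rather than a page.
    return { kind: 'action', scheme, warnings: ['non-web-scheme'] };
  }
  const warnings = [];
  const host = url.hostname; // lower-cased and punycode-encoded by the URL parser
  if (scheme === 'http') warnings.push('plain-http');
  // Anything before "@" is a username, not the site: a common way to disguise a link.
  if (url.username || url.password) warnings.push('userinfo');
  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(host) || host.startsWith('[')) warnings.push('ip-literal');
  // Internationalised labels can imitate another name with look-alike letters.
  if (host.split('.').some((label) => label.startsWith('xn--'))) warnings.push('punycode');
  if (url.port) warnings.push('non-default-port');
  return { kind: 'web', host, display: `${scheme}://${host}`, warnings };
}

// Constructed sample scans, not taken from any real incident.
const SAMPLE_SCANS = [
  'https://pay.parking.example/bay/12',
  'https://pay.parking.example@203.0.113.9/bay/12',
  'http://p\u0430yments.example/', // Cyrillic "а" in place of Latin "a"
  'tel:+15555550100',
  'WIFI:S:guest;T:WPA;P:constructed;;',
  'Table 12',
];

function previewAll() {
  return SAMPLE_SCANS.map(previewPayload);
}
```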