QR codes are a highly convenient way to link a physical object to a URL. Point your phone’s camera at the 2D barcode and you’re instantly taken to a website.
That’s something which can have security consequences, as mobile guru Terence Eden explains.
Recently, Islington Council in London has partnered with Verrus to bring mobile phone payments to car parking.
It’s a really simple way to improve paying for parking – but it does leave open some fairly serious security risks.
The QR codes being used by Islington Council are fairly clearly displayed on the side of the parking meters – but there is no printed call to action.
Which raises the question – what does scanning the code do?
From a practical point of view, would anyone scanning the code know that it allowed them to pay with their phone?
From a security point of view, does the QR code belong to the parking company? Could someone malicious have stuck this code onto the machine?
Unfortunately, there is a problem with the QR code that rang instant alarm bells in my mind.
I spotted instantly that it isn’t using an HTTPS URL:
For a site which asks for a password – and later for credit card details – that seems like a worrying oversight, and isn’t going to instill confidence.
In fairness, the site does automatically redirect to the SSL version – but why leave that out of the QR code?
After scanning the code with their mobile phone, this is what the first time user sees:
One thing to note is that most mobile phones won’t display the full URL, unless they are in landscape mode.
The URL on display could easily be:
If you’ve never used the system before, you need to register on this screen:
It is, in my opinion, a very poor idea to require someone to type their credit card number into a phone.
- What if there’s a gang of vicious hoodies waiting to snatch credit cards from unsuspecting users as they get them out on the street?
- Is this really a legitimate site? There is no way of knowing, and the switch in branding between “paybyphone” or “PayByPhone” just makes things more confusing and suspicious.
The main way of attacking a QR code is to change it. In this case, all it would take would be a large sticker placed on the car parking notice to successfully redirect the user.
In the most mundane case, an attacker could ask the user to visit a malicious website which collects their login details – or worse, their credit card number.
However, a QR code can also be used to point to a premium rate phone number or premium rate SMS. Both could look “legitimate” when placed near a parking meter. A simple and effective way to deprive a victim of their money.
QR code hijacking is very rare – but here are a few practical tips for securing a QR code payment service.
- Include signage telling the user what the code does. Otherwise the user has no way of knowing if the code should point to a URL, phone number, or SMS.
- Print the URL near to the code. This way if the code is hijacked and pointed to http://evilsite.xxx/ the user can see they’re not visiting the correct site.
- Include https in the URL. Get users used to checking for https before they interact with you.
- If possible, use a short domain. Not only will it reduce the size of the QR code, it will give your users confidence if they can see the full domain in their phone’s URL bar.
- Don’t ask a user to get their credit card out on a busy street. Use a mobile payment solution which charges to the user’s phone bill or deducts it from their credit.
QR codes provide a brand new way for people to interact with your service. Make sure that what you offer them is simple, satisfying, and secure.