QR Codes Compromised By Stickers

Criminals have realized that QR codes are not human readable and are taking advantage. Shocking, isn't it? From The Register:

Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites.

It's extremely simple to print a sticker pointing to a bogus URL and stick it over an existing billboard in a public place. A casual user scans the QR code and, instead of going to the intended location, lands on a malicious website. Of course we could require SSL for QR codes, which adds some overhead to creating them (you need an SSL cert), but that still wouldn't fix the problem: the attacker can get a certificate for their own domain just as easily, and the user still has no way of telling which domain they are about to visit.

Humans need to be able to understand their own decision-making process. A human pointing a phone at a QR code is a human deciding to do something unknown. That's the problem. You can't combine "decision" and "unknown" and reliably get a good outcome.
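The only fix that addresses the "unknown" part is to show the human what the code would actually do before doing it. The following is an added example, not code from the original post: it takes the string a scanner app has already decoded (the image decoding itself is out of scope) and turns it into the one line a scanner should display before opening anything. The sample payloads and the heuristics (cleartext scheme, credentials before an `@`, IP-literal host, punycode host) are constructed for this example.

```python
"""Surface what a decoded QR payload would actually do before acting on it.

Added example, not from the original post. It starts from the string a
scanner app has already decoded; the heuristics and sample payloads are
constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List
from urllib.parse import urlsplit

# Constructed payloads, as a scanner app would hand them over.
SAMPLE_PAYLOADS = [
    "https://www.example.com/summer-promo",        # plain, as advertised
    "http://promo.example.net/",                   # sticker with a cleartext host
    "https://www.example.com@198.51.100.7/login",  # credentials-before-'@' trick
    "https://xn--exmple-cua.com/",                 # look-alike via an IDN host
    "tel:+15551234567",                            # not a web URL at all
]


@dataclass
class Verdict:
    payload: str
    kind: str                      # "url" or "other"
    scheme: str = ""
    host: str = ""
    warnings: List[str] = field(default_factory=list)

    def prompt(self) -> str:
        """The line a scanner should show before it opens anything."""
        if self.kind != "url":
            return f"Non-web payload ({self.scheme or 'unknown'}): {self.payload!r}"
        flags = "; ".join(self.warnings) or "no warnings"
        return f"Open {self.scheme}://{self.host} ? ({flags})"


def inspect_payload(payload: str) -> Verdict:
    """Classify a decoded payload and collect human-readable warnings."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return Verdict(payload, "other", scheme=parts.scheme)

    host = parts.hostname or ""  # hostname strips userinfo and port, lowercases
    v = Verdict(payload, "url", scheme=parts.scheme, host=host)

    if parts.scheme != "https":
        v.warnings.append("not HTTPS")
    if not host:
        v.warnings.append("no host")
    if parts.username is not None:
        # Everything before '@' is credentials, not the destination.
        v.warnings.append(f"text before '@' ({parts.username!r}) is not the host")
    try:
        ip_address(host)
        v.warnings.append("host is an IP literal")
    except ValueError:
        pass  # a normal DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown = host
        v.warnings.append(f"internationalized host, displays as {shown!r}")
    return v


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(inspect_payload(p).prompt())
```

Note what the check cannot do: `https://evil.example/` comes back with no warnings at all, which is exactly the point about requiring SSL. A certificate only proves you are talking to whoever owns that host; the human still has to compare the displayed host with what the poster claims, and the prompt exists to make that comparison possible.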

QR Codes Suck

WTF QR Codes might be my new favorite blog, at least for the past 2 days it has been.

Anyone who thought QR codes had a chance in hell of catching on meets the following two criteria:

  • Doesn't understand the very basics of how humans prefer to interact with technology.
  • Is too much of a computer n00b to remember the CueCat.

Oh look, a cryptic spot of contrasting pigment! Let me take out my phone and browse to an app I pre-downloaded specifically for this purpose, in case I ever ran across such a marking. Now I'll point and focus at this spot, universally found in an awkward position, and try to take a picture. I'll likely need to try more than once due to lighting, focus, obstructions (common for billboards, moving trains, cars) and the code not being a large enough portion of the picture for my phone to decode it. Once I succeed at this magic act, I'll be taken to a mystery site that could just be malware (it does exist for phones), or perhaps a legit site.

Amazingly someone went through this use case, and thought it was a brilliant idea.

Bonus: They did this years ago when cell phone cameras were much worse than they are today.

But seriously, it was a bad idea (or a really good prank). Let's just laugh about it and move on.

Google Open Sesame

Google quietly put up a new login method via QR code. Essentially the way it works is that a QR code is displayed on a computer or tablet. You then scan it with your smartphone, which opens the encoded URL and logs in via the phone's browser. That process remotely validates the session, and the computer can then access your account until you log out, eliminating the need to enter a password on that computer.

Presumably the idea is to work around keyloggers that may record passwords. However, if you don't trust a computer enough to type a password on it, do you really trust that it's not watching everything else you do? The password stays on the phone, but the session that results still lives on the untrusted computer. If the computer's hardware or software is compromised, not even SSL will save you. This might be better, but I'd think only marginally so. I personally just make a rule of not using computers I don't trust. Given that I have a smartphone in my pocket, this is pretty easy to live by these days. Given that computers are getting smaller and cheaper, I question whether encouraging the use of shady terminals is worthwhile.

Regardless, pretty innovative and clever.
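To make the trade-off concrete, here is an added model of that kind of handoff. It is not Google's code and not taken from the post: the server, the `accounts.example` URL, the 120 second code lifetime and the user table are all assumptions made for the example. The untrusted computer only ever sees the login URL it displays and the session it gets back; the password is typed on the phone alone. The example also covers the details such a flow needs (random single-use codes, expiry, rejection of unauthenticated approvals), and its result shows exactly what the post's objection is about: the password never touches the computer, but the session cookie does.

```python
"""Model of a QR-code login handoff.

Added example, not Google's code and not from the original post: the
server, its URL, the lifetime and the user table are assumptions. The
image itself is out of scope; the QR code would carry the URL returned
by begin_login().
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL_SECONDS = 120.0  # assumed lifetime of an unclaimed login code

# Constructed user table; a real system would store password hashes.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class PendingLogin:
    created: float
    approved_by: Optional[str] = None


class LoginServer:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.pending: Dict[str, PendingLogin] = {}
        self.phone_sessions: Dict[str, str] = {}  # phone cookie -> user
        self.sessions: Dict[str, str] = {}        # computer cookie -> user

    # The phone logs in normally; the password is typed only there.
    def login_phone(self, user: str, password: str) -> Optional[str]:
        expected = USERS.get(user, "").encode()
        if not secrets.compare_digest(expected, password.encode()):
            return None
        cookie = secrets.token_urlsafe(32)
        self.phone_sessions[cookie] = user
        return cookie

    # Step 1: the untrusted computer asks for a login URL and shows it as a QR.
    def begin_login(self) -> str:
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingLogin(created=self.clock())
        return f"https://accounts.example/qr-login?t={token}"

    @staticmethod
    def _token(url: str) -> str:
        return parse_qs(urlsplit(url).query).get("t", [""])[0]

    # Step 2: the phone scans the QR and opens the URL with its own cookie.
    def approve(self, url: str, phone_cookie: str) -> bool:
        user = self.phone_sessions.get(phone_cookie)
        token = self._token(url)
        entry = self.pending.get(token)
        if user is None or entry is None or entry.approved_by is not None:
            return False
        if self.clock() - entry.created > TOKEN_TTL_SECONDS:
            del self.pending[token]  # stale code: throw it away
            return False
        entry.approved_by = user
        return True

    # Step 3: the computer polls; once approved, the code becomes a session.
    def redeem(self, url: str) -> Optional[str]:
        token = self._token(url)
        entry = self.pending.get(token)
        if entry is None or entry.approved_by is None:
            return None
        del self.pending[token]  # single use: a second redeem gets nothing
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = entry.approved_by
        return cookie


class FakeClock:
    """Controllable clock so the walkthrough and expiry check are deterministic."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def run_handoff() -> dict:
    """Walk one login through the flow and record what the computer saw."""
    clock = FakeClock()
    server = LoginServer(clock)
    phone_cookie = server.login_phone("alice", USERS["alice"])
    url = server.begin_login()           # displayed on the untrusted computer
    seen_by_computer = [url]
    before = server.redeem(url)          # nothing yet: not approved
    approved = server.approve(url, phone_cookie)
    clock.now += 5.0
    cookie = server.redeem(url)
    seen_by_computer.append(cookie or "")
    return {
        "redeem_before_approval": before,
        "approved": approved,
        "session_user": server.sessions.get(cookie or ""),
        "redeem_twice": server.redeem(url),
        "password_seen_by_computer": any(USERS["alice"] in s for s in seen_by_computer),
        "session_cookie_on_computer": cookie in seen_by_computer,
    }


if __name__ == "__main__":
    for key, value in run_handoff().items():
        print(f"{key}: {value}")
```

The design choice worth noting is in `approve`: the server binds the pending code to whichever account the phone's cookie belongs to, so the computer never learns the account until it redeems the code, and a code that was never shown to a logged-in phone is worthless to whoever printed it. None of that changes the last line of the result, which is the post's point: a keylogger on the computer gets no password, but anything else watching that machine has the session.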