THE rise of Quick Response (QR) code scams is putting e-payment security in the spotlight.
By replacing legitimate merchants’ codes with malevolent copies, fraudsters can gain access to consumers’ data and even raid their bank accounts. This has sparked calls for authorities to do more to protect consumers.
According to Abang Caspian Abang Thairani, founder and chief executive officer of Caspian Technology, which develops mobile applications, the onus is on vendors and consumers to beat the scammers.
He says on the part of vendors, they need to check their QR codes regularly.
“This is because QR codes are placed in accessible locations for customers to scan.
“This will enable scammers to print out a QR code and replace it without vendors knowing about it.”
He says this is especially true if the QR code is meant for payment.
“Phishers can print and replace QR codes to redirect to their website and demand payment information.”
For anything that requires financial transaction, Abang Caspian says there should be a two-way validation system.
“This will strengthen the security of the payment process, hence making it hard for scammers to steal.”
He says it is vital for consumers to keep their financial and personal information safe.
“The rule of thumb is to never give your financial or personal information to people whom you are not sure of or doubtful email messages.
“Phishers use this information to send emails or SMSes to get more details about you.”
Abang Caspian advises the public to be wary of public QR codes.
It does not take much imagination to see how dangerous a QR code can be when displayed in public places, such as at train stations, airports, malls and shops.
Most people implicitly trust advertisements, and would never imagine a QR code scam happening to them.
“When a user takes a photo of a QR code, the link it stores is first displayed on the device’s screen.
“Cybercriminals use URL shortening services (such as bit.ly) to disguise the ultimate address stored in the QR code that may lead to a page with malware that steals the user’s credentials, or to a phishing site.”
Abang Caspian advises consumers to use reputable QR code scanners.
“You would never know if your QR code is bogus.”
According to Kaspersky Lab Southeast Asia general manager Sylvia Ng, QR code scams occur because not many people will suspect that someone can replace a code on an official advertisement displayed in a bank, on public transport, in a museum or other institution, or to scan for payment.
“Still, there have been many cases of malicious QR codes being neatly placed over legitimate ones. You have to be suspicious when scanning a code.
“What if the legitimate code has been replaced with a malicious one?
“Checking the links you are taken to may not sound fun and probably eliminates the convenience of the QRs to begin with.”
Ng says users can avoid becoming victims to QRishing (QR code-initiated phishing attacks) by following three simple steps:
ALWAYS be careful and attentive. Before scanning a QR code, make sure that it is not covering another code. If in doubt, do not scan the code.
IF after scanning the QR code, it opens up the app store or a website, make sure that the code has taken you to the place you wanted to go.
Check the links, publisher and details. Do not blindly install any application. Check the requested permission details.
If you are about to make a payment, make sure the QR code is generated by the company whose code and info you saw.
Where possible, set a limit per tran-saction.
IF you are using an Android device, install a trusted security solution that check sites for malicious content and downloaded software for malware. Android smart devices are highly targeted by malware writers.
Ng says Kaspersky has developed a QR Scanner app that checks every code it scanned.
“The app gives you quick, easy and safe access to websites, images and text.
“It lets you connect safely to WiFi and saves contact details from business cards in seconds without manual input.”
The app can be downloaded for free from the App Store and Google Play store.
‘No report of QR code scams’
THE Quick Response (QR) codes scam might be on the rise, but Malaysia is still unaffected.
When contacted, Federal Commercial Crimes Investigation Department deputy director (cyber crimes investigation/multimedia) Senior Assistant Commissioner Ahmad Noordin Ismail said there were no reported cases of such scams so far.
The scams came to light following news reports of such incidents in China.
In Guangdong province, about 90 million yuan (about RM56 million) has reportedly been stolen via these QR code scams.
In another incident in Foshan, policemen arrested a man on suspicion of pocketing 900,000 yuan through QR code frauds.
Barcode has data
QR is short for “Quick Response.” A QR code is a barcode that contains data that can be read by a phone’s camera. These codes, once scanned by your phone, can provide you with a URL, contact information, SMS or other links to information on your phone.
Unlike other barcodes that have to be sent to a database to retrieve information, QR codes are self-contained, hence, the “Quick Response”.
Most smartphones have a tool that allows them to download a QR code reader. Once you download a reader, the phone’s camera acts like a scanner, allowing it to “read” the barcode.
What you need
TO scan a Quick Response (QR) code, you need:
A phone or other mobile device with a camera and Internet access.
A QR code reader app installed on your device. Some phones come with one pre-installed. If not:
For smartphones — search for “qr” in your phone’s application store (App Store, Google Play store, Blacberry World app, etc.)
Other phones — text a picture of a QR code to 43588 or email it to email@example.com. You will get a reply with the URL.