PaymentsJournal

QR Codes: Safe in Manufacturing, Maybe Not So Safe in Credit Cards

By Brian Riley
September 4, 2019
in Analysts Coverage, Credit

QR codes found their way into the payments ecosystem by accident, with the first application intended for manufacturing, followed by Asian innovation that stretched the technology into a low-cost tool to exchange data between merchant and consumer.

The technology works globally: I can verify that it works fine even in sunny Florida, at Walmart. When in the check-out lane, you will find a QR code on the acceptance terminal. Connect to your Walmart Pay app, and you settle without further card interaction. It primarily works the same way in China, India, and Mexico. Similarly, the location does not need to be the world’s largest retailer. It can work on a fishing dock, at a bodega, or small online merchant.

An interesting story appeared in a newsletter published by Sophos, a billion-dollar IT security firm based in the U.K. The firm cites a conversation with Masahiro Hara, the Japanese engineer who created the code. According to the article, Mr. Hara believes the success of the QR code in payments may lead to its demise.

  • Hara is a little spooked by all these new uses for a design that originally just helped with production control in manufacturing plants. In a Tokyo interview in early August, he reportedly said:
  • Now that it’s used for payments, I feel a sense of responsibility to make it more secure.
  • He’s right to be concerned. Attackers could compromise people in various ways using QR codes.

Reports on fraud are anecdotal, but they do exist. One risk has to do with QRLjacking, where the application is redirected.

  • One example is QRLjacking. Listed as an attack vector by the Open Web Application Security Project (OWASP), this attack is possible when someone uses a QR code as a one-time password, displaying it on a screen. The organization (sic) warns that an attacker could clone the QR code from a legitimate site to a phishing site and then send it to the victim.
  • Another worry is counterfeit QR codes. Criminals can place their own QR codes over legitimate ones. Instead of directing the user’s smartphone to the intended marketing or special offer page, the fake code could take users to phishing websites or those that then deliver JavaScript-based malware.
  • They could also exploit the growing use of QR codes for payments. A fraudster could replace a QR code taking people to a legitimate payment address with their own fake payment URL.

The suggestion is not to kill QR codes, but to tighten security.

  • The QR code contains a URL which logs them into the app. There are also several encrypted QR code login systems now in production.
  • Another proposal embeds digital signature information into the code to confirm its authenticity but uses more of the code’s available space for the extra data.
  • These are all great ideas, and perhaps Hara has some more. But he’d better move fast. As QR codes catch on, the widely deployed design will become increasingly difficult to change.
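The signature proposal in the list above, sketched as an added example that is not code from the article, Sophos, or any QR standard: a payment payload carries an authenticity tag, the scanner rejects a code whose payee was swapped or that carries no tag, and the tag's cost in characters is measured. Assumptions: HMAC-SHA256 with a shared key stands in for the public-key signature a real deployment would use (the Python standard library has no asymmetric signing), and the `|sig=` delimiter, key, and URLs are constructed for illustration.

```python
import base64
import hashlib
import hmac

SEP = "|sig="  # hypothetical delimiter between payload and tag
KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
GENUINE = "https://pay.example/merchant/1001?amount=12.50"  # constructed URL


def _tag(payload: str, key: bytes) -> bytes:
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()


def sign_qr_payload(payload: str, key: bytes) -> str:
    """Return the text to encode in the QR code: payload plus base64url tag."""
    b64 = base64.urlsafe_b64encode(_tag(payload, key)).rstrip(b"=")
    return f"{payload}{SEP}{b64.decode('ascii')}"


def verify_qr_payload(scanned: str, key: bytes):
    """Return the payload if its tag checks out, otherwise None."""
    payload, sep, b64 = scanned.rpartition(SEP)
    if not sep:
        return None  # unsigned code, e.g. a sticker placed over the original
    try:
        tag = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return None  # malformed tag
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return payload if hmac.compare_digest(tag, _tag(payload, key)) else None


def overhead_chars(payload: str, key: bytes) -> int:
    """Extra characters the tag adds to the encoded data."""
    return len(sign_qr_payload(payload, key)) - len(payload)


SIGNED = sign_qr_payload(GENUINE, KEY)
# Payee swapped but the old tag kept, as a counterfeit overlay would do.
SWAPPED = SIGNED.replace("merchant/1001", "merchant/6666")
UNSIGNED = "https://pay.example/merchant/6666?amount=12.50"

if __name__ == "__main__":
    for label, code in (("genuine", SIGNED), ("swapped", SWAPPED),
                        ("unsigned", UNSIGNED)):
        print(label, "->", verify_qr_payload(code, KEY))
    print("tag overhead:", overhead_chars(GENUINE, KEY), "characters")
```

The added characters are fixed regardless of payload length, so short payment URLs roughly double in size, which is the space trade-off the proposal mentions.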

A forward-thinking strategy at EMVCo, the network-owned industry body, put standards into place for payments in 2017. This was a significant first step and has been endorsed by many regulatory groups, such as China and Industry. It should be considered a step, because there is plenty to learn as QR codes take on a life of their own.

Overview by Brian Riley, Director, Credit Advisory Service at Mercator Advisory Group
