What can service providers and identity providers do to control the risks?
Published: 9 December 2019
QR code fraud is a hot issue. The police and Fraud Helpdesk are amongst those warning that QR code login systems are vulnerable to fraud. So, what can service providers and identity providers do to control the risks?
Author: Mert Aybat, Senior Software Developer at Connectis
According to press coverage earlier this year, Fraud Helpdesk and the East Netherlands Police receive dozens of reports a week about frauds perpetrated using QR codes. In many cases, the victims have lost large sums of money. One common scam involves a fraudster offering to buy goods on Marktplaats (a selling platform like eBay).
The fraudster agrees to pay the seller’s asking price, and all the seller has to do is scan a QR code with their mobile banking app. The fraudster tells the seller that scanning the code will ensure that the payment goes to the right account. However, by scanning the code, the seller is actually giving the fraudster access to their mobile payment environment.
The ‘parking scam’ – for which two men from Rotterdam were arrested earlier this year – works in a similar way. Waiting by a parking payment meter, a scammer asks someone who is parking their car for help. ‘The machine doesn’t accept cash, but cash is all I’ve got,’ the scammer says. ‘If I give you five euros in cash, can you scan this QR code to credit five euros to my account?’ Again, what the victim is really doing by scanning the code is giving the scammer access to their bank account.
The technical name for the scam is Quick Response Code Login Jacking, or QRLJacking for short. The Open Web Application Security Project (OWASP) has been flagging up the threat for several years. What a QRLJacker does is set up a session with, say, a bank, copy the QR login code, put the code on a scam website and trick victims into visiting.
When a victim scans the copied code with a mobile app, their phone sends sensitive data about the user’s identity to a central server. The server then sends a notification to the browser session, as during a conventional QR code login. In the scam scenario, however, the receiving browser session is the hacker’s. The hacker can then use the stolen data to log in as the victim.
QRLJacking’s success is down to a number of factors. The tools for automating the copy-paste-trick process are widely available, so preparing a scam is easy. Another factor is that the threshold to using a QR code is very low. Most people won’t easily be tricked into entering a user name and password. But scanning a QR code only takes a moment, and many people will do it with barely a second thought for the implications.
Unfortunately, it’s hard to completely exclude the possibility of QRLJacking. There are, however, a number of things that service providers and identity providers can do to reduce the risks when implementing QR code login:
1. Tell users about the risks
Users are increasingly aware of the need to make sure that scammers don’t get hold of their user names and passwords. But many people don’t realise that a QR code can provide access to sensitive data. So it’s important to promote awareness. For example, a warning displayed whenever a QR login is started can help.
2. Enable location checking
With QRLJacking, the geographical locations of phone and browser session are usually different. The phone user will typically be where you’d expect (the Netherlands in our case), while the browser session will be wherever the scammer is based. That could be as far away as China. Mobile apps can be programmed to detect suspicious geographical separations.
3. Enforce same network login
If the phone and browser session locations are consistent, it doesn’t follow that all must be well, because a scammer can fake their location. So another approach is to require the phone and the device running the browser session to be connected to the same network. Then, if the phone is connected to a 4G mobile network, but the laptop (or other device) is using Wi-Fi, the login will fail.
4. Limit QR code validity periods
Another useful tactic is to limit the validity of QR codes to, say, ten seconds. A copied code then becomes unusable quite quickly. However, like the other precautions, this approach isn’t a sure-fire way of preventing abuse. A scammer can get around it by continuously refreshing the displayed QR code, again using ready-made tooling.
5. Use QR codes only for multifactor logins
If there’s one conclusion we can draw, it is perhaps that QR code logins can’t be bullet-proofed. We are apparently looking at a login technology that’s broken by design. My main recommendation is therefore that a QR code should never be used as a standalone login. However, it can reasonably serve as a second authentication factor in a set-up where the user has already entered a user name and password. Another sound precaution is to accept QR code logins only from ‘known’ devices, i.e. devices that have previously been linked to the user.
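As an added example (not code from Connectis or from this post), here is a minimal Python verifier for the callback a phone app sends after scanning a code, applying recommendations 2 to 5 above in one place: the `QrLoginSession` and `ScanAttempt` types, the use of public-IP equality as a stand-in for ‘same network’, and the country field from a hypothetical geo lookup are all assumptions.

```python
import secrets
import time
from dataclasses import dataclass

QR_TTL_SECONDS = 10  # recommendation 4: a code is only valid for a short window


@dataclass
class QrLoginSession:
    """One QR login challenge shown in a browser session (assumed model)."""
    nonce: str               # random value encoded in the QR image
    created_at: float        # time the code was issued
    browser_ip: str          # public IP of the browser that requested the code
    browser_country: str     # result of a hypothetical geo lookup on that IP
    password_verified: bool  # recommendation 5: primary factor already passed


@dataclass
class ScanAttempt:
    """What the phone app reports back after scanning (assumed model)."""
    nonce: str
    phone_ip: str
    phone_country: str
    device_id: str


def new_session(browser_ip, browser_country, password_verified, now=None):
    """Issue a fresh challenge for a browser session."""
    now = now if now is not None else time.time()
    return QrLoginSession(secrets.token_urlsafe(16), now, browser_ip, browser_country, password_verified)


def check_scan(session, scan, known_devices, now=None):
    """Return (accepted, reason). Each rejection maps to one recommendation in the post."""
    now = now if now is not None else time.time()
    if scan.nonce != session.nonce:
        return False, "unknown code"
    if now - session.created_at > QR_TTL_SECONDS:
        return False, "code expired"                                   # 4. validity period
    if not session.password_verified:
        return False, "QR is a second factor only"                     # 5. never standalone
    if scan.device_id not in known_devices:
        return False, "unknown device"                                 # 5. known devices only
    if scan.phone_country != session.browser_country:
        return False, "phone and browser in different countries"       # 2. location check
    # 3. same network: public-IP equality is a simplification (carrier NAT can blur it)
    if scan.phone_ip != session.browser_ip:
        return False, "phone and browser not on the same network"
    return True, "ok"
```

The hijacked case in the post (victim’s phone at home, scammer’s browser abroad) fails the country check; a scammer who spoofs the location still fails the network check unless their browser shares the victim’s public IP.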