Why QR Codes, Popular in Mobile Wallets, Are Coming Under Fire

QR codes, which are commonly used in mobile wallets to link to a consumer's payment account, can just as easily link to phishing sites, malware and other nasty surprises.

Last week, the People's Bank of China blocked plans by Tencent Holdings Ltd. and Alibaba Group Holding Ltd. to offer virtual credit cards and suspended the use of QR codes as a measure to regulate financial services and protect consumers.  The move may have been sudden, but it was not arbitrary.

Security holes have already been found in the way a lot of Android phones scan QR codes, says Paul Byrne, a quality engineer at Salesforce and a security expert.

An exploit was found recently that allowed a fraudster to get root access to a user's phone after they scanned a QR code, he says. With root access, a fraudster could install malware that takes over the phone and steals all of its stored data. This same security exploit was also used last year to take control of a Google Glass wearable computer.

"It really comes down to where the QR code is coming from…but as a consumer I cannot tell who the code claims it's from," Byrne says. Most consumers assume QR codes are safe, he says.

During DEF CON hacking conference a couple years ago, Byrne experimented with QR codes himself. He printed a bunch of the 2D barcodes on stickers. The codes weren't linked to any advertisement or website but he gave them out and stuck them on things.

"DEF CON is a place where they tell you it's not a good idea to bring a laptop or connect to rogue Wi-Fi networks," he says. "It's not a place you'd think you'd go and scan a random QR code." But many did, and based on this experience, getting an average consumer to scan an unfamiliar QR code would be effortless, he says.

QR codes indeed have security gaps, but "the risks are not significantly different from the risk associated with more traditional Web addresses today," says Julie Conroy, research director at the Aite Group.

"There have also been incidents where QR codes in public spots (on billboard advertisements, for example) have been overlaid with a sticker that takes the user to a malicious address," says Conroy. "This is not a highly scalable attack, but does highlight the vulnerabilities associated with these codes."

China's ban might have something to do with these vulnerabilities, since QR codes are being used increasingly by malware developers as a medium for attack.

But China has positioned the ban as temporary, so Conroy predicts the ban will be lifted once the central bank in China finishes its study.

"This seems to be a knee-jerk reaction by China's central bank in response to rising payment security concerns worldwide," says Jordan McKee, an analyst with Yankee Group. "I suspect the government will investigate the procedures of Alibaba and Tencent and lift the ban, permitted there are no blatant security flaws."

For payments, most QR-based methods don't transmit raw card data to the point of sale, McKee says. For example, LevelUp partnered with Braintree and instead uses tokens to reach card credentials stored in Braintree's secure servers. In LevelUp's implementation, it's the merchant who scans the QR code from the consumer's phone.

It's also possible for consumers to share their account data by exposing the QR code or bar code used in a mobile payment app. In 2011, a consumer named Jonathan Stark shared the bar code for his Starbucks card to allow anyone to spend from or reload the account. Starbucks was initially tolerant of this, but soon decided to cancel the card.