A quarter of US merchants are adding or planning to offer QR payments in the next three years, with a slightly higher proportion of UK merchants following the same trend. But the spread of QR codes in retail is not only about payments. More than 80% of retailers believe offering QR code scanning for product-level information is key to driving customer loyalty and, as I know nothing about retailing, I assume they are right. But this may be the wrong technology for the job.
Barcodes to QR Codes
When it comes to providing consumers with more information about products, the major UK supermarkets – including Tesco, Morrisons and Ocado – are already trialling QR codes on items such as milk and water bottles. I understand why they are doing this: consumers increasingly demand more detailed information about the products they buy. Three quarters of UK consumers say that they consider product information important when making purchases and almost two-thirds say they are willing to spend more on products with detailed information. This is why the familiar linear barcode will in time be phased out in favour of QR codes, which can carry so much more information. It is no surprise to me that a survey of UK retail executives found that 41% believe QR codes will replace barcodes entirely within five years.
Now, however, imagine what might happen when every milk carton has a code and the scammers put their own stickers on them! If that sounds improbable, note that QR codes are a magnet for fraudsters as well as marketeers. QR codes used this way have no security at all – anyone can generate a QR code and stick it on a carton of milk, a car park sign or a bank advert on the subway, and the phone that scans it has no way to tell the sticker from the original. It is no exaggeration to say that every single day I see stories from around the world about the spread of QR-based crime.
(To give just one example, I recently read about Indian fraudsters who went out at night to paste their own QR codes over the codes outside shops, diverting the payments meant for the shopkeepers into their own accounts!)
The fact is that there have been concerns about QR code security for years. They are now a common feature of retailing and marketing, changing the way businesses engage with consumers and offering convenience and efficiency, but as their use has surged, so have concerns about their security.
Given these concerns, it seems to me that deploying QR codes into even more places and encouraging the public to scan them – without implementing any form of digital signature or other security infrastructure – will absolutely guarantee an increase in fraud. You don't have to be psychic to predict this, because we've already seen it happen around the world, where criminals are using the codes for both online and offline fraud:
- In China, scammers have been caught placing fake parking tickets – complete with QR codes for easy mobile fine payment – on parked cars;
- In Spain, the Organisation of Consumers and Users (OCU) has just issued a warning about fake QR codes at electric vehicle charging stations;
- In the Netherlands, a QR code scam exploited a legitimate feature within a mobile banking application to swindle the bank's customers;
- In Germany, phoney emails containing QR codes lured eBanking customers to malicious websites under the guise of reviewing privacy policy updates to their accounts. Banks such as Santander and HSBC have joined the UK National Cyber Security Centre and the US Federal Trade Commission (FTC) in sounding the alarm about this kind of threat, where criminals send a QR code in a PDF attached to an email: the link is hidden inside an image rather than in the message text, so the link-scanning defences that corporate email gateways rely on never see it;
- In the US (and the UK), criminals have been particularly active around car parks, pasting stickers of malicious QR codes onto parking machines and fooling drivers into entering bank account or credit card details into a phishing site.
Regulators have been warning consumers that QR code phishing scams – also known as "quishing" – are slipping through corporate cyber defences and increasingly tricking customers into giving up their financial details. These scams are effective because the codes cannot be read by people: the consumer who scans a code cannot see where it leads until the phone has already decoded it, and a shortened or redirecting link hides the real destination even then. Despite the regulators' warnings, QR code scams now account for more than a fifth of all online scams. The scamming has got so out of control that when I went to park my car a few days ago, I discovered that QR codes are no longer even accepted!
The real issue, though, is this: why bother with QR codes at all? QR codes should be phased out, not spread over every conceivable surface in every imaginable public place! A decade ago, when the inventor of the QR code, Mr. Masahiro Hara, was awarded a European inventor's prize, he actually predicted that QR codes would be replaced around now. His reasoning, which was impeccable, was that advances in mobile phone cameras and AI would mean that you no longer needed the codes because smartphones could recognise objects and read the labels for themselves. Spot on.
If you look at the parking example here, it seems to me that my iPhone is more than capable of understanding the parking charges (probably better than I can: this is a Sunday, but it is after 6pm, and I will be leaving before midnight, so do I pay or not?) and paying for the parking itself without either bothering me or needing a QR code. The iPhone knows where it is, it knows what time it is, it can read the parking notice to understand the charges (or go online and get them from somewhere) and it can see my calendar, so it knows I am going to dinner and needs to book three hours of parking, or whatever. This is a better, more fraud-resistant approach to the problem of getting the information needed to make a transaction.
Why Use QR Codes At All?
Look, I know that many people have devised secure QR codes with digital signatures, but those are not what is being used in the mass market. The QR codes on milk cartons are there to be read by anyone with a camera phone and, as far as I am aware, neither Apple's iOS nor Google's Android has a mechanism for checking the security of a QR code before sending the consumer to a URL or downloading an app.
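To make concrete what a "digitally signed" QR code would actually involve (the security infrastructure I said above is missing from mass-market codes), here is an added example in Go. It is not code from this post, from any supermarket or from any deployed signing scheme: the payload layout, the car park URLs and the fixed demo seed are all assumptions made for illustration. The issuer signs the URL with an Ed25519 key before printing the code, and a scanner that pins the issuer's public key refuses anything unsigned, altered or signed by somebody else.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Assumed payload layout for this example (not a deployed standard):
//   "<url>|<base64url(Ed25519 signature over the url bytes)>"
// The scanning app pins the issuer's public key and refuses to open any
// payload that is unsigned or whose signature does not verify. A sticker
// pasted over the genuine code can carry any URL, but not a valid signature.

const sigSep = "|"

var (
	ErrUnsigned     = errors.New("qr payload carries no signature")
	ErrBadSignature = errors.New("qr signature does not verify under the pinned key")
)

// SignPayload is what the legitimate issuer (car park operator, retailer)
// runs once, offline, before printing the code.
func SignPayload(priv ed25519.PrivateKey, url string) string {
	sig := ed25519.Sign(priv, []byte(url))
	return url + sigSep + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyPayload is what the scanner runs on the decoded text. It returns the
// URL only when the signature checks out under the pinned issuer key; the
// caller must treat any error as "do not open".
func VerifyPayload(pub ed25519.PublicKey, payload string) (string, error) {
	i := strings.LastIndex(payload, sigSep)
	if i < 0 {
		return "", ErrUnsigned
	}
	url, encSig := payload[:i], payload[i+len(sigSep):]
	sig, err := base64.RawURLEncoding.DecodeString(encSig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", ErrBadSignature
	}
	if !ed25519.Verify(pub, []byte(url), sig) {
		return "", ErrBadSignature
	}
	return url, nil
}

// DemoKeys derives a fixed key pair from a constant seed so the example is
// reproducible. The seed is a constructed test value only; a real issuer
// generates it from crypto/rand and keeps the private half offline.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	copy(seed, "constructed demo seed, never use for real") // truncated to 32 bytes
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	genuine := SignPayload(priv, "https://pay.example-carpark.test/bay/17") // hypothetical URL

	// Three things a scammer's sticker might carry.
	plainSticker := "https://pay.example-carpark-fee.test/bay/17"              // unsigned, as today's codes are
	tampered := strings.Replace(genuine, "/bay/17", "/bay/17?acct=attacker", 1) // genuine signature, altered URL
	_, attackerPriv, _ := ed25519.GenerateKey(nil)                             // attacker's own key
	selfSigned := SignPayload(attackerPriv, "https://pay.example-carpark-fee.test/bay/17")

	for _, p := range []struct{ label, payload string }{
		{"genuine code", genuine},
		{"plain-URL sticker", plainSticker},
		{"tampered URL", tampered},
		{"attacker-signed", selfSigned},
	} {
		url, err := VerifyPayload(pub, p.payload)
		if err != nil {
			fmt.Printf("%-18s REJECT: %v\n", p.label, err)
			continue
		}
		fmt.Printf("%-18s OPEN %s\n", p.label, url)
	}
}
```

The thing to notice is the plain-URL sticker: it is rejected only because this scanner treats "no signature" as a hard failure. A camera app that merely warns and then opens the URL anyway gains nothing, which is exactly why the signed schemes people have devised do not protect anyone while the default scanner on every phone opens whatever it decodes.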
Let's forget about the codes. A smartphone, or for that matter a supermarket checkout bot, is perfectly capable of recognising a milk carton and reading the label and then going online to find out whether child labour was used in its production, whether a sanctioned entity contributed to the process, whether the CEO of the company supports terrorists and so on. Far from applauding Britain's supermarkets for adding to what Davey Winder just called the "attack surface that is presented by malicious QR code usage", and adding yet another fraud vector to our already crumbling cyber infrastructure, we should be thinking about getting rid of QR codes altogether!