QR Code Security -- How Secure and Usable Apps Can Protect Users Against Malicious QR Codes

QR codes have emerged as a popular medium for making content instantly accessible. With their high information density and robust error correction, they have found their way into the mobile ecosystem. However, QR codes have also proven to be an efficient attack vector, e.g. for phishing attacks. Attackers distribute malicious codes under false pretenses in busy places or paste malicious QR codes over existing ones on billboards. Ultimately, users depend on reader software to determine whether a given QR code is benign or malicious. In this paper, we present a comprehensive analysis of QR code security. We determine why users are still susceptible to QR code based attacks and why currently deployed smartphone apps are unable to mitigate them. Based on our findings, we present a set of design recommendations for building usable and secure mobile applications. To evaluate our guidelines, we implemented a prototype and found that secure and usable apps can effectively protect users from malicious QR codes.
