QR Code Security: A Survey of Attacks and Challenges for Usable Security

QR (Quick Response) codes are two-dimensional barcodes that can encode different types of information. Because of their high information density and robustness, QR codes have gained popularity in many fields of application. Even though they offer a broad range of advantages, QR codes pose significant security risks. An attacker can encode a malicious link that leads, for example, to a phishing site; such a malicious QR code can be printed on a small sticker and pasted over a benign one on a billboard advertisement. Although many real-world QR code attacks have been reported in the media, little research has been conducted in this field, and almost no attention has been paid to the interplay of security and human-computer interaction. In this work, we describe the manifold use cases of QR codes. Furthermore, we analyze the most significant attack scenarios with respect to these use cases. Additionally, we systematize the research that has already been conducted and identify usable security and security awareness as the main research challenges. Finally, we propose design requirements with respect to the QR code itself, the reader application and usability aspects, in order to support further research into making QR code processing both secure and usable.
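The sticker attack described above works because a reader application typically opens whatever the symbol decodes to. The following Python is an added example, not code from the paper, of the kind of reader-side triage that the proposed design requirements for the reader application point at: it treats the decoded payload as untrusted input, never fetches it, surfaces the host the user should be shown, and flags the URL properties that matter for phishing (userinfo in front of the real host, punycode labels, IP-literal hosts, action schemes such as tel: or intent:, shortener hosts, non-standard ports). The scheme and shortener lists are assumptions made for the example, and the payloads in the test are constructed.

```python
"""Reader-side triage of a decoded QR payload.

Added example, not the paper's code. The payload is untrusted text from the
symbol; nothing is fetched or opened here, the caller decides based on the
verdict and the flags.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: only https links may be opened without an explicit prompt.
AUTO_OPEN_SCHEMES = {"https"}
# Assumption: schemes that trigger an action beyond browsing (call, SMS,
# app intent, script execution, network join); always confirm these.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "intent", "market",
                  "javascript", "file", "content", "wifi"}
# Constructed shortener list for the example; a real reader would maintain one.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

_URI_LIKE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:")


def _is_ip_literal(host):
    """True for 192.168.1.1, ::1 etc., hosts that no brand would advertise."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_payload(payload):
    """Describe how a reader should treat one decoded payload.

    Returns a dict with:
      verdict: "text"    - no URI scheme, display as text, open nothing
               "confirm" - show scheme, host and flags before opening
               "open"    - https link with no flags
      scheme, host: what the user must be shown (host is the real host, not
                    anything that appears before an '@')
      flags: the properties that forced a confirmation
    """
    payload = payload.strip()
    if not _URI_LIKE.match(payload):
        return {"verdict": "text", "scheme": None, "host": None, "flags": []}

    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    flags = []

    if scheme in ACTION_SCHEMES:
        flags.append("action-scheme")
    elif scheme == "http":
        flags.append("plaintext-http")      # content can be altered in transit
    elif scheme not in AUTO_OPEN_SCHEMES:
        flags.append("unusual-scheme")
    if parts.username is not None or parts.password is not None:
        # "https://bank.example@evil.example/" really goes to evil.example
        flags.append("userinfo-in-url")
    if host and _is_ip_literal(host):
        flags.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("idn-punycode")        # possible homograph of a known name
    if host in SHORTENER_HOSTS:
        flags.append("url-shortener")       # destination hidden from the user
    try:
        port = parts.port
    except ValueError:
        port = None
        flags.append("malformed-port")
    if port is not None and port not in (80, 443):
        flags.append("nonstandard-port")

    verdict = "open" if scheme in AUTO_OPEN_SCHEMES and not flags else "confirm"
    return {"verdict": verdict, "scheme": scheme, "host": host, "flags": flags}


if __name__ == "__main__":
    # Constructed payloads standing in for decoded symbols.
    for sample in ("https://example.com/menu",
                   "https://bank.example@evil.example/login",
                   "tel:+15555550100",
                   "https://xn--pple-43d.com/",
                   "Table 12"):
        print(sample, "->", triage_payload(sample))
```

The important design choice is that the host shown to the user comes from `urlsplit().hostname`, so a payload crafted with a trusted-looking name in the userinfo part cannot put that name in front of the real destination; the abstract's usable-security concern is exactly that the user otherwise has nothing to check against.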
