QR Codes As Anti-Forgery On Currency Could Infect Banks
New submitter planetzuda writes "Invisible nano QR codes have been proposed as a way to stop forgery of U.S. currency by students of the South Dakota School of Mines and Technology. Unfortunately, QR codes are easy to forge and can send you to a site that infects your system. Banks would most likely need to scan currency that has QR codes to ensure the authenticity of the bill. If the QR code was forged, it could infect the bank with a virus."
Huh? (Score:5, Informative)
WTF? (Score:5, Informative)
QR Codes don't send you anywhere. They're just data. They can contain web links, just like any written sentence, but a device won't download the content at a linked URL unless it is programmed to.
QR codes are futuristic, 2D versions of bar codes. Nothing more.
Re:Sigh. (Score:5, Informative)
Ummm....do QR codes have to be a URL? Why would a bank want to put URLs on their bank notes then visit the URL when they scan them?
Whoever wrote that is a moron.
Re:WTF? (Score:2, Informative)
Nothing futuristic about QR codes! They're 15 years old already.
Re:Huh? (Score:5, Informative)
Not only that, but the article I read last night on the BBC talked about how these QR codes are done. First of all, they embed the QR code on the bill using a special ink that is only luminescent with an exact frequency of laser light, which is invisible to the naked eye. Using a process of (I believe they called it) "photon upconversion" the light becomes visible to sensors in another segment of the spectrum. They can alter the ink they use to change the frequencies in question. This means you would have to have special equipment to see the QR code. They also said that they can embed two QR codes on top of each other, which respond to different frequencies of light. They can use the two QR codes together to help validate the authenticity of the bill.
So certainly someone with the right scientists may be able to reproduce the ink, bleach the bill, and print a new face and QR code on it, but it would be very difficult. And who would hook their bill verifying machine up to the internet? And why would you use a URL? You could embed anything into that code, and you could probably even cryptographically sign the data embedded in the bill.
Re:Sigh. (Score:5, Informative)
A QR code is just a text string. Or binary string, even (I think - haven't tried it yet).
However, the most common use, so far, has been embedding URLs - most phone-app QR code readers automatically interpret the string as a URL and redirect you there, since that's generally what those users want. However, that's a feature of the particular scanner, not of QR codes themselves.
The original author's mistake is thinking that's a fundamental design feature of QR codes - you scan them, it takes you to a website. Which, if it were true, would indeed be a glaring security hole. Which is why nobody would do such a thing.
Re:Sigh. (Score:5, Informative)
Re:Sigh. (Score:5, Informative)
Any data in a QR code that is invalid should only be marked as invalid and the bill sorted aside for later, manual investigation. No "action" with the data itself is required. It shouldn't matter if the data is a URL or an IP address or "echo y|format C:
When a human checks the contents of the flagged bill, the human decides what to do, and more importantly doesn't use a computer on the network with the processing machine. It doesn't then matter if that human is stupid; they don't infect the whole bank if they're so stupid that they load a URL.
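The two suggestions made in the comments above (sign the data embedded in the bill; mark anything invalid and set the bill aside without acting on the data), sketched as an added example that is not from any commenter or from the proposed scheme. The payload layout, key and function names are assumptions, and HMAC-SHA256 stands in for a public-key signature so the code runs on the Python standard library alone.

```python
import hashlib
import hmac

# Assumptions for this example: key, field sizes and layout are constructed.
MINT_KEY = b"constructed-demo-key-not-a-real-secret"
SERIAL_LEN = 11   # e.g. b"AB12345678C"
TAG_LEN = 16      # truncated HMAC-SHA256 tag
PAYLOAD_LEN = SERIAL_LEN + 1 + TAG_LEN


def make_payload(serial: bytes, denomination: int) -> bytes:
    """Issuer side: serial || denomination byte || authentication tag."""
    body = serial + bytes([denomination])
    tag = hmac.new(MINT_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def classify(payload: bytes) -> str:
    """Scanner side. The payload is only length-checked and compared as
    opaque bytes; it is never decoded as text, fetched as a URL or executed."""
    if len(payload) != PAYLOAD_LEN:
        return "QUARANTINE"
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(MINT_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time comparison of the received tag against the expected one.
    return "ACCEPT" if hmac.compare_digest(tag, expected) else "QUARANTINE"


def sort_bills(scans):
    """Return the indexes of scanned bills per bin; quarantined bills go to
    manual inspection, and nothing is done with their contents here."""
    bins = {"ACCEPT": [], "QUARANTINE": []}
    for index, payload in enumerate(scans):
        bins[classify(payload)].append(index)
    return bins


# Constructed sample scans (not real data).
GOOD = make_payload(b"AB12345678C", 20)
SAMPLE_SCANS = [
    GOOD,                                         # genuine payload
    b"http://example.invalid/x",                  # URL-shaped forgery
    b"echo y|format C:",                          # command-shaped forgery
    GOOD[:-1] + bytes([GOOD[-1] ^ 1]),            # right length, altered tag
    GOOD[:SERIAL_LEN] + bytes([100]) + GOOD[SERIAL_LEN + 1:],  # altered denomination
]

if __name__ == "__main__":
    print(sort_bills(SAMPLE_SCANS))
```
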
What lamers voted for accepting this crap? (Score:4, Informative)