QR Codes As Anti-Forgery On Currency Could Infect Banks
New submitter planetzuda writes "Invisible nano QR codes have been proposed as a way to stop forgery of U.S. currency by students of the South Dakota School of Mines and Technology. Unfortunately, QR codes are easy to forge and can send you to a site that infects your system. Banks would most likely need to scan currency that has QR codes to ensure the authenticity of the bill. If the QR code was forged, it could infect the bank with a virus."
Re:Sigh. (Score:5, Interesting)
What I came to say. I can't imagine a QR code being able to stack overflow anything; there aren't enough bits.
Maybe if the QR code was a URL. But you'd have to be stupid to do that too.
A QR code that was a hash of the batch, the release series, the serial number and a salt, sure. This could be awesome. Otherwise? Not so much.
Re:Sigh. (Score:5, Interesting)
Would it even be a URL? A QR code is just binary data. I'm sure a bank would interpret them as a binary number, not a download link.
Why not a cryptographic signature in the S/N? (Score:5, Interesting)
Each note seems to have a serial number, meaning it should be unique. Why not have each note's S/N cryptographically signed and the signature stamped onto the note along with the S/N in some kind of machine-readable format?
It should then be possible to scan the barcode and verify the signature to determine whether the note was legitimate. They could create unique keys for each Federal Reserve district, perhaps annually, so that you wouldn't have to worry as much about the key being compromised.
Someone could clone the same S/N and signature, but if they did it would be easy for banks or other large cash processors with scanners to identify duplicates and remove them from circulation. Dupes could be identified as currency scanned at more than one geographic location within a certain time window where the chance of the currency being in two places at once was very slim -- kind of like the antifraud calls I've gotten from a credit card company when I've used a card in two cities in the same day.
Small numbers of duplicates would be hard to track, but the economic risk from counterfeiting isn't from some guy with a scanner and an inkjet printer but from mass counterfeiting of thousands of notes.
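The scheme proposed in the comment above, as an added sketch that is not part of the original thread: the scanned payload is parsed strictly as data, its tag is checked against a per-district, per-year key, and a serial seen in two distant places too close together in time is flagged as a clone. Assumptions: HMAC-SHA256 stands in for the asymmetric signature the comment describes (a real scanner would hold only public keys), and the payload layout, key, serial format and thresholds are all constructed for the demonstration.

```python
import hashlib, hmac, math, re

# Constructed demo key per (district, year). HMAC stands in for the asymmetric
# signature the comment proposes; real scanners would hold only public keys.
KEYS = {("B", 2013): b"constructed-demo-key"}
# Assumed payload layout: <district A-L><year>-<serial>.<hex tag>
PAYLOAD = re.compile(r"([A-L])(\d{4})-([A-Z0-9]{10})\.([0-9a-f]{64})")
MAX_KMH, MIN_KM = 900.0, 50.0  # assumed thresholds for "two places at once"

def tag(key, district, year, serial):
    return hmac.new(key, f"{district}{year}-{serial}".encode(), hashlib.sha256).hexdigest()

def make_payload(district, year, serial):
    """Issuer side: what would be printed on the note."""
    return f"{district}{year}-{serial}.{tag(KEYS[(district, year)], district, year, serial)}"

def verify(payload):
    """Return the serial if the payload is well-formed and authentic, else None."""
    m = PAYLOAD.fullmatch(payload)  # scanned text is parsed as data, never followed or run
    if not m:
        return None
    district, year, serial, got = m[1], int(m[2]), m[3], m[4]
    key = KEYS.get((district, year))
    if key and hmac.compare_digest(tag(key, district, year, serial), got):
        return serial
    return None

def km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

class Ledger:
    def __init__(self):
        self.last = {}  # serial -> (time, place) of the most recent scan

    def scan(self, payload, when, where):
        """Classify one scan as 'forged', 'duplicate' or 'ok'; `when` is a datetime."""
        serial = verify(payload)
        if serial is None:
            return "forged"
        prev, self.last[serial] = self.last.get(serial), (when, where)
        if prev:
            dist = km(prev[1], where)
            hours = abs((when - prev[0]).total_seconds()) / 3600
            if dist > MIN_KM and dist > MAX_KMH * hours:
                return "duplicate"
        return "ok"
```

A payload that does not match the fixed layout, such as a URL, is rejected before any key lookup, so the scanner never acts on its content.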
Re:Sigh. (Score:3, Interesting)
Re:Sigh. (Score:4, Interesting)
I really wonder how critically faulty the system would have to be to scan in signature data and execute it. You could just as well create a license plate with SQL injection code to corrupt photoradars.