Forgot your password?
typodupeerror
The Almighty Buck Security Technology News

QR Codes As Anti-Forgery On Currency Could Infect Banks 289

Posted by timothy
from the fiat-money's-been-hacked-long-ago dept.
New submitter planetzuda writes "Invisible nano QR codes have been proposed as a way to stop forgery of U.S. currency by students of the South Dakota School of Mines and Technology. Unfortunately QR codes are easy to forge and can send you to a site that infects your system. Banks would most likely need to scan currency that have QR codes to ensure the authenticity of the bill. If the QR code was forged it could infect the bank with a virus."
This discussion has been archived. No new comments can be posted.

QR Codes As Anti-Forgery On Currency Could Infect Banks

Comments Filter:
  • Sigh. (Score:5, Insightful)

    by ledow (319597) on Thursday September 13, 2012 @07:52AM (#41322447) Homepage

    Only if they're stupid enough to execute code formed from non-executable input.

    • Re:Sigh. (Score:5, Interesting)

      by RyuuzakiTetsuya (195424) <{taiki} {at} {cox.net}> on Thursday September 13, 2012 @07:55AM (#41322475)

      What I came to say. I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

      Maybe if the QR code was a URL. But you'd have to be stupid to do that too.

      A QR code that was a hash of the batch, the release series the serial number and a salt, sure. This could be awesome. Otherwise? Not so much.

      • by jeffmeden (135043)

        What I came to say. I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

        Maybe if the QR code was a URL. But you'd have to be stupid to do that too.

        A QR code that was a hash of the batch, the release series the serial number and a salt, sure. This could be awesome. Otherwise? Not so much.

        Quite right. I suspect near the beginning of the forgery algorithm there lies something to the effect of "if scanned_code.urlCheck == true { forgeryAlert(scanned_code) }" and certainly not "if scanned_code.urlCheck == true { browser(scanned_code.text) }". Just a five minute observation though, someone might have a better way to do that.

        • Re:Sigh. (Score:5, Interesting)

          by Joce640k (829181) on Thursday September 13, 2012 @08:32AM (#41322859) Homepage

          Would it even be a URL? A QR code is just binary data. I'm sure a bank would interpret them as a binary number, not a download link.

          • by TWX (665546)
            I guess investigators are safe from tubgirl and goatse and lemonparty then...
      • Re:Sigh. (Score:5, Insightful)

        by tragedy (27079) on Thursday September 13, 2012 @09:17AM (#41323339)

        I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

        That doesn't seem to be what this article is proposing, however. This article seems to be proposing that the scanners at the bank will read the QR codes on the notes, interpret the code into a URL, then direct a web browser to that URL and, if the URL is for a compromised site, the bank's computer will become infected.

        I've been reading Slashdot for 15 years. I'm not going to claim that all the articles in that time have been gems. This kind of thing almost makes me want to cry, however. It just seems to be happening more and more often.

    • Re:Sigh. (Score:5, Informative)

      by Joce640k (829181) on Thursday September 13, 2012 @07:57AM (#41322503) Homepage

      Ummm....do QR codes have to be a URL? Why would a bank want to put URLs on their bank notes then visit the URL when they scan them?

      Whoever wrote that is a moron.

      • Re:Sigh. (Score:5, Insightful)

        by postbigbang (761081) on Thursday September 13, 2012 @08:01AM (#41322531)

        The poster is confused. QR Codes are data, not actionable unless you take action on them. Moronic? That's a little rough. In need of a lot of education? Oh.Yeah.

        • Re: (Score:2, Redundant)

          by Joce640k (829181)

          Moronic? That's a little rough. In need of a lot of education? Oh.Yeah.

          Disagree. The assumptions made by the poster are moronic, i.e. A bank would visit a web page whenever they scan a bank note.

          (then download all the content from that page and try to do something with it...LOL)

          • by Dishevel (1105119)

            He does not have to be a moron.
            He could be one of the many people I have met of around average intelligence with out enough tech knowledge to fill a thimble.
            You know the people.
            He probably got here by typing "slashdot.org" into Google and clicking on the first link.

            • by causality (777677)

              He does not have to be a moron. He could be one of the many people I have met of around average intelligence with out enough tech knowledge to fill a thimble. You know the people. He probably got here by typing "slashdot.org" into Google and clicking on the first link.

              Sure thing - I do know the people. They have one trait that makes no sense whatsoever. If they would question whether it makes sense, I believe they would abandon it, but sadly even a minor amount of introspection is ... unpopular these days. I'll explain it with a counter-example:

              I do not have enough neurosurgery knowledge to fill a thimble. It follows that you won't see me on medical forums, making claims and taking positions and displaying strong opinions about brain surgery. If I went to such fo

        • by jpmorgan (517966)

          The moronic part was so publicly expressing an opinion about something which the poster obviously knows so little.

          Better to keep your mouth closed and be thought a fool, than to open it and remove all doubt.

      • Re:Sigh. (Score:5, Insightful)

        by Anonymous Coward on Thursday September 13, 2012 @08:02AM (#41322543)

        No, they can be plain text. It's always been part of the standard.

        Looks like the summary is just the usual flamebait, containing some stupid statement that commenters will feel compelled to correct.

        • by oneiros27 (46144)

          A couple of years back, one of the Slashdot admin (Scuttlemonkey? Samzenpus?) gave an interview, and they mentioned that they specifically selected articles that they thought would provoke discussion.

          Which I interpreted as 'yes, we troll our users and put up complete flamebait'.

          Not having much luck finding it again, though.

          • by jeffmeden (135043)

            So, you would rather see more submissions like this one [slashdot.org]? (18 comments after 24 hours) Come on, trolls are a part of the internet, so they might as well be a part of slashdot submissions (god knows we see enough of them in the comments section). Be open to a little fun!

      • Re:Sigh. (Score:5, Informative)

        by gman003 (1693318) on Thursday September 13, 2012 @08:29AM (#41322809)

        A QR code is just a text string. Or binary string, even (I think - haven't tried it yet).

        However, the most common use, so far, has been embedding URLs - most phone-app QR code readers automatically interpret the string as a URL and redirect you there, since that's generally what those users want. However, that's a feature of the particular scanner, not of QR codes themselves.

        The original author's mistake is thinking that's a fundamental design feature of QR codes - you scan them, it takes you to a website. Which, if it were true, would indeed be a glaring security hole. Which is why nobody would do such a thing.

    • Re:Sigh. (Score:5, Funny)

      by Hazel Bergeron (2015538) on Thursday September 13, 2012 @08:02AM (#41322541) Journal

      A helpful rewrite for someone from a few years in the past:

      "Sequences of letters and numbers have been proposed as a way to stop forgery of U.S currency by bored students of Michigan University. Unfortunately sequences of letters and numbers are easy to forge and can be typed into an editor, compiled, and run, infecting your system. Banks would most likely need to read currency that have seuqneces of letters and numbers to ensure the authenticity of the bill. If the sequences of letters and numbers were forged, typed into an editor, compiled, and run, it could infect the bank with a virus."

      • by Joce640k (829181)

        What if I get a sharpie and wrote "FE0634E70F327A6B32C" on a bank note? Would they assume it was JVM bytecode and try to execute it for me?

        (If so, I can get the bank computers to generate Bitcoins for me...?)

        • Well, there's one way to guarantee an irrational, over-the-top response: write it clearly on a dollar bill then hand it to a TSA employee at your local friendly airport, grinning wildly.

    • OMG there are some bits - the code might misinterpret them as a URL, load the destination and execute it!
      WTF seriously???

    • by rickb928 (945187)

      Precisely. This is as stupid as it gets. And beneath /.

      1. Any reasonably well sanitized input scheme will refuse to execute the input. I deal with this on a daily basis as we push our dev team into solving input problems where a 'special' character is required. Our users who might try to input executables will be frustrated. Any banking system that is allowing this now has already been pwned.

      2. The QR codes need only be limited to 'data'. With no clear need to use characters below ASCII 48 or above ASC

  • If only... (Score:5, Funny)

    by Anonymous Coward on Thursday September 13, 2012 @07:53AM (#41322451)

    There was a way to scan a QR code without having an unpatched IE6 accessing the url in the code...

  • by RichMan (8097) on Thursday September 13, 2012 @07:53AM (#41322453)

    A bank note QR code would refer to a single site. It would not go to "the world".
    Input hardening in such a case should be reasonably trivial. And if it failed to have the proper form it would be false.

    • Actually a bank note QR code wouldn't hold a URL at all. QR codes encode arbitrary strings. Unless they're incredibly dumb implementing it the worst that would happen is it mistaking a serial number for a phone number and trying to call it. Not much chance of a scanner getting infected trying that!

      • Actually a bank note QR code wouldn't hold a URL at all. QR codes encode arbitrary strings. Unless they're incredibly dumb implementing it the worst that would happen is it mistaking a serial number for a phone number and trying to call it. Not much chance of a scanner getting infected trying that!

        They're incredibly dumb. The QR code would probably become the infection string for a SQL Injection attack on the bank's servers.

  • Er, wrong. (Score:2, Insightful)

    by Anonymous Coward

    I guess that's why all the checkouts at our local grocery stores get viruses when we scan the wrong barcodes.

    Use appropriate software. Fuck.

  • What? (Score:5, Insightful)

    by Anonymous Coward on Thursday September 13, 2012 @07:54AM (#41322465)

    What? QR codes can hold arbitrary strings, they don't have to be just URLs. This summary makes no sense. There isn't even an article here! Who is editing this shit?

    • by oPless (63249)

      Mod parent up.

      I've known QR Codes be used to hold PKI Certificate info. URLs just happen to be a common use.

  • Huh? (Score:5, Informative)

    by ccccc (888353) on Thursday September 13, 2012 @07:55AM (#41322471)
    A QR code is a two-dimensional barcode. A pretty decent way to embed a serial number. What exactly about the idea makes the poster believe the banks' scanning software would jump to some arbitrary website after the scan? Presumably, a much more sane and secure thing to do would be to look up the serial number in a database on a single, secure site.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Muhhahahhahahahaha

      Robert');DROP TABLE CURRENCY;

      will be my QR Code and will bust the world economy! Muhahahahhahahahaha

    • Re:Huh? (Score:5, Informative)

      by jittles (1613415) on Thursday September 13, 2012 @08:27AM (#41322787)

      Not only that, but the article I read last night on the BBC talked about how these QR codes are done. First of all, they imbed the QR code on the bill using a special ink that is only luminescent with an exact frequency of laser light, which is invisible to the naked eye. Using a process of (I believe they called it) "photon upconversion" the light becomes visible to sensors in another segment of the spectrum. They can alter the ink they use to change the frequencies in question. This means you would have to have special equipment to see the QR code. They also said that they can imbed two QR codes on top of each other, which respond to different frequencies of light. They can use the two QR codes together to help validate the authenticity of the bill.

      So certainly someone with the right scientists may be able to reproduce the ink, bleach the bill, and print a new face and QR code on it, but it would be very difficult. And who would hook their bill verifying machine up to the internet? And why would you use a URL? You could embed anything into that code, and you could probably even cryptographically sign the data embedded in the bill.

  • WTF? (Score:5, Informative)

    by iYk6 (1425255) on Thursday September 13, 2012 @07:55AM (#41322477)

    QR Codes don't send you anywhere. They're just data. They can contain web links, just like any written sentence, but a device won't download the content at a linked URL unless it is programmed to.

    QR codes are futuristic, 2D versions of bar codes. Nothing more.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Nothing futuristic about QR codes! They're 15 years old already.

    • You've obviously not read Snow Crash.
  • I can't speak to whether QR codes can stop forgery of the currency, but a QR code, by itself, can't infect anyone with a virus. What kind of bank system would blindly go to whatever website is suggested by an illegitimate QR code?

    • it would work if the QR code held a digital signature for that particular mint and year of the serial, along with the denomination. Each code would fit one bill from one mint from one year with one serial number.
  • Really? (Score:5, Insightful)

    by ajdlinux (913987) on Thursday September 13, 2012 @07:57AM (#41322499) Homepage Journal
    This story displays an incredibly low understanding about what a QR code even is, let alone how you would write a QR code reader for a secure environment. I'm surprised this even got accepted.
  • If you think a massive security flaw will stop some private company from selling them their product suite, you are WRONG. They'll cover it up like their jobs depend on it...because they do.
  • Who wrote this summary? A QR code is just a data.

    Just make your system NOT go to the public internet. The QR code could just be the serial number of the note. Hell you don't even need to use a QR code.

    Example: http://intranet.federalreserve.gov/verify?n=12345 [federalreserve.gov]

    Problem solved. No virus.

  • Seriously? You're telling me that a bank system using a barcode to check a serial number would spawn a web browser because the bill said so? How hard could it possibly be to *not* allow a browser to start while scanning in QR codes, and catching attempts to try as a guaranteed way to prove that the bill is a counterfeit?

    • QR codes can't even launch a browser themselves even if they contain a URL. That action depends on the QR code reader. If a QR code says "http://www.slashdot.com/", then it is up to the QR code reader to say "Hey, this is a URL, I should open a web browser." The QR code reader on my phone presents the URL for me and gives me the option of opening a web browser. I'm sure a hypothetical QR reader for currency wouldn't even do that. It would say "Hey, this QR code reads 'http://www.badsite.com/infect_with

  • by yincrash (854885) on Thursday September 13, 2012 @08:00AM (#41322523)
    This plan in all likelihood would not comprise of URLs encoded as QR codes. It wold be some data that would be matched against some other data, so why would the currency verification involve accessing a URL at all to implant a virus?

    The only way I could remotely see that happening would be if there was a vulnerability in the system that allowed for a buffer overflow attack of some sort. The problem with that is that QR codes only have a limited amount a data, which would make this all but impossible.

  • Isn't it a bit redundant, seeing as how they have serial numbers already?!?!?! A QR code would contain what, a serial number? Obviously this article thinks it's a web link, which is what QR codes were designed for. If it's a web URL, wtf?! If it's a serial number, just real the serial number instead. They have OCR that does that already.
    • Pretty easy to forge serial numbers on a counterfeit note.

      Not so easy to forge serial numbers encoded on nano-dots ...

      So presumably like they do with nano-dots sprayed onto high-end cars as security.

    • by azadrozny (576352)
      As other posters have pointed out, what if the QR code contained a hash of the serial number and a few other identifying marks visible on the bill? Now you can use the infrared QR and OCR to validate a given bill. In general I think the mints have given up on creating a forge-proof bills. They just keep updating the design with forge resistant features to stay one step ahead. The only problem I have with this is that there are so many different designs in circulation that a lay person cannot easily spot
      • As other posters have pointed out, what if the QR code contained a hash of the serial number and a few other identifying marks visible on the bill? Now you can use the infrared QR and OCR to validate a given bill.....

        Sure, mints could hash the serial number, encrypt the hash with their private key, and print the QR. Banks could validate the QR by decrypting the QR with the mint's public key and confirm it matched the hashed serial number.

        But that is a very low level of validation. The forgers would just copy serial numbers and QR codes they see on real currency.

        • by azadrozny (576352)
          You are correct, the QR code can be copied, but this becomes one more thing for the forger to be concerned with. The individual security features on a bill don't make it hard to reproduce. It is the combination of dozens of them that (hopefully) makes it too costly for them to reproduce. Some of the features are there to make it easy for the public to spot a fake, such as the water mark, or color shifting ink. There are other secret features that are put there by the government to help them identify, or
    • by omnichad (1198475)

      And if it's a URL, it's probably a URL that points to a page with a serial number in the URL, which means it does no more good than inputting that serial onto the web site instead.

      And why can't you just copy the QR code just like you can copy the serial number? Just because it's made with invisible ink?

    • by wbr1 (2538558)
      QR was not designed to contain a web link. From http://en.wikipedia.org/wiki/QR_code [wikipedia.org] :

      QR Code (abbreviated from Quick Response Code) is the trademark for a type of matrix barcode (or two-dimensional code) first designed for the automotive industry. More recently, the system has become popular outside the industry due to its fast readability and large storage capacity compared to standard UPC barcodes. The code consists of black modules (square dots) arranged in a square pattern on a white background. The information encoded can be made up of four standardized kinds ("modes") of data (numeric, alphanumeric, byte/binary, Kanji), or through supported extensions, virtually any kind of data.[1]...
      Invented in Japan by the Toyota subsidiary Denso Wave in 1994 to track vehicles during the manufacturing process, the QR Code is one of the most popular types of two-dimensional barcodes.[2] It was designed to allow its contents to be decoded at high speed.[3]

  • I am not expert on this, but i agree that ia bank system woudn't go to some url.
    However if the QR contained a salted hash of bill identifiers, and the reading app verified it, would it be possible to include well formed enough data to cause some sort of buffer overrun and injection attack? the paylload would have to be very small, and it would likely only crasg the target system. Therefore it would not ba a virus persay, just malicious code.
    • by PPH (736903)

      would it be possible to include well formed enough data to cause some sort of buffer overrun and injection attack?

      QR codes contain a known amount of data. Unless the reading program was written by a complete moron, ensuring sufficient buffer space exists to read one is a trivial task.

  • I guess even on /. computers are devices shrouded in mystery. Watch out before the Gibson gets hacked.

  • Bank staff could break their teeth by trying to bite coins. They could also give themselves a sun burn by keeping their hand under the note-testing UV lamp. And now they have the added hazard that they could follow a link on a QR code to an infected site.
  • by Darth_brooks (180756) <clipper377@nOSPAm.gmail.com> on Thursday September 13, 2012 @08:12AM (#41322633) Homepage

    1. It's "The University of Michigan." Not trying to be as pedantic as those who insist on THE Ohio State University (as opposed to that other Ohio State?), but no one uses 'Michigan University.'

    2. At no point, in any of the three cited articles, is U of M mentioned. The QR / Currency article from engadget refers to The South Dakota School of Mines and Technology, which is slightly different from umich.

  • by Barny (103770)

    This is why we can't have nice things.

  • Oh FFS!

    It's unclear how much malware spread by QR codes in late 2011, but AVG reports that it's an ideal distribution method for nefarious software and it expects the practice to grow throughout 2012. Users are unaware of what the code contains until the malware has already gained foothold. The point being, QR codes aren't as safe as you might expect them to be. The security firm likens scanning unknown QR codes to running an unfamiliar executable on your computer.

    Let's repeat this again, people: QR Codes are simply a new version of a barcode. They are not magic pictures that infect computers or phones. There is nothing wrong with taking a picture of a barcode.

    OTOH, if you run an application that which upon reading a code will automatically open a webpage that might run a script without user intervention, you giving people a guest pass.

    when malware spread through QR codes on a Russian website and forums. The code directed victims to a download location for an infected version of the Jimm mobile ICQ client. The malware sent SMS messages to premium numbers.

    They directed their phones to a web address they didn't know and shouldn't have trusted, downloaded an application and then

  • I see no abuses there nor the goverment forcing the banks to submit the depositor name to look up a serial number, nor promising to limit some type of liability as an incentive to look up serial numbers on each transaction. No sirree, won't happen.

    (Btw, I assume they could do all this on current serial numbers but perhaps its easier on the OCR to have as described in the article).

  • The ability to give bank computers AIDS is just the start. What happens when terrorists discover them?

    http://qr.kaywa.com/?s=8&d=Death+to+Obama+and+all+Americans.+Allahu+Akbar [kaywa.com]!

  • What a moronic story. It makes no sense whatsoever to whomever knows anything about data, security or whatever. Dozens of stories get rejected from ./ every day. How the F**K this gets approved speaks very lowly of ./ quality control.
  • by angel'o'sphere (80593) on Thursday September 13, 2012 @08:30AM (#41322833) Homepage Journal

    Reminds me at that movie: "uploading virus ..."

    Funny was they used a Mac for that ...

  • Also, paedophiles use money. Now, I'm not saying that QR codes can turn people into paedophiles, but you can't buy candy without money, sheeple!
  • What about bill validators or TITO slots (Ticket-in, ticket-out)

    That may be the place where you may be able to do some hacking likely useing buffer over flows with some thing like this.

  • QR codes are simply a method of encoding a blob of information. There is no magically connection between a blob of data containing a url and the magically fetching of the URL. You actually have to write more code to make it fetch the url. And fetching the url does not automatically result in infection. You still have to pass that url data through a browser engine to evaluate and act on the data. There are so many steps that would have to be coded that the likely hood of a moron coder making a mistake t

  • by muntis (1503471) on Thursday September 13, 2012 @09:21AM (#41323405)
    Dude probably is watching too much TV where you can burn down computer by scanning bones [videosift.com]
  • by swb (14022) on Thursday September 13, 2012 @09:25AM (#41323459)

    Each note seems to have a serial number, meaning it should be unique. Why not have each note's S/N cryptographically signed and the signature stamped onto the note along with the S/N in some kind of machine-readable format?

    It should then be possible to scan the barcode and verify the signature to determine whether the note was legitimate. They could create unique keys for each Federal Reserve district, perhaps annually, so that you wouldn't have to worry as much about the key being compromised.

    Someone could clone the same S/N and signature, but if they did it would be easy for banks or other large cash processors with scanners to identify duplicates and remove them from circulation. Dupes could be identified as currency scanned at more than one geographic location within a certain time window where the chance of the currency being in two places at once was very slim -- kind of like the antifraud calls I've gotten from a credit card company when I've used a card in two cities in the same day.

    Small numbers of duplicates would be hard to track, but the economic risk from counterfeiting isn't from some guy with a scanner and a inkjet printer but from mass counterfeiting of thousands of notes.

  • There is a very simple solution...

    The QR code should link to specified government Treasury website. If it does not, (and you pre-scan the URL first), then you AUTOMATICALLY KNOW IT'S COUNTERFEIT.

    Simple...

  • Invisible nano QR codes have been proposed as a way to stop forgery of U.S currency by students of Michigan University.

    Okay. The big problem with this is that the technology to scan and write nano QR codes will become common, which then allows them to be reproduced even if (assuming the use is cryptographic and the keys are adequately protected) it isn't practical to generate new, legitimate ones.

    Unfortunately QR codes are easy to forge and can send you to a site that infects your system.

    They can't "send y

  • by LeadSongDog (1120683) on Thursday September 13, 2012 @10:04AM (#41324133)
    It's blatantly just planetzuda.com spamming its own worthless article.

Any sufficiently advanced technology is indistinguishable from a rigged demo.

Working...