QR Codes As Anti-Forgery On Currency Could Infect Banks 289
New submitter planetzuda writes "Invisible nano QR codes have been proposed as a way to stop forgery of U.S. currency by students of the South Dakota School of Mines and Technology. Unfortunately QR codes are easy to forge and can send you to a site that infects your system. Banks would most likely need to scan currency that have QR codes to ensure the authenticity of the bill. If the QR code was forged it could infect the bank with a virus."
Sigh. (Score:5, Insightful)
Only if they're stupid enough to execute code formed from non-executable input.
Re:Sigh. (Score:5, Interesting)
What I came to say. I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.
Maybe if the QR code was a URL. But you'd have to be stupid to do that too.
A QR code that was a hash of the batch, the release series the serial number and a salt, sure. This could be awesome. Otherwise? Not so much.
Re: (Score:2)
What I came to say. I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.
Maybe if the QR code was a URL. But you'd have to be stupid to do that too.
A QR code that was a hash of the batch, the release series the serial number and a salt, sure. This could be awesome. Otherwise? Not so much.
Quite right. I suspect near the beginning of the forgery algorithm there lies something to the effect of "if scanned_code.urlCheck == true { forgeryAlert(scanned_code) }" and certainly not "if scanned_code.urlCheck == true { browser(scanned_code.text) }". Just a five minute observation though, someone might have a better way to do that.
Re:Sigh. (Score:5, Interesting)
Would it even be a URL? A QR code is just binary data. I'm sure a bank would interpret them as a binary number, not a download link.
Re: (Score:2)
Re: (Score:3, Interesting)
Re:Sigh. (Score:5, Insightful)
I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.
That doesn't seem to be what this article is proposing, however. This article seems to be proposing that the scanners at the bank will read the QR codes on the notes, interpret the code into a URL, then direct a web browser to that URL and, if the URL is for a compromised site, the bank's computer will become infected.
I've been reading Slashdot for 15 years. I'm not going to claim that all the articles in that time have been gems. This kind of thing almost makes me want to cry, however. It just seems to be happening more and more often.
Re:Sigh. (Score:5, Informative)
Ummm....do QR codes have to be a URL? Why would a bank want to put URLs on their bank notes then visit the URL when they scan them?
Whoever wrote that is a moron.
Re:Sigh. (Score:5, Insightful)
The poster is confused. QR Codes are data, not actionable unless you take action on them. Moronic? That's a little rough. In need of a lot of education? Oh.Yeah.
Re: (Score:2, Redundant)
Moronic? That's a little rough. In need of a lot of education? Oh.Yeah.
Disagree. The assumptions made by the poster are moronic, i.e. A bank would visit a web page whenever they scan a bank note.
(then download all the content from that page and try to do something with it...LOL)
Re: (Score:2)
He does not have to be a moron.
He could be one of the many people I have met of around average intelligence with out enough tech knowledge to fill a thimble.
You know the people.
He probably got here by typing "slashdot.org" into Google and clicking on the first link.
Re: (Score:2)
He does not have to be a moron. He could be one of the many people I have met of around average intelligence with out enough tech knowledge to fill a thimble. You know the people. He probably got here by typing "slashdot.org" into Google and clicking on the first link.
Sure thing - I do know the people. They have one trait that makes no sense whatsoever. If they would question whether it makes sense, I believe they would abandon it, but sadly even a minor amount of introspection is ... unpopular these days. I'll explain it with a counter-example:
I do not have enough neurosurgery knowledge to fill a thimble. It follows that you won't see me on medical forums, making claims and taking positions and displaying strong opinions about brain surgery. If I went to such fo
Re: (Score:2)
The moronic part was so publicly expressing an opinion about something which the poster obviously knows so little.
Better to keep your mouth closed and be thought a fool, than to open it and remove all doubt.
Re: (Score:2)
This is why you parse data before you accept it as input. A QR code is unlikely to blow a parsing buffer because it contains a known maximum data read from the scanning device. You set the boundaries to a number and that's the bound/domain of the input source. Should it exceed that size, kill your code on the way to making an error message (should the buffer overflow be huge, thus not able to execute the error branch). E.g., standard buffer overflow execution prevention code technique(s).
Nothing is impossib
Re:Sigh. (Score:5, Insightful)
No, they can be plain text. It's always been part of the standard.
Looks like the summary is just the usual flamebait, containing some stupid statement that commenters will feel compelled to correct.
Re: (Score:2)
A couple of years back, one of the Slashdot admin (Scuttlemonkey? Samzenpus?) gave an interview, and they mentioned that they specifically selected articles that they thought would provoke discussion.
Which I interpreted as 'yes, we troll our users and put up complete flamebait'.
Not having much luck finding it again, though.
Re: (Score:3)
So, you would rather see more submissions like this one [slashdot.org]? (18 comments after 24 hours) Come on, trolls are a part of the internet, so they might as well be a part of slashdot submissions (god knows we see enough of them in the comments section). Be open to a little fun!
Re:Sigh. (Score:5, Informative)
A QR code is just a text string. Or binary string, even (I think - haven't tried it yet).
However, the most common use, so far, has been embedding URLs - most phone-app QR code readers automatically interpret the string as a URL and redirect you there, since that's generally what those users want. However, that's a feature of the particular scanner, not of QR codes themselves.
The original author's mistake is thinking that's a fundamental design feature of QR codes - you scan them, it takes you to a website. Which, if it were true, would indeed be a glaring security hole. Which is why nobody would do such a thing.
Re: (Score:2)
Oh, I wish I had your confidence. While it's true that the QR scheme doesn't contain any inherent security holes, a quick glance at security practices in the industry today does not fill me with confidence that someone won't introduce some.
Re:Sigh. (Score:5, Funny)
It's 1s and 0s...I can tell that just by looking at one.
Re:Sigh. (Score:5, Funny)
A helpful rewrite for someone from a few years in the past:
"Sequences of letters and numbers have been proposed as a way to stop forgery of U.S currency by bored students of Michigan University. Unfortunately sequences of letters and numbers are easy to forge and can be typed into an editor, compiled, and run, infecting your system. Banks would most likely need to read currency that have seuqneces of letters and numbers to ensure the authenticity of the bill. If the sequences of letters and numbers were forged, typed into an editor, compiled, and run, it could infect the bank with a virus."
Re: (Score:3)
What if I get a sharpie and wrote "FE0634E70F327A6B32C" on a bank note? Would they assume it was JVM bytecode and try to execute it for me?
(If so, I can get the bank computers to generate Bitcoins for me...?)
Re: (Score:3)
Well, there's one way to guarantee an irrational, over-the-top response: write it clearly on a dollar bill then hand it to a TSA employee at your local friendly airport, grinning wildly.
Re: (Score:2)
OMG there are some bits - the code might misinterpret them as a URL, load the destination and execute it!
WTF seriously???
Re: (Score:2)
Precisely. This is as stupid as it gets. And beneath /.
1. Any reasonably well sanitized input scheme will refuse to execute the input. I deal with this on a daily basis as we push our dev team into solving input problems where a 'special' character is required. Our users who might try to input executables will be frustrated. Any banking system that is allowing this now has already been pwned.
2. The QR codes need only be limited to 'data'. With no clear need to use characters below ASCII 48 or above ASC
Re:Sigh. (Score:5, Insightful)
* FIX
They're stupid enough to execute code formed from non-executable input.
* FIX OVER
Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over... Why, there is no way every single bank, even the podunk credit unions that dot the land near and far, can figure out how to run a completely public banking portal without getting completely pwned on their first day and having their vaults emptied. Wait, no, I have that backwards. Good security IS possible, it's just hard for most slashpundits to imagine since it is completely beyond them.
Re: (Score:2)
Done...
That fix will cost you $5 million dollars + patent fees.
Re:Sigh. (Score:5, Insightful)
Who said that the QR code will encode an URL?
This is not written in the engadget article, and that's the main erroneous assumption of the Slasdot poster (planetzuda).
Re:Sigh. (Score:4, Interesting)
I really wonder how critically faulty the system would have to be to scan in a signature data and execute it. You could just as well create a license plate with SQL injection code to corrupt photoradars.
Re: (Score:3)
That was my first thought. Not sure why types of forgery they are aiming to protect against. Once common attack is bleaching. Basically the counterfeiter tries erase the print on small bill like $5 and replace it with that of $100.
Smart, but still incredibly stupid.
First of all, it will only work if the bills are all the same size. US currency is, but this isn't the case in many other countries.
Second, it will only work if the paper is identical across all denominations. It isn't. Most countries include both distinct watermarks and holographic silver threads that are unique to each denomination, including the US.
Lastly, most countries (including the US) use a closely guarded method of computing serial numbers, which signatures etc. s
Re: (Score:3)
You're all not thinking clearly. The easiest thing for a counterfeiter to do is to simply duplicate the same serial number over and over. The QR code would only stop those that want to randomize their serial numbers. A copied note with a QR code will still validate all the way through the system. The bank would notice in the same way they do today - they check and make sure the serial numbers in the batch match the correct year and print facility (also on the bill), and then verify that there are no dup
Re: (Score:3)
* FIX
They're stupid enough to execute code formed from non-executable input.
* FIX OVER
Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over... Why, there is no way every single bank, even the podunk credit unions that dot the land near and far, can figure out how to run a completely public banking portal without getting completely pwned on their first day and having their vaults emptied. Wait, no, I have that backwards. Good security IS possible, it's just hard for most slashpundits to imagine since it is completely beyond them.
Recent history suggest financial institutions do not have a good deal of competence. Maybe they once did, but not in recent years.
Re:Sigh. (Score:5, Informative)
Any data in a QR code that is invalid should only be marked as invalid and the bill sorted aside for later, manual investigation. No "action" with the data itself is required. It shouldn't matter if the data is a URL or an IP address or "echo y|format C:
When a human checks the contents of the flagged bill, the human decides what to do, and more importantly doesn't use a computer on the network with the processing machine. It doesn't then matter if that human is stupid, they don't infect the whole bank if they're so stupid that they load a URL.
Re: (Score:3)
There's absolutely no reason
Any data in a QR code that is invalid should only be marked as invalid
It shouldn't matter
There should be nothing processed but an ack that the data doesn't correspond to correct ranges.
Ah, "should". The system administrator's favourite word.
Followed closely by:
"it can't"
"did it just"
"there's no way it just"
"they say it's impossible that it could have"
"their lawyers say they could never have foreseen that it would"
"marketing give us every assurance that it absolutely probably maybe won't again"
Re: (Score:3)
Re: (Score:3)
Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over.
Yes, that's pretty much it. We're that stupid.
As evidence for the prosecution, I present: Flash, Java, JPEG, PNG, PDF, Word .DOC, SQL, PHP, ASN.1, and TCP/IP.
All of the above are either sandboxed-by-design programming languages that don't expose binary code, or somple data encapsulation formats that aren't even Turing-complete. They're all in common use in industry. We, our peers, our industry, trumpeted their safety and deployed them. You'd expect that it would be pretty simple for implementation of a pars
Re: (Score:3)
Some institutions are extremely good at keeping their flies zipped up. Others have fallen into the "security has no ROI" trap that seems to be the PHB mating call.
In the past, banks had a reputation to uphold, so a security breach would be extremely damaging with accountholders moving elsewhere. These days, because it is so hard to move to another provider, coupled with the bar lowered so low about perceived security, a security breach may not be something a bank cares about unless it is a regulator they
Re: (Score:3)
The real source of the problem is government. FDIC has taken the reputation out of banking. As a depositor I don't care if the bank gets knocked over because I know its insured at no cost to me anyway. Well it does cost me actually as the insurance fees are passed on in the form of lower rates.
Now if it were not for government intervention banks competing for depositors would be strongly incentive to protect their reputation for not losing customers money, EVER, as it would be the major sell point. This
Re:Sigh. (Score:5, Insightful)
A QR code itself can NOT send you to a site. That is a 'feature' of certain apps running on smartphones etc.
The Michigan University proposal does not suggest that banks should run any such browser-linked software. They essentially propose banks to run software that reads a QR code and validates that code, using algorithms and data that would not require a browser.
This is the lamest conclusion I've seen yet on Slashdot - either flame bait or a submitter and editorial combined IQ of 50.
Come on slashdot editors, keep it mildly informed or have standards fallen so low that it's time to move away from slashdot?
Re:Sigh. (Score:5, Informative)
Re: (Score:2)
Sure, It doesn't have to go to a URL. All is does is read in data and then do something with it. There are people here that would love to feed in the wrong data to see what happens. There are people here that would love to feed in combinations of correct data and see what happens.
When you've broke it, what data of your own can you feed in after? The more complex they make the QR system the better.
My 50IQ isn't the IQ you have to worry about. It's the code monkey with the 50I
Your right, your IQ isn't 50 (Score:3)
Well, your post contains one truth, your IQ isn't 50. It is far far lower.
QR is simply a bar code. You scan it and get a string of data. That is it. It can contain any string valid within its codeset but it is just a string just a barcode is just a number.
Sure, buffer overflows exist but they exist deep within complex code, not on simple basic stuff as reading in a user input especially when there is only one.
And people with IQ of 50 (you call them master or whatever you can manage to utter with your sub-50
Re: (Score:3)
I'm baffled by all the comments about the security concerns on this. Barcode scanners have been reading UPC codes at PC-based cash registers operated by high school dropouts for decades, and nobody has yet been able to craft a magic barcode that can crash the system. The argument is asinine. It is not that hard to establish a standard and write some firmware with strict adherence to that standard that will reject a
If only... (Score:5, Funny)
There was a way to scan a QR code without having an unpatched IE6 accessing the url in the code...
not if programmers are 1/2 way competent (Score:3)
A bank note QR code would refer to a single site. It would not go to "the world".
Input hardening in such a case should be reasonably trivial. And if it failed to have the proper form it would be false.
Re: (Score:2)
Actually a bank note QR code wouldn't hold a URL at all. QR codes encode arbitrary strings. Unless they're incredibly dumb implementing it the worst that would happen is it mistaking a serial number for a phone number and trying to call it. Not much chance of a scanner getting infected trying that!
Re: (Score:2)
Actually a bank note QR code wouldn't hold a URL at all. QR codes encode arbitrary strings. Unless they're incredibly dumb implementing it the worst that would happen is it mistaking a serial number for a phone number and trying to call it. Not much chance of a scanner getting infected trying that!
They're incredibly dumb. The QR code would probably become the infection string for a SQL Injection attack on the bank's servers.
Er, wrong. (Score:2, Insightful)
I guess that's why all the checkouts at our local grocery stores get viruses when we scan the wrong barcodes.
Use appropriate software. Fuck.
Re: (Score:2)
Winnar!
What? (Score:5, Insightful)
What? QR codes can hold arbitrary strings, they don't have to be just URLs. This summary makes no sense. There isn't even an article here! Who is editing this shit?
Re: (Score:2)
Mod parent up.
I've known QR Codes be used to hold PKI Certificate info. URLs just happen to be a common use.
Huh? (Score:5, Informative)
Re: (Score:2, Funny)
Muhhahahhahahahaha
Robert');DROP TABLE CURRENCY;
will be my QR Code and will bust the world economy! Muhahahahhahahahaha
Re:Huh? (Score:5, Informative)
Not only that, but the article I read last night on the BBC talked about how these QR codes are done. First of all, they imbed the QR code on the bill using a special ink that is only luminescent with an exact frequency of laser light, which is invisible to the naked eye. Using a process of (I believe they called it) "photon upconversion" the light becomes visible to sensors in another segment of the spectrum. They can alter the ink they use to change the frequencies in question. This means you would have to have special equipment to see the QR code. They also said that they can imbed two QR codes on top of each other, which respond to different frequencies of light. They can use the two QR codes together to help validate the authenticity of the bill.
So certainly someone with the right scientists may be able to reproduce the ink, bleach the bill, and print a new face and QR code on it, but it would be very difficult. And who would hook their bill verifying machine up to the internet? And why would you use a URL? You could embed anything into that code, and you could probably even cryptographically sign the data embedded in the bill.
WTF? (Score:5, Informative)
QR Codes don't send you anywhere. They're just data. They can contain web links, just like any written sentence, but a device won't download the content at a linked URL unless it is programmed to.
QR codes are futuristic, 2D versions of bar codes. Nothing more.
Re: (Score:2, Informative)
Nothing futuristic about QR codes! They're 15 years old already.
Re: (Score:3)
Re: (Score:2)
The Michigan proposal involved some assorted fancy-materials-science tricks(inks with very atypical optical properties and other stuff that the anti-counterfieting guys have been poking around at to raise the cost and required sophistication of producing a convincing fake) in addition to QR codes. If anything, the QR part seemed like something of a trend-crazed afterthought.
(Incididentally, the one thing that cryptography can do for physical items like currency is make it impossible for forgers to produce n
Re: (Score:2)
Preventing counterfeiting is all about making it HARD to make a passable copy of a bill. This is the function of serial numbers along with a whole host of unusual printing techniques. If QR codes make it harder without making it cost too much more to produce *real* currency, use them.
Unless they use QR codes to actually encode useful information about the bill, it's serial number, value and production information and don't make some kind of cross checking possible, I don't see where they help much more tha
Assuming that banks are complete idiots (Score:2)
I can't speak to whether QR codes can stop forgery of the currency, but a QR code, by itself, can't infect anyone with a virus. What kind of bank system would blindly go to whatever website is suggested by an illegitimate QR code?
Re: (Score:2)
Really? (Score:5, Insightful)
what will really happen (Score:2)
Easy Fix... (Score:2)
Who wrote this summary? A QR code is just a data.
Just make your system NOT go to the public internet. The QR code could just be the serial number of the note. Hell you don't even need to use a QR code.
Example: http://intranet.federalreserve.gov/verify?n=12345 [federalreserve.gov]
Problem solved. No virus.
"can send you to a site that infects your system" (Score:2)
Seriously? You're telling me that a bank system using a barcode to check a serial number would spawn a web browser because the bill said so? How hard could it possibly be to *not* allow a browser to start while scanning in QR codes, and catching attempts to try as a guaranteed way to prove that the bill is a counterfeit?
Re: (Score:2)
QR codes can't even launch a browser themselves even if they contain a URL. That action depends on the QR code reader. If a QR code says "http://www.slashdot.com/", then it is up to the QR code reader to say "Hey, this is a URL, I should open a web browser." The QR code reader on my phone presents the URL for me and gives me the option of opening a web browser. I'm sure a hypothetical QR reader for currency wouldn't even do that. It would say "Hey, this QR code reads 'http://www.badsite.com/infect_with
The submitter doesn't seem to understand QR codes (Score:3)
The only way I could remotely see that happening would be if there was a vulnerability in the system that allowed for a buffer overflow attack of some sort. The problem with that is that QR codes only have a limited amount a data, which would make this all but impossible.
redundant ? redundant? (Score:2)
Re: (Score:2)
Pretty easy to forge serial numbers on a counterfeit note.
Not so easy to forge serial numbers encoded on nano-dots ...
So presumably like they do with nano-dots sprayed onto high-end cars as security.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
And if it's a URL, it's probably a URL that points to a page with a serial number in the URL, which means it does no more good than inputting that serial onto the web site instead.
And why can't you just copy the QR code just like you can copy the serial number? Just because it's made with invisible ink?
Re: (Score:2)
QR Code (abbreviated from Quick Response Code) is the trademark for a type of matrix barcode (or two-dimensional code) first designed for the automotive industry. More recently, the system has become popular outside the industry due to its fast readability and large storage capacity compared to standard UPC barcodes. The code consists of black modules (square dots) arranged in a square pattern on a white background. The information encoded can be made up of four standardized kinds ("modes") of data (numeric, alphanumeric, byte/binary, Kanji), or through supported extensions, virtually any kind of data.[1]...
Invented in Japan by the Toyota subsidiary Denso Wave in 1994 to track vehicles during the manufacturing process, the QR Code is one of the most popular types of two-dimensional barcodes.[2] It was designed to allow its contents to be decoded at high speed.[3]
Maybe... (Score:2)
However if the QR contained a salted hash of bill identifiers, and the reading app verified it, would it be possible to include well formed enough data to cause some sort of buffer overrun and injection attack? the paylload would have to be very small, and it would likely only crasg the target system. Therefore it would not ba a virus persay, just malicious code.
Re: (Score:2)
would it be possible to include well formed enough data to cause some sort of buffer overrun and injection attack?
QR codes contain a known amount of data. Unless the reading program was written by a complete moron, ensuring sufficient buffer space exists to read one is a trivial task.
Re: (Score:2)
A Wizard Did It (Score:2)
I guess even on /. computers are devices shrouded in mystery. Watch out before the Gibson gets hacked.
Also in the news (Score:2)
Michigan Univerity? (Score:3)
1. It's "The University of Michigan." Not trying to be as pedantic as those who insist on THE Ohio State University (as opposed to that other Ohio State?), but no one uses 'Michigan University.'
2. At no point, in any of the three cited articles, is U of M mentioned. The QR / Currency article from engadget refers to The South Dakota School of Mines and Technology, which is slightly different from umich.
See? (Score:2)
This is why we can't have nice things.
QR codes are not magic code! (Score:2)
It's unclear how much malware spread by QR codes in late 2011, but AVG reports that it's an ideal distribution method for nefarious software and it expects the practice to grow throughout 2012. Users are unaware of what the code contains until the malware has already gained foothold. The point being, QR codes aren't as safe as you might expect them to be. The security firm likens scanning unknown QR codes to running an unfamiliar executable on your computer.
Let's repeat this again, people: QR Codes are simply a new version of a barcode. They are not magic pictures that infect computers or phones. There is nothing wrong with taking a picture of a barcode.
OTOH, if you run an application that which upon reading a code will automatically open a webpage that might run a script without user intervention, you giving people a guest pass.
when malware spread through QR codes on a Russian website and forums. The code directed victims to a download location for an infected version of the Jimm mobile ICQ client. The malware sent SMS messages to premium numbers.
They directed their phones to a web address they didn't know and shouldn't have trusted, downloaded an application and then
Great, trackable money (Score:2)
I see no abuses there nor the goverment forcing the banks to submit the depositor name to look up a serial number, nor promising to limit some type of liability as an incentive to look up serial numbers on each transaction. No sirree, won't happen.
(Btw, I assume they could do all this on current serial numbers but perhaps its easier on the OCR to have as described in the article).
The tip of the iceberg (Score:2)
The ability to give bank computers AIDS is just the start. What happens when terrorists discover them?
http://qr.kaywa.com/?s=8&d=Death+to+Obama+and+all+Americans.+Allahu+Akbar [kaywa.com]!
/., WTF? (Score:2)
Independence Day? (Score:3)
Reminds me at that movie: "uploading virus ..."
Funny was they used a Mac for that ...
In other news (Score:2)
What about bill validators or TITO slots (Score:2)
What about bill validators or TITO slots (Ticket-in, ticket-out)
That may be the place where you may be able to do some hacking likely useing buffer over flows with some thing like this.
This article is nonsense. (Score:2)
QR codes are simply a method of encoding a blob of information. There is no magically connection between a blob of data containing a url and the magically fetching of the URL. You actually have to write more code to make it fetch the url. And fetching the url does not automatically result in infection. You still have to pass that url data through a browser engine to evaluate and act on the data. There are so many steps that would have to be coded that the likely hood of a moron coder making a mistake t
Got idea from TV? (Score:4, Funny)
Why not a cryptographic signature in the S/N? (Score:5, Interesting)
Each note seems to have a serial number, meaning it should be unique. Why not have each note's S/N cryptographically signed and the signature stamped onto the note along with the S/N in some kind of machine-readable format?
It should then be possible to scan the barcode and verify the signature to determine whether the note was legitimate. They could create unique keys for each Federal Reserve district, perhaps annually, so that you wouldn't have to worry as much about the key being compromised.
Someone could clone the same S/N and signature, but if they did it would be easy for banks or other large cash processors with scanners to identify duplicates and remove them from circulation. Dupes could be identified as currency scanned at more than one geographic location within a certain time window where the chance of the currency being in two places at once was very slim -- kind of like the antifraud calls I've gotten from a credit card company when I've used a card in two cities in the same day.
Small numbers of duplicates would be hard to track, but the economic risk from counterfeiting isn't from some guy with a scanner and a inkjet printer but from mass counterfeiting of thousands of notes.
DUMB PEOPLE CAN'T THINK (Score:2)
There is a very simple solution...
The QR code should link to specified government Treasury website. If it does not, (and you pre-scan the URL first), then you AUTOMATICALLY KNOW IT'S COUNTERFEIT.
Simple...
Scan != Follow (Score:2)
Okay. The big problem with this is that the technology to scan and write nano QR codes will become common, which then allows them to be reproduced even if (assuming the use is cryptographic and the keys are adequately protected) it isn't practical to generate new, legitimate ones.
They can't "send y
What lamers voted for accepting this crap? (Score:4, Informative)
Re: (Score:2, Insightful)
Next problem: idiotic user submissions combined with lazy "editors" could infect Slashdot with terrible articles on the front page.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You beat me to posting it, darn it!
Re: (Score:2)
I had to read that sentence twice. Very awkwardly written. This submission fails on so many levels.
Re: (Score:2)
I love the "easy to forge" bit. It's easy to forge printed text, too. It's because we use these things called fonts, which ensures that all computers can reproduce character bitmaps identically from a reduced dataset.
Isn't forging a QR code just making a QR code?