TWIT 1013: Calamari in Crisis

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

We are so back!!!

3 Likes

What happens here is QR codes on parking signs get replaced with ones that take you to a copycat web site that takes all your credit or bank card details.

The car manufacturer SEAT is pronounced sey-at BTW 🙂 It’s Spanish.

2 Likes

I’m all for Wikipedia but it apparently has major holocaust denial issues:

https://www.tandfonline.com/doi/full/10.1080/25785648.2023.2168939

Also, Veritasium posted a great video about how QR codes work a couple of months ago:

1 Like

QR Codes were invented in the 1990s by Denso (parts supplier to Toyota). Normal barcodes were too limited for tracking their stock, they needed more information on each part.

QR Codes have nothing to do with the Internet. Stacey was wrong, they don’t go to the Internet to be decoded, they are decoded locally on the scanner, or a smartphone, PC etc. 99% of codes around the world probably have no information that leads to a web site, but they are on articles in warehouses, on packaging for food etc. The German Post has been using QR Codes for nearly 2 decades as a replacement for bulk mailing franks (when I was a kid, most companies had a huge, expensive franking machine that put the price of the “stamp” and a serial code on the envelope; nowadays they have software that generates a unique code for each “stamp” that they print).

My bank uses a coloured QR Code to help generate the TAN for each transaction - when you have entered the recipient information, value etc. the web site generates a QR Code encoded with your public key and the information from the transaction and the TAN app on the phone uses your private key to decode the QR Code and process the information to generate the 6 digit TAN code.

There are thousands of uses for QR Codes that don’t generate URLs and the information is all processed locally, to define a product - the product code, serial number, batch code and production date, for example - the information might go to local retail systems, for example, to get the current price for the POS terminal or it might be used for stock taking or order picking in a warehouse.

2 Likes

Thank you for saying that. I wanted to make a comment but I’m not informed enough to say “QR codes are literally just coded data”. It can be plaintext, a URL, a link to a deeper system, etc. Thanks Big D

1 Like

I used to work for a company that wrote software for manufacturing processes and I did several presentations on the origins of QR Codes and how they are used, so most of the information, for a short summary, is still in my head.

1 Like

I think the point being made was it doesn’t matter what the original QR code is, it can be easily replaced with a sticker to point to a malicious website.

You can’t do this with barcodes. Obviously, this is unlikely to catch you out when you are scanning frozen peas in the supermarket, but it has caught people out here with car parking payment URLs being changed to grab your card details.

https://www.rac.co.uk/drive/news/motoring-news/be-qrareful-rac-warns-drivers-to-watch-out-for-parking-payment-scams/

I don’t remember which Security Now episode it was (because it’d be 10+ years old at this point) but I remember Steve saying exactly this. Hell, even if it wasn’t pasted over, they’re just random bits of text we scan into our phones to interpret. That’s where the trouble starts!

Huge level of trust required for scanning QRs.

It depends, most scanners are not internet connected, so it doesn’t really matter. It is the end users’ QR Codes that can cause problems, but every phone I’ve had has always shown the destination for the QR Code and waits for me to confirm that I want to go to the destination.

If the address doesn’t look right, I’ll cancel the prompt.

2 Likes
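Two points in the thread above go together: a QR code is only a container for data that is interpreted locally (product code, batch, serial, production date, a Wi‑Fi profile, a contact card, or a URL), and a phone that shows the destination before opening a URL is the real defence against a pasted-over sticker. The block below is an added example, not code from any poster or from TWiT: it takes an already-decoded QR payload string (the image decoding step is left to whatever scanner library you use), classifies it, parses the GS1 product fields for the warehouse case, and for a URL returns the host plus the warnings a confirmation prompt should surface. The GS1 application identifiers (01, 10, 11, 21) and the 0x1D group separator are from the real GS1 element-string format; the `expected_hosts` allow-list, the sample payloads and the `example-parking.test` host are constructed for illustration.

```python
"""Interpret a decoded QR payload locally and decide what a user should be shown
before anything acts on it. Added example; the scanner/image decoder is assumed
to hand us the raw payload string."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# GS1 application identifiers for the fields mentioned in the thread.
# Fixed-length AIs carry a digit count; variable-length AIs end at the
# group separator (FNC1, encoded as ASCII 0x1D) or at end of payload.
_GS1_AI = {
    "01": ("gtin", 14),            # product code (GTIN-14)
    "11": ("production_date", 6),  # YYMMDD
    "10": ("batch", None),         # lot / batch, variable length
    "21": ("serial", None),        # serial number, variable length
}
GS = "\x1d"


@dataclass
class Interpretation:
    kind: str                                   # url, gs1, wifi_config, contact, text
    fields: dict = field(default_factory=dict)  # parsed content
    warnings: list = field(default_factory=list)  # what a confirmation prompt should show


def parse_gs1(payload: str) -> dict:
    """Parse a GS1 element string into named fields; only the AIs above are known."""
    pos, out = 0, {}
    while pos < len(payload):
        ai = payload[pos:pos + 2]
        if ai not in _GS1_AI:
            raise ValueError(f"unknown application identifier {ai!r} at offset {pos}")
        name, length = _GS1_AI[ai]
        pos += 2
        if length is not None:
            value, pos = payload[pos:pos + length], pos + length
        else:
            end = payload.find(GS, pos)
            end = len(payload) if end < 0 else end
            value, pos = payload[pos:end], end + 1
        out[name] = value
    return out


def inspect_url(payload: str, expected_hosts=()) -> Interpretation:
    """Extract the destination host and flag the things a user should see before tapping."""
    parts = urlsplit(payload)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not https")
    if parts.username or parts.password:
        warnings.append("credentials embedded before host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalized (punycode) label in host")
    # Hypothetical allow-list: the operator's known payment domain, if the
    # scanning app is tied to one (constructed for this example).
    if expected_hosts and host not in expected_hosts:
        warnings.append("host not in expected list")
    return Interpretation("url", {"host": host, "path": parts.path}, warnings)


def interpret(payload: str, expected_hosts=()) -> Interpretation:
    """Classify a decoded payload; nothing here needs network access."""
    if re.match(r"(?i)https?://", payload):
        return inspect_url(payload, expected_hosts)
    if payload.startswith("WIFI:"):
        return Interpretation("wifi_config", {"raw": payload})
    if payload.startswith(("BEGIN:VCARD", "MECARD:")):
        return Interpretation("contact", {"raw": payload})
    if payload[:2] in _GS1_AI:  # heuristic: looks like a GS1 element string
        try:
            return Interpretation("gs1", parse_gs1(payload))
        except ValueError:
            pass
    return Interpretation("text", {"text": payload})


if __name__ == "__main__":
    # Constructed sample payloads, one per kind.
    samples = [
        "01040123456789011124011510LOT42" + GS + "21SN007",   # warehouse label
        "http://192.0.2.10/pay",                              # pasted-over parking sticker
        "https://pay.example-parking.test/zone/12",           # legitimate operator
        "WIFI:T:WPA;S:guest;P:secret;;",
        "just some text",
    ]
    for s in samples:
        print(interpret(s, expected_hosts=("pay.example-parking.test",)))
```

The point of `Interpretation.warnings` is that the decision stays with the person holding the phone: the code never opens anything, it only makes the destination and its red flags visible, which is exactly the prompt the poster above relies on.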

My employer uses QR codes for rapid scanning of information. In and of themselves - they have no requirement for Internet access. They’re just a storage mechanism for data. However, they’ve become ubiquitous for people to use. Scan for a website. Scan for Contact Information. Scan for whatever. So I get the security concerns, but that’s not a flaw in the QR code - that’s a flaw in the use.

2 Likes

We can use our phones at the supermarket and in car parks to scan these QRs. The URLs for the legit payment sites aren’t obvious TBH, so quite easy to scam one.

I’ve stopped using them. Use the dedicated scanners in supermarkets, and find the car park payment app manually on the Google Play Store.

1 Like