SINGAPORE: A series of black-and-white squares has been popping up everywhere in Singapore - on advertising materials, rental bikes and even at hawker centres. These are quick response (QR) codes that users scan with their smartphones to get information, track an item or make payment.

QR codes, however, have posed problems in China. Criminals have been sticking their own code over a merchant's original one to steal money, and according to Chinese news reports, about US$13 million was lost via QR code scams in Guangdong.

In response to queries, the Cyber Security Agency of Singapore (CSA) said SingCERT has not received reports of malicious QR codes in Singapore. But the agency is aware of cases that have happened overseas and emphasised that those hold “important lessons” for Singapore.

WILL QR CODE SCAMS BECOME A PROBLEM IN SINGAPORE?

Cybersecurity experts Channel NewsAsia spoke to said a key security weakness of QR codes is that it is impossible to visually tell a safe one from a malicious one because they all look similar.

CSA said that currently, the only known mechanism of a QR code scam involves pasting a sticker over an authentic QR code. It urged merchants to exercise caution by checking their QR codes and corresponding websites regularly. Experts agree that vigilance and awareness are important as Singapore moves towards a cashless society.


E-payment solution providers like Liquid Group and FOMO Pay are aware of the scams that have happened in China, and have put in measures to combat potential fraudsters. To prevent scammers from directing money into unauthorised accounts via QR codes, merchants with both companies get real-time alerts upon successful transactions.

“The consumer can also see the e-receipt in their e-wallet. (They can) immediately (see) the amount being paid and the merchant being paid to,” said chief operating officer of FOMO Pay Zack Yang. The company has more than 1,500 merchants across Singapore. Its QR codes accept payments by mobile wallets like WeChat Pay and Baidu Wallet, allowing local companies to cash in on demand by Chinese tourists.

Liquid Group, which has QR codes deployed in 1,200 merchants across 100 hawker centres, said diners usually flash their payment screen to hawkers once a transaction is made.

“Because we built our app a certain way, it’s very difficult to fake (a transaction). We train the merchants to look for certain cues and signals (on the payment screen),” said chief technology officer Matthew Quinlan.

The hawkers also have an application running on their own devices which alerts them to approved payments, and they can compare the two screens as well, added Mr Quinlan.

But sometimes, it is not just money that’s lost. Certis Cisco’s chief information security officer John Yong said there's a more sophisticated, man-in-the-middle attack that can be mounted via malicious QR codes.

“(In this attack,) payment is being routed via the fraudster, so (he can) actually hijack your credentials … This could be your bank account number, your credit card code and your password ID … (Hackers) could actually use this information for subsequent purchases without you knowing and this could drain your bank account.”

Mr Quinlan said such attacks happened overseas during the early days of QR code adoption. “Then, you could put out a QR code that (linked to a public URL), which could easily be spoofed. There was nothing to stop you intercepting that message and sending it off to a different website which was malicious. There wasn't that front-end security piece built in.”

Mr Quinlan added that Liquid Group’s QR codes are encrypted to guard against such scenarios and to protect consumers' information. Consumers have to scan the QR code with the company’s app in order for the barcode to work. “If you can use a generic scanner to scan our QR code, it won't do any good … (All you see is) a random set of characters that are meaningless outside of our application and our back-end.”

Cybercriminals will not be able to extract any data from their QR code scans as sensitive information is held in a secured vaulted system on their back-end, he added.

MOBILE MALWARE IMPACT CAN BE DEVASTATING: EXPERT

While providers in the e-payments space have thought through their security measures, malicious QR codes could be anywhere. In earlier reports, Liu Qingfeng, chairman of voice recognition cloud service provider iFlytek, said that during the National People’s Congress in Beijing, more than 23 per cent of Trojans and viruses were transmitted via QR codes.

Experts said that, among other things, a malicious QR code can direct users to a link that quietly installs malware on their phone.

“(The mobile malware) may scan for any kind of text messages that contain 16 digits and capture it as credit card information. It can also look into all your contacts and maybe even send them an email ... thus spreading the malware even further. (It may) even perform ransomware to lock your phone,” said Mr Vincent Goh, vice president of sales in Asia-Pacific and Japan for cybersecurity firm CyberArk.

Mr Yong agreed: “Some of the impact of (mobile malware) can be quite devastating. It can remotely control (your phone’s) microphone and cameras. It's like having a spy phone in a meeting room.”

They said the best defence is for users to think carefully before they scan, especially if they are not sure who has put out the QR code and where it will lead them.

“(Users should be taught) not to scan anything immediate,” said Mr Goh. “For example, if you scan a card and the next thing you know it's pointing you to a website to try to ask you for some personal data, then you should be aware that there's something that feels wrong and stop (executing) the next step.”

CSA also recommended using a secure QR code reader that allows URL previews so users can assess whether that is a trusted site. Some QR code readers also have built-in security readers that check a website’s safety rating and block malicious ones.
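The two defensive ideas in this article, an app-bound payload that is meaningless to a generic scanner (Liquid Group's description above) and a reader that previews a URL before opening it (CSA's recommendation), can be illustrated in one small checker. The code below is an added example, not code from Channel NewsAsia or from any provider named in the article. It assumes the QR image has already been decoded into text; the `APPPAY:` token format, the HMAC key, the allowlisted hosts and the risk flags are all constructed for the example and are not any company's real scheme.

```python
"""Preview and sanity-check a decoded QR payload before acting on it.

Added example, not the article's or any provider's code. Two payload kinds:
  * an app-bound token, "APPPAY:<merchant>:<mac>" (constructed format), whose
    HMAC only the issuing app's back-end key can verify, so a sticker swapped
    in by a third party fails verification and a generic scanner sees only an
    opaque string;
  * a URL, which is previewed (scheme, host, path) and flagged on common
    risk signs instead of being opened blindly.
"""
import base64
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# Constructed key: a real deployment keeps this server-side, never in the app.
APP_KEY = b"example-app-key-not-a-real-secret"
# Constructed allowlist of hosts the payment app is willing to open.
TRUSTED_HOSTS = {"pay.example.com", "www.example.com"}


def make_app_token(merchant_id: str, key: bytes = APP_KEY) -> str:
    """Issue an app-bound payload for a merchant (done by the back-end)."""
    mac = hmac.new(key, merchant_id.encode(), hashlib.sha256).digest()
    mac_b64 = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"APPPAY:{merchant_id}:{mac_b64}"


def verify_app_token(payload: str, key: bytes = APP_KEY):
    """Return the merchant id if the token was issued under `key`, else None."""
    parts = payload.split(":")
    if len(parts) != 3 or parts[0] != "APPPAY":
        return None
    # Recompute the expected token and compare in constant time.
    if not hmac.compare_digest(payload, make_app_token(parts[1], key)):
        return None
    return parts[1]


def preview_url(url: str, trusted=TRUSTED_HOSTS) -> dict:
    """Summarise a web URL and flag signs a reader should surface to the user."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the host
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    try:
        ipaddress.ip_address(host)       # raw IP instead of a merchant domain
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if "xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("idn-host")         # possible look-alike domain
    if parts.username or parts.password:
        flags.append("userinfo-in-url")  # "https://bank.com@evil.example" trick
    if host not in trusted:
        flags.append("untrusted-host")
    return {"kind": "url", "scheme": parts.scheme, "host": host,
            "path": parts.path, "flags": flags}


def preview_payload(payload: str) -> dict:
    """Classify decoded QR text and return what a reader should show first."""
    text = payload.strip()
    merchant = verify_app_token(text)
    if merchant is not None:
        return {"kind": "app-token", "merchant": merchant, "flags": []}
    if text.startswith("APPPAY:"):
        # Looks like our format but was not issued with our key: swapped sticker
        # or forged token. Never fall back to treating it as a merchant.
        return {"kind": "app-token", "merchant": None, "flags": ["bad-signature"]}
    if text.lower().startswith(("http://", "https://")):
        return preview_url(text)
    scheme = urlsplit(text).scheme
    if scheme:
        # tel:, sms:, intent:, custom app schemes: show, do not auto-launch.
        return {"kind": "uri", "scheme": scheme, "flags": ["non-web-scheme"]}
    return {"kind": "opaque", "flags": ["no-preview"]}


if __name__ == "__main__":
    good = make_app_token("hawker-42")
    print(preview_payload(good))
    print(preview_payload("APPPAY:other-stall:" + good.split(":")[2]))
    print(preview_payload("http://192.168.1.10/pay"))
    print(preview_payload("https://pay.example.com/t/123"))
```

The allowlist check is something a payment app can do because it knows which hosts it talks to; a general-purpose QR reader cannot, and its useful contribution is the preview itself, showing the scheme and host so the user can decide before anything is opened. The token half shows why a generic scanner gets "a random set of characters": without the key there is nothing to act on, and a sticker carrying someone else's token fails verification rather than silently redirecting the payment.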