Quick response code secure: a cryptographically secure anti-phishing tool for QR code attacks.
Mavroeidis, Vasileios; Nicho, Mathew
The two-dimensional quick response (QR) codes can be misleading due to the difficulty in differentiating a genuine QR code from a malicious one. Since, the vulnerability is practically part of their design, scanning a malicious QR code can direct the user to cloned malicious sites resulting in revealing sensitive information. In order, to evaluate the vulnerabilities and propose subsequent countermeasures, we demonstrate this type of attack through a simulated experiment, where a malicious QR code directs a user to a phishing site. For our experiment, we cloned Google's web page providing access to their email service (Gmail). Since, the URL is masqueraded into the QR code the unsuspecting user who opens the URL is directed to the malicious site. Our results proved that hackers could easily leverage QR codes into phishing attack vectors targeted at smartphone users, even bypassing web browsers safe browsing feature. In addition, the second part of our paper presents adequate countermeasures and introduces QRCS (Quick Response Code Secure). QRCS is a universal efficient and effective solution focusing exclusively on the authenticity of the originator and consequently, the integrity of QR code by using digital signatures.
|Start Date||Aug 28, 2017|
|Publication Date||Sep 13, 2017|
|Publisher||Springer (part of Springer Nature)|
|Series Title||Lecture notes in computer science|
|Institution Citation||MAVROEIDIS, V. and NICHO, M. 2017. Quick response code secure: a cryptographically secure anti-phishing tool for QR code attacks. In Rak, J., Bay, J., Kotenko, I., Popyack, L., Skormin, V. and Szczypiorski, K. (eds.) Computer network security: Proceedings of the 7th International Mathematical methods, models and architectures for computer network security conference (MMM-ACNS 2017), 28-30 August 2017, Warsaw, Poland. Lecture notes in computer science, 10466. Cham: Springer [online], pages 313-324. Available from: https://doi.org/10.1007/978-3-319-65127-9_25|
|Keywords||Quick response (QR)codes; 2D codes; Smartphone security; Mobile phishing attacks; Cryptography; Digital signatures|
MAVROEIDIS 2017 Quick Response Code Secure