QR Codes, a kind of two-dimensional or matrix barcode sometimes referred to as ‘tags’, are used intensively these days because they can typically carry more information than traditional barcodes. In particular, QR Codes allow mobile users to read and interpret a code with a smartphone camera. A QR Code may contain text and/or a URL (universal resource locator for, e.g., the Internet).
QR Codes are spreading quickly and turning up everywhere: on advertising boards, TV, Web sites one can visit, post or travel signs, clothes, tickets, coupons, number plates and so on.
That said, a person could stick a malicious QR Code label over an existing QR Code label.
QR Code labels are a very simple machine-readable coding technique. Unfortunately, this also makes phishing via QR Codes effective: if the information coded in the QR Code is an Internet address, i.e., a URL, a user can be hijacked to a phishing Web site. The malicious person may mirror a Web site so that it looks similar or identical to the expected original Web site. As a next malicious step, the user may be asked to register or log in to the fake Web site, so that an attacker may steal the person's secret data.
The cost of implementing this fraud technique is ridiculously low for a person acting in bad faith. In fact, all it takes is to identify a physical QR Code label pointing to a certain “clean” Web site and to generate a mirrored phishing Web site of the “clean” one, with the purpose of stealing users' personal data. Additionally, a phishing URL pointing to the mirrored phishing Web site needs to be encoded into a QR Code. This is also cheap, because QR Code encoders are freely available on the Internet. A sticky version of the malicious QR Code label then needs to be printed and pasted over the original QR Code label. A person acting in bad faith would do that unobserved.
As can be seen, it is very simple to practice phishing via QR Codes.
Currently, there is no remediation for this serious exploit of QR Codes. What can be found on the Internet are only sites discussing this security problem with QR Codes and warning users always to check the URL that the QR Code application on the mobile phone passes to a browser once the QR Code has been captured by the phone's camera.
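The URL check that users are advised to perform by eye can be partly automated in the scanning application. The following Python sketch is an added example, not part of the original document; the function name, the allowlisted host and the 0.8 similarity threshold are assumptions, and it only flags a payload that points away from the expected host, not the pasted-over label itself.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist: hosts the label's owner really publishes (assumption).
TRUSTED_HOSTS = frozenset({"shop.example"})


def check_qr_payload(payload, trusted=TRUSTED_HOSTS, threshold=0.8):
    """Classify a decoded QR payload before it is handed to a browser.

    Returns (verdict, reason); verdict is one of
    'not-url', 'trusted', 'suspicious', 'untrusted'.
    """
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        # Compare the ASCII (punycode) form so homoglyph hosts become visible.
        ascii_host = host.encode("idna").decode("ascii")
    except (ValueError, UnicodeError):
        return ("suspicious", "malformed URL")
    if parts.scheme not in ("http", "https") or not ascii_host:
        return ("not-url", "payload is text or a non-web scheme")
    if parts.username is not None:
        # https://trusted@other-host/ shows a trusted name but goes elsewhere.
        return ("suspicious", "userinfo before host")
    for good in trusted:
        if ascii_host == good or ascii_host.endswith("." + good):
            return ("trusted", good)
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return ("suspicious", "internationalised host not on allowlist")
    for good in trusted:
        if SequenceMatcher(None, ascii_host, good).ratio() >= threshold:
            return ("suspicious", "looks like " + good)
    return ("untrusted", ascii_host)


if __name__ == "__main__":
    # Constructed payloads, as a QR decoder would return them.
    samples = [
        "https://www.shop.example/offer",
        "https://sh0p.example/offer",
        "https://shop.example@collect.invalid/login",
        "https://sh\u043ep.example/login",  # Cyrillic 'o' in the host
        "https://collect.invalid/login",
        "WIFI:S:cafe;;",
    ]
    for s in samples:
        print(check_qr_payload(s), ascii(s))
```

A scanner would open only `trusted` results directly and show the full host with a warning for anything else.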
A related problem is addressed by the document U.S. Pat. No. 7,273,175 B2, which concerns hidden QR Codes in a QR Code tag: a slightly different chrominance is used for different squares of the QR Code, thus hiding a QR Code in a given QR Code label.
Hence, there is a need to identify QR Code labels that have been pasted over, and thereby replace, original QR Code labels.