QR Codes As Anti-Forgery On Currency Could Infect Banks

New submitter planetzuda writes "Invisible nano QR codes have been proposed as a way to stop forgery of U.S. currency by students of the South Dakota School of Mines and Technology. Unfortunately QR codes are easy to forge and can send you to a site that infects your system. Banks would most likely need to scan currency that has QR codes to ensure the authenticity of the bill. If the QR code was forged it could infect the bank with a virus."

289 comments

  1. Sigh. by ledow · · Score: 5, Insightful

    Only if they're stupid enough to execute code formed from non-executable input.

    1. Re:Sigh. by ciderbrew · · Score: 0

      They're stupid enough to execute code formed from non-executable input.

    2. Re:Sigh. by RyuuzakiTetsuya · · Score: 4, Interesting

      What I came to say. I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

      Maybe if the QR code was a URL. But you'd have to be stupid to do that too.

      A QR code that was a hash of the batch, the release series, the serial number and a salt, sure. This could be awesome. Otherwise? Not so much.

      --
      Non impediti ratione cogitationus.
    3. Re:Sigh. by Joce640k · · Score: 4, Informative

      Ummm....do QR codes have to be a URL? Why would a bank want to put URLs on their bank notes then visit the URL when they scan them?

      Whoever wrote that is a moron.

      --
      No sig today...
    4. Re:Sigh. by postbigbang · · Score: 5, Insightful

      The poster is confused. QR Codes are data, not actionable unless you take action on them. Moronic? That's a little rough. In need of a lot of education? Oh.Yeah.

      --
      ---- Teach Peace. It's Cheaper Than War.
    5. Re:Sigh. by Hazel Bergeron · · Score: 5, Funny

      A helpful rewrite for someone from a few years in the past:

      "Sequences of letters and numbers have been proposed as a way to stop forgery of U.S. currency by bored students of Michigan University. Unfortunately sequences of letters and numbers are easy to forge and can be typed into an editor, compiled, and run, infecting your system. Banks would most likely need to read currency that has sequences of letters and numbers to ensure the authenticity of the bill. If the sequences of letters and numbers were forged, typed into an editor, compiled, and run, it could infect the bank with a virus."

    6. Re:Sigh. by Anonymous Coward · · Score: 5, Insightful

      No, they can be plain text. It's always been part of the standard.

      Looks like the summary is just the usual flamebait, containing some stupid statement that commenters will feel compelled to correct.

    7. Re:Sigh. by jeffmeden · · Score: 4, Insightful

      They're stupid enough to execute code formed from non-executable input.

      Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over... Why, there is no way every single bank, even the podunk credit unions that dot the land near and far, can figure out how to run a completely public banking portal without getting completely pwned on their first day and having their vaults emptied. Wait, no, I have that backwards. Good security IS possible, it's just hard for most slashpundits to imagine since it is completely beyond them.

    8. Re:Sigh. by jeffmeden · · Score: 1

      What I came to say. I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

      Maybe if the QR code was a URL. But you'd have to be stupid to do that too.

      A QR code that was a hash of the batch, the release series, the serial number and a salt, sure. This could be awesome. Otherwise? Not so much.

      Quite right. I suspect near the beginning of the forgery algorithm there lies something to the effect of "if scanned_code.urlCheck == true { forgeryAlert(scanned_code) }" and certainly not "if scanned_code.urlCheck == true { browser(scanned_code.text) }". Just a five minute observation though, someone might have a better way to do that.

    9. Re:Sigh. by oneiros27 · · Score: 1

      A couple of years back, one of the Slashdot admin (Scuttlemonkey? Samzenpus?) gave an interview, and they mentioned that they specifically selected articles that they thought would provoke discussion.

      Which I interpreted as 'yes, we troll our users and put up complete flamebait'.

      Not having much luck finding it again, though.

      --
      Build it, and they will come^Hplain.
    10. Re:Sigh. by Anonymous Coward · · Score: 1

      As someone who has written a QR code encoder and created his fair share of malformed QR codes, I can attest that some very popular QR code readers are not at all robust. The only thing keeping them from doing something bad is that they're mobile phone software written in managed languages where the typical bugs just throw an exception and end the process.

    11. Re:Sigh. by gman003 · · Score: 4, Informative

      A QR code is just a text string. Or binary string, even (I think - haven't tried it yet).

      However, the most common use, so far, has been embedding URLs - most phone-app QR code readers automatically interpret the string as a URL and redirect you there, since that's generally what those users want. However, that's a feature of the particular scanner, not of QR codes themselves.

      The original author's mistake is thinking that's a fundamental design feature of QR codes - you scan them, it takes you to a website. Which, if it were true, would indeed be a glaring security hole. Which is why nobody would do such a thing.

    12. Re:Sigh. by Anonymous Coward · · Score: 0

      All computer programs are data, and only do stuff when executed. It is unlikely there is any QR code reader that deliberately executes the data it decodes - but a reader that contains a bug potentially writing data to the wrong place in memory? Not implausible.

    13. Re:Sigh. by Joce640k · · Score: 4, Interesting

      Would it even be a URL? A QR code is just binary data. I'm sure a bank would interpret them as a binary number, not a download link.

      --
      No sig today...
    14. Re:Sigh. by jhoegl · · Score: 1

      Agreed, if it attempts to go anywhere else, it just says "invalid".

      Done...
      That fix will cost you $5 million dollars + patent fees.

    15. Re:Sigh. by Chris Mattern · · Score: 1

      Which is why nobody would do such a thing.

      Oh, I wish I had your confidence. While it's true that the QR scheme doesn't contain any inherent security holes, a quick glance at security practices in the industry today does not fill me with confidence that someone won't introduce some.

    16. Re:Sigh. by Joce640k · · Score: 1, Redundant

      Moronic? That's a little rough. In need of a lot of education? Oh.Yeah.

      Disagree. The assumptions made by the poster are moronic, i.e. A bank would visit a web page whenever they scan a bank note.

      (then download all the content from that page and try to do something with it...LOL)

      --
      No sig today...
    17. Re:Sigh. by Joce640k · · Score: 4, Funny

      It's 1s and 0s...I can tell that just by looking at one.

      --
      No sig today...
    18. Re:Sigh. by postbigbang · · Score: 1

      This is why you parse data before you accept it as input. A QR code is unlikely to blow a parsing buffer because it contains a known maximum data read from the scanning device. You set the boundaries to a number and that's the bound/domain of the input source. Should it exceed that size, kill your code on the way to making an error message (should the buffer overflow be huge, thus not able to execute the error branch). E.g., standard buffer overflow execution prevention code technique(s).

      Nothing is impossible. Should you set your buffer length large enough for the input to be parsed/type-checked, it won't happen. Therefore, it's implausible in a bank reader that's going to scan thousands of bills in a minute as a duty cycle. Yes, there are stupid coders. Yes, there are smart forgers-- but you're not going to print a bill like that easily, either.

      --
      ---- Teach Peace. It's Cheaper Than War.
    19. Re:Sigh. by Joce640k · · Score: 2

      What if I got a Sharpie and wrote "FE0634E70F327A6B32C" on a bank note? Would they assume it was JVM bytecode and try to execute it for me?

      (If so, I can get the bank computers to generate Bitcoins for me...?)

      --
      No sig today...
    20. Re:Sigh. by tolkienfan · · Score: 1

      OMG there are some bits - the code might misinterpret them as a URL, load the destination and execute it!
      WTF seriously???

    21. Re:Sigh. by kelemvor4 · · Score: 2

      They're stupid enough to execute code formed from non-executable input.

      Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over... Why, there is no way every single bank, even the podunk credit unions that dot the land near and far, can figure out how to run a completely public banking portal without getting completely pwned on their first day and having their vaults emptied. Wait, no, I have that backwards. Good security IS possible, it's just hard for most slashpundits to imagine since it is completely beyond them.

      Recent history suggests financial institutions do not have a good deal of competence. Maybe they once did, but not in recent years.

    22. Re:Sigh. by ciderbrew · · Score: 2

      Can you post that chip and pin is safe next? How about cards can't be cloned?

    23. Re:Sigh. by Hazel Bergeron · · Score: 2

      Well, there's one way to guarantee an irrational, over-the-top response: write it clearly on a dollar bill then hand it to a TSA employee at your local friendly airport, grinning wildly.

    24. Re:Sigh. by Anonymous Coward · · Score: 0

      It happened on the TeeVee so it must be true.

      The bad guy in a Bones episode infected the FBI computer with a virus sent through the book's bar codes. So it must be possible.

    25. Re:Sigh. by Dishevel · · Score: 1

      He does not have to be a moron.
      He could be one of the many people I have met of around average intelligence without enough tech knowledge to fill a thimble.
      You know the people.
      He probably got here by typing "slashdot.org" into Google and clicking on the first link.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    26. Re:Sigh. by Anonymous Coward · · Score: 5, Insightful

      A QR code itself can NOT send you to a site. That is a 'feature' of certain apps running on smartphones etc.

      The Michigan University proposal does not suggest that banks should run any such browser-linked software. They essentially propose banks to run software that reads a QR code and validates that code, using algorithms and data that would not require a browser.

      This is the lamest conclusion I've seen yet on Slashdot - either flame bait or a submitter and editorial combined IQ of 50.

      Come on slashdot editors, keep it mildly informed or have standards fallen so low that it's time to move away from slashdot?

    27. Re:Sigh. by Anonymous Coward · · Score: 1

      Spoken like someone who has never done security work for a bank. Banks are often extremely stupid about this sort of thing until they get slapped by someone for it. If they are lucky it's a regulator.

    28. Re:Sigh. by Anonymous Coward · · Score: 0

      Can you point us at a QR reader that is robust?

    29. Re:Sigh. by jeffmeden · · Score: 2

      So, you would rather see more submissions like this one? (18 comments after 24 hours) Come on, trolls are a part of the internet, so they might as well be a part of slashdot submissions (god knows we see enough of them in the comments section). Be open to a little fun!

    30. Re:Sigh. by Anonymous Coward · · Score: 0

      More accurately they're *always* plain text (or more accurately plain data).

      There's nothing special about a URL stored in a QR code to show it's a URL - it just starts http:// and the reader interprets it as such. What it does with the URL is also up to the reader - it could open a browser, or it could just show it as a raw address, hyperlink, whatever.

    31. Re:Sigh. by msauve · · Score: 4, Informative

      Not to worry. The summary is trash, and you're correct about the submitter's IQ. Of course, if you've been here over a week, this sort of thing is simply expected from timothy. Anyone who can change "South Dakota School of Mines and Technology" to the non-existent "Michigan University" has serious comprehension problems.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    32. Re:Sigh. by tragedy · · Score: 5, Insightful

      I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

      That doesn't seem to be what this article is proposing, however. This article seems to be proposing that the scanners at the bank will read the QR codes on the notes, interpret the code into a URL, then direct a web browser to that URL and, if the URL is for a compromised site, the bank's computer will become infected.

      I've been reading Slashdot for 15 years. I'm not going to claim that all the articles in that time have been gems. This kind of thing almost makes me want to cry, however. It just seems to be happening more and more often.

    33. Re:Sigh. by Anonymous Coward · · Score: 0

      You'll have to do your own code review. I wouldn't trust a decoder in a security sensitive environment without a thorough review.

    34. Re:Sigh. by jpmorgan · · Score: 1

      The moronic part was so publicly expressing an opinion about something which the poster obviously knows so little.

      Better to keep your mouth closed and be thought a fool, than to open it and remove all doubt.

    35. Re:Sigh. by TwentyCharsIsNotEnou · · Score: 0

      But only if they're intelligent enough that they can somehow check all these URLs at the speed they can flick through notes.

      Hmm... sounds like a great way of performing the most expensive DDoS attack ever!

    36. Re:Sigh. by ciderbrew · · Score: 1

      Little Bobby Tables has money.
      Sure, it doesn't have to go to a URL. All it does is read in data and then do something with it. There are people here that would love to feed in the wrong data to see what happens. There are people here that would love to feed in combinations of correct data and see what happens.
      When you've broken it, what data of your own can you feed in after? The more complex they make the QR system the better.
      My 50IQ isn't the IQ you have to worry about. It's the code monkey with the 50IQ doing a job he hates, plus the guy with 50IQ and an idea about how to break something and too dumb not to try. The guy with a 50IQ that got a promotion to the top. You read about that dick all the time. The error doesn't need to be interesting, just doable is a reason for some.

    37. Re:Sigh. by Anonymous Coward · · Score: 0

      They're stupid enough to execute code formed from non-executable input.

      Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over... Why, there is no way every single bank, even the podunk credit unions that dot the land near and far, can figure out how to run a completely public banking portal without getting completely pwned on their first day and having their vaults emptied. Wait, no, I have that backwards. Good security IS possible, it's just hard for most slashpundits to imagine since it is completely beyond them.

      You're right, banks never fuck up. Let's put blind faith in them to do it right! Oh, wait... http://news.slashdot.org/story/12/09/13/0110201/chip-and-pin-weakness-exposed-by-cambridge-researchers

      Bummer.

    38. Re:Sigh. by causality · · Score: 1

      He does not have to be a moron. He could be one of the many people I have met of around average intelligence without enough tech knowledge to fill a thimble. You know the people. He probably got here by typing "slashdot.org" into Google and clicking on the first link.

      Sure thing - I do know the people. They have one trait that makes no sense whatsoever. If they would question whether it makes sense, I believe they would abandon it, but sadly even a minor amount of introspection is ... unpopular these days. I'll explain it with a counter-example:

      I do not have enough neurosurgery knowledge to fill a thimble. It follows that you won't see me on medical forums, making claims and taking positions and displaying strong opinions about brain surgery. If I went to such forums at all, I might ask questions in the humble manner of one seeking to learn from those possessing knowledge I know I don't have, but that would be the limit. After all, I wouldn't have the background, the experience, or the education (self- or institutional) to do much else.

      Likewise, while I do drive a car, I am not a mechanic. You won't see me on auto enthusiast forums arguing with experienced mechanics about how to build an engine. You won't see me making dubious claims about the performance or disadvantages of an engine I know nothing about. I'm simply not qualified to have a valid opinion.

      What's magical about information technology? What is it about this particular branch of knowledge that makes people think this does not apply?

      --
      It is a miracle that curiosity survives formal education. - Einstein
    39. Re:Sigh. by rickb928 · · Score: 1

      Precisely. This is as stupid as it gets. And beneath /.

      1. Any reasonably well sanitized input scheme will refuse to execute the input. I deal with this on a daily basis as we push our dev team into solving input problems where a 'special' character is required. Our users who might try to input executables will be frustrated. Any banking system that is allowing this now has already been pwned.

      2. The QR codes need only be limited to 'data'. With no clear need to use characters below ASCII 48 or above ASCII 132, the risk is minimal.

      3. Keep it simple, sort of. Hash the nanocode and serial. Numbers. Not so bad. Add in the Federal Reserve Indicator (hell use THAT as nanocode), and we have factors.

      This is just not a problem. Banks that can't handle that can't handle anything. Let them die. It won't be a loss.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    40. Re:Sigh. by TWX · · Score: 4, Informative

      There's absolutely no reason for a currency validity checker to use a URL. There's no reason for it to use anything other than a defined standard created by the central banking authority that prints legitimate bills.

      Any data in a QR code that is invalid should only be marked as invalid and the bill sorted aside for later, manual investigation. No "action" with the data itself is required. It shouldn't matter if the data is a URL or an IP address or "echo y|format C: /q". There should be nothing processed but an ack that the data doesn't correspond to correct ranges.

      When a human checks the contents of the flagged bill, the human decides what to do, and more importantly doesn't use a computer on the network with the processing machine. It doesn't then matter if that human is stupid, they don't infect the whole bank if they're so stupid that they load a URL.

      --
      Do not look into laser with remaining eye.
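
An added example, not code from the thread or from the SDSM&T proposal, of the validator that TWX, postbigbang, RyuuzakiTetsuya and rickb928 sketch above: the decoded QR payload is treated purely as data, bounded in length, held to a fixed ASCII layout, and checked against an HMAC over the note's fields; anything else, a URL included, is simply reported invalid and held for manual review. The field layout, the key and the sample payloads are constructed for illustration.

```python
"""Currency-note QR payload validator (constructed example, not an issuer's code).

The scanner output is never interpreted as a URL, a command or anything else
actionable: it is bounded, matched against a fixed layout, and authenticated.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed key for the example; a real issuer would keep this in an HSM.
ISSUER_KEY = b"example-issuer-key-not-real"

# Fixed layout (assumed for illustration): 1 char Federal Reserve indicator,
# 4 digit series, 8 char serial, 4 digit batch, 32 hex chars of truncated
# HMAC-SHA256. Exactly 49 characters; nothing longer is ever considered.
PAYLOAD_RE = re.compile(r"^([A-L])(\d{4})([A-Z0-9]{8})(\d{4})([0-9A-F]{32})$")
MAX_LEN = 49
TAG_HEX_LEN = 32


@dataclass(frozen=True)
class Verdict:
    valid: bool
    reason: str
    fields: tuple = ()


def _tag(reserve: str, series: str, serial: str, batch: str) -> str:
    """Truncated HMAC-SHA256 over the note's fields, upper-case hex."""
    msg = f"{reserve}{series}{serial}{batch}".encode("ascii")
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest().upper()[:TAG_HEX_LEN]


def mint_payload(reserve: str, series: str, serial: str, batch: str) -> str:
    """Build the well-formed payload the printer would encode into the QR code."""
    body = f"{reserve}{series}{serial}{batch}"
    if not PAYLOAD_RE.match(body + "0" * TAG_HEX_LEN):
        raise ValueError("fields do not fit the fixed layout")
    return body + _tag(reserve, series, serial, batch)


def validate_scan(raw: bytes) -> Verdict:
    """Decide valid/invalid for one decoded QR payload without acting on it."""
    # 1. Bound the input before anything else touches it.
    if len(raw) > MAX_LEN:
        return Verdict(False, "oversized payload")
    # 2. Only ASCII text is even a candidate; arbitrary bytes are rejected.
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return Verdict(False, "non-ASCII bytes")
    # 3. Fixed layout: a URL, free text or shell fragment never matches.
    m = PAYLOAD_RE.match(text)
    if not m:
        return Verdict(False, "layout mismatch")
    reserve, series, serial, batch, tag = m.groups()
    # 4. Constant-time comparison of the authentication tag.
    if not hmac.compare_digest(tag, _tag(reserve, series, serial, batch)):
        return Verdict(False, "bad authentication tag")
    return Verdict(True, "ok", (reserve, series, serial, batch))


def sort_batch(scans):
    """Route each scan: good notes proceed, everything else is set aside."""
    accepted, held = [], []
    for raw in scans:
        v = validate_scan(raw)
        (accepted if v.valid else held).append((raw, v.reason))
    return accepted, held


if __name__ == "__main__":
    good = mint_payload("B", "2009", "B1234567", "0042").encode("ascii")
    tampered = good[:-1] + (b"0" if good[-1:] != b"0" else b"1")
    url = b"http://example.invalid/"          # constructed, never visited
    oversized = b"A" * 5000                    # far beyond the fixed layout
    ok, hold = sort_batch([good, tampered, url, oversized])
    print("accepted:", len(ok))
    for raw, reason in hold:
        print("held for review:", raw[:20], reason)
```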
    41. Re:Sigh. by TWX · · Score: 1

      I guess investigators are safe from tubgirl and goatse and lemonparty then...

      --
      Do not look into laser with remaining eye.
    42. Re:Sigh. by Dr.Dubious DDQ · · Score: 1

      It kind of drives me nuts the way everyone assumes a QR code means "a website address", when you can use it for all kinds of arbitrary text...

    43. Re:Sigh. by HappyHead · · Score: 1

      You know Diebold (of the easily hacked voting machines scandal) still makes ABM banking machines, right? I mean, yeah, they changed the name of their voting machine division to try and get around the shame, but they're still the same people. (Seriously, in my old city, I found their logo on almost a quarter of the bank machines, and that's in Canada - they're more popular in the US.) They handle a lot of your money going in and out of those machines, including the scanners that recognize what currency is being fed into the slot.

      Are you really sure they're smart enough to avoid executing any of the recognition data? _Really_ sure? Are you sure the same laziness that caused issues with their voting machines will never ever happen again, from them, or from any of the other (several) private companies that make those machines? It doesn't even have to be the whole company - all it takes is one lazy programmer setting up the recognition software not bothering to prevent a buffer overflow or something else dumb like that, and suddenly a stolen bank card and a plain white slip of paper with a fancy QR code will pwn your local "QR enabled" bank machine.

      The problem is, people look at QR codes, and they think "Woo! That's like, SUPER ENCRYPTED!", when really, it's no more encrypted than the plain text serial numbers already printed on every bit of paper currency already, and a whole lot less practical, since the people looking at it won't be able to easily recognize if there's a duplicate, or fake. The only advantage QR codes have is that they can be easily machine-interpreted and can contain things like URLs so small devices like cell phones don't need the user to manually type in the whole URL to visit a website. The only useful bit involved in putting a QR code on a bill would be if they were used to hold a digital copy of the serial numbers, but there are other ways of making a simple, predictable thing like serial numbers on a bill computer recognizable. They're always the same colors, on the same background, using the same font. The software that recognizes and interprets QR codes is actually _more_ complex than the software needed to recognize printed serial numbers under those circumstances.

    44. Re:Sigh. by aicrules · · Score: 1

      Yes, but the fervor of QR Codes that has unfortunately gripped the mobile engagement world assumes a LOT about what QR Codes will do. So yes, if someone knew that a bank had a currency QR Code scanner with an exploitable flaw, they could cause some amount of trouble. But this article is so riddled with a complete misunderstanding of all technologies that would be involved that I barely have the will to finish posting this response.

    45. Re:Sigh. by Anonymous Coward · · Score: 0

      That's not always possible. What if the QR code, being so short, contains compressed data? If you "parse" it, there could be a bug in your parser that causes it to get stuck in an infinite loop when reading certain patterns (causing a DoS) or it loops too many times and writes some state data just past the end of an array (a buffer overflow.)

      I think the real ignorance here is people assuming a QR code, or any data for that matter, is safe simply because you're not "executing" it. This is the same thinking that made people once laugh about the idea of getting a virus just by viewing an image. Until it happened, of course. You may not be intending to execute the data, but all it takes is just one bug to do exactly that.

    46. Re:Sigh. by mlts · · Score: 1

      Maybe add a cryptographic signing mechanism combined with a sanity check limiting the URL to a certain domain and tree structure?

      That way, even if someone did manage to get the private key, the damage done would be limited.

    47. Re:Sigh. by Bill_the_Engineer · · Score: 1

      Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over...

      Let me paraphrase a famous disclaimer given by the banks themselves, "Past performance is not an indicator of future results". These are the same institutions that played hard and fast with complicated financial instruments that ultimately blew up and dragged most of the world economies into a deep recession and needed government intervention to prevent full collapse.

      On a topic actually related to IT, there are news reports of banks sending out letters to customers about possible breaches of security and the customer's personal information may have been collected for the purpose of identity theft (My bank sent me a notice several years ago).

      Pardon me for being skeptical...

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    48. Re:Sigh. by Jellodyne · · Score: 1

      I think I saw a 2!

    49. Re:Sigh. by Yvan256 · · Score: 1

      Did you see the blonde, the brunette and the redhead over there?

    50. Re:Sigh. by mlts · · Score: 2

      Some institutions are extremely good at keeping their flies zipped up. Others have fallen into the "security has no ROI" trap that seems to be the PHB mating call.

      In the past, banks had a reputation to uphold, so a security breach would be extremely damaging with accountholders moving elsewhere. These days, because it is so hard to move to another provider, coupled with the bar lowered so low about perceived security, a security breach may not be something a bank cares about unless it is a regulator they would find hard-pressed to fight in court due to bad PR.

    51. Re:Sigh. by Dishevel · · Score: 1

      Because they have a computer and can make use Google to go to the interwebs.
      They are fully capable of watching cat videos on The Youtube and are fully versed on the pros and cons of PC vs iPhone.
      Also, they have a brother who is a hacker on counter strike.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    52. Re:Sigh. by Anonymous Coward · · Score: 0

      He does not have to be a moron. He could be one of the many people I have met of around average intelligence without enough tech knowledge to fill a thimble. You know the people. He probably got here by typing "slashdot.org" into Google and clicking on the first link.

      How else would one get to slashdot?

    53. Re:Sigh. by Anonymous Coward · · Score: 0

      He does not have to be a moron.
      He could be one of the many people I have met of around average intelligence without enough tech knowledge to fill a thimble.

      I have enough car knowledge to fill a thimble. That alone does not make me a moron.

      If I started writing articles about cars using my limited knowledge, that would make me a moron.

    54. Re:Sigh. by j00r0m4nc3r · · Score: 1, Flamebait

      This is the lamest conclusion I've seen yet on Slashdot - either flame bait or a submitter and editorial combined IQ of 50.

      Who has the lower IQ, the submitter, or the person who doesn't understand that encoded QR-code data could easily exploit a bug in the QR-code decoder library to execute arbitrary code? Not saying it's likely, but definitely within the realm of possibility. Remember the JPEG decoder exploit?

    55. Re:Sigh. by postbigbang · · Score: 1

      Hee hee. You're stretching. Your arms will get tired if you do it too long.

      We're pros, or at least try to be. You can execute on lots of bad input and strange stuff will happen. It's the context of the process that defines checking the inputs and moving on appropriately. Bugs? Yeah, there are lots. Wise decisions? It's a fucking bank.

      Oh, wait....

      --
      ---- Teach Peace. It's Cheaper Than War.
    56. Re:Sigh. by Anonymous Coward · · Score: 0

      Only if they're stupid enough to execute code formed from non-executable input.

      Absolutely... the idea of being "infected via Q.R. code" is ridiculous.

    57. Re:Sigh. by Bill_the_Engineer · · Score: 1

      I agree with your comments concerning URL encoding. The only risk I can think of with QR codes is the possibility of a buffer overflow that allows executable code embedded in the QR code to execute. You'd think we've now reached the age of thoroughly testing our code and managing our buffers well enough to keep the possibility of such an attack in the realm of fantasy.

      Of course there is always a software company out there that proves us wrong.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    58. Re:Sigh. by dolmen.fr · · Score: 5, Insightful

      Who said that the QR code will encode an URL?
      This is not written in the engadget article, and that's the main erroneous assumption of the Slashdot poster (planetzuda).

    59. Re:Sigh. by Joce640k · · Score: 1

      What if the QR code, being so short, contains compressed data?

      It won't.

      a) The info on a bank note will be fixed size.
      b) You can't *guarantee* that data can be compressed so you have to allow for it to not shrink.
      c) If you're allowing for fixed-size data to not be compressible you simply don't compress it.

      QED.

      PS: It wouldn't happen anyway. QR codes can be any size - you just make them bigger as needed.

      --
      No sig today...
    60. Re:Sigh. by firewrought · · Score: 1

      I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

      Sure about that? 40-L gives you almost 3000 bytes.

      I agree with ledow that it's a bogus concern, but only if the banks (or the banks' equipment makers) hire competent programmers. (Which is not the case too often, sadly.)

      --
      -1, Too Many Layers Of Abstraction
    61. Re:Sigh. by causality · · Score: 1

      Because they have a computer and can make use Google to go to the interwebs. They are fully capable of watching cat videos on The Youtube and are fully versed on the pros and cons of PC vs iPhone. Also, they have a brother who is a hacker on counter strike.

      Yes, arrogance/pridefulness is just about the only explanation. They scratch the surface and think they've conquered the world. It's the only way people think their ignorance is just as good as someone else's knowledge, to borrow a phrase from Asimov.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    62. Re:Sigh. by Anonymous Coward · · Score: 0

      http://i.imgur.com/haspR.jpg

      I should hope banks sanitize their input a little better.

    63. Re:Sigh. by 14erCleaner · · Score: 1

      Anyone who's read "Snow Crash" knows what is possible.

      --
      Have you read my blog lately?
    64. Re:Sigh. by kenh · · Score: 1

      "containing some stupid statement that commenters will feel compelled to correct."

      Better to let stupid statements stand than challenge them? That would be illogical.

      --
      Ken
    65. Re:Sigh. by MarkGriz · · Score: 1

      Moronic? That's a little rough. In need of a lot of education? Oh.Yeah.

      Correct.

      Timothy is the moron here for allowing someone to submit his own story and draw his own conclusion based on 3 different QR code related articles.

      --
      Beauty is in the eye of the beerholder.
    66. Re:Sigh. by MysteriousPreacher · · Score: 0

      That kind of exploit is theoretically possible in pretty much any computer program that accepts input and where the necessary bug exists.

      QR codes are nowhere near being novel enough to warrant the conclusion reached by the submitter. The story is baloney. Val Kilmer's new girlfriend could give him AIDS. Not saying it's likely she is infected with HIV, but definitely within the realm of possibility. Remember how Magic Johnson contracted HIV from one of his many sexual partners?

      --
      -- Using the preview button since 2005
    67. Re:Sigh. by Anonymous Coward · · Score: 0

      There are a few reasons why their complaints about this idea are stupid.

      1. Why in God's name would you program it to just... run any code it finds by default. Would it not make more sense to just output the decoded QR code directly to text and see what it says?
      2. Why in God's name would the scanner be connected to the internet?!? Or any network of any sort. Is the text from the decoded QR code a valid output for legal currency? If yes - good. If not - counterfeit.

      Or you know, instead of half-baked ideas for what to print on currency, you could just switch to the currency Australia uses, and what Canada is halfway to switching to. Been around for years and years (in Australia and other places), has never been successfully, convincingly counterfeited yet.

      I guess you could cram the stupid QR code on there if you wanted.

      Actually, that'd just make bills trackable. Have the QR code go to a 'where's washington' type site, where it tracks where the bill has been scanned. Of course, all retailers will be mandated to use new machines that scan the QR code.

      Shit, I've said too much.

      Well, you read it here first... an approximate idea as to how they will make bills trackable. Perhaps coins too, if they get ambitious.

    68. Re:Sigh. by c · · Score: 1

      Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over...

      Are we talking about the same institutions who operate ATMs built by the same companies who make those insecure bug-riddled voting machines?

      Because if we are then yes, it's actually not a bad assumption.

      --
      Log in or piss off.
    69. Re:Sigh. by DeadboltX · · Score: 1

      I'm a bit confused about how a hash would help. I assume that all information except for the salt would be plainly visible on the bill, or else there would be no way to confirm the contents of the hash are correct. If you had a reasonable collection of bills with all of this visible information then you should be able to derive the salt eventually. At that point there is nothing stopping a counterfeiter from producing passable qr codes on their bills. I have my doubts about the salt remaining secret for even that long, as any device made to verify the qr codes would have to have the salt embedded in it somewhere, waiting for hacker eyes to reveal it.

    70. Re:Sigh. by DarkOx · · Score: 1

      That was my first thought. Not sure what types of forgery they are aiming to protect against. One common attack is bleaching. Basically the counterfeiter tries to erase the print on a small bill like a $5 and replace it with that of a $100.

      If say the Treasury signs the bill's serial number with their private key, banks would be able to make sure the value encoded in the QR matches the serial number on the bill and has a valid signature using the Treasury's public key. They could then check a database to make sure that serial number is valid for the denomination and the year.

      Now an attacker can't pwn the bank using the QR unless the bank is aggressively stupid. After all the scanner is not taking any action based on the content of the QR; it does the same lookups no matter what bytes come out of decoding the QR and always treats them as data, never code. They match the database or not, the signature is valid or it's not. The same fixed number of bytes are read every time, extra data is ignored, so no overflows should happen. It's SAFE.

      Attackers could clone a valid bill. This would be detected by the fact that if the Bank has seen the same bill checked in twice, there is a problem, and again they could test to see if the bill has shown up at other branches too recently as well.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    71. Re:Sigh. by DarkOx · · Score: 2

      The real source of the problem is government. FDIC has taken the reputation out of banking. As a depositor I don't care if the bank gets knocked over because I know it's insured at no cost to me anyway. Well, it does cost me actually, as the insurance fees are passed on in the form of lower rates.

      Now if it were not for government intervention, banks competing for depositors would be strongly incentivized to protect their reputation for not losing customers' money, EVER, as it would be the major selling point. This is why banks chose names like Bank of Granite in the first place. They wanted to sound and look like immoveable, impermeable objects.

      If you want more, smaller banks, people would want to spread their money around more places rather than risk it for the convenience of one big nationwide chain, and one provider.

      And/Or if you want banks to be more conservative and take security (of all kinds) seriously, you get rid of government backed deposit insurance.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    72. Re:Sigh. by Transkaren · · Score: 1

      * FIX

      They're stupid enough to execute code formed from non-executable input.

      * FIX OVER

      Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over... Why, there is no way every single bank, even the podunk credit unions that dot the land near and far, can figure out how to run a completely public banking portal without getting completely pwned on their first day and having their vaults emptied. Wait, no, I have that backwards. Good security IS possible, it's just hard for most slashpundits to imagine since it is completely beyond them.

      My spouse used to do IT at a financial institution. Some of her tales scared the hell out of me - I don't keep any money at that bank anymore. Not that I ever had much to keep there in the first place, mind.

      --
      -If it's worth doing, it's worth doing well.
    73. Re:Sigh. by Belial6 · · Score: 2, Interesting

      My number one use for them is to use them as a shared clipboard from my PC to my phone. Sure, there are dozens of ways to get text transferred over, but I have found the easiest way for me is to copy the text, paste it into the QRCode website I have pinned to my taskbar, and scan it with QR Droid. No, I don't do that with data that I would be worried about the site stealing. It is mostly package tracking numbers.

    74. Re:Sigh. by fatphil · · Score: 1

      Don't blame (just) the submitter of the article - you've forgotten that on /. there are editors whose job it is to vet the contents of the artic... ... oh, scratch that.

      --
      Also FatPhil on SoylentNews, id 863
    75. Re:Sigh. by Anonymous Coward · · Score: 0

      They could then check a database to make sure that serial number is valid for the denomination and the year.

      No database lookup needed...just include both the serial number and denomination in the signed data. You might also want to include the series and the mint where it was printed, though that's not necessary. Alternately, the treasury could generate separate keys for each denomination and banks could store all 7 (or the ones they care about...banks usually don't worry about people counterfeiting bills below $20s) public keys and verify with the appropriate key for the denomination of the bill.

    76. Re:Sigh. by srmalloy · · Score: 1

      The original author's mistake is thinking that's a fundamental design feature of QR codes - you scan them, it takes you to a website. Which, if it were true, would indeed be a glaring security hole. Which is why nobody would do such a thing.

      Reading the original article about using QR codes on bills, my first thought was that a validation device could read the serial number off the bill, the denomination of the bill, and put them through a hash function, then compare the hashed value against the value encoded in the QR tag. The validator would be entirely standalone -- it could, for example, be embedded in a new model of the machine banks use now for counting stacks of bills, kicking bills that failed validation into a second bin for a manual check.

    77. Re:Sigh. by Anonymous Coward · · Score: 0
    78. Re:Sigh. by Nikker · · Score: 1

      A QR code is not much more than a 2D barcode. A 2D barcode is a 2D array of pits/lands, black/white that translates to a binary equivalent. What you do with it from there is up to the hardware and software. The scanner might be looking for, let's say, 256 bits; you pop in a bill with 254 and it might hang, the next bill gets put in and could take it a step further. Maybe one bill gets put through with a valid code but only partially there or the EOL (or equiv) gets left out or put in early. Maybe one gets scanned with nothing but garbage or EOLs all the way through.

      All of these are just possibilities, I bet there are many more.

      If there really are any developers commenting on this thread and you still say "But why would they do X, that wouldn't make any sense!", then you need to ask mom for an outdoor pass and work with any company for at least a month then come back and share.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    79. Re:Sigh. by skelly33 · · Score: 1

      That doesn't make sense. You don't want a piece of paper with a serial number plus a certificate that validates itself, "trust me, I'm so legit!" You encode minimal information onto the paper and validate externally just as the GP suggested. It can be compared to SSL certificates - unless it has that externally verifiable data source (the CA) then the validation is not accepted.

    80. Re:Sigh. by toriver · · Score: 1

      Um, if a programmer writes a single piece of code that _presumes_ anything about input, you fire his sorry ass: The QR code has a number of bits that you know when you start scanning, and in the worst case you use a dynamic buffer since a QR code is finite.

    81. Re:Sigh. by skelly33 · · Score: 1

      Cute trick, I like it :^)

    82. Re:Sigh. by toriver · · Score: 1

      Does not start with 0xCAFEBABE, would thus be rejected by the JVM as a bytecode format error.

    83. Re:Sigh. by skelly33 · · Score: 1

      What article are you referring to exactly? The Engadget summary says nothing about reading the codes and sending them to URLs. The press release linked to it also says nothing of the kind. It wouldn't even make any sense to do this unless, for example, you expect every vending machine on the planet to be internet connected. If a bill-handling machine can read in a bill, optically/magnetically/otherwise read the plain text face serial number or the metal strip inserted, and micro-optically read and decipher this QR code and get a match, it can be used to accept or reject the bill that was inserted. Think ATM, change machine, parking pay stations, toll booths, etc. None of those things need the internet, or a URL, to get a useful function out of such a system, so it doesn't make sense to include a URL. I see nothing of what you suggest the article is proposing in either location. (Have they since been edited out of shame?)

    84. Re:Sigh. by skelly33 · · Score: 1

      And what if the salt was more than two characters whose bits were distributed throughout the hash, and changed with every one? It would be pretty tough to spot, I think. Ultimately you're right - any crypto is subject to eventual cracking, but what's critical is the ability to add a microscopic fingerprint on the bill that counterfeiters cannot do at this point in combination with it. I think over the long term, the U.S. Treasury is simply going to have to set up a moving target, continually changing the face of the dollar with one trick after the next to keep counterfeiters on a rotating obsolescence plan. The more elusive the trick, the longer it will take them to replicate the capability. In this case, the micro printing with specialized ink AND a cryptographic model would all need to be figured out - that will take time.

    85. Re:Sigh. by Anonymous Coward · · Score: 0

      I agree, it's pretty obvious that the machine to check the bills would be locked to a single reference point... Or that seems obvious to me.

    86. Re:Sigh. by Anonymous Coward · · Score: 0

      I don't believe that a bank's proprietary software is going to read a QR code and blindly launch it with Internet Explorer.

    87. Re:Sigh. by Archangel+Michael · · Score: 1

      Information IS Magic .. to many people who do not possess it. THAT is the key.

      "Any sufficient level of technology is indistinguishable from magic!"

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    88. Re:Sigh. by plover · · Score: 1

      Who said that the QR code will encode an URL?
      This is not written in the engadget article, and that's the main erroneous assumption of the Slashdot poster (planetzuda).

      It's not an erroneous assumption at all. The banks wouldn't print a URL in their QR code, but we're talking about an attacker modifying a bill, not the bank.

      QR codes encode data, and that data can include ways to automate the processing of it. Smartphone QR reader applications know how to parse many recognized QR keywords, which include sms:, smsto:, mms:, mailto:, tel:, geo:, market:, youtube:, and of course http: and https:. While it's highly unlikely, it's not impossible that the bank's software reading the QR codes might interpret one of the known keywords and take an action.

      An attacker would encode a malicious URL and print it on the bill, with the expectation that the bank would scan the code while in the normal course of verifying the currency. They'd be betting on the off-chance that there's something wrong with the security of the QR reader software in the bank's system, in hopes that their bill verifier would become corrupted in some way.

      Think about it: for an attacker, having a zombie machine inside a bank's firewall would be like downloading a gold bar. And the risk? Virtually zero. Print up a bunch of nano-sized QR dots, stick them on your banknotes, and go spend them. Nobody will be able to trace that cash back to you. At some point in its future, that note will flow through a bank's verifier, and then you might get lucky.

      It's no different than someone printing a QR code containing a URL that points to some malware site and sticking it on a movie poster, hoping that some idiot with their phone will read it and get infected.

      Of course, a good tactic for the bank would be to have the U.S. Secret Service follow up on any illicit URLs they found embedded in the cash. They'd be able to proactively ID the malware server before even connecting to it, catching the bad guys unawares.

      --
      John
    89. Re:Sigh. by LWATCDR · · Score: 1

      Kind of what I thought. If the QR code has a URL then it is not valid currency, end of statement. I find the very idea that anyone would just execute whatever was in the QR code as kind of dumb IMHO. What I do not understand is how exactly QR codes are going to make counterfeiting harder since they are easy to reproduce.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    90. Re:Sigh. by Anonymous Coward · · Score: 0

      You're describing a basilisk hack.

      The problem is:
      basilisk hacks require a mechanism to get the target system to execute their content as code. Since executing a blob of image data as code is the computational equivalent of eating food you found in the sewer, you're probably going to have to use something more circuitous. Inserting a URL that leads to a drive-by JavaScript attack or an old fashioned buffer overflow sounds plausible in the general case. However we're talking about a bill verification scheme which would work something like this:

      The QR code is a randomly generated GUID which identifies that bill. The bank scanner has access to a database of hashes of salted valid GUIDs. The scanner reads the QR code, getting a string containing the GUID, which it hashes and then looks up the hash in the database.

      There's no opportunity for a URL injection since the system never parses the data as a URL. You could get a buffer overflow if the system were poorly coded, but that would require poor craftsmanship on the part of the programmers and it would only compromise the scanning machine. You couldn't even get a list of valid GUIDs since all the database contains are the hashes. Furthermore this would provide no new vulnerabilities over what's possible with existing OCR units (like the one my bank already uses to process deposit and withdrawal slips).

      As a final point, I'm not even a security expert and I'd be harder pressed to figure out how to make something vulnerable to a basilisk like that than to avoid the vulnerability. If your bank's security experts are worse at their job than I would be, you should probably get a different bank anyway.

    91. Re:Sigh. by plover · · Score: 1

      Any data in a QR code that is invalid should only be marked as invalid and the bill sorted aside for later, manual investigation. No "action" with the data itself is required. It shouldn't matter if the data is a URL or an IP address or "echo y|format C: /q". There should be nothing processed but an ack that the data doesn't correspond to correct ranges.

      Nobody here is arguing that they should do anything else. But people are instead arguing that the reality is different, and that stupider things have happened to many institutions that should have known better.

      Consider this scenario: John's First National Bank and Laundromat decides they need verifier software. They outsource the writing to a cheap software contractor shop who doesn't care much other than they deliver on time. Developer at the shop says "I would be done faster if I download a QR reader library from the intarwebs." Developer downloads a copy of zxing and wires it into the app. Unbeknownst to everyone involved, he included the portion of the library that has keyword recognition built in, and will auto-launch a URL. Nobody thinks to test it with a URL, because their specs don't say anything about dollar bill QR codes with URLs encoded in them.

      It's not like every bank needs to have this happen. If even one bill verifier package in one bank contains this flaw, a tampered QR bill will flow through it at some point.

      Implausible? Spend enough time in Corporate America and you'll find it's not even improbable.

      --
      John
    92. Re:Sigh. by SharpFang · · Score: 3, Interesting

      I really wonder how critically faulty the system would have to be to scan in signature data and execute it. You could just as well create a license plate with SQL injection code to corrupt photoradars.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    93. Re:Sigh. by achbed · · Score: 2

      You're all not thinking clearly. The easiest thing for a counterfeiter to do is to simply duplicate the same serial number over and over. The QR code would only stop those that want to randomize their serial numbers. A copied note with a QR code will still validate all the way through the system. The bank would notice in the same way they do today - they check and make sure the serial numbers in the batch match the correct year and print facility (also on the bill), and then verify that there are no duplicate serial numbers within the deposit.

      What this would help stop (at least until the central private key is compromised) is "randomizing" of the serial numbers by counterfeiters. By using the serial number and signing it with a private key, it would at least increase the level of difficulty beyond that available to most counterfeiters. The resulting "pros" would need to get a copy of the private key in order to continue, which would involve conspiracy, hacking, bribery, or other methods to get it. Of course, those methods are just as effective now as they always have been.

      Encryption is only as strong as the weakest link. In this case, the weakest link is probably the underpaid, stepped on, underappreciated staff of the central bank.

    94. Re:Sigh. by IAmGarethAdams · · Score: 1

      > You know Diebold (of the easily hacked voting machines scandal) still makes ABM banking machines, right?

      They make Automatic Banking Machine Banking Machines? They're even more redundant than I thought!

    95. Re:Sigh. by Anonymous Coward · · Score: 0

      I think the problem is the naive understanding of what a QR code is.

      If you scan a QR code with a cell phone, it assumes it's a URL if it contains a HTTP:// in it. So while a bank scanning it is unlikely to visit an arbitrary URL, a cell phone certainly would, and digital cameras on cell phones can see into the IR spectrum.

    96. Re:Sigh. by scdeimos · · Score: 1
      I agree with most of what you're saying, except for this:

      The same fixed number of bytes are read every time, extra data is ignored, so no overflows should happen. It's SAFE.

      You can't guarantee that as QR codes can contain a variable amount of data. By increasing the row and column counts you can include more data which leads to the possibility of a buffer overrun in the reader library, depending on how badly it's written. The whole point of buffer overrun attacks is that they're exploiting known bugs in software. As with all user input, QR codes should be treated as tainted.
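
An added example, not code from any commenter here or from the press release, putting together the verifier that DarkOx (#70), the AC in #75, achbed (#93) and scdeimos (#96) sketch: the issuer signs a fixed-layout payload (serial, denomination, series) with a private key, and the bank, holding only the public key, accepts a QR decode of exactly one length, compares it against the printed face (which catches the bleached $5-to-$100 case), verifies the signature, and flags a serial it has already accepted. The note layout, field sizes, serial value and the choice of Ed25519 from Go's standard library are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed note format for this example only: layout and sizes are assumptions.
const (
	serialLen  = 11                                 // printed serial, e.g. "MB12345678A"
	payloadLen = serialLen + 1 + 2                  // serial || denomination || series
	codeLen    = payloadLen + ed25519.SignatureSize // exact length a valid QR decodes to
)

// Note holds the fields the verifier reads optically from the face of the bill.
type Note struct {
	Serial       string
	Denomination uint8  // 1, 2, 5, 10, 20, 50, 100
	Series       uint16 // e.g. 2009
}

// encodePayload lays the fields out at fixed offsets; nothing is self-describing.
func encodePayload(n Note) ([]byte, error) {
	if len(n.Serial) != serialLen {
		return nil, fmt.Errorf("serial must be exactly %d bytes", serialLen)
	}
	buf := make([]byte, payloadLen)
	copy(buf, n.Serial)
	buf[serialLen] = n.Denomination
	binary.BigEndian.PutUint16(buf[serialLen+1:], n.Series)
	return buf, nil
}

// MintCode is the issuer side: payload then an Ed25519 signature over it. Only the
// issuer holds the private key; banks are given just the public key.
func MintCode(priv ed25519.PrivateKey, n Note) ([]byte, error) {
	payload, err := encodePayload(n)
	if err != nil {
		return nil, err
	}
	return append(payload, ed25519.Sign(priv, payload)...), nil
}

var (
	ErrBadLength = errors.New("decoded QR is not exactly codeLen bytes")
	ErrMismatch  = errors.New("signed fields do not match the printed face")
	ErrBadSig    = errors.New("signature does not verify under the issuer key")
	ErrDuplicate = errors.New("serial already processed: possible clone")
)

// Verifier is the bank side; seen records accepted serials so a cloned note
// (genuine signature, same serial) is flagged on its second pass.
type Verifier struct {
	pub  ed25519.PublicKey
	seen map[string]bool
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, seen: map[string]bool{}}
}

// Check treats the decoded QR bytes purely as data: no scheme detection, no
// parsing beyond fixed offsets, and any length other than codeLen is rejected
// before a single content byte is looked at. A URL, an over-long code and a
// bleached note whose face now says $100 all fail without being interpreted.
func (v *Verifier) Check(qr []byte, face Note) error {
	if len(qr) != codeLen {
		return ErrBadLength
	}
	payload, sig := qr[:payloadLen], qr[payloadLen:]
	expected, err := encodePayload(face)
	if err != nil {
		return err
	}
	if string(payload) != string(expected) {
		return ErrMismatch
	}
	if !ed25519.Verify(v.pub, payload, sig) {
		return ErrBadSig
	}
	if v.seen[face.Serial] {
		return ErrDuplicate
	}
	v.seen[face.Serial] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // issuer key pair, constructed here
	genuine := Note{Serial: "MB12345678A", Denomination: 5, Series: 2009}
	code, _ := MintCode(priv, genuine)
	bank := NewVerifier(pub)
	fmt.Println("genuine:         ", bank.Check(code, genuine))
	fmt.Println("bleached to $100:", bank.Check(code, Note{genuine.Serial, 100, 2009}))
	fmt.Println("URL in the QR:   ", bank.Check([]byte("http://example.invalid/x"), genuine))
	fmt.Println("cloned note:     ", bank.Check(code, genuine))
}
```

The database lookup DarkOx mentions would sit after the signature check; the AC in #75's alternative of one key per denomination is a matter of choosing which public key to hand to NewVerifier.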

    97. Re:Sigh. by n7ytd · · Score: 1

      Only if they're stupid enough to execute code formed from non-executable input.

      Hey, it could happen. The most likely place in a bank to validate a bill is the ATM when a deposit is made, and who makes the ATM? Diebold. I see the headline 4 years from now: "ATMs declare George W. Bush winner of the popular vote."

    98. Re:Sigh. by Threni · · Score: 1

      No, but its non-proprietary software might.

    99. Re:Sigh. by shutdown+-p+now · · Score: 1

      This article is actually worse than your average type. The usual ones that posters lament about are those that don't seem to have any relevance to the primary topics here (i.e. politics and such). This one is actually a technical article, so it's quite on-topic; the problem is that it proposes and invites us to discuss a scenario that sounds like something from the plot of the "Hackers" movie. A person with even a basic understanding of tech involved here would immediately realize just how obviously bullshit-y the premise is. Nevertheless, some Slashdotter saw it fit to submit it, and some editor saw it fit to approve it. Truly a new low.

    100. Re:Sigh. by shutdown+-p+now · · Score: 1

      Why is he submitting an article to Slashdot, then?

      More importantly, why did the editors approve it? Or are you saying that they also get here in the same manner?

    101. Re:Sigh. by shutdown+-p+now · · Score: 1

      There are good trolls and bad trolls. Good trolls are when you can engage in a flamewar that, aside from the usual slew of "you're an idiot" comments, also has some insightful discussion over comparative technical merits of various options or some such. Good, kosher examples: iOS vs Android, Windows vs Linux, vi vs emacs, C vs C++. That's how you get those 600+ comment stories.

      Bad trolls are when you post something that is inequitably stupid. There's no discussion to be had here, the only thing you can do is post a "you're an idiot" comment and move on, it doesn't even warrant citing any references.

    102. Re:Sigh. by DMUTPeregrine · · Score: 1

      So you're proposing that no one making bank QR reader software anywhere, ever, will modify an existing QR reading program to add the ability to scan bank codes and forget to remove the ability to scan URLs and launch a browser.
      You have great confidence in the competence of outsourced programmers!

      --
      Not a sentence!
    103. Re:Sigh. by Anonymous Coward · · Score: 0

      Lame. I can tell just by looking at zero!

    104. Re:Sigh. by Brillegeit · · Score: 1

      If you're using KDE, "Klipper", the clipboard manager can do this for you automatically.

    105. Re:Sigh. by Anonymous Coward · · Score: 0

      Or the other assumption that fetching a url with http has the same security repercussions as opening it in a browser.
      If it expects to fetch 512 bytes from a url, then all it does is try that, and hang up if there is more than 512 bytes. It's a very different security profile to downloading the page, cascade-downloading all the referenced objects, then applying complex document transforms and executing scripts.

      Http is a shit protocol, but that is distinct from the megashit that is web browsers today.

    106. Re:Sigh. by b4dc0d3r · · Score: 1

      The "article" is most likely the summary, which is deduced from the given articles out of pure idiocy.

      If you read the summary, and not the articles, then tragedy (27079) makes perfect sense. If, on the other hand, you bypass normal slashdot protocol and read something longer than a paragraph (unless you vehemently disagree and wish to personally insult the poster), none of the articles could possibly have been edited to read as they do given the context in which they were presented.

      "First time accepted submitter planetzuda writes..." pure unadulterated nonsense. For Google rankings.

      First post if you click on the user's name, which I expected to be the slashdot profile:

      http://planetzuda.com/news/2012/09/12/anti-forgery-qr-money/

      DO NOT CLICK ON THAT!

      It starts thusly:

      Update: this article has been updated since people don't understand that the use of a URL was the only hack I proposed, but that doesn't mean it is the only type of hack possible. I could propose a ton of different hacks, but I am too busy. Any good security system should deny any URL or binary code that is invalid, but there are very few security systems that are good.

      In other words, physical materials are easily modified, therefore INSTANT HAXX0R ON ANYTHING.

      hosts file: add localhost redirect to:
      rcm.amazon.com
      www.tqlkg.com

      and more importantly anything this user ever does.

    107. Re:Sigh. by tragedy · · Score: 1

      I'm referring to the Slashdot article. Should have said summary I suppose:

      Unfortunately QR codes are easy to forge and can send you to a site that infects your system. Banks would most likely need to scan currency that have QR codes to ensure the authenticity of the bill. If the QR code was forged it could infect the bank with a virus.

      While infecting the computer with a virus isn't explicitly stated to be related to "send[ing] you to a site that infects your system", it's pretty implicit. Otherwise, the last sentence doesn't make any sense. It doesn't make any sense anyway. Might as well say: "if the serial number was forged it could infect the bank with a virus". The statement about QR codes directing to sites that infect computers at least provides some indication of where this drivel is coming from.

      There are three other articles linked to from the slashdot summary. The first is about putting infra-red visible QR codes in currency. Not really much different from bar-codes or just printed numbers. The second is about creating transparent overlays to hijack QR codes, which makes little sense since you could just overlay the entire thing rather than just part of it. The third is about how visiting URLs you don't know anything about can infect your computer, with the twist that the URLs are delivered by QR code.

      None of those articles are particularly new or interesting and none of them suggests any link between QR codes in money and banks being attacked by viruses as the summary implies. The whole thing is just depressing drivel.

    108. Re:Sigh. by tragedy · · Score: 1

      It's conceivable that someone somewhere might be that incompetent. Since bills with QR codes forged to point to malicious URLs are going to be obvious forgeries to any bill reader that isn't made incompetently. So, it would be pretty amazing for a bill to stay in circulation long enough to actually reach such an incompetently designed device.

      Trust me, I have very little faith in the security-awareness of modern banks. They think that adding three extra numbers to your card number but printing them only on the back of the card (but still providing them to every merchant you do business with) is an ingenious security innovation, after all. Even so, the kind of incompetence required to mess up so badly for this to be any sort of issue whatsoever would be truly epic. Ig Nobel prize epic.

    109. Re:Sigh. by Mr0bvious · · Score: 1

      the underpaid, stepped on, underappreciated staff of the central bank.

      Never in my life did I think I'd ever see that string of words put together....

      So... things are looking up, sounds great!

      --
      Never happened. True story.
    110. Re:Sigh. by chrismcb · · Score: 1

      Probably what is much more likely is someone who is sick will sneeze into their hand. Then grab the bill and hand it to the teller. The teller will grab the bill and hand it to the investigator. The investigator will run it through a machine, to verify the QR code or whatever is on the bill. Meanwhile the teller will talk to other tellers, and before you know it the whole bank is infected with the latest strain of the flu. Meanwhile the computers will still be humming along wondering why easily counterfeited QR codes are being used to prevent counterfeiting.

    111. Re:Sigh. by LordLimecat · · Score: 1

      Unless you mean to suggest that the entire financial meltdown was due to a security breach caused by poor security practices, I fail to see the relevance of your comment.

      Which would be an interesting theory, incidentally.

    112. Re:Sigh. by kaiser423 · · Score: 1

      Chrome to phone man. It works beautifully.

    113. Re:Sigh. by mrmeval · · Score: 1

      Go grab the old png library and then process a malicious QR code image with that library. It may or may not have enough payload, though QR codes can hold 7,089 bytes, which may be enough to infect a system, though it may only be enough to do a denial of scan attack. It is possible it could carry enough code to rewrite the in-memory software of the scanner to approve everything from that point on.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    114. Re:Sigh. by mrmeval · · Score: 1

      Holy Timex Datalink retrofuturo Batman!

      Upon closer inspection however a small lens at the position of 12 o' clock on the watch face indicated the mode of the wireless data transmission.[2] Data was transmitted from the CRT of the computer through a series of pulsating horizontal bars,[5] that were then focused by the tiny lens and inputted into the watch EEPROM memory through an optoelectronic transducer operating in the visible light spectrum. The CRT synchronization was possible only for systems operating on Windows 95 and Windows 98.

      http://en.wikipedia.org/wiki/Timex_Datalink

      Oh, someone pen test google goggles with malicious QR Codes for fun and...giggles.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    115. Re:Sigh. by lennier · · Score: 2

      Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over.

      Yes, that's pretty much it. We're that stupid.

      As evidence for the prosecution, I present: Flash, Java, JPEG, PNG, PDF, Word .DOC, SQL, PHP, ASN.1, and TCP/IP.

All of the above are either sandboxed-by-design programming languages that don't expose binary code, or simple data encapsulation formats that aren't even Turing-complete. They're all in common use in industry. We, our peers, our industry, trumpeted their safety and deployed them. You'd expect that it would be pretty simple for an implementation of a parser for any of these formats to at least not fail in catastrophically hilarious ways, eg, randomly snarfing a bunch of raw untrusted bytes into its runtime code page and then attempting to execute it. In much the same way that you might expect that the bricks a skyscraper is made from will not unexpectedly one day turn into penguins and fly away.

      You'd expect that, and you'd be dead wrong.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    116. Re:Sigh. by lennier · · Score: 2

      There's absolutely no reason

      Any data in a QR code that is invalid should only be marked as invalid

      It shouldn't matter

      There should be nothing processed but an ack that the data doesn't correspond to correct ranges.

      Ah, "should". The system administrator's favourite word.

      Followed closely by:
      "it can't"
      "did it just"
      "there's no way it just"
      "they say it's impossible that it could have"
      "their lawyers say they could never have foreseen that it would"
      "marketing give us every assurance that it absolutely probably maybe won't again"

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    117. Re:Sigh. by lennier · · Score: 1

      Um, if a programmer writes a single piece of code that _presumes_ anything about input, you fire his sorry ass

      Oh, if only that were true. But on the other hand, it would make my life as a sysadmin so much simpler I'd be out of a job.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    118. Re:Sigh. by lennier · · Score: 1

      This is why you theoretically parse data before you accept it as input.

But we all know that in the real world, parsing is for sissies, mathematical proofs of correctness are for NASA and ivory tower perfectionists, and languages with automatic array bounds validation are something no self-respecting genius C++ programmer needs. You just keep hammering on the keys until it compiles, test it once on perfectly-formed input until it stops crashing long enough to ship it, and then it's Operations' problem to work out how to patch it, and Marketing's to change the product name to something hipper-sounding once the users have put out the fires.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    119. Re:Sigh. by Kj0n · · Score: 1

This is no different from a money transfer, where people can enter a custom message. You get data into your system from an untrusted source and you have to be smart enough to sanitize it.

      In fact, I once checked if it was possible to inject javascript in a web banking application using a money transfer (while being paid to do so).

    120. Re:Sigh. by kelemvor4 · · Score: 1

      Unless you mean to suggest that the entire financial meltdown was due to a security breach caused by poor security practices, I fail to see the relevance of your comment.

      Which would be an interesting theory, incidentally.

      I meant to say the financial meltdown was because of poor business practices (in part, at least). I see no reason why they would have poor practices in one area of their business and not others.

    121. Re:Sigh. by Anonymous Coward · · Score: 0

      If the note verification algorithm sees "http://" as anything other than seven bytes, it's not "something wrong with the security of the software", it's something wrong with the moron who came up with the idea that a note verification algorithm should be able to do anything special with a URL.

      Designing software does not consist of taking an enormously complex blob of every single possible idea, and subtracting the ones that have security problems. You start with nothing, and only add the things you need. If the software is able to recognize a URL, the manager who came up with that idea should be taken out behind the barn and shot.

    122. Re:Sigh. by xenobyte · · Score: 2

That was my first thought. Not sure what types of forgery they are aiming to protect against. One common attack is bleaching. Basically the counterfeiter tries to erase the print on a small bill like a $5 and replace it with that of a $100.

      Smart, but still incredibly stupid.

      First of all, it will only work if the bills are all the same size. US currency is, but this isn't the case in many other countries.

      Second, it will only work if the paper is identical across all denominations. It isn't. Most countries include both distinct watermarks and holographic silver threads that are unique to each denomination, including the US.

Lastly, most countries (including the US) use a closely guarded method of computing serial numbers, signatures, etc., so either your copies will have invalid combinations or be exactly identical using a known good combination.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    123. Re:Sigh. by postbigbang · · Score: 1

      I see that you're classically trained..... in both worlds.

      --
      ---- Teach Peace. It's Cheaper Than War.
    124. Re:Sigh. by AdamWill · · Score: 1

      "It's not an erroneous assumption at all. The banks wouldn't print a URL in their QR code, but we're talking about an attacker modifying a bill, not the bank."

But if the system simply involves a QR code which encodes content that's essentially plain text to be evaluated, then the system which reads the QR code does not need to be capable of executing anything or following symlinks. You only need your QR reading code to follow symlinks out to the public internet if that's what the 'genuine' QR codes you're trying to read contain. No-one would be psychopathically stupid enough to invent a currency-verification system based on QR codes that were hyperlinks to the public internet, I'd hope.

If the software used to verify the QR codes weren't capable of following hyperlinks it doesn't matter how many evil hyperlinks you put into 'malicious' QR codes, the reader won't follow them and you'll have achieved precisely nothing.

    125. Re:Sigh. by AdamWill · · Score: 1

      "Consider this scenario: John's First National Bank and Laundromat decides they need verifier software. They outsource the writing to a cheap software contractor shop who doesn't care much other than they deliver on time."

      Why would they do that when, by the nature of currency, there will be exactly one system which everything from the National Bank to joe's laundromat would be following if they wanted to check the currency?

      You wouldn't go and hire a software contract shop to write your own verification system. You'd use the exact same verification system that every other small business in the country was using. It's not like you could get some kind of competitive benefit by having your own verifier. Does every laundromat in the country hire a Chinese OEM to build its own little machine to check for counterfeit bills currently? Of course not. They all just buy a counterfeit checker from the same giant company that sells the same counterfeit checkers to everybody.

    126. Re:Sigh. by Anonymous Coward · · Score: 0

      How would you tell if the QR code was all zeros? There wouldn't be a one to look at...

    127. Re:Sigh. by Anonymous Coward · · Score: 0

      Clearly a misunderstanding of how the QR code would be read. Still weak though in the "Thinking it through" category.

  2. If only... by Anonymous Coward · · Score: 5, Funny

    There was a way to scan a QR code without having an unpatched IE6 accessing the url in the code...

  3. not if programmers are 1/2 way competent by RichMan · · Score: 2

    A bank note QR code would refer to a single site. It would not go to "the world".
    Input hardening in such a case should be reasonably trivial. And if it failed to have the proper form it would be false.

    1. Re:not if programmers are 1/2 way competent by Jerry+Atrick · · Score: 1

      Actually a bank note QR code wouldn't hold a URL at all. QR codes encode arbitrary strings. Unless they're incredibly dumb implementing it the worst that would happen is it mistaking a serial number for a phone number and trying to call it. Not much chance of a scanner getting infected trying that!

    2. Re:not if programmers are 1/2 way competent by RabidReindeer · · Score: 1

      Actually a bank note QR code wouldn't hold a URL at all. QR codes encode arbitrary strings. Unless they're incredibly dumb implementing it the worst that would happen is it mistaking a serial number for a phone number and trying to call it. Not much chance of a scanner getting infected trying that!

      They're incredibly dumb. The QR code would probably become the infection string for a SQL Injection attack on the bank's servers.

    3. Re:not if programmers are 1/2 way competent by Zeromous · · Score: 1

      Oh no an injection *string* in memory! Swab the decks, pull down the mast. REVERSE COURSE!

      It seems the concern in this thread regarding this issue is proportional to the size of your /. UID.

      --
      ---Up Up Down Down Left Right Left Right B A START
    4. Re:not if programmers are 1/2 way competent by Anonymous Coward · · Score: 0

No, the real QR codes would be a guid. The system will then use its own secure channels to contact the bank database and look up that guid in the database. This is basically the same thing as having the teller call the number they have on file for the owner of an account to verify a transaction rather than calling the phone number written on the potentially forged check.

  4. Er, wrong. by Anonymous Coward · · Score: 2, Insightful

    I guess that's why all the checkouts at our local grocery stores get viruses when we scan the wrong barcodes.

    Use appropriate software. Fuck.

    1. Re:Er, wrong. by cloudmaster · · Score: 1

      Winnar!

    2. Re:Er, wrong. by toriver · · Score: 1
  5. Super high tech solution by Anonymous Coward · · Score: 1

    Don't allow the machines that scan the bills to open urls.

    Next problem, please.

    1. Re:Super high tech solution by Anonymous Coward · · Score: 2, Insightful

      Next problem: idiotic user submissions combined with lazy "editors" could infect Slashdot with terrible articles on the front page.

  6. What? by Anonymous Coward · · Score: 5, Insightful

    What? QR codes can hold arbitrary strings, they don't have to be just URLs. This summary makes no sense. There isn't even an article here! Who is editing this shit?

    1. Re:What? by oPless · · Score: 1

      Mod parent up.

I've known QR Codes to be used to hold PKI Certificate info. URLs just happen to be a common use.

    2. Re:What? by udoschuermann · · Score: 1

      Yes indeed, retarded snot suckers are editing this shit: Why are Michigan University students forging U.S. currency? Who is proposing the use of invisible nano QR codes? No answer is even hinted at in the summary:

      Invisible nano QR codes have been proposed as a way to stop forgery of U.S currency by students of Michigan University.

      Nothing to see here, move along!

      --
      --Udo.
  7. Huh? by ccccc · · Score: 5, Informative

    A QR code is a two-dimensional barcode. A pretty decent way to embed a serial number. What exactly about the idea makes the poster believe the banks' scanning software would jump to some arbitrary website after the scan? Presumably, a much more sane and secure thing to do would be to look up the serial number in a database on a single, secure site.

    1. Re:Huh? by Anonymous Coward · · Score: 2, Funny

      Muhhahahhahahahaha

      Robert');DROP TABLE CURRENCY;

      will be my QR Code and will bust the world economy! Muhahahahhahahahaha

    2. Re:Huh? by jittles · · Score: 4, Informative

Not only that, but the article I read last night on the BBC talked about how these QR codes are done. First of all, they embed the QR code on the bill using a special ink that is only luminescent with an exact frequency of laser light, which is invisible to the naked eye. Using a process of (I believe they called it) "photon upconversion" the light becomes visible to sensors in another segment of the spectrum. They can alter the ink they use to change the frequencies in question. This means you would have to have special equipment to see the QR code. They also said that they can embed two QR codes on top of each other, which respond to different frequencies of light. They can use the two QR codes together to help validate the authenticity of the bill.

      So certainly someone with the right scientists may be able to reproduce the ink, bleach the bill, and print a new face and QR code on it, but it would be very difficult. And who would hook their bill verifying machine up to the internet? And why would you use a URL? You could embed anything into that code, and you could probably even cryptographically sign the data embedded in the bill.

    3. Re:Huh? by Anonymous Coward · · Score: 0

      Have you read the QR code specification? There's a lot in there where a programmer can create an exploitable bug. If the bank decides to use an existing library for reading the codes and only scans the output for malformed content, there's a good chance that the library contains buffer overflows which can be exploited before the payload scanner even sees any output. Malformed QR-codes look just like normal QR codes. I have some that kill popular QR code reader apps: you scan the code and the app is terminated on the spot.

    4. Re:Huh? by Anonymous Coward · · Score: 0

      Muhhahahhahahahaha

      Robert');DROP TABLE CURRENCY;

      will be my QR Code and will bust the world economy! Muhahahahhahahahaha

      It's Mrs. Tables - how is Bobby?

    5. Re:Huh? by mk1004 · · Score: 1

      Yes, I wish we could just nuke the entire stupid Embedded-URL QR code thread here. OTOH, exactly what good is this QR code anyway? If it's a serial number, what's to keep counterfeiters from copying an existing QR code onto their bills? If there are 1K $100 bills out there with the same QR code "serial number," how do you prove which one is real? How do you even know that there's more than one, albeit one that's moving around the country really fast? Would it really take that long for counterfeiters to develop the technology to print those codes? Or am I missing something?

      --
      I can mend the break of day, heal a broken heart, and provide temporary relief to nymphomaniacs.
    6. Re:Huh? by Anonymous Coward · · Score: 0

      So certainly someone with the right scientists may be able to reproduce the ink, bleach the bill, and print a new face and QR code on it, but it would be very difficult. And who would hook their bill verifying machine up to the internet? And why would you use a URL? You could embed anything into that code, and you could probably even cryptographically sign the data embedded in the bill.

      OK, here's what you've missed:
      You wouldn't use a url (that's just retarded) what you might do is put an sql injection attack or a buffer overflow into the qr code. The main point of either of those would be to get some payload to execute on either the bill reader or the verification server. A couple example payloads would be a key-logger or a routine that will send the list of valid bill IDs to somewhere you can retrieve them. However those vectors should be secured in a well written system.

As to why the bill scanner would be internet connected, obviously that's so it can (metaphorically) call up the FED and ask "hey did you guys really issue a bill called 'goat.cx'? yeah, I didn't think so, kthxbi". It is also, as previously alluded to, likely that the system will be interfaced with the same general purpose computer the teller uses to enter transactions (because why make special purpose hardware when you already have general purpose hardware that can do the job), and that computer is certainly online so it can log transactions.

    7. Re:Huh? by Anonymous Coward · · Score: 0

      OK, here's what you've missed:
      You wouldn't use a url (that's just retarded) what you might do is put an sql injection attack or a buffer overflow into the qr code. The main point of either of those would be to get some payload to execute on either the bill reader or the verification server. A couple example payloads would be a key-logger or a routine that will send the list of valid bill IDs to somewhere you can retrieve them.

      Here's what you've missed: you have no idea what you're talking about.

      A SQL injection attack? A buffer overflow? A KEY LOGGER ? Really?

      First, let's talk buffer overflows. QR codes are just a method of encoding a string of arbitrary data in a grid of on/off pixels with some features which make the image easy to OCR. The max string length for a QR code of given pixel dimensions is fixed, because a grid of NxN on/off pixels gives you a theoretical maximum of N^2 bits of data. (Actual length is less than N^2 bits since there's overhead such as OCR alignment dots, error correcting codes, etc.) Buffer overflows are not going to be a serious problem, not when the OCR software won't even be trying to recover more than a fixed amount of data from a QR code of any given pixel dimensions. This isn't a web form where you can just keep submitting more bytes.

      As for SQL injections and key loggers, such things are only possible when some component of the system can be fooled into processing recovered data as code. We're talking about software which is going to try to read a serial number from currency. It will never try to interpret a bill's serial number as SQL.

      However those vectors should be secured in a well written system.

      You mean attack surfaces, not vectors. And these attack surfaces you are talking about won't even exist in the proposed systems. The mere fact that a QR code is used to encode some data does not imply that the system reading the data is akin to a web form.
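
The fixed-capacity argument in the two comments above, together with the earlier report of malformed codes that terminate reader apps on the spot, in working code. This is an added example and not code from the original thread or from any reader the thread mentions. A byte-mode QR segment starts with a 4-bit mode indicator and a character-count field (8 bits for versions 1 to 9, 16 bits above), and the count is attacker-controlled just like the rest of the symbol: a decoder that believes a count the stream cannot hold is exactly the bug that crashes a reader. The two codeword streams are constructed for the example (error-correction codewords already stripped), and only versions 1 through 4 of the level-L data-capacity table are included; the real table covers 40 versions and four EC levels.

```go
package main

import (
	"errors"
	"fmt"
)

// Data codewords per version at EC level L, versions 1-4 only (partial table).
var dataCodewordsL = map[int]int{1: 19, 2: 34, 3: 55, 4: 80}

// countBits is the width of the byte-mode character-count indicator.
func countBits(version int) int {
	if version <= 9 {
		return 8
	}
	return 16
}

// bitReader walks the codeword stream MSB-first and refuses to run off the end.
type bitReader struct {
	data []byte
	pos  int
}

func (b *bitReader) read(n int) (int, error) {
	if b.pos+n > len(b.data)*8 {
		return 0, errors.New("bit stream exhausted")
	}
	v := 0
	for i := 0; i < n; i++ {
		bit := (b.data[b.pos/8] >> uint(7-b.pos%8)) & 1
		v = v<<1 | int(bit)
		b.pos++
	}
	return v, nil
}

var ErrBadCount = errors.New("declared character count exceeds codeword capacity")

// decodeByteSegment parses one byte-mode segment (mode indicator 0100) and
// checks the declared count against the bits actually left in the stream
// before allocating or reading anything.
func decodeByteSegment(codewords []byte, version int) (string, error) {
	capacity, ok := dataCodewordsL[version]
	if !ok {
		return "", fmt.Errorf("version %d not in this example's table", version)
	}
	if len(codewords) != capacity {
		return "", fmt.Errorf("version %d: need exactly %d data codewords", version, capacity)
	}
	r := &bitReader{data: codewords}
	mode, err := r.read(4)
	if err != nil || mode != 0x4 {
		return "", errors.New("not a byte-mode segment")
	}
	count, err := r.read(countBits(version))
	if err != nil {
		return "", err
	}
	if count > (len(codewords)*8-r.pos)/8 { // whole bytes remaining after the header
		return "", ErrBadCount
	}
	out := make([]byte, count)
	for i := range out {
		c, _ := r.read(8) // cannot fail: bounded by the check above
		out[i] = byte(c)
	}
	return string(out), nil
}

// naiveDecode trusts the count and indexes the stream directly. In Go this
// panics (the app "is terminated on the spot"); in C it reads or writes past
// the buffer. Each data byte straddles two codewords because of the 4-bit offset.
func naiveDecode(codewords []byte) string {
	count := int(codewords[0]&0x0F)<<4 | int(codewords[1]>>4)
	out := make([]byte, count)
	for i := 0; i < count; i++ {
		out[i] = codewords[1+i]<<4 | codewords[2+i]>>4
	}
	return string(out)
}

// panics reports whether f panics; used to show what the naive decoder does.
func panics(f func()) (did bool) {
	defer func() { did = recover() != nil }()
	f()
	return false
}

// Constructed version 1-L streams: "HI" in byte mode, then the spec's 0xEC/0x11
// padding; and a stream whose header declares 200 bytes inside 19 codewords.
func sampleGood() []byte { return pad([]byte{0x40, 0x24, 0x84, 0x90}) }
func sampleBad() []byte  { return pad([]byte{0x4C, 0x80}) }

func pad(cw []byte) []byte {
	for len(cw) < 19 {
		cw = append(cw, 0xEC, 0x11)
	}
	return cw[:19]
}

func main() {
	for name, cw := range map[string][]byte{"genuine": sampleGood(), "malformed": sampleBad()} {
		s, err := decodeByteSegment(cw, 1)
		fmt.Printf("hardened %-9s -> %q, err=%v\n", name, s, err)
		fmt.Printf("naive    %-9s -> panicked=%v\n", name, panics(func() { naiveDecode(cw) }))
	}
}
```

The point the thread is circling: the symbol's pixel grid bounds the input, but only if the decoder derives its limits from the grid (version and EC level) rather than from a length field inside the data it is decoding.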

  8. WTF? by iYk6 · · Score: 5, Informative

    QR Codes don't send you anywhere. They're just data. They can contain web links, just like any written sentence, but a device won't download the content at a linked URL unless it is programmed to.

    QR codes are futuristic, 2D versions of bar codes. Nothing more.

    1. Re:WTF? by Anonymous Coward · · Score: 2, Informative

      Nothing futuristic about QR codes! They're 15 years old already.

    2. Re:WTF? by Anonymous Coward · · Score: 0

      QR codes are futuristic, 2D versions of bar codes. Nothing more

      Ok I wasnt the only one thinking that...

      How is this *any* better than the serial number already on every bill out there? Which are well sized and positioned. Other than the extra bits to reconstitute the data?

      This is a horrible example of cryptography using open keys. If I can perfectly copy the key it does not matter how good your lock is.

      Even if you embed 'code' in them what stops the counterfeiter from copying the code? It just means he needs to have a larger sample set. Not terribly hard to do with a bit of regular deposits and withdrawals.

      We are using physical items to do monetary transactions. There is 0 cryptography you can do on them that someone else could not copy. If you can make it so can someone else.

    3. Re:WTF? by L4t3r4lu5 · · Score: 2

      You've obviously not read Snow Crash.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    4. Re:WTF? by fuzzyfuzzyfungus · · Score: 1

The Michigan proposal involved some assorted fancy-materials-science tricks (inks with very atypical optical properties and other stuff that the anti-counterfeiting guys have been poking around at to raise the cost and required sophistication of producing a convincing fake) in addition to QR codes. If anything, the QR part seemed like something of a trend-crazed afterthought.

(Incidentally, the one thing that cryptography can do for physical items like currency is make it impossible for forgers to produce novel forgeries: If, for instance, the bill has a data field that is its serial number/place/time of manufacture/etc. signed with a treasury private key, that doesn't stop me from just photocopying it; but it does prevent me from producing any bills that aren't direct copies of official bills. If combined with a reasonably efficient automated scanning system, to identify duplicates, this makes it more difficult to pass large numbers of copies of a single legitimate bill, and makes it impossible to produce anything other than copies of bills that were actually produced by the private key holder. Whether this is actually useful depends on what your mechanisms are for weeding out duplicates and tracing them back to their originators; but it can be done.)

    5. Re:WTF? by bobbied · · Score: 1

      Preventing counterfeiting is all about making it HARD to make a passable copy of a bill. This is the function of serial numbers along with a whole host of unusual printing techniques. If QR codes make it harder without making it cost too much more to produce *real* currency, use them.

Unless they use QR codes to actually encode useful information about the bill, its serial number, value and production information, and don't make some kind of cross checking possible, I don't see where they help much more than existing techniques. Making them invisible sounds great, but doesn't help the average consumer any. If they were visible, then it might be possible for consumers to do validation of the bill using a cell phone app or something, but that just makes the counterfeiter's job easier..

Dreaming about that app idea.... If you could then track the history of a bill by making the app report the phone's position when validating bills on some server, you might be able to quickly find counterfeiting operations by detecting unissued serial numbers or bills that move too fast.

      Ever seen www.wheresgorge.com ??

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    6. Re:WTF? by canadiannomad · · Score: 1

I like this idea way more than hiding the QR code with fancy optics. Make it so that anyone with a smartphone app can check the bill via a QR code that can be duplicated but not forged (some hash would probably do). Link check locations with failed verifications and find distribution points of forged bills. At least that way they can crowd source enforcement, and drive up the cost of distribution of the fake bills.

      --
      Hmm, the humour and sarcasm seem to have been be lost on you.
    7. Re:WTF? by Richy_T · · Score: 1

      And there goes the anonymity of cash. Time to load up on gold and bitcoins ;)

    8. Re:WTF? by Anonymous Coward · · Score: 0

      If, for instance, the bill has a data field that is its serial number/place/time of manufacturer/etc. signed with a treasury private key, that doesn't stop me from just photocopying it; but it does prevent me from producing any bills that aren't direct copies of official bills

      Most of those fields are already on every single bill. The rest can be looked up thru the serial number that is on every single one.

I agree, make it harder. But to expect these measures to last long is not realistic. Special inks that light up under a special laser are just a matter of chemistry and getting someone to make it.

      Like I said getting a number of bills to duplicate is not hard. Open a convenience store and you would have a steady stream of 10/20/100's you could copy. Deposit them in the bank every night. Withdraw from a different bank every day for your 'rolling cash stock'. You would literally have thousands of copies within a month you could make. You are just the front for the real guys who are paying you to make these copies... Then you also have a way to distribute the extra money back out thru your front...

      All of what you say can already be done with just the serial number on the bills already today with a simple database lookup. It does however rely on the fact banks will talk to each other. That will never happen without laws being involved. As this very information could be used to find out what your competitor is doing...

      Like I said 'This is a horrible example of cryptography using open keys. If I can perfectly copy the key it does not matter how good your lock is.'

Counterfeiting is just a matter of time and money. You are by definition printing money so it is just a matter of time.

      This is a very difficult problem to crack. All we can do really at this point is just make it harder. But eventually 'hard' becomes 'easy'....

  9. only stupid apps send you directly to a site by Anonymous Coward · · Score: 1

    qr code is a method to encode strings or binary data into a pixelized black/white bitmap. it is as good as the serial number printed on the bill. only it can incorporate full range of characters, printable or non-printable. i don't think op understands what qr code is.

  10. What? by Anonymous Coward · · Score: 0

    QR Codes are just binary representation of data. The US Treasury could use QR Code as barcodes and require banks to use software certified by the treasury herself. The treasury could also require the software to run on a read-only system, or on TCPA protected hardware with secure boot on a system with a software that runs on user-mode, with kernel-mode (or root-access) software checking for tampering.

  11. singles will have a QR code for wheresgeorge.com by Anonymous Coward · · Score: 0

    doesn't really seem like a good idea.

  12. Couldn't they just arrest the students? by Anonymous Coward · · Score: 0

    "...as a way to stop forgery of U.S currency by students of Michigan University"

    English is hard.

    1. Re:Couldn't they just arrest the students? by MrLizard · · Score: 1

      You beat me to posting it, darn it!

    2. Re:Couldn't they just arrest the students? by linuxgeek64 · · Score: 1
    3. Re:Couldn't they just arrest the students? by BoberFett · · Score: 1

      I had to read that sentence twice. Very awkwardly written. This submission fails on so many levels.

  13. Assuming that banks are complete idiots by CheeseTroll · · Score: 1

    I can't speak to whether QR codes can stop forgery of the currency, but a QR code, by itself, can't infect anyone with a virus. What kind of bank system would blindly go to whatever website is suggested by an illegitimate QR code?

    --
    A post a day keeps productivity at bay.
    1. Re:Assuming that banks are complete idiots by bluefoxlucid · · Score: 1

      it would work if the QR code held a digital signature for that particular mint and year of the serial, along with the denomination. Each code would fit one bill from one mint from one year with one serial number.
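
The signed-record scheme described by fuzzyfuzzyfungus and bluefoxlucid above, written out as an added example that is not code from the original thread or from the proposal in the story. The issuer signs the note's fields with an Ed25519 private key and prints the record plus signature as the QR payload; the verifier treats whatever the scanner returns as data that must fit a fixed grammar (so the thread's `Robert');DROP TABLE CURRENCY;` is rejected as malformed before any lookup could happen), verifies the signature over the re-serialised fields, and counts sightings of each serial so that photocopies of one genuine note surface as duplicates. The payload layout, field formats, the plant codes and the length cap are assumptions made for this example, and the in-memory sighting table stands in for whatever central lookup a real deployment would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// NoteRecord is the data a signed note payload carries (assumed field set).
type NoteRecord struct {
	Serial       string // assumed format: two letters, eight digits, one letter
	Denomination int    // whole dollars
	Year         int    // series year
	Plant        string // assumed two-letter printing-plant code
}

// Payload grammar (assumed): SERIAL|DENOM|YEAR|PLANT|SIG, with SIG the base64
// Ed25519 signature (64 bytes, 88 base64 characters) over the first four fields.
// Scanner output that does not match is rejected before anything else sees it.
var payloadRe = regexp.MustCompile(
	`^([A-Z]{2}[0-9]{8}[A-Z])\|([0-9]{1,3})\|([0-9]{4})\|([A-Z]{2})\|([A-Za-z0-9+/=]{88})$`)

// maxPayloadLen is an assumed hard cap; a real bound comes from the QR version printed.
const maxPayloadLen = 160

var (
	ErrTooLong      = errors.New("payload exceeds maximum length")
	ErrMalformed    = errors.New("payload does not match note grammar")
	ErrBadSignature = errors.New("signature does not verify under treasury key")
	ErrDuplicate    = errors.New("serial already seen: copy of a genuine note")
)

// message is the exact byte string that gets signed.
func message(r NoteRecord) []byte {
	return []byte(fmt.Sprintf("%s|%d|%d|%s", r.Serial, r.Denomination, r.Year, r.Plant))
}

// newTreasuryKeys stands in for the issuer's HSM-held keypair.
func newTreasuryKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// encodePayload produces the string the issuer would encode into the QR symbol.
func encodePayload(r NoteRecord, priv ed25519.PrivateKey) string {
	sig := ed25519.Sign(priv, message(r))
	return string(message(r)) + "|" + base64.StdEncoding.EncodeToString(sig)
}

// Verifier holds the public key and the serials it has already accepted.
type Verifier struct {
	pub  ed25519.PublicKey
	seen map[string]int
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, seen: map[string]int{}}
}

// Check validates one scanned payload: length, grammar, signature, then the
// duplicate check. The signature is verified over the parsed fields, not the
// raw scan, so the signed bytes are exactly the record and nothing else.
func (v *Verifier) Check(scanned string) (NoteRecord, error) {
	if len(scanned) > maxPayloadLen {
		return NoteRecord{}, ErrTooLong
	}
	m := payloadRe.FindStringSubmatch(scanned)
	if m == nil {
		return NoteRecord{}, ErrMalformed
	}
	denom, _ := strconv.Atoi(m[2]) // digits-only by the grammar, cannot fail
	year, _ := strconv.Atoi(m[3])
	rec := NoteRecord{Serial: m[1], Denomination: denom, Year: year, Plant: m[4]}
	sig, err := base64.StdEncoding.DecodeString(m[5])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return NoteRecord{}, ErrMalformed
	}
	if !ed25519.Verify(v.pub, message(rec), sig) {
		return NoteRecord{}, ErrBadSignature
	}
	v.seen[rec.Serial]++
	if n := v.seen[rec.Serial]; n > 1 {
		return rec, fmt.Errorf("%w (%d sightings)", ErrDuplicate, n)
	}
	return rec, nil
}

func main() {
	pub, priv := newTreasuryKeys()
	genuine := encodePayload(NoteRecord{"MB12345678A", 100, 2013, "FW"}, priv)
	v := NewVerifier(pub)
	for _, scan := range []string{
		genuine,
		"Robert');DROP TABLE CURRENCY;",                // the thread's injection joke
		strings.Replace(genuine, "|100|", "|5|", 1),   // forged denomination, real serial
		genuine,                                        // second sighting: a copy
	} {
		rec, err := v.Check(scan)
		fmt.Printf("%-40.40q -> %+v err=%v\n", scan, rec, err)
	}
}
```

Note what the forger gains and loses here: changing any field breaks the signature, so novel notes are impossible without the private key, while an exact copy passes the signature check and is only caught by the sighting count, which is the "mechanism for weeding out duplicates" the comment above says the whole scheme hinges on.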

  14. Really? by ajdlinux · · Score: 4, Insightful

    This story displays an incredibly low understanding about what a QR code even is, let alone how you would write a QR code reader for a secure environment. I'm surprised this even got accepted.

    1. Re:Really? by Anonymous Coward · · Score: 0

      But its a qr CODE and we all know hackers write CODE to HACK.

    2. Re:Really? by dontbemad · · Score: 1

      I'm surprised this even got accepted.

      Have you seen the quality of posts on slashdot recently?

    3. Re:Really? by Excelcia · · Score: 1

It doesn't matter if it shows incredibly low understanding of what a QR code is. Slashdot doesn't care about accuracy as much as it cares about what will stir up comments. Putting in a story that has, like this one does, an error in understanding of the technology or the risk of a virus is poking a stick into a nerd's nest. They'll all come out buzzing angrily posting about it, and Slashdot is all happy because they get comments and clicks and interest.

There are a lot of stories of this type, with the kind of taunting inaccuracies this one has, posted to Slashdot recently. So many, I suspect their editors are making a conscious effort to do so.

    4. Re:Really? by Anonymous Coward · · Score: 0

      at what point does the last couple of years cease to be recently?

    5. Re:Really? by mounthood · · Score: 1

      This story displays an incredibly low understanding about what a QR code even is, let alone how you would write a QR code reader for a secure environment. I'm surprised this even got accepted.

My reaction is just the opposite; slashdot is full of idiots. The submitter points out a simple fact, that consuming arbitrary input leads to vulnerabilities, and gave an example, QR codes misleading apps to a website. The vector would be different with currency, but Diebold can make a secure environment, right? Banks are important, the risks should be minimized, and a new technical attack vector should be of interest to a geek website.

      Almost every comment at 5 is mocking the idea of a QR code on money redirecting to a website, showing a lack of (basic) understanding or imagination. I guess slashdot needs every little thing spelled out for them.

      --
      tomorrow who's gonna fuss
    6. Re:Really? by Verdatum · · Score: 1

      I understand your point, but still...this is IMHO the most inane summary I have read in quite awhile. The entire thing is synthesis of data by the submitter; the articles are completely unrelated beyond the term "QR Code", and as EVERYONE points out, the logic-fail is pretty easy to spot. Would it have been so hard to just rewrite the summary to discuss the first part, and leave out the conjecture bullshit?

  15. what will really happen by slashmydots · · Score: 1

    If you think a massive security flaw will stop some private company from selling them their product suite, you are WRONG. They'll cover it up like their jobs depend on it...because they do.

  16. Easy Fix... by Mattwolf7 · · Score: 1

Who wrote this summary? A QR code is just data.

    Just make your system NOT go to the public internet. The QR code could just be the serial number of the note. Hell you don't even need to use a QR code.

    Example: http://intranet.federalreserve.gov/verify?n=12345

    Problem solved. No virus.

  17. "can send you to a site that infects your system" by Voyager529 · · Score: 1

    Seriously? You're telling me that a bank system using a barcode to check a serial number would spawn a web browser because the bill said so? How hard could it possibly be to *not* allow a browser to start while scanning in QR codes, and catching attempts to try as a guaranteed way to prove that the bill is a counterfeit?

  18. The submitter doesn't seem to understand QR codes by yincrash · · Score: 2
    This plan in all likelihood would not consist of URLs encoded as QR codes. It would be some data that would be matched against some other data, so why would the currency verification involve accessing a URL at all to implant a virus?

    The only way I could remotely see that happening would be if there was a vulnerability in the system that allowed for a buffer overflow attack of some sort. The problem with that is that QR codes only have a limited amount of data, which would make this all but impossible.

  19. Not the Banks Really by dahl_ag · · Score: 1

    I would think that the banks would have dedicated systems that would not even know how to go to such an infected site. Just because a device has an operating system and programs running on it, doesn't mean it has the ability to interpret a url and use it to retrieve content from the internet. (For example, my 2003 Taurus is not at risk of getting an infection from a malicious web site, but yes it has a computer that processes input from the outside world.)

    On the other hand, I could see small businesses using said QR codes to authenticate larger bills. But they would probably do so with some software running on a PC, iPad, etc....

    1. Re:Not the Banks Really by bluefoxlucid · · Score: 1

      So, Linux? Without a Web browser, since you can't do that in uh. Windows.

    2. Re:Not the Banks Really by Anonymous Coward · · Score: 0

      On the other hand, I could see small businesses using said QR codes to authenticate larger bills. But they would probably do so with some software running on a PC, iPad, etc....

      Really? I'm not aware of any PCs or iAnythings that have near-infrared lasers. Yet another reason this is not just a stupid post, but a stupid idea.

  20. redundant ? redundant? by slashmydots · · Score: 1

    Isn't it a bit redundant, seeing as how they have serial numbers already?!?!?! A QR code would contain what, a serial number? Obviously this article thinks it's a web link, which is what QR codes were designed for. If it's a web URL, wtf?! If it's a serial number, just read the serial number instead. They have OCR that does that already.

    1. Re:redundant ? redundant? by mister2au · · Score: 1

      Pretty easy to forge serial numbers on a counterfeit note.

      Not so easy to forge serial numbers encoded on nano-dots ...

      So presumably like they do with nano-dots sprayed onto high-end cars as security.

    2. Re:redundant ? redundant? by Anonymous Coward · · Score: 0

      But the point is they're invisible and so only the bank knows where they are.. they could be just a check sum for the actual serial number so a potential forger has to know,
      (i) where to place his invisible QR code - okay this might be easy if shops want to install anti-forgery scanners...
      (ii) find out the algorithm used to calculate the check-sum

      they're there to act as a deterrent, by increasing the cost of producing a forgery to the point where it becomes too expensive to make forgeries

    3. Re:redundant ? redundant? by azadrozny · · Score: 2

      As other posters have pointed out, what if the QR code contained a hash of the serial number and a few other identifying marks visible on the bill? Now you can use the infrared QR and OCR to validate a given bill. In general I think the mints have given up on creating a forge-proof bills. They just keep updating the design with forge resistant features to stay one step ahead. The only problem I have with this is that there are so many different designs in circulation that a lay person cannot easily spot a fake, and may be more likely to accept one.

    4. Re:redundant ? redundant? by Anonymous Coward · · Score: 0

      Isn't it a bit redundant, seeing as how they have serial numbers already?!?!?!

      Only if it is implemented stupidly. Under no circumstances do you have a web page address there. With the US government demanding the ability to "turn off" the public internet during times of civil unrest, I certainly would not want some merchant refusing my $20 bill because the "government currency validation" web site was down.

      Ideally it would have the serial number and denomination of the bill in plain text which would be signed by a government cryptographic signature. And even this implementation doubtless has flaws it would take a crypto mathematician to find. But it's a moot point anyway, so far the US government has been refusing to put machine readable information on US Currency because it would make things too easy for the blind.

    5. Re:redundant ? redundant? by omnichad · · Score: 1

      And if it's a URL, it's probably a URL that points to a page with a serial number in the URL, which means it does no more good than inputting that serial onto the web site instead.

      And why can't you just copy the QR code just like you can copy the serial number? Just because it's made with invisible ink?

    6. Re:redundant ? redundant? by wbr1 · · Score: 1
      QR was not designed to contain a web link. From http://en.wikipedia.org/wiki/QR_code :

      QR Code (abbreviated from Quick Response Code) is the trademark for a type of matrix barcode (or two-dimensional code) first designed for the automotive industry. More recently, the system has become popular outside the industry due to its fast readability and large storage capacity compared to standard UPC barcodes. The code consists of black modules (square dots) arranged in a square pattern on a white background. The information encoded can be made up of four standardized kinds ("modes") of data (numeric, alphanumeric, byte/binary, Kanji), or through supported extensions, virtually any kind of data.[1]...
      Invented in Japan by the Toyota subsidiary Denso Wave in 1994 to track vehicles during the manufacturing process, the QR Code is one of the most popular types of two-dimensional barcodes.[2] It was designed to allow its contents to be decoded at high speed.[3]

      --
      Silence is a state of mime.
    7. Re:redundant ? redundant? by azadrozny · · Score: 1

      You are correct, the QR code can be copied, but this becomes one more thing for the forger to be concerned with. The individual security features on a bill don't make it hard to reproduce. It is the combination of dozens of them that (hopefully) makes it too costly for them to reproduce. Some of the features are there to make it easy for the public to spot a fake, such as the water mark, or color shifting ink. There are other secret features that are put there by the government to help them identify, or fingerprint a specific forger. I suspect that the QR code would be more useful to law enforcement than the public.

  21. Bank employees are not... by slashdyke · · Score: 1

    Bank employees are not stupid enough to have their software blindly follow/execute QR codes, so I do not think there is a serious concern of bank systems being infected with virii from forged QR codes. But if there was, I would hope the virus programmers would include code to allow banks to help those that need help, not just the ones that have lots already.

    1. Re:Bank employees are not... by Anonymous Coward · · Score: 1

      VIRUSES. This awful disease of calling viruses "virii" must end!

  22. Wow by Anonymous Coward · · Score: 1

    1 article about using QR codes in money
    1 article about how easy it is to forge QR codes
    1 article about how automatically opening a url found in a QR code could infect your computer.

    How did this summary possibly make it past filters. Not one article talks about how banks might be incompetent enough to auto execute code without first sanitizing their input, let alone whether the QR codes would link to a URL in the first place. I've been reading this website for a while and haven't been wanting to leave it, but this just pushed me over the edge. I'm not sure how this got past editor filters, but it's definitely not worth my time. I'm sorry slashdot, you were the first content aggregation site that I actually enjoyed reading.

    1. Re:Wow by Anonymous Coward · · Score: 0

      I've been reading this website for a while and haven't been wanting to leave it, but this just pushed me over the edge.

      This is the conclusion I came to as well. This site has been getting progressively worse over time, but slowly enough that it was hard to tell how bad things had really gotten until now. In retrospect, I guess I should have taken the hint when CmdrTaco left.

  23. QR codes can hold data other than URLs by Anonymous Coward · · Score: 0

    The author of the post says: "QR codes are easy to forge and can send you to a site", which is very naive.

    QR codes are not required to store only URLs; they can store arbitrary text. The banks would likely not store URLs, and whatever reader code they have could just ignore or not follow URLs. Even if they wanted to use URLs, they could validate them and only follow ones to a particular trusted domain or set of domains, and ignore all others.

    1. Re:QR codes can hold data other than URLs by omnichad · · Score: 1

      I love the "easy to forge" bit. It's easy to forge printed text, too. It's because we use these things called fonts, which ensures that all computers can reproduce character bitmaps identically from a reduced dataset.

      Isn't forging a QR code just making a QR code?

  24. Just disable autorun... by Anonymous Coward · · Score: 1

    Simply disable autorun on the USB QR code readers. Problem solved!

    (Yes, I know this is a moronic comment, but I'm trying to match the moronic-ness of the original article).

    1. Re:Just disable autorun... by wonkey_monkey · · Score: 1

      Well played!

      --
      systemd is Roko's Basilisk.
  25. The real question... by Anonymous Coward · · Score: 0

    is why so many Michigan University students are forging US currency.

    1. Re:The real question... by Anonymous Coward · · Score: 0

      Given that Michigan University doesn't exist, I'm guessing none...

  26. Maybe... by wbr1 · · Score: 1

    I am no expert on this, but I agree that a bank system wouldn't go to some URL.
    However if the QR contained a salted hash of bill identifiers, and the reading app verified it, would it be possible to include well formed enough data to cause some sort of buffer overrun and injection attack? The payload would have to be very small, and it would likely only crash the target system. Therefore it would not be a virus per se, just malicious code.

    --
    Silence is a state of mime.
    1. Re:Maybe... by PPH · · Score: 1

      would it be possible to include well formed enough data to cause some sort of buffer overrun and injection attack?

      QR codes contain a known amount of data. Unless the reading program was written by a complete moron, ensuring sufficient buffer space exists to read one is a trivial task.

      --
      Have gnu, will travel.
    2. Re:Maybe... by wbr1 · · Score: 1

      I agree.. but complete morons are abundant!

      --
      Silence is a state of mime.
  27. A Wizard Did It by mothlos · · Score: 1

    I guess even on /. computers are devices shrouded in mystery. Watch out before the Gibson gets hacked.

  28. Also in the news by Chrisq · · Score: 2

    Bank staff could break their teeth by trying to bite coins. They could also give themselves a sun burn by keeping their hand under the note-testing UV lamp. And now they have the added hazard that they could follow a link on a QR code to an infected site.

  29. Now I remember by Anonymous Coward · · Score: 0

    Ah yes, that's why I stopped coming to slashdot. I'd forgotten how moronic some of the articles could be, and actually started coming back to this site.

  30. Re:The submitter doesn't seem to understand QR cod by Anonymous Coward · · Score: 1

    Look at the submitter's site. If I ever saw a shallow website with nonexistent layout and content, it's his.

    Probably some kid trying to play the "security business" but failing utterly. TFS proves it, too.

  31. Submitted by Dan Brown by Anonymous Coward · · Score: 0

    Did anyone read Dan Brown's book in which the main plot point was a computer that gets taken over? Digital Fortress it might have been called?

    This article is even stupider than that book. And that's saying something.

  32. Michigan Univerity? by Darth_brooks · · Score: 2

    1. It's "The University of Michigan." Not trying to be as pedantic as those who insist on THE Ohio State University (as opposed to that other Ohio State?), but no one uses 'Michigan University.'

    2. At no point, in any of the three cited articles, is U of M mentioned. The QR / Currency article from engadget refers to The South Dakota School of Mines and Technology, which is slightly different from umich.

    --
    There are some people that if they don't know, you can't tell 'em.
    1. Re:Michigan Univerity? by Anonymous Coward · · Score: 0

      wondering the same thing myself

    2. Re:Michigan Univerity? by Anonymous Coward · · Score: 0

      Exactly. I wasn't sure if they were talking about the University of Michigan and mixed up the order of the words, or if they were talking about Michigan State University and dropped a word.

      It sounds like grammar-nazi pedantry, but honestly this mistake is far worse than ending a sentence in a preposition or splitting an infinitive, or even mistaking their/they're/there: It actually introduced material ambiguity.

      Of course, as you said, the only institute of higher education mentioned anywhere in any of the three links is in South Dakota, so I suppose we should probably just note it as the piss-poor summary that it is and move on.

    3. Re:Michigan Univerity? by Anonymous Coward · · Score: 0

      It's worse than that. The actual school from TFA is "South Dakota School of Mines and Technology"

  33. See? by Barny · · Score: 1

    This is why we can't have nice things.

    --
    ...
    /me sighs
  34. QR codes are not magic code! by mezion · · Score: 2
    Oh FFS!

    It's unclear how much malware spread by QR codes in late 2011, but AVG reports that it's an ideal distribution method for nefarious software and it expects the practice to grow throughout 2012. Users are unaware of what the code contains until the malware has already gained foothold. The point being, QR codes aren't as safe as you might expect them to be. The security firm likens scanning unknown QR codes to running an unfamiliar executable on your computer.

    Let's repeat this again, people: QR Codes are simply a new version of a barcode. They are not magic pictures that infect computers or phones. There is nothing wrong with taking a picture of a barcode.

    OTOH, if you run an application which, upon reading a code, will automatically open a webpage that might run a script without user intervention, you are giving people a guest pass.

    when malware spread through QR codes on a Russian website and forums. The code directed victims to a download location for an infected version of the Jimm mobile ICQ client. The malware sent SMS messages to premium numbers.

    They directed their phones to a web address they didn't know and shouldn't have trusted, downloaded an application and then installed it. This was their own fault. This has no more to do with QR codes infecting computers than a hyperlink can.

  35. Michigan University? by Anonymous Coward · · Score: 0

    Where is that? The engadget article talks about a school in South Dakota, and I've never heard of "Michigan University". Did I miss something?

  36. Why slashdot...? by Anonymous Coward · · Score: 0

    I can't believe this was allowed to be posted... sometimes /. amazes me.

    First off, the bank would have an internally-only accessible database that maintains authorized QR codes
    Second, the scanning would only be done on this internally accessible system.
    Third, because it's only internally accessible, virus = moot

    What does this mean... when they scan a note/bill, it scans the local database if the code exists, if it doesn't then "ding ding ding!!!!!" it ain't real!

    1. Re:Why slashdot...? by Anonymous Coward · · Score: 0

      Furthermore, banks use proprietary software as well... so good luck writing a virus with only 7,089 characters for a system of unknown etiology.

  37. Re:"can send you to a site that infects your syste by Jason+Levine · · Score: 1

    QR codes can't even launch a browser themselves even if they contain a URL. That action depends on the QR code reader. If a QR code says "http://www.slashdot.com/", then it is up to the QR code reader to say "Hey, this is a URL, I should open a web browser." The QR code reader on my phone presents the URL for me and gives me the option of opening a web browser. I'm sure a hypothetical QR reader for currency wouldn't even do that. It would say "Hey, this QR code reads 'http://www.badsite.com/infect_with_a_virus.php'. That's not the correct hash so this must be counterfeit."

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  38. Great, trackable money by rolfwind · · Score: 1

    I see no abuses there nor the government forcing the banks to submit the depositor name to look up a serial number, nor promising to limit some type of liability as an incentive to look up serial numbers on each transaction. No sirree, won't happen.

    (Btw, I assume they could do all this on current serial numbers but perhaps it's easier on the OCR to have as described in the article).

  39. Yet More Slashdot Silliness by Anonymous Coward · · Score: 0

    Does anyone even read these articles? It wasn't from "Michigan University" (presumably meant to be the University of Michigan) but rather from the South Dakota School of Mines and the University of South Dakota. And on top of that, the article in the journal Nanotechnology (http://iopscience.iop.org/0957-4484/23/39/395201) which is not linked anywhere in the ridiculously stupid Engadget or Ubergizmo articles, makes no such broad sweeping claims. The advancement is presented as a chemical/coloring advance with a shroud of timeliness and applicability to government needs in the form of the QR code. Perhaps not the most astonishing advancement ever, but it's certainly not making the claims that all the Slashdotters here seem to be in a rush to decry and refute.

  40. The tip of the iceberg by MysteriousPreacher · · Score: 1

    The ability to give bank computers AIDS is just the start. What happens when terrorists discover them?

    http://qr.kaywa.com/?s=8&d=Death+to+Obama+and+all+Americans.+Allahu+Akbar!

    --
    -- Using the preview button since 2005
  41. Why assume that a QR code has to contain a URL? by gh0st1nth3mach1n3 · · Score: 1

    Although most QR codes "do" contain URLs, this isn't the only possible use. If the QR code contains a hash of the bill's serial number that is generated by a sufficiently complex process (private key, anyone?) then it's just a matter of verifying the hash against the serial number for verification.

  42. /., WTF? by cpotoso · · Score: 1

    What a moronic story. It makes no sense whatsoever to whomever knows anything about data, security or whatever. Dozens of stories get rejected from ./ every day. How the F**K this gets approved speaks very lowly of ./ quality control.

    1. Re:/., WTF? by Anonymous Coward · · Score: 0

      ... Checks which editor posted this "story"....

      No surprise.

  43. Independence Day? by angel'o'sphere · · Score: 2

    Reminds me of that movie: "uploading virus ..."

    Funny was they used a Mac for that ...

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  44. worst ever by Anonymous Coward · · Score: 0

    The recursiveness in the idiocy of this article will soon make my brain stack overflo

  45. In other news by wonkey_monkey · · Score: 1

    Also, paedophiles use money. Now, I'm not saying that QR codes can turn people into paedophiles, but you can't buy candy without money, sheeple!

    --
    systemd is Roko's Basilisk.
  46. viruses not the problem by Anonymous Coward · · Score: 0

    The more worrying thing is that they are trying to make it really easy and fast to track all currency from a distance. When you present a bill they will be able to track whatever accounts that bill was withdrawn from. It would be trivial for a bank to record the serial numbers of the bills it dispenses and who they were given to. When they are then deposited in a bank, you will have a fairly good idea of their path.

  47. If a Serial number doesn't work... by Anonymous Coward · · Score: 0

    If the serial number doesn't work, why would bar coding it, QR coding it, or anything else suddenly make it harder to counterfeit.

    The only thing it does is make it easier to trace the path of money. When you get the same number in 2 locations you know one is counterfeit.

    Of course the tin foil hat crowd won't like this, the difficulty tracing is why they use cash in the first place.

  48. You can already do it with 1D barcodes by sven_eee · · Score: 1

    I commonly see developers not cleaning/checking barcode data and just expecting it to be numbers, but it is easy to print out a database attack as a barcode so when someone scans that barcode it is run against the backend system.

    Code128 lets you join many smaller barcodes together that will be passed to the system as a single string, so when the system is only expecting a few digits you can flood it with kilobytes of SQL injections or shell code.

    And that is all just with 1D barcodes. QR is 2D
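The point sven_eee makes above, that whatever the scanner hands back is untrusted input and has to be checked before it goes anywhere near a query, as an added Go example that is not part of any comment in this thread. The serial format (which only loosely follows the shape of a US note serial: series letter, district letter A-L, eight digits, suffix letter), the table name and the constructed sample scans are assumptions for illustration. The reader never interprets the bytes: a URL, a Code128-concatenated SQL payload and a garbage blob all fail the same format check, and a scan that does pass reaches the database only as a bound parameter.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// maxScanBytes bounds what is accepted from the scanner before anything
// else happens. A single QR code carries at most 7,089 numeric digits
// (2,953 bytes in byte mode), so a longer payload is not one code.
const maxScanBytes = 4096

// serialPattern is the only shape of data the lookup accepts. It loosely
// follows a US note serial (series letter, district letter A-L, eight
// digits, suffix letter); the exact pattern is an assumption.
var serialPattern = regexp.MustCompile(`^[A-Z][A-L][0-9]{8}[A-Z]$`)

var (
	ErrTooLong   = errors.New("scan data exceeds maximum length")
	ErrBadFormat = errors.New("scan data is not a serial number")
)

// ParseSerial is the single entry point for scanner output. It never
// interprets the bytes: no URL detection, no dispatch on content. A URL,
// a concatenated SQL payload and a binary blob all fail the same way.
func ParseSerial(scan []byte) (string, error) {
	if len(scan) > maxScanBytes {
		return "", ErrTooLong
	}
	if !serialPattern.Match(scan) {
		return "", ErrBadFormat
	}
	return string(scan), nil
}

// BuildLookupUnsafe is the bug sven_eee describes: the scanned bytes are
// spliced into the SQL text. Shown only so the injected query is visible.
func BuildLookupUnsafe(scan string) string {
	return "SELECT denomination FROM notes WHERE serial = '" + scan + "'"
}

// LookupQuery is the hardened form: the query text is fixed and the
// serial travels as a bound parameter, as database/sql would pass it.
func LookupQuery(serial string) (string, []any) {
	return "SELECT denomination FROM notes WHERE serial = ?", []any{serial}
}

func main() {
	// Constructed sample scans: a legitimate serial, a concatenated
	// barcode carrying SQL, and the URL the summary worries about.
	samples := []string{
		"MB12345678A",
		"MB12345678A'; DROP TABLE notes; --",
		"http://example.invalid/verify?n=MB12345678A",
	}
	for _, s := range samples {
		serial, err := ParseSerial([]byte(s))
		if err != nil {
			fmt.Printf("reject %q: %v\n", s, err)
			fmt.Printf("  (unsafe concatenation would have run: %s)\n", BuildLookupUnsafe(s))
			continue
		}
		q, args := LookupQuery(serial)
		fmt.Printf("accept %q -> %s %v\n", s, q, args)
	}
}
```

The length check comes first so that an oversized Code128 chain is thrown away before the regexp ever sees it; the format check then rejects everything that is not exactly a serial, which also answers the "what if it's a URL" worry without the reader knowing what a URL is.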

  49. Profiling? by Anonymous Coward · · Score: 0

    This is a plan to stop forgery by students of Michigan University? That's an oddly specific demographic for crime.

    1. Re:Profiling? by Anonymous Coward · · Score: 0

      Oh, for a mod point right now...

  50. What about bill validators or TITO slots by Joe_Dragon · · Score: 1

    What about bill validators or TITO slots (Ticket-in, ticket-out)

    That may be the place where you may be able to do some hacking, likely using buffer overflows with something like this.

  51. Real world says you are overconfident. by Anonymous Coward · · Score: 0

    When I vacation at the beach, I use my linux laptop to surf the Internet through a rogue wireless node at the local bank. I can see their entire internal network, including their ridiculously antique IBM mainframe, which I have not attempted to hack.

    I have been doing this for years now.

  52. The institution could just use a vlan by Anonymous Coward · · Score: 0

    Setup a VLAN or VPN for that one machine that links back to the Fed Reserve or something along those lines that checks the info. The DNS and/or IP filters can be handled at the Fed Reserve side or whatever end point they'd want which would allow good QR codes to be looked up and the information passed back, while bad ones with forged codes trying point out to some website would either be ignored or blocked.

    Hell, even an app that just scans the code, sends the code to the remote fed server to be verified as a legit serial number or whatever, and the answer sent back wouldn't have to really worry about being pointed out to an external address as the QR code wouldn't be used to pull a web address, but, just like a barcode, would contain a serial number that would get looked up.

  53. Slashdot "editors" by Anonymous Coward · · Score: 0

    Which reminds me to ask: an "editorship" here can't possibly be an actual full-time gig, could it?

  54. Why not just jail the students? by Anonymous Coward · · Score: 0

    Seems like it shouldn't be that hard to catch and jail those Michigan University students responsible for the forgeries.

    --
    Infinitive Splitter

  55. Michigan University? by Anonymous Coward · · Score: 0

    What is Michigan University? There are Eastern, Western, and Central Michigan Universities. There is a Michigan State University. There is a University of Michigan. There is no Michigan University.

    Not to mention the article is about a team at South Dakota School of Mines and Technology.

  56. This article is nonsense. by upuv · · Score: 1

    QR codes are simply a method of encoding a blob of information. There is no magical connection between a blob of data containing a url and the magical fetching of the URL. You actually have to write more code to make it fetch the url. And fetching the url does not automatically result in infection. You still have to pass that url data through a browser engine to evaluate and act on the data. There are so many steps that would have to be coded that the likelihood of a moron coder making a mistake that would result in infection is 0.

    QR codes allow for a visible representation of more information than can typically be printed in human language in the same amount of space. Presumably they can be printed in such a way that they are more durable than say a hologram and thus can be trusted to represent authenticity markings on the bill. As compared to a hologram which is easily damaged.

  57. sure by Anonymous Coward · · Score: 0

    Help, my computer has the flu! Will I get sick as well?

    Can anybody explain to me why QR codes should be more of a threat than forged serial numbers or other forged data? Oh, they are? Then you should not read any further as from this point on there is malicious code hidden in the text. Sorry, too late, your machine is infected and will self-destroy in 10, 9, 8,...

  58. Got idea from TV? by muntis · · Score: 4, Funny

    Dude probably is watching too much TV where you can burn down computer by scanning bones

  59. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  60. Why not a cryptographic signature in the S/N? by swb · · Score: 4, Interesting

    Each note seems to have a serial number, meaning it should be unique. Why not have each note's S/N cryptographically signed and the signature stamped onto the note along with the S/N in some kind of machine-readable format?

    It should then be possible to scan the barcode and verify the signature to determine whether the note was legitimate. They could create unique keys for each Federal Reserve district, perhaps annually, so that you wouldn't have to worry as much about the key being compromised.

    Someone could clone the same S/N and signature, but if they did it would be easy for banks or other large cash processors with scanners to identify duplicates and remove them from circulation. Dupes could be identified as currency scanned at more than one geographic location within a certain time window where the chance of the currency being in two places at once was very slim -- kind of like the antifraud calls I've gotten from a credit card company when I've used a card in two cities in the same day.

    Small numbers of duplicates would be hard to track, but the economic risk from counterfeiting isn't from some guy with a scanner and a inkjet printer but from mass counterfeiting of thousands of notes.
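swb's scheme above, together with the hash-of-serial variants azadrozny and gh0st1nth3mach1n3 suggest earlier, as an added Go example that is not part of any comment in this thread: the visible fields of a note are signed with an Ed25519 key chosen per district and year, a scanner holding only public keys verifies the signature, and a second pass flags serials sighted at two different locations within a time window. The field set, the key schedule, the encoding and the scan records are assumptions for illustration. Unlike a plain hash, which anyone who knows the algorithm can recompute, a signature cannot be produced for a new serial without the private key; a copied signature still verifies, which is exactly why the duplicate check is there. An Ed25519 signature is 64 bytes, so serial plus signature fits in a small QR code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Note holds the visible fields the signature covers. Which fields a
// real scheme would sign is an assumption of this example.
type Note struct {
	Serial       string
	Denomination int
	District     string // Federal Reserve district letter A-L
	Year         int    // year of the key that signed the note
}

// KeyID selects one signing key; rotating per district and year limits
// the damage from a single key compromise, as swb suggests.
type KeyID struct {
	District string
	Year     int
}

// Bytes is the canonical encoding that gets signed. A fixed prefix and
// a delimiter keep two different field sets from encoding identically.
func (n Note) Bytes() []byte {
	return []byte(fmt.Sprintf("note:v1|%s|%d|%s|%d", n.Serial, n.Denomination, n.District, n.Year))
}

// Issuer holds private keys: only the mint has one of these.
type Issuer struct{ keys map[KeyID]ed25519.PrivateKey }

// Verifier holds only public keys, so any scanner can carry one and a
// stolen scanner gives up nothing that helps forge new signatures.
type Verifier struct{ keys map[KeyID]ed25519.PublicKey }

// NewKeys generates one key pair per KeyID and splits them into the two roles.
func NewKeys(ids []KeyID) (*Issuer, *Verifier, error) {
	iss := &Issuer{keys: map[KeyID]ed25519.PrivateKey{}}
	ver := &Verifier{keys: map[KeyID]ed25519.PublicKey{}}
	for _, id := range ids {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		iss.keys[id] = priv
		ver.keys[id] = pub
	}
	return iss, ver, nil
}

// Sign produces the 64-byte signature that would be printed on the note.
func (i *Issuer) Sign(n Note) ([]byte, error) {
	priv, ok := i.keys[KeyID{District: n.District, Year: n.Year}]
	if !ok {
		return nil, errors.New("no signing key for that district and year")
	}
	return ed25519.Sign(priv, n.Bytes()), nil
}

// Verify checks a scanned note against its printed signature. Any change
// to a signed field, or an unknown key, fails.
func (v *Verifier) Verify(n Note, sig []byte) bool {
	pub, ok := v.keys[KeyID{District: n.District, Year: n.Year}]
	return ok && ed25519.Verify(pub, n.Bytes(), sig)
}

// Scan is one sighting of a serial at a cash processor.
type Scan struct {
	Serial   string
	Location string
	At       time.Time
}

// FindDuplicates flags serials sighted at two different locations within
// window. A copied signature still verifies, so this catches cloned notes.
func FindDuplicates(scans []Scan, window time.Duration) map[string]bool {
	dup := map[string]bool{}
	for i := range scans {
		for j := i + 1; j < len(scans); j++ {
			a, b := scans[i], scans[j]
			if a.Serial != b.Serial || a.Location == b.Location {
				continue
			}
			gap := b.At.Sub(a.At)
			if gap < 0 {
				gap = -gap
			}
			if gap < window {
				dup[a.Serial] = true
			}
		}
	}
	return dup
}

func main() {
	iss, ver, err := NewKeys([]KeyID{{District: "B", Year: 2012}})
	if err != nil {
		panic(err)
	}
	note := Note{Serial: "MB12345678A", Denomination: 20, District: "B", Year: 2012}
	sig, err := iss.Sign(note)
	if err != nil {
		panic(err)
	}
	altered := note
	altered.Denomination = 100
	fmt.Println("genuine verifies:", ver.Verify(note, sig), "raised denomination verifies:", ver.Verify(altered, sig))
	// Constructed scan log: the same serial in two cities an hour apart.
	t0 := time.Date(2012, 10, 1, 12, 0, 0, 0, time.UTC)
	scans := []Scan{{"MB12345678A", "New York", t0}, {"MB12345678A", "Los Angeles", t0.Add(time.Hour)}}
	fmt.Println("cloned serials:", FindDuplicates(scans, 6*time.Hour))
}
```

The denomination is inside the signed bytes on purpose: the forgery that actually pays is bleaching a small note and reprinting it as a large one, and with the value under the signature that reprint fails verification even though the serial and signature are genuine.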

    1. Re:Why not a cryptographic signature in the S/N? by catprog · · Score: 1

      would that allow tracing of cash?

      --
      My Transformation Website
      Kindle Books http://www.catprog.org/rev
      Interactive CYOA http://www.catprog.org/st
    2. Re:Why not a cryptographic signature in the S/N? by swb · · Score: 1

      It might make it easier than now, but I'm sure there are already optical scanners for currency that can log the S/Ns on money now.

      I don't think it would necessarily enable tracing transactions, that would require some kind of law mandating that all businesses scan all cash they take in and get the info of who gave it to them.

  61. DUMB PEOPLE CAN'T THINK by PortHaven · · Score: 1

    There is a very simple solution...

    The QR code should link to specified government Treasury website. If it does not, (and you pre-scan the URL first), then you AUTOMATICALLY KNOW IT'S COUNTERFEIT.

    Simple...

  62. Scan != Follow by DragonWriter · · Score: 1

    Invisible nano QR codes have been proposed as a way to stop forgery of U.S currency by students of Michigan University.

    Okay. The big problem with this is that the technology to scan and write nano QR codes will become common, which then allows them to be reproduced even if (assuming the use is cryptographic and the keys are adequately protected) it isn't practical to generate new, legitimate ones.

    Unfortunately QR codes are easy to forge and can send you to a site that infects your system.

    They can't "send you" anywhere unless (1) the QR code is used to contain a URL -- which isn't the original or exclusive use, though it's the most popular one in advertising, and (2) the reader expects it to contain a URL and is programmed to navigate to the URL it contains. If, instead, it contains a cryptographic signature of some data on the "visible" part of the bill (such as the serial number, date, value, etc.) then it provides an additional check against certain forms of forgery.

    Banks would most likely need to scan currency that have QR codes to ensure the authenticity of the bill. If the QR code was forged it could infect the bank with a virus.

    If the bank system was designed not only to scan the QR code, but to also treat the content of the QR code as something more involved than a digital signature like executable code or a URL to navigate to, sure. But since there'd be no reason to do that in this application, and it would take extra work directed at an end with no conceivable relationship to the purpose the QR code was being used for, it's pretty hard to see this as a likely problem.

  63. This submission... by Anonymous Coward · · Score: 0

    proves Slashdot officially sucks now.

  64. Sounds like a typical Yahoo story by __aaacoe2998 · · Score: 0

    Did Yahoo buy Slashdot when I wasn't looking? Come on, this is a technology website. We're not ALL morons.

  65. Your right, your IQ isn't 50 by SmallFurryCreature · · Score: 2

    Well, your post contains one truth, your IQ isn't 50. It is far far lower.

    QR is simply a bar code. You scan it and get a string of data. That is it. It can contain any string valid within its codeset but it is just a string, just as a barcode is just a number.

    Sure, buffer overflows exist but they exist deep within complex code, not on simple basic stuff as reading in a user input especially when there is only one.

    And people with IQ of 50 (you call them master or whatever you can manage to utter with your sub-50 IQ) don't work for banks.

    It doesn't matter if the string contains characters that together form a URL, that is only valid if someone with a sense of humor starts testing the read string for what it might possibly contain. It could be a string that if processed as a gif shows a image. But why would a banknote scanner contain the code to do that?

    I could build a nut screwing robot and then give it an icecream and watch it transform itself into a icecream eating machine OR I could see it reject the input as invalid because it was never programmed to deal with that input.

    What do you think that happens if a random string of text in a ssl key happens to form the word "reboot". That the computer will reboot?

    You, the submitter, timothy and an awful lot of people who should be on facebook instead of slashdot seem to think computers are magic. They are not.

    Only when silly MS programmers try to make their software clever by trying to guess what input could mean, things go wrong. People who write software for banks are not silly.

    If you spend a million years beating them over the head with a feature for "smart" input where code just tries to run any input whatsoever, they would just not get what you are trying to do. Such a stupid idea just does not exist in the universe of serious coders. There are no serious coders at MS. Or indeed Apple. Or many linux projects. Luckily banks make it a point to find them for their "oh shit this is going to cost us more money than the worst/best traders in history" projects. Else the treasury goes after them and this ain't the corrupt branch of government, this is the bit that closes you down and then dissects your corpse while you are still using it so they can find the stupid bit and show it to all the banks. There are a lot of banks, so they will have to cut you up pretty small.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Your right, your IQ isn't 50 by Anonymous Coward · · Score: 1

      And people with IQ of 50...don't work for banks.

      Haven't been in a bank recently, have you? sigh!

    2. Re:Your right, your IQ isn't 50 by Anonymous Coward · · Score: 0

      I hate ciderbrew as much as the next guy, but your bad troll is bad.

  66. Weird, that hasn't happened to Japan's visa system by AC-x · · Score: 1

    Japan uses QR codes to validate their visa stickers, weird how they haven't been hacked yet. Oh yeah, it's because it just contains a binary string and is not treated as a url, duh.

  67. What lamers voted for accepting this crap? by LeadSongDog · · Score: 4, Informative

    It's blatantly just planetzuda.com spamming its own worthless article.

    --
    Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
  68. Machine readable serial numbers? by v1z · · Score: 1

    I don't see how this is going to be a big change wrt the current system. You already have to pick a serial number that will either be invalid or a duplicate when forging a bill. Nothing stops a forger from doing the same with a qr-code.

    I'm pretty sure banks are already able to machine-read sequence numbers -- and embedded metal threads are presumably harder to fake -- I don't see how QR codes would be a big improvement.

  69. And yes, they do. by Anonymous Coward · · Score: 0

    Remember when infected videos couldn't infect your system, then WMP would go to the given link inside the video to download AND RUN whatever was said to be required to run the video?

    Or when jpg images could have a payload? People said the same thing then: it's an image! It can't infect you! Except that the more complicated you make the image, the more you have to run as if it were a genuine program.

  70. jpeg images are just data. by Anonymous Coward · · Score: 0

    Did that stop jpegs being a security hole?

  71. Can we have a dupe without the blatant stupidity? by marcosdumay · · Score: 1

    This way we could discuss the actual stuff, instead of the report.

    Like, for example, how useful is it in a non-police state to have security features on the money that people can't ever detect?

  72. Stupid post by gabrygenoa · · Score: 2

    Please remove this post, the lamest programmer in the world will be able to avoid this "infection". As said by a lot of people, QR codes contain binary data or strings. I think this is a tabloid-level post, an insult to slashdot users.

  73. TFA Written by Dumbshit Fucktard by Anonymous Coward · · Score: 0

    A QR code is just a novel configuration of a bar code that is able to hold more data than a standard bar code. It is basically a number. It is absolutely impossible for a QR code reader to be infected by the QR code. The machines that will read these codes are not going to care if a particular QR code is really a URL in the context of smartphone QR codes. To it it will just be a number, or perhaps a hash, but that's it. It will check that against a known number or a hashed number, nothing more nothing less.

  74. Wow by Anonymous Coward · · Score: 0

    This makes as much sense as the people that think the "Cloud" can be affected by weather.

  75. I totally agree. But... by xded · · Score: 1

    Let's suppose that the bill with the forged code randomly ends up in some kind of photo taken with a smartphone, and let's suppose that the smartphone recognizes the QR code and sends the photographer to some kind of phishing website...

    I know, totally unlikely as an attack vector, there's far more probability of someone being phished through ordinary spam. But even if the author of TFA didn't have a clue of what he was talking about, the bill with the malicious QR code could indeed be used as an attack vector of sorts...

    1. Re:I totally agree. But... by skelly33 · · Score: 2

      It would be super amazing to own a smartphone with an infrared laser illuminated microscope.

      I'm baffled by all the comments about the security concerns on this. Barcode scanners have been reading UPC codes at PC-based cash registers operated by high school dropouts for decades, and nobody has yet been able to craft a magic barcode that can crash the system. The argument is asinine. It is not that hard to establish a standard and write some firmware with strict adherence to that standard that will reject anything that is non-sense. Seriously does nobody understand how things work any more?

      Here, let's invent a specification and a bill sorter that uses it, it'll be fun. The QR code will implement a cipher using 6-bit characters supporting an input character set of [A-Z0-9] with an exact string length 11 characters, or 66 bits. This is sufficient to encode the serial number on the $5 bill in my pocket right now. The cipher will put out the exact same number of bits, and the "QR style code" will encode exactly those bits, no more, no less (for extra credit, we can add some checksum / error correction bits). When a scanner picks up the code, it will check the bit length and verify that it is 66 bits, then it will reverse the cipher and compare it to the plain text serial number on the front of the bill. If the 66-bit strings match, the sorter will drop the bill in the "accepted bin", else it will be diverted to the "inspection bin".

      Now you go ahead and think up a scheme by which you can crash and/or infect my scanner. Any firmware developer worth their salt would be able to see you coming a mile away in such a simple system.
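The bill sorter skelly33 sketches above, as an added worked example that is not part of the original thread: an 11-character [A-Z0-9] serial packed 6 bits per character into 66 bits, a toy XOR "cipher" standing in for the unspecified one (the key and the sample serial are made up for the demo; XOR with a static key is not a secure cipher, and a real design would use a MAC or signature), and a scanner with exactly two outcomes. Anything that is not exactly nine bytes with the top six bits clear, or that does not decode to a valid serial matching the printed one, goes to the inspection bin. There is no code path in which the payload is treated as text, a URL, or anything executable.

```python
"""Added example: a bill sorter that accepts exactly one 66-bit payload shape.

Modelled on the spec sketched in the thread (11 chars of [A-Z0-9], 6 bits each,
66 bits). The 'cipher' is a toy XOR with a fixed key, standing in for whatever
keyed transform a real design would use; the point is the accept/reject logic.
"""
import re

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # 36 symbols, so 6 bits per char
SERIAL_RE = re.compile(r"^[A-Z0-9]{11}$")
SERIAL_CHARS = 11
PAYLOAD_BITS = SERIAL_CHARS * 6          # 66
PAYLOAD_BYTES = 9                        # 72 bits on the wire; the top 6 must be zero
PAYLOAD_MASK = (1 << PAYLOAD_BITS) - 1

# Hypothetical fixed key, for illustration only. XOR with a static key is not a
# secure cipher (one known serial/payload pair reveals it); a real deployment
# would use a MAC or a signature here.
TOY_KEY = 0x2A5F13C7E9B04D8A61 & PAYLOAD_MASK


def serial_to_bits(serial: str) -> int:
    """Pack an 11-char serial into a 66-bit integer, 6 bits per character."""
    if not SERIAL_RE.match(serial):
        raise ValueError("serial must be exactly 11 characters of [A-Z0-9]")
    value = 0
    for ch in serial:
        value = (value << 6) | ALPHABET.index(ch)
    return value


def bits_to_serial(value: int) -> str:
    """Unpack 66 bits into a serial; any 6-bit group outside 0..35 is invalid."""
    if value >> PAYLOAD_BITS:
        raise ValueError("more than 66 bits")
    chars = []
    for i in range(SERIAL_CHARS):
        group = (value >> (6 * (SERIAL_CHARS - 1 - i))) & 0x3F
        if group >= len(ALPHABET):
            raise ValueError("6-bit group out of range")
        chars.append(ALPHABET[group])
    return "".join(chars)


def encode_payload(serial: str, key: int = TOY_KEY) -> bytes:
    """Printer side: cipher the serial and emit exactly 9 bytes for the code."""
    return (serial_to_bits(serial) ^ key).to_bytes(PAYLOAD_BYTES, "big")


def sort_bill(payload: bytes, printed_serial: str, key: int = TOY_KEY) -> str:
    """Scanner side: returns 'accepted' or 'inspection'.

    The payload is never treated as text, a URL or anything but a fixed-width
    number, so there is nothing to 'visit' or 'run' however it was forged.
    """
    if len(payload) != PAYLOAD_BYTES:
        return "inspection"                  # wrong length: not our format
    value = int.from_bytes(payload, "big")
    if value >> PAYLOAD_BITS:
        return "inspection"                  # stray high bits: not our format
    if not SERIAL_RE.match(printed_serial):
        return "inspection"                  # OCR'd serial is not a serial
    try:
        recovered = bits_to_serial(value ^ key)
    except ValueError:
        return "inspection"                  # decodes to no valid serial
    return "accepted" if recovered == printed_serial else "inspection"


if __name__ == "__main__":
    genuine = encode_payload("MB12345678A")          # constructed sample serial
    print(sort_bill(genuine, "MB12345678A"))         # accepted
    print(sort_bill(genuine, "MB12345678B"))         # inspection
    print(sort_bill(b"http://x.ev", "MB12345678A"))  # inspection
```

Run it and a forged code is not dangerous, merely rejected: the URL-shaped payload fails the length check before it is even converted to a number, and a payload whose 6-bit groups fall outside the 36-symbol alphabet is caught on decode.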

  76. Why just students of Michigan? by elistan · · Score: 1

    Invisible nano QR codes have been proposed as a way to stop forgery of U.S currency by students of Michigan University.

    Why are Michigan students forging US currency? Has the Secret Service been informed?

  77. Stupid by zieroh · · Score: 1

    This is easily the stupidest slashdot article I've seen today.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  78. Umm seriously? by grimmy · · Score: 1

    If qrcode.content != integer then bill = forged

    The worst 1st year programmer could figure that out. Worst FUD article ever.

  79. Cash would be no longer anonymous by DickBreath · · Score: 1

    I was going to write something like what you stated. The QR code could be digitally signed.

    There are some follow on implications that you didn't explore.

    When accepting bills, scan the QR codes. If you get more than one bill with the same code, you've just spotted at least one forgery.

    If the bills you handle are large in value, then have an online system that allows you to verify that a particular bill is not a known forgery or was not used to create a forgery. It is incumbent on the holder of that bill to turn it in so it can be seen that his bill is in fact the original that was used previously by some forger and he is merely a victim. The victim's bill would be scrutinized to ensure it is the genuine thing.

    Eventually if all locations that accept large bills can cheaply scan them and verify them with a central authority, then forgers must turn to smaller and smaller bills. Eventually the terminals that do the bill verification proliferate down to lesser and lesser value points of commerce until they are at every Walmart just like credit card terminals.

    Now we have something very interesting.

    We didn't create a cashless society. But a lot of people might not understand that every bill is no longer anonymous. If government is able to keep records for every bill, they could know approximately every time it changes hands. They could then know that I got that bill from Target, but Joe spent it at AutoZone.

    --

    I'll see your senator, and I'll raise you two judges.
  80. can /. do better than this? by bussdriver · · Score: 1

    TFA is stupid; however, it does raise an interesting idea. QR codes used to store the serial number on the bills might be easier to scan than the numbers which already can be OCR'd. So that doesn't gain you anything.

    How about Digital Signatures? PGP the money!
    QR codes then make a lot of sense so any smart phone could ID phoney money.

    Yes, somebody could copy the signature; but if it is unique to each bill it would require somebody to copy MANY signatures.

    As more devices automatically scanned the cash, duplicates would be caught more. Currently, we have serial numbers which are just as useless since they can just randomly be made up but we still have them because they prove useful in many situations. Using encryption you make it harder to generate new ones and by using QR codes you make it faster and easier to spot duplicates.
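The signed-serial and duplicate-detection scheme described in DickBreath's and bussdriver's posts, as an added example that is not from either poster: the mint tags serial plus denomination, the scanner verifies the tag, then flags any serial it has already seen, so a forger who copies one genuine code onto many bills is caught on the second scan. It uses a standard-library HMAC with a made-up key as a stand-in for the digital signature the posts call for; the split into a mint side and a scanner side is the same, but with an HMAC every verifier must hold the secret, whereas a public-key signature (the "PGP the money" idea) would let an untrusted phone check a bill with the public key alone.

```python
"""Added example: mint-side tagging, scanner-side verification, duplicate detection.

HMAC-SHA256 stands in for the digital signature the thread proposes; the key,
the serial and the payload layout are all made up for this demo.
"""
import hashlib
import hmac
import re

SERIAL_RE = re.compile(r"^[A-Z0-9]{11}$")
DENOM_RE = re.compile(r"^(1|2|5|10|20|50|100)$")
TAG_HEX_LEN = 32                                   # 128-bit truncated tag, as hex

# Hypothetical mint secret. In a signature design this is the private key and
# scanners (or phones) would hold only the public half.
MINT_KEY = b"demo-mint-key-not-a-real-secret"


def _tag(serial: str, denom: str, key: bytes) -> str:
    """Tag over everything the scanner will compare against the printed bill."""
    msg = f"{serial}|{denom}".encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def mint_payload(serial: str, denom: str, key: bytes = MINT_KEY) -> str:
    """Mint side: produce the QR payload 'SERIAL|DENOM|TAG' for one bill."""
    if not SERIAL_RE.match(serial) or not DENOM_RE.match(denom):
        raise ValueError("bad serial or denomination")
    return f"{serial}|{denom}|{_tag(serial, denom, key)}"


class Register:
    """Scanner side. Every decision is one of a fixed set of strings; the payload
    is parsed against a rigid shape and never interpreted as a URL or code."""

    def __init__(self, key: bytes = MINT_KEY):
        self.key = key
        self.seen = set()                          # serials accepted so far

    def accept(self, payload: str) -> str:
        parts = payload.split("|")
        if len(parts) != 3:
            return "reject:format"
        serial, denom, tag = parts
        if not SERIAL_RE.match(serial) or not DENOM_RE.match(denom):
            return "reject:format"
        if len(tag) != TAG_HEX_LEN:
            return "reject:format"
        # Constant-time compare: the tag is the only thing a forger can't make up.
        if not hmac.compare_digest(_tag(serial, denom, self.key), tag):
            return "reject:bad-tag"                # altered or invented bill
        if serial in self.seen:
            return "duplicate"                     # one genuine code copied many times
        self.seen.add(serial)
        return "accepted"


if __name__ == "__main__":
    till = Register()
    bill = mint_payload("MB12345678A", "100")      # constructed sample bill
    print(till.accept(bill))                       # accepted
    print(till.accept(bill))                       # duplicate
    print(till.accept(bill.replace("|100|", "|20|")))  # reject:bad-tag
```

Changing the denomination on a genuine code, copying a code onto a second bill, or scanning something that is not shaped like a payload at all each produce a different, bounded result; none of them produces a network request.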

  81. This Is Not An Issue by Anonymous Coward · · Score: 0

    The Secret Service would love nothing more than a counterfeiter that prints something on their counterfeit cash that leads the Secret Service back to the counterfeiter. Yes, it's theoretically possible that a counterfeiter could send a bank back to their web site to give the bank some malware, and congrats to planetzuda for contriving the possibility and getting the submission past the editor, but it's never actually going to be attempted by a counterfeiter.

  82. Re:Huh? What? by freeze128 · · Score: 1

    US Currency *ALREADY* has a serial number on each bill. Certainly modern OCR software is accurate enough to read that. Why do we even NEED a QR code?

  83. Re:Huh? What? by fatphil · · Score: 1

    Cos, like, this is, like, *2 dimensional*, man, it's, like, completely different! It's twice as secure! I hear those clever Japanese are working on a 3 dimensional serial number that's 3 times as secure!

    --
    Also FatPhil on SoylentNews, id 863
  84. nano qr-"style" by Anonymous Coward · · Score: 0

    The article doesn't actually say it's a QR-code, just 'like' one for us laymen.
    In actuality, it's a nano ink particle that is encoded and would be impossible (at the moment) to counterfeit.

    That, my friends, is the really cool tech to discuss!
    QR-codes are fine and all, but are really not designed to be much more than printed on your magazine ad.

  85. Will banks sanitize their database inputs? by Mike+Van+Pelt · · Score: 1

    My immediate thought was...

    http://xkcd.com/327/

    One would hope that a bank or other financial institution would do a better job than Little Tommy Tables' school.

    But I wouldn't be surprised if they didn't.

  86. nice post by Anonymous Coward · · Score: 0

    like Chris said I am inspired that a person can make $4125 in 4 weeks on the computer. have you read this web link http://cutt.us/Mr1O

  87. SQL injection by snaFu07 · · Score: 1

    Since QR codes can hold arbitrary strings, why not sql injection attacks?

    Given that at any time
        1) banks would not be the only party interested in tracking money and/or customers,
        2) codes would be scanned and entered into a database,
        3) at some point tracking would become mandatory,
        4) there are still sloppy programmers out there building SQL statements by concatenating strings,
    I can see why this could be a not-so-good idea...
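snaFu07's point 4, as an added example that is not part of the post: the same "have we seen this serial" lookup written with string concatenation and with a bound parameter, against an in-memory SQLite table with one constructed row. A QR payload of `' OR '1'='1` makes the concatenated query report every bill as already seen; the parameterised query treats it as an unknown serial, and a format gate in front of the database stops it before any SQL runs. The table, the serial and the sample dates are invented for the demo.

```python
"""Added example: a scanner's duplicate-serial lookup, vulnerable and fixed.

Standard-library sqlite3 in memory; the registry contents are constructed.
"""
import re
import sqlite3

SERIAL_RE = re.compile(r"^[A-Z0-9]{11}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample registry with one previously seen serial."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE seen (serial TEXT PRIMARY KEY, first_seen TEXT)")
    con.execute("INSERT INTO seen VALUES ('MB12345678A', '2012-08-01')")
    con.commit()
    return con


def seen_concat(con: sqlite3.Connection, serial: str) -> bool:
    """Vulnerable: the scanned string becomes part of the SQL text, so a payload
    like ' OR '1'='1 rewrites the WHERE clause and every bill looks seen."""
    sql = "SELECT 1 FROM seen WHERE serial = '" + serial + "'"
    return con.execute(sql).fetchone() is not None


def seen_param(con: sqlite3.Connection, serial: str) -> bool:
    """Fixed: the scanned string is bound as a value and can only be a value."""
    row = con.execute("SELECT 1 FROM seen WHERE serial = ?", (serial,)).fetchone()
    return row is not None


def seen_gated(con: sqlite3.Connection, serial: str) -> bool:
    """Belt and braces: anything not shaped like a serial never reaches SQL."""
    if not SERIAL_RE.match(serial):
        raise ValueError("not a serial")
    return seen_param(con, serial)


def row_count(con: sqlite3.Connection) -> int:
    """How many serials the registry holds (to show nothing was deleted)."""
    return con.execute("SELECT count(*) FROM seen").fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    hostile = "' OR '1'='1"                        # constructed hostile QR content
    print(seen_concat(con, hostile))               # True: every bill reads as a duplicate
    print(seen_param(con, hostile))                # False: just an unknown string
```

The concatenated version does not need the payload to be executable in any sense; it only needs one quote character to land inside a query, which is exactly the kind of mistake a strict format check or a bound parameter removes.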

  88. showing links infects computers? by PenguinJeff · · Score: 1

    That is the dumbest thing I have ever heard, well maybe not the dumbest but pretty dumb. QR codes are no different than simple bar codes. It is just a way to store information. What some program does with the information is up to the programmer.

  89. In other news... by SharpFang · · Score: 1

    Modifying fingerprints on your fingers to generate a hash containing malicious URLs when fingerprints are scanned may lead to corrupting the police database.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  90. Dumb paranoia by pubwvj · · Score: 1

    You don't just "get infected" by "visiting a site". Your browser or automated software doing the bill scanning needs to do something stupid that allows the site to run code where it shouldn't. Pure text, HTML, etc aren't going to melt your brain. Sad but true.

  91. Rising Tuition Costs must be a real problem... by _0x783czar · · Score: 1

    Now MY question is why are we not arresting these criminal students at the University of Michigan who are forging money! Why is law enforcement not cracking down on this ring of spoiled college brats and their "Free-With-Purchase-Of-Laptop-For-College" ink-jets! Does the treasury think that sitting around and musing over possible long-term solutions is a viable solution to protect the US economy from these Econ Class Flunkies?! We need to send in Treasury agents to bust down the door to their dorms and arrest them! Heck, let's even send in the DEA, I'm sure forgery is only the tip of this tender iceberg! They're probably rollin' doobies with faux Benjamins whilst waiting for their buddies to get more color ink from the bookstore! This is an outrage! (also, I think the poster missed a comma)

    --
    ~theCzar
  92. Does this stop them? by Anonymous Coward · · Score: 0

    "...to stop forgery of U.S currency by students of Michigan University" Surely the students will see this article and just find a different way to keep forging...

  93. Or not... by jacobsm · · Score: 1

    If they're smart enough not to enable network connectivity to the scanning computers.

    Nothing to see here, move along.

  94. dafuq? by dave420 · · Score: 1

    What the fuck sort of shit story is this? Yes, QR codes are easily copied, but not at the nano scale. And why the fuck would a bank, or anyone, connect its QR scanners to the internet? It just has to be sensitive enough to read and verify the QR code and that's it. This is pure nonsense.

  95. idiots by Tom · · Score: 1

    can send you to a site that infects your system

    Yes, if you evaluate them as hyperlinks you fucking moron. That's a feature if you use it for a QR reader on your phone intended to be pointed at posters, etc. - but for a reader to verify documents or bank notes or whatever, it would be so unbelievably stupid that I'd instantly fire the developer who wrote or included that piece of code.

    Really, have they been handing out the stupid pills again?

    --
    Assorted stuff I do sometimes: Lemuria.org
  96. obligatory by Anonymous Coward · · Score: 0

    http://xkcd.com/327/

  97. Sentence Structure by Anonymous Coward · · Score: 0

    "Invisible nano QR codes have been proposed as a way to stop forgery of U.S. currency by students of the South Dakota School of Mines and Technology"
    If this is a known problem with the South Dakota School of Mines and Technology, perhaps some intense interrogation of the students is in order to isolate and prosecute the culprits. Check the computer labs first, to see if the dangerous QR codes were generated there.

  98. Memes by petteyg359 · · Score: 1

    Now we can use a background with this site's name in it for "you, sir, are a moron" images.

  99. SUDO by EnsilZah · · Score: 1

    Screw URLs, I'd just forge a note with a QR that says 'sudo give me all your money'.
    This is foolproof.

  100. World's Safest QRCode Servers by Anonymous Coward · · Score: 0

    Hello
    We at Pacific Breeze QRs are affiliates of QR.GL Marketing.
    This issue can be solved by using a separate QR Code server that is fully monitored by GeoTrust, and the QR Code Optimized Web Page Generator that is retrieved always from our server will be displayed.
    We can also do a proprietary custom Web Page template to make the complete loop very secure.
    Security on our QR Code servers is 256 bit encryption.

    Please visit us at www.connnectionsqrcodes.com
    Or email me at murray@pacificbreezeqrcodes.com

    Thank you

    Murray