Slashdot Mirror


QR Codes As Anti-Forgery On Currency Could Infect Banks

New submitter planetzuda writes "Invisible nano QR codes have been proposed as a way to stop forgery of U.S. currency by students of the South Dakota School of Mines and Technology. Unfortunately, QR codes are easy to forge and can send you to a site that infects your system. Banks would most likely need to scan currency that has QR codes to ensure the authenticity of the bill. If the QR code was forged it could infect the bank with a virus."

9 of 289 comments

  1. Huh? by ccccc · · Score: 5, Informative

    A QR code is a two-dimensional barcode. A pretty decent way to embed a serial number. What exactly about the idea makes the poster believe the banks' scanning software would jump to some arbitrary website after the scan? Presumably, a much more sane and secure thing to do would be to look up the serial number in a database on a single, secure site.

    1. Re:Huh? by jittles · · Score: 4, Informative

      Not only that, but the article I read last night on the BBC talked about how these QR codes are done. First of all, they imbed the QR code on the bill using a special ink that is only luminescent with an exact frequency of laser light, which is invisible to the naked eye. Using a process of (I believe they called it) "photon upconversion" the light becomes visible to sensors in another segment of the spectrum. They can alter the ink they use to change the frequencies in question. This means you would have to have special equipment to see the QR code. They also said that they can imbed two QR codes on top of each other, which respond to different frequencies of light. They can use the two QR codes together to help validate the authenticity of the bill.

      So certainly someone with the right scientists may be able to reproduce the ink, bleach the bill, and print a new face and QR code on it, but it would be very difficult. And who would hook their bill verifying machine up to the internet? And why would you use a URL? You could embed anything into that code, and you could probably even cryptographically sign the data embedded in the bill.

  2. WTF? by iYk6 · · Score: 5, Informative

    QR Codes don't send you anywhere. They're just data. They can contain web links, just like any written sentence, but a device won't download the content at a linked URL unless it is programmed to.

    QR codes are futuristic, 2D versions of bar codes. Nothing more.

    1. Re:WTF? by Anonymous Coward · · Score: 2, Informative

      Nothing futuristic about QR codes! They're 15 years old already.

  3. Re:Sigh. by Joce640k · · Score: 4, Informative

    Ummm....do QR codes have to be a URL? Why would a bank want to put URLs on their bank notes then visit the URL when they scan them?

    Whoever wrote that is a moron.

    --
    No sig today...

  4. Re:Sigh. by gman003 · · Score: 4, Informative

    A QR code is just a text string. Or binary string, even (I think - haven't tried it yet).

    However, the most common use, so far, has been embedding URLs - most phone-app QR code readers automatically interpret the string as a URL and redirect you there, since that's generally what those users want. However, that's a feature of the particular scanner, not of QR codes themselves.

    The original author's mistake is thinking that's a fundamental design feature of QR codes - you scan them, it takes you to a website. Which, if it were true, would indeed be a glaring security hole. Which is why nobody would do such a thing.

  5. Re:Sigh. by msauve · · Score: 4, Informative

    Not to worry. The summary is trash, and you're correct about the submitter's IQ. Of course, if you've been here over a week, this sort of thing is simply expected from timothy. Anyone who can change "South Dakota School of Mines and Technology" to the non-existent "Michigan University" has serious comprehension problems.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law

  6. Re:Sigh. by TWX · · Score: 4, Informative

    There's absolutely no reason for a currency validity checker to use a URL. There's no reason for it to use anything other than a defined standard created by the central banking authority that prints legitimate bills.

    Any data in a QR code that is invalid should only be marked as invalid and the bill sorted aside for later, manual investigation. No "action" with the data itself is required. It shouldn't matter if the data is a URL or an IP address or "echo y|format C: /q". There should be nothing processed but an ack that the data doesn't correspond to correct ranges.

    When a human checks the contents of the flagged bill, the human decides what to do, and more importantly doesn't use a computer on the network with the processing machine. It doesn't then matter if that human is stupid, they don't infect the whole bank if they're so stupid that they load a URL.

    --
    Do not look into laser with remaining eye.
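
The checker described in comment 6, combined with the signed payload suggested in the reply to comment 1, as an added example that is not part of any comment or of a real banknote system. The payload layout, the key and all function names are assumptions, and HMAC-SHA256 is a standard-library stand-in for whatever signature scheme an issuer would actually choose.

```python
import hashlib
import hmac
import re

# Constructed demo key. HMAC is a stand-in: an issuer would more likely use
# an asymmetric signature so that checking machines hold no secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Hypothetical payload layout: 2 letters + 8 digits, ':', 32 hex chars of tag.
PAYLOAD_RE = re.compile(rb"([A-Z]{2}[0-9]{8}):([0-9a-f]{32})")
MAX_LEN = 43  # 10 + 1 + 32; anything longer is rejected before parsing

def make_payload(serial: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Issuer side: serial plus a truncated HMAC-SHA256 tag."""
    tag = hmac.new(key, serial, hashlib.sha256).hexdigest()[:32]
    return serial + b":" + tag.encode("ascii")

def check_payload(raw: bytes, key: bytes = DEMO_KEY) -> tuple[str, str]:
    """Checker side: returns (verdict, detail). The payload is only compared
    against the expected format and tag; it is never decoded as a URL,
    handed to a shell, or otherwise acted on."""
    if len(raw) > MAX_LEN:
        return ("MANUAL_REVIEW", "too long")
    m = PAYLOAD_RE.fullmatch(raw)
    if m is None:
        return ("MANUAL_REVIEW", "bad format")
    serial, tag = m.groups()
    expected = hmac.new(key, serial, hashlib.sha256).hexdigest()[:32].encode()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return ("MANUAL_REVIEW", "bad tag")
    return ("VALID", serial.decode("ascii"))

def log_safe(raw: bytes) -> str:
    """Hex-encode a rejected payload so the log entry itself stays inert."""
    return raw[:64].hex()

if __name__ == "__main__":
    good = make_payload(b"AB12345678")
    samples = [                       # constructed sample scans
        good,
        b"AB12345679" + good[10:],    # serial altered, tag reused
        b"http://example.invalid/x",  # a URL is just a string that fails the format
        b"echo y|format C: /q",       # the string from comment 6
    ]
    for raw in samples:
        print(check_payload(raw), log_safe(raw))
```
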
  7. What lamers voted for accepting this crap? by LeadSongDog · · Score: 4, Informative

    It's blatantly just planetzuda.com spamming its own worthless article.

    --
    Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.