Slashdot Mirror


QR Codes As Anti-Forgery On Currency Could Infect Banks

New submitter planetzuda writes "Invisible nano QR codes have been proposed as a way to stop forgery of U.S. currency by students of the South Dakota School of Mines and Technology. Unfortunately QR codes are easy to forge and can send you to a site that infects your system. Banks would most likely need to scan currency that have QR codes to ensure the authenticity of the bill. If the QR code was forged it could infect the bank with a virus."

52 of 289 comments

  1. Sigh. by ledow · · Score: 5, Insightful

    Only if they're stupid enough to execute code formed from non-executable input.

    1. Re:Sigh. by RyuuzakiTetsuya · · Score: 4, Interesting

      What I came to say. I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

      Maybe if the QR code was a URL. But you'd have to be stupid to do that too.

      A QR code that was a hash of the batch, the release series the serial number and a salt, sure. This could be awesome. Otherwise? Not so much.

      --
      Non impediti ratione cogitationus.
    2. Re:Sigh. by Joce640k · · Score: 4, Informative

      Ummm....do QR codes have to be a URL? Why would a bank want to put URLs on their bank notes then visit the URL when they scan them?

      Whoever wrote that is a moron.

      --
      No sig today...
    3. Re:Sigh. by postbigbang · · Score: 5, Insightful

      The poster is confused. QR Codes are data, not actionable unless you take action on them. Moronic? That's a little rough. In need of a lot of education? Oh.Yeah.

      --
      ---- Teach Peace. It's Cheaper Than War.
    4. Re:Sigh. by Hazel+Bergeron · · Score: 5, Funny

      A helpful rewrite for someone from a few years in the past:

      "Sequences of letters and numbers have been proposed as a way to stop forgery of U.S currency by bored students of Michigan University. Unfortunately sequences of letters and numbers are easy to forge and can be typed into an editor, compiled, and run, infecting your system. Banks would most likely need to read currency that have sequences of letters and numbers to ensure the authenticity of the bill. If the sequences of letters and numbers were forged, typed into an editor, compiled, and run, it could infect the bank with a virus."

    5. Re:Sigh. by Anonymous Coward · · Score: 5, Insightful

      No, they can be plain text. It's always been part of the standard.

      Looks like the summary is just the usual flamebait, containing some stupid statement that commenters will feel compelled to correct.

    6. Re:Sigh. by jeffmeden · · Score: 4, Insightful

      * FIX

      They're stupid enough to execute code formed from non-executable input.

      * FIX OVER

      Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over... Why, there is no way every single bank, even the podunk credit unions that dot the land near and far, can figure out how to run a completely public banking portal without getting completely pwned on their first day and having their vaults emptied. Wait, no, I have that backwards. Good security IS possible, it's just hard for most slashpundits to imagine since it is completely beyond them.

    7. Re:Sigh. by gman003 · · Score: 4, Informative

      A QR code is just a text string. Or binary string, even (I think - haven't tried it yet).

      However, the most common use, so far, has been embedding URLs - most phone-app QR code readers automatically interpret the string as a URL and redirect you there, since that's generally what those users want. However, that's a feature of the particular scanner, not of QR codes themselves.

      The original author's mistake is thinking that's a fundamental design feature of QR codes - you scan them, it takes you to a website. Which, if it were true, would indeed be a glaring security hole. Which is why nobody would do such a thing.

    8. Re:Sigh. by Joce640k · · Score: 4, Interesting

      Would it even be a URL? A QR code is just binary data. I'm sure a bank would interpret them as a binary number, not a download link.

      --
      No sig today...
    9. Re:Sigh. by Joce640k · · Score: 4, Funny

      It's 1s and 0s...I can tell that just by looking at one.

      --
      No sig today...
    10. Re:Sigh. by Joce640k · · Score: 2

      What if I get a sharpie and wrote "FE0634E70F327A6B32C" on a bank note? Would they assume it was JVM bytecode and try to execute it for me?

      (If so, I can get the bank computers to generate Bitcoins for me...?)

      --
      No sig today...
    11. Re:Sigh. by kelemvor4 · · Score: 2

      * FIX

      They're stupid enough to execute code formed from non-executable input.

      * FIX OVER

      Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over... Why, there is no way every single bank, even the podunk credit unions that dot the land near and far, can figure out how to run a completely public banking portal without getting completely pwned on their first day and having their vaults emptied. Wait, no, I have that backwards. Good security IS possible, it's just hard for most slashpundits to imagine since it is completely beyond them.

      Recent history suggests financial institutions do not have a good deal of competence. Maybe they once did, but not in recent years.

    12. Re:Sigh. by ciderbrew · · Score: 2

      Can you post that chip and pin is safe next? How about cards can't be cloned?

    13. Re:Sigh. by Hazel+Bergeron · · Score: 2

      Well, there's one way to guarantee an irrational, over-the-top response: write it clearly on a dollar bill then hand it to a TSA employee at your local friendly airport, grinning wildly.

    14. Re:Sigh. by Anonymous Coward · · Score: 5, Insightful

      A QR code itself can NOT send you to a site. That is a 'feature' of certain apps running on smartphones etc.

      The Michigan University proposal does not suggest that banks should run any such browser-linked software. They essentially propose banks to run software that reads a QR code and validates that code, using algorithms and data that would not require a browser.

      This is the lamest conclusion I've seen yet on Slashdot - either flame bait or a submitter and editorial combined IQ of 50.

      Come on slashdot editors, keep it mildly informed or have standards fallen so low that it's time to move away from slashdot?

    15. Re:Sigh. by jeffmeden · · Score: 2

      So, you would rather see more submissions like this one? (18 comments after 24 hours) Come on, trolls are a part of the internet, so they might as well be a part of slashdot submissions (god knows we see enough of them in the comments section). Be open to a little fun!

    16. Re:Sigh. by msauve · · Score: 4, Informative

      Not to worry. The summary is trash, and you're correct about the submitter's IQ. Of course, if you've been here over a week, this sort of thing is simply expected from timothy. Anyone who can change "South Dakota School of Mines and Technology" to the non-existent "Michigan University" has serious comprehension problems.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    17. Re:Sigh. by tragedy · · Score: 5, Insightful

      I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

      That doesn't seem to be what this article is proposing, however. This article seems to be proposing that the scanners at the bank will read the QR codes on the notes, interpret the code into a URL, then direct a web browser to that URL and, if the URL is for a compromised site, the bank's computer will become infected.

      I've been reading Slashdot for 15 years. I'm not going to claim that all the articles in that time have been gems. This kind of thing almost makes me want to cry, however. It just seems to be happening more and more often.

    18. Re:Sigh. by TWX · · Score: 4, Informative

      There's absolutely no reason for a currency validity checker to use a URL. There's no reason for it to use anything other than a defined standard created by the central banking authority that prints legitimate bills.

      Any data in a QR code that is invalid should only be marked as invalid and the bill sorted aside for later, manual investigation. No "action" with the data itself is required. It shouldn't matter if the data is a URL or an IP address or "echo y|format C: /q". There should be nothing processed but an ack that the data doesn't correspond to correct ranges.

      When a human checks the contents of the flagged bill, the human decides what to do, and more importantly doesn't use a computer on the network with the processing machine. It doesn't then matter if that human is stupid, they don't infect the whole bank if they're so stupid that they load a URL.

      --
      Do not look into laser with remaining eye.
    19. Re:Sigh. by mlts · · Score: 2

      Some institutions are extremely good at keeping their flies zipped up. Others have fallen into the "security has no ROI" trap that seems to be the PHB mating call.

      In the past, banks had a reputation to uphold, so a security breach would be extremely damaging with accountholders moving elsewhere. These days, because it is so hard to move to another provider, coupled with the bar lowered so low about perceived security, a security breach may not be something a bank cares about unless it is a regulator they would find hard-pressed to fight in court due to bad PR.

    20. Re:Sigh. by dolmen.fr · · Score: 5, Insightful

      Who said that the QR code will encode an URL?
      This is not written in the engadget article, and that's the main erroneous assumption of the Slashdot poster (planetzuda).

    21. Re:Sigh. by DarkOx · · Score: 2

      The real source of the problem is government. FDIC has taken the reputation out of banking. As a depositor I don't care if the bank gets knocked over because I know its insured at no cost to me anyway. Well it does cost me actually as the insurance fees are passed on in the form of lower rates.

      Now if it were not for government intervention banks competing for depositors would be strongly incentivized to protect their reputation for not losing customers' money, EVER, as it would be the major sell point. This is why banks chose names like Bank of Granite, in the first place. They wanted to sound and look like immoveable impermeable objects.

      If you want more smaller banks, people would want to spread their money around more places rather than risk it for the convenience of one big nationwide chain, and one provider.

      And Or if you want banks to be more conservative and take security (of all kinds) seriously, you get rid of government backed deposit insurance.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    22. Re:Sigh. by Belial6 · · Score: 2, Interesting

      My number one use for them is to use them as a shared clipboard from my PC to my phone. Sure, there are dozens of ways to get text transferred over, but I have found the easiest way for me is to copy the text, paste it into the QRCode website I have pinned to my taskbar, and scan it with QR Droid. No, I don't do that with data that I would be worried about the site stealing. It is mostly package tracking numbers.

    23. Re:Sigh. by SharpFang · · Score: 3, Interesting

      I really wonder how critically faulty the system would have to be to scan in a signature data and execute it. You could just as well create a license plate with SQL injection code to corrupt photoradars.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    24. Re:Sigh. by achbed · · Score: 2

      You're all not thinking clearly. The easiest thing for a counterfeiter to do is to simply duplicate the same serial number over and over. The QR code would only stop those that want to randomize their serial numbers. A copied note with a QR code will still validate all the way through the system. The bank would notice in the same way they do today - they check and make sure the serial numbers in the batch match the correct year and print facility (also on the bill), and then verify that there are no duplicate serial numbers within the deposit.

      What this would help stop (at least until the central private key is compromised) is "randomizing" of the serial numbers by counterfeiters. By using the serial number and signing it with a private key, it would at least increase the level of difficulty beyond that available to most counterfeiters. The resulting "pros" would need to get a copy of the private key in order to continue, which would involve conspiracy, hacking, bribery, or other methods to get it. Of course, those methods are just as effective now as they always have been.

      Encryption is only as strong as the weakest link. In this case, the weakest link is probably the underpaid, stepped on, underappreciated staff of the central bank.

    25. Re:Sigh. by lennier · · Score: 2

      Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over.

      Yes, that's pretty much it. We're that stupid.

      As evidence for the prosecution, I present: Flash, Java, JPEG, PNG, PDF, Word .DOC, SQL, PHP, ASN.1, and TCP/IP.

      All of the above are either sandboxed-by-design programming languages that don't expose binary code, or simple data encapsulation formats that aren't even Turing-complete. They're all in common use in industry. We, our peers, our industry, trumpeted their safety and deployed them. You'd expect that it would be pretty simple for implementation of a parser for any of these formats to at least not fail in catastrophically hilarious ways, eg, randomly snarfing a bunch of raw untrusted bytes into its runtime code page and then attempting to execute it. In much the same way that you might expect that the bricks a skyscraper is made from will not unexpectedly one day turn into penguins and fly away.

      You'd expect that, and you'd be dead wrong.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    26. Re:Sigh. by lennier · · Score: 2

      There's absolutely no reason

      Any data in a QR code that is invalid should only be marked as invalid

      It shouldn't matter

      There should be nothing processed but an ack that the data doesn't correspond to correct ranges.

      Ah, "should". The system administrator's favourite word.

      Followed closely by:
      "it can't"
      "did it just"
      "there's no way it just"
      "they say it's impossible that it could have"
      "their lawyers say they could never have foreseen that it would"
      "marketing give us every assurance that it absolutely probably maybe won't again"

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    27. Re:Sigh. by xenobyte · · Score: 2

      That was my first thought. Not sure what types of forgery they are aiming to protect against. One common attack is bleaching. Basically the counterfeiter tries to erase the print on a small bill like $5 and replace it with that of $100.

      Smart, but still incredibly stupid.

      First of all, it will only work if the bills are all the same size. US currency is, but this isn't the case in many other countries.

      Second, it will only work if the paper is identical across all denominations. It isn't. Most countries include both distinct watermarks and holographic silver threads that are unique to each denomination, including the US.

      Lastly, most countries (including the US) use a closely guarded method of computing serial numbers, which signatures etc. so either your copies will have invalid combinations or be exactly identical using a known good combination.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  2. If only... by Anonymous Coward · · Score: 5, Funny

    There was a way to scan a QR code without having an unpatched IE6 accessing the url in the code...

  3. not if programmers are 1/2 way competent by RichMan · · Score: 2

    A bank note QR code would refer to a single site. It would not go to "the world".
    Input hardening in such a case should be reasonably trivial. And if it failed to have the proper form it would be false.

  4. Er, wrong. by Anonymous Coward · · Score: 2, Insightful

    I guess that's why all the checkouts at our local grocery stores get viruses when we scan the wrong barcodes.

    Use appropriate software. Fuck.

  5. What? by Anonymous Coward · · Score: 5, Insightful

    What? QR codes can hold arbitrary strings, they don't have to be just URLs. This summary makes no sense. There isn't even an article here! Who is editing this shit?

  6. Huh? by ccccc · · Score: 5, Informative

    A QR code is a two-dimensional barcode. A pretty decent way to embed a serial number. What exactly about the idea makes the poster believe the banks' scanning software would jump to some arbitrary website after the scan? Presumably, a much more sane and secure thing to do would be to look up the serial number in a database on a single, secure site.

    1. Re:Huh? by Anonymous Coward · · Score: 2, Funny

      Muhhahahhahahahaha

      Robert');DROP TABLE CURRENCY;

      will be my QR Code and will bust the world economy! Muhahahahhahahahaha

    2. Re:Huh? by jittles · · Score: 4, Informative

      Not only that, but the article I read last night on the BBC talked about how these QR codes are done. First of all, they imbed the QR code on the bill using a special ink that is only luminescent with an exact frequency of laser light, which is invisible to the naked eye. Using a process of (I believe they called it) "photon upconversion" the light becomes visible to sensors in another segment of the spectrum. They can alter the ink they use to change the frequencies in question. This means you would have to have special equipment to see the QR code. They also said that they can imbed two QR codes on top of each other, which respond to different frequencies of light. They can use the two QR codes together to help validate the authenticity of the bill.

      So certainly someone with the right scientists may be able to reproduce the ink, bleach the bill, and print a new face and QR code on it, but it would be very difficult. And who would hook their bill verifying machine up to the internet? And why would you use a URL? You could embed anything into that code, and you could probably even cryptographically sign the data embedded in the bill.

  7. WTF? by iYk6 · · Score: 5, Informative

    QR Codes don't send you anywhere. They're just data. They can contain web links, just like any written sentence, but a device won't download the content at a linked URL unless it is programmed to.

    QR codes are futuristic, 2D versions of bar codes. Nothing more.

    1. Re:WTF? by Anonymous Coward · · Score: 2, Informative

      Nothing futuristic about QR codes! They're 15 years old already.

    2. Re:WTF? by L4t3r4lu5 · · Score: 2

      You've obviously not read Snow Crash.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  8. Really? by ajdlinux · · Score: 4, Insightful

    This story displays an incredibly low understanding about what a QR code even is, let alone how you would write a QR code reader for a secure environment. I'm surprised this even got accepted.

  9. The submitter doesn't seem to understand QR codes by yincrash · · Score: 2

    This plan in all likelihood would not comprise of URLs encoded as QR codes. It would be some data that would be matched against some other data, so why would the currency verification involve accessing a URL at all to implant a virus?

    The only way I could remotely see that happening would be if there was a vulnerability in the system that allowed for a buffer overflow attack of some sort. The problem with that is that QR codes only have a limited amount of data, which would make this all but impossible.

  10. Re:Super high tech solution by Anonymous Coward · · Score: 2, Insightful

    Next problem: idiotic user submissions combined with lazy "editors" could infect Slashdot with terrible articles on the front page.

  11. Also in the news by Chrisq · · Score: 2

    Bank staff could break their teeth by trying to bite coins. They could also give themselves a sun burn by keeping their hand under the note-testing UV lamp. And now they have the added hazard that they could follow a link on a QR code to an infected site.

  12. Michigan University? by Darth_brooks · · Score: 2

    1. It's "The University of Michigan." Not trying to be as pedantic as those who insist on THE Ohio State University (as opposed to that other Ohio State?), but no one uses 'Michigan University.'

    2. At no point, in any of the three cited articles, is U of M mentioned. The QR / Currency article from engadget refers to The South Dakota School of Mines and Technology, which is slightly different from umich.

    --
    There are some people that if they don't know, you can't tell 'em.
  13. QR codes are not magic code! by mezion · · Score: 2

    Oh FFS!

    It's unclear how much malware spread by QR codes in late 2011, but AVG reports that it's an ideal distribution method for nefarious software and it expects the practice to grow throughout 2012. Users are unaware of what the code contains until the malware has already gained foothold. The point being, QR codes aren't as safe as you might expect them to be. The security firm likens scanning unknown QR codes to running an unfamiliar executable on your computer.

    Let's repeat this again, people: QR Codes are simply a new version of a barcode. They are not magic pictures that infect computers or phones. There is nothing wrong with taking a picture of a barcode.

    OTOH, if you run an application which upon reading a code will automatically open a webpage that might run a script without user intervention, you're giving people a guest pass.

    when malware spread through QR codes on a Russian website and forums. The code directed victims to a download location for an infected version of the Jimm mobile ICQ client. The malware sent SMS messages to premium numbers.

    They directed their phones to a web address they didn't know and shouldn't have trusted, downloaded an application and then installed it. This was their own fault. This has no more to do with QR codes infecting computers than a hyperlink can.

  14. Re:redundant ? redundant? by azadrozny · · Score: 2

    As other posters have pointed out, what if the QR code contained a hash of the serial number and a few other identifying marks visible on the bill? Now you can use the infrared QR and OCR to validate a given bill. In general I think the mints have given up on creating a forge-proof bills. They just keep updating the design with forge resistant features to stay one step ahead. The only problem I have with this is that there are so many different designs in circulation that a lay person cannot easily spot a fake, and may be more likely to accept one.

  15. Independence Day? by angel'o'sphere · · Score: 2

    Reminds me of that movie: "uploading virus ..."

    Funny was they used a Mac for that ...

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  16. Got idea from TV? by muntis · · Score: 4, Funny

    Dude probably is watching too much TV where you can burn down computer by scanning bones

  17. Why not a cryptographic signature in the S/N? by swb · · Score: 4, Interesting

    Each note seems to have a serial number, meaning it should be unique. Why not have each note's S/N cryptographically signed and the signature stamped onto the note along with the S/N in some kind of machine-readable format?

    It should then be possible to scan the barcode and verify the signature to determine whether the note was legitimate. They could create unique keys for each Federal Reserve district, perhaps annually, so that you wouldn't have to worry as much about the key being compromised.

    Someone could clone the same S/N and signature, but if they did it would be easy for banks or other large cash processors with scanners to identify duplicates and remove them from circulation. Dupes could be identified as currency scanned at more than one geographic location within a certain time window where the chance of the currency being in two places at once was very slim -- kind of like the antifraud calls I've gotten from a credit card company when I've used a card in two cities in the same day.

    Small numbers of duplicates would be hard to track, but the economic risk from counterfeiting isn't from some guy with a scanner and an inkjet printer but from mass counterfeiting of thousands of notes.
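
The duplicate check proposed in the comment above, sketched in Python as an added example; it is not code from the poster or from any cash-processing system. The log format, the 6-hour window and the site names and serials are constructed assumptions, and every scan is assumed to have already passed signature verification.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed value: the comment only says "a certain time window".
WINDOW = timedelta(hours=6)

# Constructed scan log: ISO timestamp, scanning site, serial number.
SCAN_LOG = """\
2012-01-05T09:12:00 MINNEAPOLIS MB12345678A
2012-01-05T09:40:00 MINNEAPOLIS MF55550000C
2012-01-05T11:03:00 ATLANTA MB12345678A
2012-01-05T11:30:00 MINNEAPOLIS MF55550000C
2012-01-07T16:00:00 DALLAS MB12345678A
not a scan record
2012-01-07T18:45:00 SEATTLE MB12345678A
"""


def parse_scans(text):
    """Return (scans, rejected): parsed (time, site, serial) tuples and
    the number of lines that did not match the three-field format."""
    scans, rejected = [], 0
    for line in text.splitlines():
        try:
            when_s, site, serial = line.split()
            scans.append((datetime.fromisoformat(when_s), site, serial))
        except ValueError:          # wrong field count or bad timestamp
            rejected += 1
    return scans, rejected


def find_clones(scans, window=WINDOW):
    """Flag serials scanned at two different sites within `window`.

    Returns {serial: [(earlier_site, later_site, gap), ...]}.
    Repeat scans at the same site are not flagged by this rule.
    """
    recent = defaultdict(deque)     # serial -> scans still inside the window
    alerts = defaultdict(list)
    for when, site, serial in sorted(scans):
        seen = recent[serial]
        while seen and when - seen[0][0] > window:
            seen.popleft()          # too old to conflict with this scan
        for prev_when, prev_site in seen:
            if prev_site != site:
                alerts[serial].append((prev_site, site, when - prev_when))
        seen.append((when, site))
    return dict(alerts)


if __name__ == "__main__":
    scans, rejected = parse_scans(SCAN_LOG)
    print(f"{len(scans)} scans parsed, {rejected} malformed line(s) skipped")
    for serial, hits in find_clones(scans).items():
        for earlier, later, gap in hits:
            print(f"{serial}: {earlier} then {later} after {gap}")
```
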

  18. You're right, your IQ isn't 50 by SmallFurryCreature · · Score: 2

    Well, your post contains one truth, your IQ isn't 50. It is far far lower.

    QR is simply a bar code. You scan it and get a string of data. That is it. It can contain any string valid within its codeset but it is just a string just as a barcode is just a number.

    Sure, buffer overflows exist but they exist deep within complex code, not on simple basic stuff as reading in a user input especially when there is only one.

    And people with IQ of 50 (you call them master or whatever you can manage to utter with your sub-50 IQ) don't work for banks.

    It doesn't matter if the string contains characters that together form a URL, that is only valid if someone with a sense of humor starts testing the read string for what it might possibly contain. It could be a string that if processed as a gif shows a image. But why would a banknote scanner contain the code to do that?

    I could build a nut screwing robot and then give it an icecream and watch it transform itself into an icecream eating machine OR I could see it reject the input as invalid because it was never programmed to deal with that input.

    What do you think that happens if a random string of text in a ssl key happens to form the word "reboot". That the computer will reboot?

    You, the submitter, timothy and an awful lot of people who should be on facebook instead of slashdot seem to think computers are magic. They are not.

    Only when silly MS programmers try to make their software clever by trying to guess what input could mean, things go wrong. People who write software for banks are not silly.

    If you spend a million years beating them over the head with a feature for "smart" input where code just tries to run any input whatsoever, they would just not get what you are trying to do. Such a stupid idea just does not exist in the universe of serious coders. There are no serious coders at MS. Or indeed Apple. Or many linux projects. Luckily banks make it a point to find it for their "oh shit this is going to cost us more money than the worst/best traders in history" projects. Else the treasury goes after them and this ain't the corrupt branch of government, this is the bit that closes you down and then dissects your corpse while you are still using it so they can find the stupid bit and show it to all the banks. There are a lot of banks, so they will have to cut you up pretty small.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  19. What lamers voted for accepting this crap? by LeadSongDog · · Score: 4, Informative

    It's blatantly just planetzuda.com spamming its own worthless article.

    --
    Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
  20. Stupid post by gabrygenoa · · Score: 2

    Please remove this post, the lamest programmer in the world will be able to avoid this "infection", as said by a lot of people QR codes contain binary data or strings. I think this is a tabloid level post, an insult to slashdot users.

  21. Re:I totally agree. But... by skelly33 · · Score: 2

    It would be super amazing to own a smartphone with an infrared laser illuminated microscope.

    I'm baffled by all the comments about the security concerns on this. Barcode scanners have been reading UPC codes at PC-based cash registers operated by high school dropouts for decades, and nobody has yet been able to craft a magic barcode that can crash the system. The argument is asinine. It is not that hard to establish a standard and write some firmware with strict adherence to that standard that will reject anything that is nonsense. Seriously does nobody understand how things work any more?

    Here, let's invent a specification and a bill sorter that uses it, it'll be fun. The QR code will implement a cipher using 6-bit characters supporting an input character set of [A-Z0-9] with an exact string length of 11 characters, or 66 bits. This is sufficient to encode the serial number on the $5 bill in my pocket right now. The cipher will put out the exact same number of bits, and the "QR style code" will encode exactly those bits, no more, no less (for extra credit, we can add some checksum / error correction bits). When a scanner picks up the code, it will check the bit length and verify that it is 66 bits, then it will reverse the cipher and compare it to the plain text serial number on the front of the bill. If the 66-bit strings match, the sorter will drop the bill in the "accepted bin", else it will be diverted to the "inspection bin".

    Now you go ahead and think up a scheme by which you can crash and/or infect my scanner. Any firmware developer worth their salt would be able to see you coming a mile away in such a simple system.
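
The sorter specified in the comment above, which also follows the "mark it invalid and set the bill aside" rule from TWX's comment earlier in the thread, written out in Python as an added example; it is not code from any poster or from a real bill sorter. The comment names no cipher, so an 8-round Feistel network keyed with HMAC-SHA256 stands in for it, and the key, the function names, the bit-string scanner interface and the sample serial are constructed assumptions.

```python
import hashlib
import hmac

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"   # the only 36 legal symbols
SERIAL_LEN = 11                  # characters, per the comment's spec
PAYLOAD_BITS = SERIAL_LEN * 6    # 66 bits, no more, no less
HALF_BITS = PAYLOAD_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 8
DEMO_KEY = b"constructed-demo-key"   # placeholder, not a real key


def round_fn(key, rnd, half):
    """Keyed round function: HMAC-SHA256 truncated to 33 bits."""
    msg = bytes([rnd]) + half.to_bytes(5, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:5], "big") & HALF_MASK


def encipher(key, value):
    """66 bits in, 66 bits out (stand-in for the unspecified cipher)."""
    left, right = value >> HALF_BITS, value & HALF_MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ round_fn(key, rnd, right)
    return (left << HALF_BITS) | right


def decipher(key, value):
    left, right = value >> HALF_BITS, value & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ round_fn(key, rnd, left), left
    return (left << HALF_BITS) | right


def pack_serial(serial):
    """Encode an 11-character [A-Z0-9] serial as a 66-bit integer."""
    if len(serial) != SERIAL_LEN:
        raise ValueError("serial must be exactly 11 characters")
    value = 0
    for ch in serial:
        value = (value << 6) | ALPHABET.index(ch)   # ValueError if illegal
    return value


def unpack_serial(value):
    """Return the serial, or None if any 6-bit symbol is outside [A-Z0-9]."""
    chars = []
    for shift in range(PAYLOAD_BITS - 6, -1, -6):
        sym = (value >> shift) & 0x3F
        if sym >= len(ALPHABET):        # 28 of the 64 code points are unused
            return None
        chars.append(ALPHABET[sym])
    return "".join(chars)


def make_code(serial, key=DEMO_KEY):
    """Issuer side: the 66-bit payload to print, as a '0'/'1' string."""
    return format(encipher(key, pack_serial(serial)), "066b")


def sort_bill(scanned_bits, printed_serial, key=DEMO_KEY):
    """Scanner side: return 'accepted' or 'inspection'. The payload is
    only ever treated as a 66-bit number; nothing in it is interpreted."""
    # Explicit character check: int() alone would tolerate '_' and spaces.
    if len(scanned_bits) != PAYLOAD_BITS or set(scanned_bits) - {"0", "1"}:
        return "inspection"
    recovered = unpack_serial(decipher(key, int(scanned_bits, 2)))
    if recovered is None or recovered != printed_serial:
        return "inspection"
    return "accepted"


if __name__ == "__main__":
    serial = "MB12345678A"      # constructed sample serial
    url_bits = "".join(format(b, "08b") for b in b"http://example.invalid/x")
    print(sort_bill(make_code(serial), serial))   # genuine pairing
    print(sort_bill(url_bits, serial))            # a URL is just wrong-length data
```
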