Slashdot Mirror


QR Codes As Anti-Forgery On Currency Could Infect Banks

New submitter planetzuda writes "Invisible nano QR codes have been proposed as a way to stop forgery of U.S. currency by students of the South Dakota School of Mines and Technology. Unfortunately QR codes are easy to forge and can send you to a site that infects your system. Banks would most likely need to scan currency that have QR codes to ensure the authenticity of the bill. If the QR code was forged it could infect the bank with a virus."

25 of 289 comments

  1. Sigh. by ledow · · Score: 5, Insightful

    Only if they're stupid enough to execute code formed from non-executable input.

    1. Re:Sigh. by RyuuzakiTetsuya · · Score: 4, Interesting

      What I came to say. I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

      Maybe if the QR code was a URL. But you'd have to be stupid to do that too.

      A QR code that was a hash of the batch, the release series, the serial number and a salt, sure. This could be awesome. Otherwise? Not so much.

      --
      Non impediti ratione cogitationus.
    2. Re:Sigh. by Joce640k · · Score: 4, Informative

      Ummm....do QR codes have to be a URL? Why would a bank want to put URLs on their bank notes then visit the URL when they scan them?

      Whoever wrote that is a moron.

      --
      No sig today...
    3. Re:Sigh. by postbigbang · · Score: 5, Insightful

      The poster is confused. QR Codes are data, not actionable unless you take action on them. Moronic? That's a little rough. In need of a lot of education? Oh. Yeah.

      --
      ---- Teach Peace. It's Cheaper Than War.
    4. Re:Sigh. by Hazel+Bergeron · · Score: 5, Funny

      A helpful rewrite for someone from a few years in the past:

      "Sequences of letters and numbers have been proposed as a way to stop forgery of U.S. currency by bored students of Michigan University. Unfortunately sequences of letters and numbers are easy to forge and can be typed into an editor, compiled, and run, infecting your system. Banks would most likely need to read currency that have sequences of letters and numbers to ensure the authenticity of the bill. If the sequences of letters and numbers were forged, typed into an editor, compiled, and run, it could infect the bank with a virus."

    5. Re:Sigh. by Anonymous Coward · · Score: 5, Insightful

      No, they can be plain text. It's always been part of the standard.

      Looks like the summary is just the usual flamebait, containing some stupid statement that commenters will feel compelled to correct.

    6. Re:Sigh. by jeffmeden · · Score: 4, Insightful

      * FIX

      They're stupid enough to execute code formed from non-executable input.

      * FIX OVER

      Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bounds-check a code read from a scanner in order to stop an "infection" from taking over... Why, there is no way every single bank, even the podunk credit unions that dot the land near and far, can figure out how to run a completely public banking portal without getting completely pwned on their first day and having their vaults emptied. Wait, no, I have that backwards. Good security IS possible, it's just hard for most slashpundits to imagine since it is completely beyond them.

    7. Re:Sigh. by gman003 · · Score: 4, Informative

      A QR code is just a text string. Or binary string, even (I think - haven't tried it yet).

      However, the most common use, so far, has been embedding URLs - most phone-app QR code readers automatically interpret the string as a URL and redirect you there, since that's generally what those users want. However, that's a feature of the particular scanner, not of QR codes themselves.

      The original author's mistake is thinking that's a fundamental design feature of QR codes - you scan them, it takes you to a website. Which, if it were true, would indeed be a glaring security hole. Which is why nobody would do such a thing.

    8. Re:Sigh. by Joce640k · · Score: 4, Interesting

      Would it even be a URL? A QR code is just binary data. I'm sure a bank would interpret them as a binary number, not a download link.

      --
      No sig today...
    9. Re:Sigh. by Joce640k · · Score: 4, Funny

      It's 1s and 0s...I can tell that just by looking at one.

      --
      No sig today...
    10. Re:Sigh. by Anonymous Coward · · Score: 5, Insightful

      A QR code itself can NOT send you to a site. That is a 'feature' of certain apps running on smartphones etc.

      The Michigan University proposal does not suggest that banks should run any such browser-linked software. They essentially propose that banks run software that reads a QR code and validates that code, using algorithms and data that would not require a browser.

      This is the lamest conclusion I've seen yet on Slashdot - either flame bait or a submitter and editorial combined IQ of 50.

      Come on slashdot editors, keep it mildly informed or have standards fallen so low that it's time to move away from slashdot?

    11. Re:Sigh. by msauve · · Score: 4, Informative

      Not to worry. The summary is trash, and you're correct about the submitter's IQ. Of course, if you've been here over a week, this sort of thing is simply expected from timothy. Anyone who can change "South Dakota School of Mines and Technology" to the non-existent "Michigan University" has serious comprehension problems.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    12. Re:Sigh. by tragedy · · Score: 5, Insightful

      I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

      That doesn't seem to be what this article is proposing, however. This article seems to be proposing that the scanners at the bank will read the QR codes on the notes, interpret the code into a URL, then direct a web browser to that URL and, if the URL is for a compromised site, the bank's computer will become infected.

      I've been reading Slashdot for 15 years. I'm not going to claim that all the articles in that time have been gems. This kind of thing almost makes me want to cry, however. It just seems to be happening more and more often.

    13. Re:Sigh. by TWX · · Score: 4, Informative

      There's absolutely no reason for a currency validity checker to use a URL. There's no reason for it to use anything other than a defined standard created by the central banking authority that prints legitimate bills.

      Any data in a QR code that is invalid should only be marked as invalid and the bill sorted aside for later, manual investigation. No "action" with the data itself is required. It shouldn't matter if the data is a URL or an IP address or "echo y|format C: /q". There should be nothing processed but an ack that the data doesn't correspond to correct ranges.

      When a human checks the contents of the flagged bill, the human decides what to do, and more importantly doesn't use a computer on the network with the processing machine. It doesn't then matter if that human is stupid, they don't infect the whole bank if they're so stupid that they load a URL.

      --
      Do not look into laser with remaining eye.
    14. Re:Sigh. by dolmen.fr · · Score: 5, Insightful

      Who said that the QR code will encode a URL?
      This is not written in the engadget article, and that's the main erroneous assumption of the Slashdot poster (planetzuda).

    15. Re:Sigh. by SharpFang · · Score: 3, Interesting

      I really wonder how critically faulty the system would have to be to scan in a signature data and execute it. You could just as well create a license plate with SQL injection code to corrupt photoradars.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  2. If only... by Anonymous Coward · · Score: 5, Funny

    There was a way to scan a QR code without having an unpatched IE6 accessing the url in the code...

  3. What? by Anonymous Coward · · Score: 5, Insightful

    What? QR codes can hold arbitrary strings, they don't have to be just URLs. This summary makes no sense. There isn't even an article here! Who is editing this shit?

  4. Huh? by ccccc · · Score: 5, Informative

    A QR code is a two-dimensional barcode. A pretty decent way to embed a serial number. What exactly about the idea makes the poster believe the banks' scanning software would jump to some arbitrary website after the scan? Presumably, a much more sane and secure thing to do would be to look up the serial number in a database on a single, secure site.

    1. Re:Huh? by jittles · · Score: 4, Informative

      Not only that, but the article I read last night on the BBC talked about how these QR codes are done. First of all, they embed the QR code on the bill using a special ink that is only luminescent with an exact frequency of laser light, which is invisible to the naked eye. Using a process of (I believe they called it) "photon upconversion" the light becomes visible to sensors in another segment of the spectrum. They can alter the ink they use to change the frequencies in question. This means you would have to have special equipment to see the QR code. They also said that they can embed two QR codes on top of each other, which respond to different frequencies of light. They can use the two QR codes together to help validate the authenticity of the bill.

      So certainly someone with the right scientists may be able to reproduce the ink, bleach the bill, and print a new face and QR code on it, but it would be very difficult. And who would hook their bill verifying machine up to the internet? And why would you use a URL? You could embed anything into that code, and you could probably even cryptographically sign the data embedded in the bill.

  5. WTF? by iYk6 · · Score: 5, Informative

    QR Codes don't send you anywhere. They're just data. They can contain web links, just like any written sentence, but a device won't download the content at a linked URL unless it is programmed to.

    QR codes are futuristic, 2D versions of bar codes. Nothing more.

  6. Really? by ajdlinux · · Score: 4, Insightful

    This story displays an incredibly low understanding about what a QR code even is, let alone how you would write a QR code reader for a secure environment. I'm surprised this even got accepted.

  7. Got idea from TV? by muntis · · Score: 4, Funny

    Dude is probably watching too much TV, where you can burn down a computer by scanning bones.

  8. Why not a cryptographic signature in the S/N? by swb · · Score: 4, Interesting

    Each note seems to have a serial number, meaning it should be unique. Why not have each note's S/N cryptographically signed and the signature stamped onto the note along with the S/N in some kind of machine-readable format?

    It should then be possible to scan the barcode and verify the signature to determine whether the note was legitimate. They could create unique keys for each Federal Reserve district, perhaps annually, so that you wouldn't have to worry as much about the key being compromised.

    Someone could clone the same S/N and signature, but if they did it would be easy for banks or other large cash processors with scanners to identify duplicates and remove them from circulation. Dupes could be identified as currency scanned at more than one geographic location within a certain time window where the chance of the currency being in two places at once was very slim -- kind of like the antifraud calls I've gotten from a credit card company when I've used a card in two cities in the same day.

    Small numbers of duplicates would be hard to track, but the economic risk from counterfeiting isn't from some guy with a scanner and an inkjet printer but from mass counterfeiting of thousands of notes.
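As an added example (not code from any poster here, and not part of the South Dakota proposal), here is a Go sketch of the design swb describes above, combined with the rule TWX gives in the "Sigh." thread: the scanner treats the QR payload as inert bytes, checks it against a defined format, verifies a signature, and anything that fails is flagged for manual review rather than acted on. The payload layout (serial|district|year|signature), the serial-number pattern, the per-district per-year key naming, and the sample sightings are all assumptions made up for this example; Ed25519 stands in for whatever signature scheme an issuer would actually pick.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// NoteRecord is what a valid QR payload decodes to. The field set is an
// assumption for this example, not a real note layout.
type NoteRecord struct {
	Serial   string
	District string
	Year     string
}

// Assumed serial pattern: one prefix letter, eight digits, one suffix letter.
var serialRe = regexp.MustCompile(`^[A-L][0-9]{8}[A-Z]$`)

// keyID names the per-district, per-year signing key the post suggests.
func keyID(district, year string) string { return district + "-" + year }

// encodePayload builds the bytes the note's QR code would carry:
// "serial|district|year|" followed by a 64-byte Ed25519 signature over
// that text. Only the issuer holds priv.
func encodePayload(rec NoteRecord, priv ed25519.PrivateKey) []byte {
	msg := []byte(rec.Serial + "|" + rec.District + "|" + rec.Year + "|")
	return append(msg, ed25519.Sign(priv, msg)...)
}

// verifyPayload treats the scanned bytes as data only: parse the fields,
// check them against the expected ranges, verify the signature with the
// key for that district/year. Any failure is returned as an error so the
// note can be set aside for a human; the bytes are never interpreted as
// a URL, a command, or anything else executable.
func verifyPayload(payload []byte, pubs map[string]ed25519.PublicKey) (NoteRecord, error) {
	sigLen := ed25519.SignatureSize
	if len(payload) <= sigLen {
		return NoteRecord{}, errors.New("payload too short")
	}
	msg, sig := payload[:len(payload)-sigLen], payload[len(payload)-sigLen:]
	parts := strings.Split(string(msg), "|")
	if len(parts) != 4 || parts[3] != "" {
		return NoteRecord{}, errors.New("unexpected field layout")
	}
	rec := NoteRecord{Serial: parts[0], District: parts[1], Year: parts[2]}
	if !serialRe.MatchString(rec.Serial) {
		return NoteRecord{}, fmt.Errorf("serial %q outside expected format", rec.Serial)
	}
	pub, ok := pubs[keyID(rec.District, rec.Year)]
	if !ok {
		return NoteRecord{}, fmt.Errorf("no key for district %q year %q", rec.District, rec.Year)
	}
	if !ed25519.Verify(pub, msg, sig) {
		return NoteRecord{}, errors.New("signature does not verify")
	}
	return rec, nil
}

// Sighting is one scan of a note by a bank or cash processor.
type Sighting struct {
	Serial   string
	Location string
	At       time.Time
}

// findDuplicates returns serials scanned at two different locations
// within window of each other: the "in two places at once" heuristic
// from the post. Sightings need not be sorted; comparing consecutive
// scans per serial is enough, since any out-of-window-order pair of
// differing locations implies a closer consecutive pair that differs.
func findDuplicates(sightings []Sighting, window time.Duration) []string {
	bySerial := map[string][]Sighting{}
	for _, s := range sightings {
		bySerial[s.Serial] = append(bySerial[s.Serial], s)
	}
	var dupes []string
	for serial, ss := range bySerial {
		sort.Slice(ss, func(i, j int) bool { return ss[i].At.Before(ss[j].At) })
		for i := 1; i < len(ss); i++ {
			if ss[i].Location != ss[i-1].Location && ss[i].At.Sub(ss[i-1].At) <= window {
				dupes = append(dupes, serial)
				break
			}
		}
	}
	sort.Strings(dupes)
	return dupes
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	pubs := map[string]ed25519.PublicKey{keyID("B", "2012"): pub}
	good := encodePayload(NoteRecord{"B12345678A", "B", "2012"}, priv)
	fmt.Println(verifyPayload(good, pubs))
	// A payload that happens to hold a URL is simply rejected, never opened.
	bogus := append([]byte("http://example.invalid/|B|2012|"), make([]byte, ed25519.SignatureSize)...)
	fmt.Println(verifyPayload(bogus, pubs))
}
```

The duplicate check is deliberately a batch function over scan records: it runs on the back-office side against the sightings database, not on the scanner, so the scanning machine needs nothing beyond the public keys.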

  9. What lamers voted for accepting this crap? by LeadSongDog · · Score: 4, Informative

    It's blatantly just planetzuda.com spamming its own worthless article.

    --
    Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.