The fair is in town, and I need money. Where do I get money from? The bank.
I enter the bank. I see a piece of paper loosely stuck to the ATM advertising the bank’s mobile application, and conveniently including a QR code.
Anyone else see a problem here?
Critical #fail by @ING bank – a paper with a QR code stuck to an ATM, apparently for a bank app. Wide open to abuse! pic.twitter.com/RvnyYU1w71
— Steve Chaloner (@steve_objectify) September 5, 2013
Examples of malicious QR codes were already being reported two years ago. Given the number of phishing sites that mimic banks, is it really such a stretch of the imagination that fraudulent mobile applications will appear? QR codes represent a potential path to get these apps onto devices.
For any company to offer an app via a QR code printed on a scrap of paper and pasted to the side of an ATM shows a stunning lack of understanding of the potential for damage. Even an official poster bearing a QR code can be hijacked by scammers placing QR code stickers over the true QR code. Even that modicum of effort isn’t needed in this situation. A scammer can print out a piece of paper, fasten it to an ATM after the bank has closed, and remove it before the bank opens.
What could the app do?
An app that you cheerfully feed your bank details into can at least harvest your account details. If your bank’s online browser-based web app requires a card reader code to access, that code can be requested by the mobile app and used to – manually or automatically – log into the bank’s web app. A simple “service unavailable” message delivered to the user leads them to believe no access has occurred, while in reality their account is being drained.
An unlikely scenario? Hardly. Nothing I have described above is new, and even fairly rudimentary coding skills would suffice to pull this off.
What should the bank do?
Not use QR codes! If my bank calls me with a question, I tell them I’ll call them back and hang up. I never accept “pushed” data – instead, I get the phone number from my bank documentation and call that number. The same principle applies here – banks should advertise the availability of mobile apps, but actual installation should only occur from a trusted source.
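The "only install from a trusted source" rule above can be made mechanical on the device side: treat whatever a QR code decodes to as untrusted pushed data, and act on it only if it resolves to a store listing the bank has published through a channel you already trust. The following is an added example, not code from the original post or from any bank; the allowlist entries, the bank name and the listing paths are constructed for illustration.

```python
"""Triage a decoded QR payload before acting on it.

Added example, not the original post's code. Assumption (constructed): the
bank publishes its app only through the two official store pages listed in
TRUSTED_SOURCES, so anything that does not resolve to one of those pages is
treated as untrusted, in line with the "never accept pushed data" rule.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the only places the hypothetical bank says its app
# comes from. Each host maps to the listing path prefixes it may point at.
TRUSTED_SOURCES = {
    "apps.apple.com": ("/app/examplebank/",),          # hypothetical listing
    "play.google.com": ("/store/apps/details",),
}


def triage_qr_payload(payload: str) -> tuple[str, str]:
    """Classify a decoded QR string as ("trusted" | "untrusted", reason)."""
    text = payload.strip()
    parts = urlsplit(text)

    # Plain text, tel:, custom app schemes and http: all count as untrusted:
    # only an https URL can even be a candidate for a store listing.
    if parts.scheme.lower() != "https":
        return "untrusted", f"scheme {parts.scheme or 'none'!r} is not https"

    # .hostname strips userinfo and port, so "https://play.google.com@evil.example/"
    # is seen as evil.example rather than as the store.
    host = (parts.hostname or "").lower().rstrip(".")

    # A direct package download sidesteps the store entirely, whatever the host.
    if parts.path.lower().endswith(".apk"):
        return "untrusted", "direct APK download bypasses the store"

    # Exact host match only: "play.google.com.evil.example" must not pass.
    if host not in TRUSTED_SOURCES:
        return "untrusted", f"host {host!r} is not a listed app store"

    if not any(parts.path.startswith(p) for p in TRUSTED_SOURCES[host]):
        return "untrusted", f"path {parts.path!r} is not the bank's listing"

    return "trusted", "matches a published store listing"


if __name__ == "__main__":
    # Constructed sample payloads, as they might decode from a sticker.
    samples = [
        "https://play.google.com/store/apps/details?id=com.examplebank",
        "https://apps.apple.com/app/examplebank/id000000000",
        "http://play.google.com/store/apps/details?id=com.examplebank",
        "https://play.google.com.evil.example/store/apps/details",
        "https://play.google.com@evil.example/store/apps/details",
        "https://bank-app.example/download/examplebank.apk",
        "Install our app at http://bank-app.example",
    ]
    for s in samples:
        verdict, reason = triage_qr_payload(s)
        print(f"{verdict:9} {reason:45} {s}")
```

The check is deliberately strict: an exact host match against a short allowlist, https only, and no direct package downloads. Anything the function cannot positively match falls through to "untrusted", which mirrors the post's advice of going back to the documentation you already have rather than following whatever was pushed at you.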
Needless to say, I don’t scan QR codes.