L. R. Yin, M. Senior, Z. Zhang and N. Baldwin, "Perceived security risks of scanning
quick response (QR) codes in mobile computing with smart phones," 2013
International Conference on Engineering, Management Science and Innovation
(ICEMSI), Taipa, 2013, pp. 1-7, doi: 10.1109/ICEMSI.2013.6913997.
Perceived Security Risks of Scanning Quick Response
(QR) Codes in Mobile Computing with Smart Phones
L. Roger Yin1, Zhuo Zhang2, Nicholas Baldwin1,
and Mitchum Senior1
1 University of Wisconsin-Whitewater, 800 W. Main St. Whitewater, WI 53190, USA
{yinl, baldwinnw19, senriormb12}@uww.edu
2 Macau University of Science and Technology, Avenida Wai Long, Taipa, Macau
zzhang@must.edu.mo
Abstract. Quick response (QR) codes are used everywhere, from magazines and
posters to Facebook and Twitter. Today's mobile devices offer advanced
capabilities along with unprecedented security risks that the majority of users
do not realize exist; QR code scanning is a good example. In this study we
investigate the perceived risk of scanning QR codes and its mitigation by a
digital QR code certification pop-up message that warns users against malicious
QR codes and prevents them from being tricked into a hacker's scheme. Data
analysis and results are presented and discussed.
Keywords: Quick response (QR) code, mobile computing, smart phone, e-
commerce, m-commerce, information security, digital certificate, hacker.
1 Introduction
Quick response (QR) code, or matrix barcode, utilization is presently ubiquitous,
from bank statements and magazines to Facebook and Twitter. It is estimated that
over one-third of e-commerce merchants have invested in QR codes to advertise
off-line, and the number is expected to grow rapidly [1]. With nearly one in every
two Americans of all ages owning a smart phone or tablet device, there is an
ever-growing population interfacing with QR codes [2]. Today's mobile devices
offer advanced capabilities along with new security risks that the majority of
users do not realize exist. There are currently no security measures in place to
verify a QR code's authenticity, leaving mobile users vulnerable to fraud. To
address this problem, our study examines whether an alert message representing a
digital certificate, shown upon scanning a QR code, will deter mobile device users
of different characteristics, and outlines a method of creating registered digital
certificates to prove whether or not a QR code has credible ownership. The
implications include awareness of QR scanning risks both for companies that use
QR codes to enhance marketing and for users who consume information disseminated
via QR code scans that influences their purchase decisions.
1.1 Mobile Communication Tradeoff: Convenience vs. Security
The advent of wireless communication has brought exponential growth of smart
phones, tablets and other mobile devices that are increasingly handy and
versatile. But what price do the mass of mobile users pay for that convenience?
Identifying not-yet-discovered security risks of mobile devices is of imperative
importance to all businesses and individuals.
For instance, in a Best Buy store, if you want more information on a product you
can look it up via QR codes. Currently there is no system in place that would
allow QR codes to lead only to credentialed or certified websites, similar to the
verified certificates we see in normal Internet use. Previously, designs of simple
user authentication schemes were proposed [3][4]. However, such user-to-server
authentication can be tampered with through man-in-the-middle and other spoofing
techniques. To better protect both the reputation of legitimate merchants who use
QR codes for marketing and promotion and the users who retrieve Web-based
information by scanning QR codes, there is a need to design and develop a
server-to-user authentication scheme: first certify the target Website, then
authenticate the Website address as well as the content by issuing digital
certificates. A pop-up warning message representing the verification of the
digital certificate would then appear on the user's smart phone upon scanning a
given QR code. In this research project we look into the relatively uncharted
security risks of mobile devices specifically involving QR codes that could be
tampered with by social engineering methods on the mobile platform. Upon scanning
a QR code with their smart phones and seeing a pop-up warning of a potential
"hijack" from the intended Website to a malicious one, users must decide whether
to ignore the warning and proceed or to cancel and abort.
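The server-to-user scheme sketched above, carried through as an added example that is not part of the original paper or of any deployed product: a registry, standing in for the proposed digital certificate authority, signs the owner name, target URL and an expiry with an Ed25519 key; that signed record is what gets printed in the QR image; and the reader app verifies it against its trust store before it opens a browser. The `qrs1|...` payload layout, the field separator, the expiry field, the key identifier and all URLs and names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Verdict is what the reader app decides before it performs any redirection.
type Verdict int
const (
	Unsigned        Verdict = iota // plain URL, no certificate data: show the warning
	BadSignature                   // certificate data present but it does not verify: abort
	UntrustedIssuer                // signed by a key this reader does not trust: show the warning
	Expired                        // genuine but past its expiry: show the warning
	Verified                       // owner and URL vouched for by a trusted registry key
)

func (v Verdict) String() string {
	return [...]string{"Unsigned", "BadSignature", "UntrustedIssuer", "Expired", "Verified"}[v]
}

// TrustStore maps registry key identifiers to the public keys a reader app trusts.
type TrustStore map[string]ed25519.PublicKey
// Registry stands in for the certificate authority the paper proposes: it holds an
// Ed25519 signing key, and reader apps hold the matching public key under KeyID.
type Registry struct {
	KeyID string
	priv  ed25519.PrivateKey
}

func NewRegistry(keyID string) (*Registry, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Registry{KeyID: keyID, priv: priv}, pub, err
}

// signedMessage is the exact byte string the signature covers. Length-prefixing
// the fields means bytes cannot be shifted between owner and URL after signing.
func signedMessage(owner, url string, expires int64) []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s%d", len(owner), owner, len(url), url, expires))
}

// Issue returns the text to print in the QR image. Layout (assumed by this example):
// qrs1|keyID|owner|expiry|signature|url. The URL is last so that it may contain '|'.
func (r *Registry) Issue(owner, url string, expires time.Time) (string, error) {
	if strings.Contains(owner, "|") {
		return "", fmt.Errorf("owner name %q may not contain '|'", owner)
	}
	sig := ed25519.Sign(r.priv, signedMessage(owner, url, expires.Unix()))
	return strings.Join([]string{"qrs1", r.KeyID, owner, strconv.FormatInt(expires.Unix(), 10),
		base64.RawURLEncoding.EncodeToString(sig), url}, "|"), nil
}

// ScanResult is what the reader displays; Owner is only meaningful when Verified or Expired.
type ScanResult struct {
	Verdict Verdict
	URL     string
	Owner   string
}

// Scan is the reader-side check that runs before any browser is opened.
func Scan(payload string, trusted TrustStore, now time.Time) ScanResult {
	if !strings.HasPrefix(payload, "qrs1|") {
		return ScanResult{Verdict: Unsigned, URL: payload} // the Figure 1 case
	}
	f := strings.SplitN(payload, "|", 6)
	if len(f) != 6 {
		return ScanResult{Verdict: BadSignature}
	}
	keyID, owner, expStr, sigB64, url := f[1], f[2], f[3], f[4], f[5]
	pub, ok := trusted[keyID]
	if !ok {
		return ScanResult{Verdict: UntrustedIssuer, URL: url, Owner: owner}
	}
	expires, err1 := strconv.ParseInt(expStr, 10, 64)
	sig, err2 := base64.RawURLEncoding.DecodeString(sigB64)
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, signedMessage(owner, url, expires), sig) {
		return ScanResult{Verdict: BadSignature, URL: url, Owner: owner}
	}
	if now.Unix() > expires {
		return ScanResult{Verdict: Expired, URL: url, Owner: owner}
	}
	return ScanResult{Verdict: Verified, URL: url, Owner: owner}
}

func main() {
	reg, pub, _ := NewRegistry("registry-2013")
	trusted, now := TrustStore{reg.KeyID: pub}, time.Now()
	good, _ := reg.Issue("Example Store", "https://shop.example.com/p/123", now.Add(24*time.Hour))
	// Sticker attack: the printed code is replaced by one that redirects elsewhere.
	tampered := strings.Replace(good, "shop.example.com", "evil.example.net", 1)
	for _, p := range []string{good, tampered, "http://evil.example.net/x"} {
		fmt.Println(Scan(p, trusted, now))
	}
}
```

The verdicts map onto the pop-up of Figure 1: Unsigned and UntrustedIssuer are the warn-and-let-the-user-decide cases, BadSignature is the sticker-replacement case and should abort outright, and Verified is the only case in which the owner name shown to the user means anything. What the scheme does not do is stop an attacker from pasting a genuinely signed code for one legitimate site over another merchant's poster; a certificate binds an owner to a URL, not a QR image to a physical location, so the reader must still display the verified owner name for the user to compare.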
1.2 Research Question and Hypotheses
Our research question is, “Will employing a digital certificate pop-up warning
message deter users of different characteristics against malicious QR codes and
prevent a user from being tricked into a hacker scheme, or will users ignore the
notification and fall prey?”
In order to understand the relationship between user characteristics and the
decision to ignore the warning message upon scanning a QR code, we propose the
following research hypotheses:
H1: Gender has a significant effect on ignoring the warning message.
H2: Geographical location has a significant effect on ignoring the warning
message.
H3: Prior technological proficiency has a significant effect on ignoring the
warning message.
H4: Prior experience of scanning QR codes has a significant effect on ignoring
the warning message.
2 Review of Literature
QR code (abbreviated from Quick Response Code) is the trademark for a type of
matrix barcode (or two-dimensional bar code) first designed for the automotive
industry in Japan [5]. Recently, the QR code system has become popular outside the
automotive industry due to its fast readability and greater storage capacity. QR
codes are used primarily for mobile tagging, the process of providing data read
from tags for display on mobile devices, commonly encoded in a QR code. The
content of the tag is usually a URL for information addressed and accessible
through the Internet. According to David Maman, CTO of database security company
GreenSQL, more than 30% of the QR code readers in the Google Play app store are
malicious code. He says, "Malicious code providers have started realizing that a
lot of people will try downloading QR reader applications". Maman says hackers
have accessed the advertising programs used to generate the QR codes themselves,
redirecting the Internet addresses they generate to malicious sites. He asserted
that another threat is fraudulent ads containing malicious QR codes. Maman said,
"mobile devices are becoming more and more the way to surf the web and Facebook
has declared 50% of its users come in through smart phones. I think within a year
it will be 75%." Maman's most important advice was, "Think before you click
anything" [6].
Hackers are now turning the sophisticated techniques they use to break into
personal computers toward targeting and stealing information from unaware smart
phone users [7]. Internet security specialist AVG reports that the number of cyber
assaults on smart phone owners is likely to soar this year as more people upgrade
to the technology [8]. The AVG report highlights the risks of quick response codes,
stolen digital certificates and rootkits, all of which hackers are using to
covertly break into smart phones. The growth in sales of Android devices continued
last year, with 200 million sold worldwide by November and more than half a
million people activating a smart phone each day. Michael McKinnon, AVG security
adviser, said this in turn was attracting cyber criminals, who were making greater
use of stolen digital certificates, which are used to verify the identity of the
author of applications used on smart phones. "These developers create variations
of legitimate applications and embed some nasty stuff in them and sign them
cryptographically." McKinnon stated that while applications similar to anti-virus
software were available for smart phone users, some people were not taking the
same precautions they would when downloading material from the Internet on a
personal computer [8].
On June 1, 2012, armed with a sheet of black-and-white stickers resembling a
cross between traditional UPC barcodes and a Rorschach test, security expert Eric
Mikulas embarked on a mission to protect Pittsburgh's smart phones [9]. What he
didn't know was whether customers understood that scanning a QR code is an act of
trust equivalent to opening a locked door before checking the peephole. In Russia,
cyber criminals used imposter QR codes to siphon cash and personal information
from hundreds of smart phone owners in 2011 and were refining their methods to
dupe even more users.
Anyone who isn't aware of the risks, at least in Pittsburgh, may soon find out
whether they want to or not. Mikulas kicked off the QR Code Experiment, a plan to
place his QR-coded stickers in high-traffic areas, throughout Downtown and the
East End last month, but said he is planning to cover the entire region in the
experiment's second phase. The QR stickers link scanners to a Wordpress.com site
that informs them of the experiment, warns them of dangers such as the risk of
linking to malicious sites, and lightly chides them for scanning an unknown code.
According to the 2011 Community Powered Threat Report by Amsterdam-based security
software provider AVG, the world should expect a drastic increase in malicious QR
codes, which they call "printed malware," this year and beyond. Techniques such as
linking QR codes to malicious sites through shortened Web addresses, replacing
legitimate QR codes on Web pages with fakes, and Mikulas' sticker technique will
all spike as the number of people who regularly scan QR codes grows, AVG warns. A
legitimate concern, considering that 14 million U.S. smart phone users scanned a
QR or bar code last June, according to a study by Reston, Va.-based digital
marketing research company comScore [9].
It was estimated that global revenue from m-commerce and related services would
be about $88 billion in 2009 [10]. According to the Mobile Payments 2002 report
published by the Wireless World Forum, the mobile-Internet-based mobile payment
market in the key 13 markets will grow from around 5 billion Euros in 2002 to
nearly 55 billion Euros in 2006. As more businesses and merchants turn their
attention to mobile users for product and service sales, there is strong demand
for vendors to provide reliable and user-friendly mobile payment services that
deliver secure and efficient payment transactions anytime and anywhere. Secure
mobile payment systems supporting 2D barcodes are definitely needed by mobile
users and merchants.
Mobile payment is a very important and critical solution for mobile commerce. A
user-friendly mobile payment solution is strongly needed to support mobile users
in conducting secure and reliable payment transactions using mobile devices. Gao
[10] presents an innovative mobile payment system based on two-dimensional (2D)
barcodes that aims to improve the mobile user's experience of mobile payment; the
paper discusses the system architecture, design and implementation of the proposed
solution, as well as 2D-barcode-based security solutions. A digital certificate
authority would improve QR code security in mobile computing [10].
Domestic online banking in Korea has increased steadily since 2009. The average
number of online banking transactions per day was 26,410,000, while the amount
transacted exceeded 27 trillion won. Banks are becoming increasingly reluctant to
reimburse users who fall prey to online scams such as phishing or pharming. The
first hacking incident in Korea in 2005 spurred the FSS (the Korean Financial
Supervisory Service) to announce comprehensive countermeasures. One of the
countermeasures that drew high attention from the financial agencies is the OTP
(One Time Password) [11].
A One-Time Password is a password system in which each password can be used only
once, and the user has to be authenticated with a new password each time. OTP
offers anonymity, portability and extensibility, and helps keep information from
being leaked.
Lee et al. [11] propose an authentication system for online banking which can
provide greater security and convenience by using mobile OTP with QR codes. The
proposed authentication system makes the following assumptions:
• The user and the certification authority (CA) have shared the hashed serial
number (SN) of the user's mobile device through a secure process.
• The user can recognize the QR code with their mobile device, and the device
can decode it.
• Communication between the user (PC), the certification authority (CA) and the
service provider (bank) is secured by an SSL/TLS handshake.
• The user downloads and uses the mobile OTP program (algorithm) provided by the
certification authority (CA) or the service provider (bank).
• The OTP algorithm shared between the user and the certification authority
(CA) is synchronized by a time-event combination method.
• A digital certificate authority is required to secure mobile banking [7].
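An illustrative instance of the time-event OTP exchange under the assumptions listed above, added here as an example; it is not Lee et al.'s published algorithm, which the paper does not reproduce, and every concrete choice is an assumption of this example: the shared secret is taken to be a SHA-256 hash of the device serial number, the time component is a 30-second step, the event component is a per-transaction counter issued by the bank, the OTP is HMAC-SHA256 with the dynamic truncation of RFC 4226, and the `otp1|...` QR layout, serial number and transaction digest are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// SharedSecret stands for the hashed device serial number the paper assumes the
// CA and the phone already share; this derivation is an assumption of the example.
func SharedSecret(serial string) []byte {
	h := sha256.Sum256([]byte("qr-otp-v1:" + serial))
	return h[:]
}

// Challenge is the text encoded in the QR code the bank shows in the browser.
type Challenge struct {
	Event   uint64 // event component: counter the bank assigns per transaction
	TxnHash string // digest of the transaction being approved
}

func (c Challenge) Encode() string { return "otp1|" + strconv.FormatUint(c.Event, 10) + "|" + c.TxnHash }

// Decode rejects anything that is not an otp1 challenge, such as a plain URL.
func Decode(qr string) (Challenge, error) {
	f := strings.Split(qr, "|")
	if len(f) != 3 || f[0] != "otp1" {
		return Challenge{}, fmt.Errorf("not an otp1 challenge: %q", qr)
	}
	ev, err := strconv.ParseUint(f[1], 10, 64)
	return Challenge{Event: ev, TxnHash: f[2]}, err
}

// timeStep is the time component: 30-second steps (an assumed parameter).
func timeStep(t time.Time) uint64 { return uint64(t.Unix() / 30) }

// otp is HMAC-SHA256 over (event, time step, transaction digest), reduced to six
// digits with the dynamic truncation of RFC 4226 section 5.3.
func otp(secret []byte, ch Challenge, step uint64) string {
	mac := hmac.New(sha256.New, secret)
	fmt.Fprintf(mac, "%d|%d|%s", ch.Event, step, ch.TxnHash)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// PhoneOTP is the app side: scan, decode, and compute with the phone's own clock.
func PhoneOTP(secret []byte, qr string, phoneNow time.Time) (string, error) {
	ch, err := Decode(qr)
	if err != nil {
		return "", err
	}
	return otp(secret, ch, timeStep(phoneNow)), nil
}

// Bank is the CA/service-provider side. It remembers each challenge it issued, so the
// OTP is checked against the transaction the bank meant, not whatever the browser showed.
type Bank struct {
	secret  []byte
	next    uint64
	pending map[uint64]Challenge
}
func NewBank(secret []byte) *Bank { return &Bank{secret: secret, pending: map[uint64]Challenge{}} }
func (b *Bank) Issue(txnHash string) Challenge {
	b.next++
	b.pending[b.next] = Challenge{Event: b.next, TxnHash: txnHash}
	return b.pending[b.next]
}

// Verify tolerates one step of clock skew either way and consumes the challenge
// on success, so a captured OTP cannot be replayed.
func (b *Bank) Verify(event uint64, code string, now time.Time) bool {
	ch, ok := b.pending[event]
	if !ok {
		return false
	}
	cur := timeStep(now)
	for _, step := range []uint64{cur - 1, cur, cur + 1} {
		if hmac.Equal([]byte(otp(b.secret, ch, step)), []byte(code)) {
			delete(b.pending, event)
			return true
		}
	}
	return false
}

func main() {
	secret, now := SharedSecret("SN-0000-EXAMPLE"), time.Now() // constructed serial number
	bank := NewBank(secret)
	ch := bank.Issue("c0ffee1234") // constructed transaction digest
	code, _ := PhoneOTP(secret, ch.Encode(), now)
	fmt.Println("OTP", code, "accepted:", bank.Verify(ch.Event, code, now),
		"replay accepted:", bank.Verify(ch.Event, code, now))
}
```

Two details matter for the man-in-the-middle concern raised in Section 1.1. The bank verifies against the challenge it recorded, not against whatever the browser displayed, so if an attacker controlling the PC session swaps the transaction digest in the on-screen QR code, the phone computes an OTP over the attacker's digest and the bank rejects it. And because the phone only ever sees what it scanned, the app should show the decoded transaction to the user before displaying the OTP; the OTP binds the user's approval to that transaction and nothing else.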
3 Research Design and Data Collection
A 10-question survey instrument was developed and made available at
Surveymonkey.com. A total of 182 undergraduate and master's students majoring in
various business disciplines volunteered to complete the anonymous survey at two
universities, one in the U.S. Midwest (n=55) and the other in Macau (n=127). The
survey results help us better understand the basic characteristics of the
individuals most vulnerable to mobile device hacking risks. The survey questions
collected information on academic level (e.g., freshman, junior, master's, etc.),
gender, whether the respondent had scanned QR codes before, and self-rated level
of technological proficiency (on a scale of 0 through 10, 0 being none and 10
being expert). We anticipated that the majority of users would be alerted by the
digital certification pop-up warning message (see Figure 1) and discontinue the
interaction. However, those individuals not deterred by the warning and willing
to continue the browsing session would likely fall victim to fraudulent schemes.
That said, we examine the characteristics of those non-deterred users in order
to further study ways to help them steer away from becoming victims. We
anticipate that the creation of a centralized digital certification process would
enhance users' awareness of mobile computing security issues. Additionally, we
hope this information will direct educational and awareness training to those
mobile users most at risk.
Figure 1: Pop-up warning message generated by a digital certificate
4 Data Analysis and Hypotheses Test
4.1 Participant statistics
Among the total of 182 participants who completed the survey, the following are
the key statistics relevant to this study:
• Age: 158 participants (86.8%) are between 18 and 22 years old, 19 (10.4%) are
between 23 and 30 years old, and the rest are 30 years or older. This suggests
the majority of participants are undergraduate students.
• Class level: 141 participants (77.5%) are college juniors, probably because
the survey was administered through a number of class-specific courses.
• Gender: 111 participants (61%) are female and 71 (39%) are male.
• Technological proficiency: 15.9% of the participants rated their proficiency
level below the neutral point (6). The mean self-rating is 7.1, indicating that
most respondents felt they are somewhat proficient in information and
communication technology.
• Experience of scanning QR codes: 116 participants (63.7%) reported that they
had scanned QR codes before, while 66 (36.3%) said they had not.
• Ignoring the pop-up warning message: 34 participants (18.7%) said they might
ignore the warning message and keep browsing; 148 (81.3%) would prefer to click
cancel and not continue the Web redirection.
• Location: 55 participants (30.2%) are in the U.S. Midwest while 127 (69.8%)
are located in Macau.
4.2 Hypotheses Test
In this study, we employ "Ignoring pop-up warning message" as the dependent
variable and examine its relationship with four independent variables as factors:
gender, experience of QR code scanning, location, and self-assessed level of
technological proficiency. Table 1 shows the counts in the categories of these
factors.
Table 1: Between-Subjects Factors

Factor                      Level     N
Gender                      Female    111
                            Male      71
Scanning QR Code Before     Yes       116
                            No        66
Location                    U.S.      55
                            Macau     127
Technological Proficiency   Less      73
                            More      109
Table 2 outlines the result of an analysis of variance (ANOVA) with the four
independent variables entered as between-subjects factors (main effects only).
Among the main effects, only "Scanning QR Code Before" is statistically
significant: its p value of .043 is smaller than α = .05, while gender (p = .293),
location (p = .802) and technological proficiency (p = .661) are not. The test
results therefore lead us to reject hypotheses H1, H2 and H3 and to accept H4. In
other words, the data analysis indicates that:
• Gender does not have a significant effect on ignoring the warning message.
• Geographical location does not have a significant effect on ignoring the warning
message.
• Prior technological proficiency does not have a significant effect on ignoring
the warning message.
• Prior experience of scanning QR codes has a significant effect on ignoring the
warning message.
Two caveats apply. The dependent variable is a yes/no answer, so the ANOVA is in
effect a linear probability model and its F tests are approximate; a chi-square
test on the crosstabulation in Table 3 is the more natural check for the one
significant factor. And the model explains very little of the variance (R squared
= .031), so whatever effect exists is small.
Table 2: Tests of Between-Subjects Effects
Dependent Variable: Ignoring Pop-up Warning Message

Source                      Type III Sum of Squares   df    Mean Square   F          Sig.
Corrected Model             .867 a                    4     .217          1.433      .225
Intercept                   435.237                   1     435.237       2876.524   .000
Gender                      .168                      1     .168          1.111      .293
Scanning QR Code Before     .629                      1     .629          4.154      .043
Location                    .009                      1     .009          .063       .802
Technological Proficiency   .029                      1     .029          .193       .661
Error                       26.781                    177   .151
Total                       626.000                   182
Corrected Total             27.648                    181
a. R Squared = .031 (Adjusted R Squared = .009)
Interestingly, the crosstabulation in Table 3 shows that, of those who would
ignore the warning message, most (79.4%) had QR scanning experience, whereas
among those who would not ignore it, a smaller majority (60.1%) had such
experience. Read by column, 23.3% of the respondents with prior QR scanning
experience would ignore the warning, against 10.6% of those without it. Prior QR
scanning experience therefore does not reduce the risk of users proceeding to
dangerous material online; in this sample the experienced users were about twice
as likely to ignore the warning.
Table 3: Crosstabulation between Ignoring Warning Message and Experience of QR Code Scanning

                                                          Experience of QR Scanning
Ignoring Warning Message                                  Yes        No
Yes     Count                                             27         7
        % within "Ignoring Warning Message"               79.4%      20.6%
        % within "Experience of QR Code Scanning"         23.3%      10.6%
        % of Total                                        14.8%      3.8%
No      Count                                             89         59
        % within "Ignoring Warning Message"               60.1%      39.9%
        % within "Experience of QR Code Scanning"         76.7%      89.4%
        % of Total                                        48.9%      32.4%
Total   Count                                             116        66
        % within "Ignoring Warning Message"               63.7%      36.3%
        % within "Experience of QR Code Scanning"         100.0%     100.0%
        % of Total                                        63.7%      36.3%
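A direct check of the one significant factor from the counts in Table 3, added here as an example that is not part of the original paper: Pearson's chi-square on the 2 x 2 table, with and without Yates' continuity correction, together with the per-group ignore rates and the odds ratio that the column percentages in Table 3 imply. The p-value uses the closed form for one degree of freedom, P(X^2 > x) = erfc(sqrt(x/2)), so nothing beyond the Go standard library is needed. The four counts are transcribed from Table 3; the function and type names are this example's own.

```go
package main

import (
	"fmt"
	"math"
)

// TwoByTwo holds the counts of Table 3. Rows: would ignore the warning (yes/no).
// Columns: had scanned a QR code before (yes/no).
//   A = ignore, experienced       B = ignore, inexperienced
//   C = not ignore, experienced   D = not ignore, inexperienced
type TwoByTwo struct{ A, B, C, D float64 }

// Table3 is transcribed from the paper's crosstabulation.
var Table3 = TwoByTwo{A: 27, B: 7, C: 89, D: 59}

// ChiSquare returns Pearson's chi-square statistic for a 2x2 table (optionally
// with Yates' continuity correction) and its p-value for one degree of freedom.
func ChiSquare(t TwoByTwo, yates bool) (stat, p float64) {
	n := t.A + t.B + t.C + t.D
	r1, r2 := t.A+t.B, t.C+t.D // row totals
	c1, c2 := t.A+t.C, t.B+t.D // column totals
	diff := math.Abs(t.A*t.D - t.B*t.C)
	if yates {
		diff = math.Max(0, diff-n/2)
	}
	stat = n * diff * diff / (r1 * r2 * c1 * c2)
	// For one degree of freedom, P(X^2 > x) = erfc(sqrt(x/2)).
	p = math.Erfc(math.Sqrt(stat / 2))
	return stat, p
}

// IgnoreRates is the column-wise reading of Table 3: the share of each
// experience group that said it would ignore the warning.
func IgnoreRates(t TwoByTwo) (experienced, inexperienced float64) {
	return t.A / (t.A + t.C), t.B / (t.B + t.D)
}

// OddsRatio compares the odds of ignoring the warning between the two groups.
func OddsRatio(t TwoByTwo) float64 { return (t.A * t.D) / (t.B * t.C) }

func main() {
	for _, yates := range []bool{false, true} {
		stat, p := ChiSquare(Table3, yates)
		fmt.Printf("chi-square (Yates=%v): %.3f, p = %.3f\n", yates, stat, p)
	}
	e, i := IgnoreRates(Table3)
	fmt.Printf("ignore rate: experienced %.1f%%, inexperienced %.1f%%, odds ratio %.2f\n",
		100*e, 100*i, OddsRatio(Table3))
}
```

The uncorrected statistic (4.45, p of about 0.035) agrees with the ANOVA's p = .043 for this factor; with the continuity correction it drops to 3.65, p of about 0.056, on the other side of .05. With only 34 "ignore" answers and just seven of them in the inexperienced group, the effect is there but fragile, which is worth bearing in mind when reading the conclusion.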
5 Conclusion and future studies
As mobile devices, especially smart phones, have rapidly grown to become a
dominant means of conducting e-commerce activities thanks to their portability
and convenience, it is inevitable that these mobile computing devices will become
preferred targets of cyber crime and malicious attacks. As things stand, mobile
devices have significantly less security protection, from both hardware and
software perspectives, than the desktop and laptop computers used in business and
at home. We contend that establishing a server-to-user authenticated digital
certificate authority would improve QR code security on smart phones and all
other mobile computing devices. However, more research is needed to decide
whether the value of such a digital certificate authority justifies its cost, and
to determine the specific type of security scheme that is best for securing QR
codes.
It is imperative to advocate user awareness and education about the risks of QR
code scanning fraud. Though this study has limitations, the result is promising
in that 81.3% of the survey respondents indicated that they would not ignore the
pop-up warning message generated by a digital certificate, and would either abort
or further examine the legitimacy of the Website and its content reached via the
QR code scan. Future studies may survey a larger number of users from more
locations, wider age groups, occupations, income levels, and patterns of
consumption of services and goods. We believe that the more we learn about the
characteristics of mobile device users, including qualitative data collected from
focus groups or interviews, the better we can design adaptive user training and
education to mitigate the negative effects of our increasing dependence on smart
phones and tablet computers.
References
1. Grannis, K.: Online Retailers Preparing for Promotion-Heavy Holiday Season, http://www.nrf.com/modules.php?name=News&op=viewlive&sp_id=1227
2. Entner, R.: Smartphones to Overtake Feature Phones in U.S. By 2011, http://blog.nielsen.com/nielsenwire/consumer/smartphones-to-overtake-feature-phones-in-u-s-by-2011
3. Lee, Y., et al.: Design of a Simple User Authentication Scheme Using QR-Code for Mobile Device. Information Technology Convergence, Secure and Trust Computing, and Data Management, 180, 241-247 (2012)
4. Liao, K., Lee, W.: A Novel User Authentication Scheme Based on QR-Code. Journal of Networks, 5 (8), 937-941 (2010)
5. Denso-wave: http://www.denso-wave.com/qrcode/index-e.html
6. Crossman, P.: The hidden dangers of quick-response codes. American Banker, 177, 7-8 (2012)
7. Sharma, V.: A Study of Malicious QR Codes. International Journal of Computational Intelligence and Information Security, 3 (5), 21-26 (2012)
8. Ihaka, J.: Your 'smart' phone can be hacked, http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10782308
9. Todd, D. M.: Security expert warns smart phone users of the risks in scanning cyber coding, http://www.post-gazette.com/stories/business/news/security-expert-warns-smartphone-users-of-the-risks-in-scanning-cybercoding-638479/
10. Gao, J.: A 2D Barcode-Based Mobile Payment System. Multimedia and Ubiquitous Engineering (MUE), 3rd International Conference (2009)