What Maharashtra Motor Vehicle Department did not tell you about QR code verification?

What Maharashtra Motor Vehicle Department did not tell you about QR code verification?

We have written about the use of Quick Response (QR) codes in Driving Licences in the past too. The blog post Secure Driving Licence from Identity Theft was a very exhaustive article on the problem explaining how rampant forgery was and the possible solution. We feel compelled to once again write about a specific aspect of QR code validation that is often overlooked, despite the best of intentions.

Recently, the Maharashtra Motor Vehicles Department (MMVD) has committed that they will issue smart driving licences with these quick response (QR) codes to make it easy for officials to check if the licence was genuine. Read the full article here.

This is a laudable initiative, and its good to know that the QR code is finally getting into mainstream document verification systems. The idea of the QR code has been in existence for many years now and it is used for a variety of reasons from marketing to information capture & storing (which can then be consumed as required). But its important to note - while there has been immense growth in the adoption of QR codes, the security aspect of QR codes, has not been given adequate attention.

While there has been immense growth in the adoption of QR codes, the security aspect of QR codes, has not been given adequate attention.

Most of the QR codes in use today, are primarily for information capture and readability on a smartphone or to direct to a website. That is the more straightforward part. However, this ubiquity and ease of use is also the reason that makes generic QR code solutions highly insecure and susceptible to easy manipulation. The normal or generic “QR reading” apps available on most phones are designed to read a regular QR without any layer of security. If someone changes that code to say something else - the reader will show the fresh information. Hence a generic QR reading app cannot be used for validation.

This has led to many incidents where fraudsters take advantage of the lack of awareness and create fraudulent documents with simple QR codes. This includes driving licences, Aadhaar cards or Bank Cheque books. Since the entire document is fake, the accompanying QR code is also generated to show the same fraudulent information. Now the verifier (in this case any third party who may use a generic QR reader app) would not be able to detect that the document is tampered as the QR code on scanning shows the exact same information which is on the document itself. The very purpose of the initiative is lost. Not only do such static non-secure QR codes compromise security but they also expose users to phishing attacks especially if a URL is used to direct the user to a web page on scanning the QR code.

To prevent something like this from happening, these regular QR codes should be replaced by Secure QR codes. This is particularly important when critical information needs to be sealed and made tamper-proof after generation (as in the case of driving licences, ID cards etc) for it to act as identity proof or similar. In such a case the secure QR codes must be read by specific pre-approved apps; this helps to validate the digital signature and the QR reader would be able to establish the authenticity of the code. The Secure QR code would be generated with adequate security and with the digital signature of the authorised issuer of that information - this helps to maintain the integrity of the information. This would also mean that fraudsters are no longer able to create fraudulent documents or tamper with the authorised document.

Qryptal is a pioneer in the field of document security and is used by many clients worldwide. When it comes to documentation and specifically reliable, authentic, tamper proof documentation, secure QR codes are a way of ensuring document security. This means, the secure QR code is generated using a system like Qryptal’s, and subsequently anyone would have the capability to check the authenticity of the information inside the QR code by using a dedicated app which can help verify the digital signature of the issuer and make sure the document is not tampered with. The overall system has two parts - generation and validation. The code is generated using the private key of the issuer and it is validated using the public key which is embedded in the App.

How can Qryptal help you?

Such solutions from Qryptal, make documents like driving licences tamper proof and instantly verifiable and help to stop document fraud at the source. Qryptal’s Secure QR codes can be created either on the cloud or on-premise within the organisation. This QR code solution works seamlessly with an existing document production system to generate a document made secure with the Qryptal Secure QR Code. There is no major change required in existing workflow and it is painless and quick to set this up. What are you waiting for?

Also, read

• Blogpost : Secure Driving Licence from Identity theft

• Secure QR Codes for Driving Licences, Passports and identity cards