... and what can be done about them?
QR Code scams on the rise - what are you doing about them?
It seems to be raining QR code scams in India’s IT capital, Bangalore. This onslaught of QR code scams seems to have caught the Bangalore Police off guard, just as much as the citizens who are victims of such frauds. In one such case, a gang that hoodwinked ‘sellers’ on an online seller platform into parting with money had even used the Police Commissioner Mr. Bhaskar Rao’s picture as its WhatsApp DP! In other cases, the conmen have posed as ex-army personnel. Interestingly, the modus operandi has been similar for most of them, and it could have been fixed with some thought and the use of Secure QR codes.
In all these cases, the victim had limited if not zero understanding of how the QR code worked to dupe them. It is hence the responsibility of the websites (like OLX and other such transaction sites/platforms) to protect the transacting parties by ensuring that they provide end-to-end secure transaction capability.
A QR code is like a barcode that can be read by a machine. It allows people to make payments by scanning the image and confirming the transaction. Many apps and e-wallets today have this feature for payment.
The cybercrime police have arrested five men for allegedly cheating over 200 people using QR codes over the past year.
The modus operandi of the gang was simple. Like a good crime thriller, this seems to have had a cast of characters. This included a QR code expert, a former employee of a private bank and an e-wallet firm, one who provides a bank account for the money transfer and two ‘victim-facing’ persons who would approach potential victims - those who had put up items for sale on online platforms. The ‘victim-facing’ folks would use offline chat and finalize the deal. They would get the phone number of the seller and would send a QR code. The potential victim would be asked to scan the code to get his money. But when they did that, the victims (sellers) would find that the money would disappear from their accounts instead.
How are victims skimmed?
In most cases the victim is the one who is supposed to be the recipient of the money. Instead of the buyer getting a payment request from the seller, it is, ironically, the seller (the intended recipient of the payment) who gets a “pay-request” QR code, without realising that it is a pay request. The potential victim, oblivious to such a scam, scans the unsecured, unvalidated QR code, and their account is debited by that amount. This may seem uncommon, but with 200+ cases it is definitely an issue that needs to be addressed. The urgency the scamsters create around completing the transaction is designed to make the victim skip checking the details or acting on their suspicion and asking for more proof, which might have revealed the issue and saved them from the fraud. Once the victim’s account is debited, there is little that can be done to get the money back.
A simple closed-loop solution can fix this
With the rapid advance and ubiquitous use of QR codes, creating an authentic-looking QR code is not too complicated. But not all QR codes are the same. The red flag here is that it is the seller who is getting a QR code rather than the buyer. This is why online platforms like OLX and similar websites should have secure QR code systems that generate the transaction details on behalf of the seller once the buyer has agreed to the transaction. The buyer can then scan the QR code and be assured of the authenticity of the transaction before making the payment. It is the buyer who gets the pay request from the seller (through the transacting platform).
Transaction platforms like OLX can deploy a secure QR code based transaction confirmation system as below. This may even be integrated directly with payment gateways and mobile wallets in such a way that the transaction is secured end to end.
Building a secure QR Code system that works
Secure QR code based transaction system
The issuing organization, OLX, seals all the information of the proposed transaction inside a secure code and signs it with its secret private key. The buying party receives the code from OLX or whichever transaction platform the transaction is being done on. The seller or any intermediaries have no means of altering such a QR code because they do not control the final generation, which happens only after both transacting parties have submitted details from their end. Though S, B or M handle the information, they cannot tamper with it or generate fake QR codes on behalf of issuing organization O because they do not have issuing organization O’s private key.
What would be the basic guidelines of such a system?
1. It should be simple, easy, and cost-effective to create secure transaction details.
2. Such secure transaction details may be used in either electronic or physical format, depending on use and convenience, and once generated cannot be altered. If they have to be altered, the original transaction is cancelled and a fresh secure transaction detail is generated.
3. Finally, the verification of such transaction details should be easy and universally understood so that everyone can trust the information and proceed with the completion of the transaction.
This is where Qryptal, the world’s most secure QR code-based document security solution, comes in. With the Qryptal QR code generator, the issuing organization or platform (in this case say OLX) can generate confirmations for any number of transaction details (ranging from a few to several million) that are secure, tamper-proof and easily verifiable. This can be done with speed and simplicity in an affordable manner.
The validation of such QR codes containing the transaction details has been made really simple using either an App or a web validation mechanism and can be done across both electronic and physical formats.
This is how the Qryptal system would work in this case
At the time of generation of the transaction advice with the specified details, a Secure QR code is added containing the critical details that need to be verified.
This information is signed with the private key of the issuer/transaction platform. This ensures that the secure information can only be generated by the authorized entity (for example, the transacting platform).
Subsequently, the verification is done with the corresponding public key. This public key would decrypt the critical information and display authenticated content to the verifier. Here both the buyer and the seller can verify that the details are correct before the payment is made.
Validation is flexible and can be done through multiple channels - via the website of the issuer using a web browser camera, uploading a PDF or image of the document/invoice/bill with the QR code, or by using an App.
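The sign-then-verify flow described above, sketched as an added example (this is not Qryptal's or OLX's code or QR format). The use of Ed25519, the `body.signature` payload layout, the field names and the sample IDs are all assumptions made for illustration. It also shows each party which way the money moves, which is the detail the scam victims never saw.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Transaction is what the platform seals into the QR code (field names assumed).
type Transaction struct {
	ID, Payer, Payee string
	AmountPaise      int64
}
var b64 = base64.RawURLEncoding

// Seal signs the details with the platform's private key; the result is the QR text.
func Seal(priv ed25519.PrivateKey, tx Transaction) string {
	body, _ := json.Marshal(tx) // cannot fail for a struct of strings and ints
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body))
}

// Verify returns the details only if the platform's public key validates the signature.
func Verify(pub ed25519.PublicKey, qr string) (tx Transaction, err error) {
	b, s, _ := strings.Cut(qr, ".") // a missing "." leaves s empty, which fails below
	body, err1 := b64.DecodeString(b)
	sig, err2 := b64.DecodeString(s)
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, body, sig) {
		return tx, fmt.Errorf("rejected: not issued by the platform, or altered")
	}
	err = json.Unmarshal(body, &tx)
	return tx, err
}

// Direction tells the person scanning which way the money moves for them.
func Direction(tx Transaction, scanner string) string {
	if scanner == tx.Payer {
		return "PAY"
	} else if scanner == tx.Payee {
		return "RECEIVE"
	}
	return "NOT A PARTY"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	tx, err := Verify(pub, Seal(priv, Transaction{"TXN-EXAMPLE-1", "buyer-01", "seller-01", 250000}))
	fmt.Println(Direction(tx, "seller-01"), tx.AmountPaise, err) // the seller scans
}
```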
QR Code-based fraud is a stark reality, and simple but effective solutions like the one above can go a long way in helping issuers tackle the security risk while enabling users to trust these transaction platforms.
Some interesting use cases