QR code scams rise in China, putting e-payment security in spotlight
By replacing legitimate merchants’ codes with malevolent copies, fraudsters can gain access to consumers’ data and even raid their bank accounts
It may look harmless enough, with its random pattern of tiny black squares on a white grid, but the next time you scan one of China’s ubiquitous QR codes, you could end up seriously out of pocket.
Because the seemingly innocuous barcode may be hiding malevolent software ready to latch itself onto your smartphone and drain your bank account.
A recent spate of scams involving QR codes – or quick response codes – has shone a spotlight on the issue of security in mobile payments and sparked calls for the authorities to do more to protect consumers.
In Guangdong province, about 90 million yuan (US$13 million) has reportedly been stolen via QR code scams, according to a report this month in the Southern Metropolis Daily.
According to other Chinese news reports, policemen in Foshan, a city in the same province, recently arrested a man on suspicion of pocketing 900,000 yuan through QR code frauds.
The suspect had replaced legitimate codes created by merchants with fake ones embedded with a virus programmed to steal the personal information of consumers.
Scammers have also been profiting handsomely from the mainland’s multibillion dollar bike-sharing industry. By replacing the original QR code used to unlock the bicycle with a fake one, they have been able to cheat users into transferring their money into their own bank accounts.
The proliferation of this type of crime has been made possible by the explosion of mobile payments in China, as the concept of a cashless society moves ever closer to becoming a reality.
Nowhere is this shift more evident than in the abundance of QR codes – a type of barcode, or machine-readable image – that allow consumers to make small payments by simply scanning the image and confirming the transaction.
QR codes were invented in 1994 by Denso Wave, a unit of Japan’s largest automotive parts maker, to allow for quick scanning when tracking vehicles during the assembly process. From the car factory, the codes later spread to broader usage, encompassing everything from consumer purchases to social media. Visitors to Japan get a sticker with their personal details embedded in QR.
Unfortunately for the unsuspecting consumer and law enforcement agencies, QR codes are easily penetrated and manipulated, and cannot be verified as genuine by the human eye. These two factors have made the cybercriminals’ task that much easier.
According to one senior official and technology expert, almost a quarter of Trojans – malicious programmes disguised as benign software – and other viruses are transmitted though QR codes.
Speaking at the National People’s Congress in Beijing earlier this month, deputy Liu Qingfeng, chairman of voice recognition cloud service provider iFlytek, advised regulators to tighten their oversight of QR codes by bringing them under the scope of the National Security Law.
“Currently, over 23 per cent of Trojans and viruses are transmitted via QR codes. The [difficulty] threshold to make QR codes is so low that fraudsters could implant Trojans and viruses into a QR code very easily,” said Liu. “On the other hand, consumers cannot verify the authenticity of QR codes by eye and are therefore prone to be deceived if criminals paste their fake code over the original one.”
Although the emergence of QR codes had greatly encouraged consumption, he said, the recent scams have stymied people’s willingness to adopt the technology.
To make detection and enforcement even harder, several websites exist that offer do-it-yourself QR codes, which essentially enable anybody -- including scammers with malevolent intent -- to create a short cut.
Regulators should step up their supervision of the usage of QR codes by adopting a ‘real-name rule’ – a requirement that anyone producing one register their real identity – and strengthening punishment for illegal acts, added Liu.
The security of QR codes has long been an issue in the mainland.
In March 2014, the People’s Bank of China temporarily banned payments made by scanning QR codes with mobile devices after Alibaba and Tencent announced plans to launch “virtual credit cards” – an innovative mobile payment method based on QR codes seen as an alternative to traditional credit cards – citing concerns over their security.
As the two major third-party payment methods in China, Alipay and WeChat Pay have invariably borne the blame whenever a QR code scam has occurred.
Alipay, the financial arm of Alibaba, which owns the South China Morning Post, has said that it owns a technology to determine whether a QR code is generated by its own system, or if the embedded code being scanned is a malicious link.
Once a security risk is detected, it will send out a message allowing users to determine whether to proceed with the payment or not.
Tencent said upholding users’ security is one of its top priorities, and it has committed to ensure the safe usage of QR codes especially when it comes to WeChat payments. The Chinese third-party payment giant said in an emailed response to questions that it will continue to fine-tune security measures and educate consumers about the risks.
Ouyang Liangyi, an associate professor of Peking University HSBC Business School, said third-party payment services like Alipay and WeChat Pay are not generally the root cause of QR code scams because consumers often become victims by using other mobile apps to scan fake QR codes first.
“It’s very important for the third-party payment providers to educate users and keep them alerted even for the sake of their own businesses, or it is their long-term interests that will be jeopardised,” Ouyang said.