Edition 132, August 2024

Using 12N QR to Address Physical Media Fraud

By Jacob Powell & Ken Jacobsen, Reverse Logistics Association


Retail fraud and returns fraud hurt every company. According to a new report from financial tech platform Adyen, 50% of businesses fell victim to fraudulent activity or cyber-attacks in 2023, an increase of 19% when compared to 2022. One major issue is the vulnerability of commonly used QR codes. Hackers can quickly develop malicious QR codes that lead to fraudulent websites designed to steal personal information.

These QR codes can be physically pasted over legitimate ones, tricking unsuspecting users. This method is particularly harmful to small business owners and restaurants that use QR codes for digital menus, as these can be duplicated and modified to steal customers' payment details.

This type of attack is easy to accomplish, targets low-security infrastructure, and is difficult to resolve, leading to damaged user trust and challenges in tracking attackers.

The Oregon FBI’s Cybercrime division highlighted this significant threat as recently as 2021.

To address this problem, I have developed a proof-of-concept application utilizing the Reverse Logistics Association's (RLA) 12N QR standard, which incorporates encrypted authentication data within the QR code. The 12N QR standard includes additional encrypted fields, allowing for more identification data to be held within the tag.

This authentication data confirms and displays the QR code's author to users, aiming to reduce and prevent incidents of fraud in the retail and service industries.

By implementing 12N QR codes, businesses can safeguard against these vulnerabilities, restore customer trust, and protect their financial interests.

Proposed Solution

As a student at the Oregon Institute of Technology (Portland-Metro), I have developed a proof-of-concept application utilizing the RLA’s 12N QR standard as a potential solution. The application relies on the 12N QR standard’s variable and encrypted fields to hold authentication data. When scanned, the authentication data is then compared against a third-party database, which contains information about the QR code's author. Users are then shown information about the QR code's author, when it was created, etc., to confirm its authenticity before interaction. Additionally, further potential security features can be implemented to enhance the platform's capabilities.

These measures include geofencing, which uses GPS or RFID technology to create a virtual boundary around a specific location and restricts access based on the user's geographic location. Enrollment verification ensures that only authorized individuals can register and access the platform by validating their identity through various checks.
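The scan-time check described in this section, sketched as an added example; it is not code from the author's application. The JSON field layout, the in-memory registry, the demo key and the use of an HMAC tag in place of the standard's encrypted field are all assumptions made for illustration and do not reproduce the actual 12N field format.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Hypothetical layout: JSON fields plus an HMAC tag stand in for 12N fields.
# REGISTRY is a constructed stand-in for the third-party database.
REGISTRY = {
    "author-001": {"name": "Example Bistro", "key": b"constructed-demo-key",
                   "domains": {"menu.example.com"}},
}

def make_payload(author_id, url, created, key):
    """Generator side: embed author, URL, creation date and a keyed tag."""
    fields = {"author": author_id, "url": url, "created": created}
    msg = json.dumps(fields, sort_keys=True).encode()
    fields["tag"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return json.dumps(fields)

def verify_scan(payload):
    """Scanner side: return (True, author info) or (False, reason)."""
    try:
        fields = json.loads(payload)
        tag = fields.pop("tag")
        record = REGISTRY[fields["author"]]
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "no recognised authentication data"
    msg = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(record["key"], msg, hashlib.sha256).hexdigest()
    # The tag covers the URL, so a copied tag on a different URL fails here.
    if not isinstance(tag, str) or not hmac.compare_digest(
            tag.encode(), expected.encode()):
        return False, "authentication tag mismatch"
    host = urlparse(str(fields.get("url", ""))).hostname
    if host not in record["domains"]:
        return False, "URL is outside the author's registered domains"
    return True, {"author": record["name"], "created": fields.get("created")}

# Constructed sample scans: a genuine code and a pasted-over sticker that
# reuses the genuine tag with a different destination.
GENUINE = make_payload("author-001", "https://menu.example.com/dinner",
                       "2024-08-01", REGISTRY["author-001"]["key"])
_forged = json.loads(GENUINE)
_forged["url"] = "https://pay.example.net/menu"
FORGED = json.dumps(_forged)

if __name__ == "__main__":
    for scan in (GENUINE, FORGED, "https://menu.example.com/dinner"):
        print(verify_scan(scan))
```

A plain URL code with no authentication fields is rejected rather than trusted, which is the case a scanner must surface to the user instead of silently opening the link.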

Benefits and Anticipated Results

Implementing this solution is expected to yield multiple benefits:

  • Enhanced Security: The 12N QR standard’s integrated security features will significantly reduce the risk of phishing and fraud.
  • User Trust and Safety: Users will have greater confidence in the authenticity and safety of the QR codes they scan, fostering trust in digital transactions.
  • Innovation Leadership: Organizations that adopt this technology will be seen as leaders in providing secure digital solutions.
  • Accessible Security: Small businesses will have access to enhanced security without significant investment, as the cost is limited to printing QR codes.

Additional benefits include a reduction in fraud incidents, increased user engagement due to improved trust, and enhanced brand reputation as a secure service provider. Overall, the solution gives both business owners and users a secure physical portal to their intended website or information. In addition, the solution is cost-effective, without relying on additional hardware solutions like RFID, digital displays, or costly materials.


POC Application Development

The application was developed as a proof-of-concept (POC), designed to accomplish specific project goals as part of the completion of a Bachelor’s of Cybersecurity Keystone project. The project aimed specifically at producing an application capable of scanning and generating encrypted 12N QR codes with embedded data to be checked against an authentication server. Despite unforeseen deprecation and integration challenges, the application can successfully read, decode, decrypt, and authenticate a variety of 12N QR codes. Overall, while this successfully demonstrates my project's concept, the development also represents a significant contribution to the 12N standard and potential authentication integrations: public development resources for aspiring 12N developers are lacking, and I have provided a publicly available implementation in the form of this application (located on GitHub). Planned future developments include, but are not limited to: enhanced implementation of 12N features, full development of the third-party authentication server, and enhanced application security across domains. Should this concept be properly implemented, I believe it would need to be standardized and managed by key industry members and business solution providers to be successful. To accomplish this, I have shared my developments with some members, and remain open to inquiries from interested parties.


Jacob Powell & Ken Jacobsen

Jacob Powell is a student in the Oregon Institute of Technology’s Cybersecurity program and a regional IT provider. Previously, he has developed security studies focused on enhancing security and trust in the physical media domain.


Mr. Jacobsen is semi-retired, after 40 years in high tech. Much of his career was spent focused on the creation of industry standards. He was responsible for the creation of the InfraRed Data Association (IrDA) and for the establishment of the PCMCIA. He has provided technology brokering services for HP, Toshiba, and Lockheed. He was part of the Pocket Intelligence Program at SRI, International and has been involved in numerous startups. Most recently, he was a Director of the Global Software Entrepreneurial Training Program at Oulu University in Finland. He began his career in high tech as the International Software Manager at Osborne Computers in 1980. He currently serves as co-chair on RLA's Standards Committee.