Wednesday, February 25, 2009

Beware of the Barcode!

So there has recently been talk of possible phishing attempts using QR barcodes. (I was hoping that someone had actually tried this, but I still have not heard of it being used in the wild...)

For those of you who do not know, QR codes are two-dimensional barcodes created by a Japanese company in 1994, and they have been found EVERYWHERE in Japan since around 2003. Japanese cellphones started having built-in cameras in 1999, and by 2003 they had become so popular and so necessary to the public that you cannot find a phone without a built-in camera since then. Also in 2003, phones gained the ability to read these QR barcodes. They are mainly found on flyers and advertisements to get people to visit a restaurant's or store's website for coupons, etc. These things are great because instead of having to waste time typing a long URL, you can just scan the barcode and off you go.

So having an easy mechanism to get people to blindly access URLs is a phisher's or hacker's dream, right?

Even in the U.S., even before these 2D barcodes have become widespread (which they probably will in the next couple of years, now that cellphones there are finally high-tech enough to read barcodes), there is talk about the dangers of phishing with these evil codes! If you do a Google search for "qr code phishing" you will already find people talking about this.


However, there are no inherent dangers in these barcodes at all.

After scanning the QR code, the phone displays the decoded URL and requires the user to confirm before continuing. So even if a malicious person replaces the QR code on a flyer, or even the whole flyer, with a different QR code and a different printed URL, the problem lies with people trusting the URL they are shown; the mechanism for entering the URL quickly has nothing to do with it.
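The confirmation step described above is where the real safeguard lives, so here is an added example (not code from the original post) of what a scanner could compute for that confirmation dialog: the host the browser would actually contact, plus warnings for payloads that are not URLs at all or whose displayed text could mislead. The function name and the sample payloads are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Constructed sample payloads a scanner might decode (not from the original post).
SAMPLE_PAYLOADS = [
    "http://example.com/coupon?id=123",
    "https://example.com@evil.example.net/login",  # '@' trick: real host is after the '@'
    "http://203.0.113.5/app",                      # bare IP literal instead of a name
    "http://xn--exmple-cua.com/",                  # punycode (IDN) host, easy to misread
    "COUPON-CODE-2009",                            # plain text, not a URL
]


def describe_qr_payload(payload: str) -> dict:
    """Build what the confirmation prompt should show before the user accepts.

    Only inspects the decoded text; the QR format itself is not the issue.
    Returns the real hostname and a list of warnings for the dialog to highlight.
    """
    result = {"payload": payload, "is_url": False, "host": None, "warnings": []}
    parts = urlsplit(payload)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        result["warnings"].append("not an http(s) URL; do not open as a link")
        return result
    host = parts.hostname  # already lower-cased, userinfo and port stripped
    result["is_url"] = True
    result["host"] = host
    if parts.username is not None:
        # "user@host" makes the text before '@' look like the site name.
        result["warnings"].append(f"URL contains credentials before '@'; real host is {host}")
    if host.replace(".", "").isdigit():
        result["warnings"].append("host is a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        result["warnings"].append("internationalized (punycode) host; check the spelling")
    if parts.scheme == "http":
        result["warnings"].append("not HTTPS")
    return result


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        info = describe_qr_payload(p)
        print(f"{p!r} -> host={info['host']} warnings={info['warnings']}")
```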

This is still the classic problem of users who are not trained in security issues.

However, this is even less of a problem because even if you get someone to access a URL of your choice on a Japanese cellphone, chances are you will not be able to profit much from it.

That is, there are no remote exploits available, nobody does their banking through their cellphone, and no one would enter their credit card information into a cellphone site they got from a flyer or advertisement.
I am sure someone with enough time could think of a way to profit from someone visiting your malicious site, but if you wanted a high number of users to connect to a URL via cellphones, you would get 10,000 more hits by just posting a link in a hot topic on 2channel, and you wouldn't even have to spend time and money printing things out and posting them!

I really don't know what the fuss is all about.


Sources:
http://web-tan.forum.impressrd.jp/e/2009/02/19/4418
http://ja.wikipedia.org/wiki/%E3%82%AB%E3%83%A1%E3%83%A9%E4%BB%98%E3%81%8D%E6%90%BA%E5%B8%AF%E9%9B%BB%E8%A9%B1
http://slashdot.jp/security/article.pl?sid=09/02/21/0116201
