Reply to post: Good research, but...

Reflection of a QR code on PoS scanner used to own mobile payments

Frank Bitterlich

Good research, but...

... some of the scenarios are somewhat constructed.

His tactic for such tokens was to surreptitiously turn on a smartphone’s front-facing camera to photograph the reflection of a QR code in a point of sale scanner’s protective cover. This attack also detects the configuration of the QR code and subtly changes its appearance to make it unreadable. The malware running the attack on the smartphone, however, manages to retain a perfect and usable QR code.

OK, so the targeted phone has already been compromised to such a level that the attack app has control over the screen. What's the point then to use the camera to try and catch the code? Why not just get it from a screengrab?

The technique can also be used to craft malicious QR codes that, when used for smartphone-to-smartphone payments, see the victim machine directed to download and run malware.

That's a vuln in the target smartphone's payment app. If it expects a payment token, and gets a "http:..." instead, it probably won't blindly say "oh, hey, why not, let's visit that site..."

All interesting techniques, and good that he did that research, but not very close to see that in the wild. Way more likely (and easier) to attack the payment service (for example with POS malware) directly.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2021