Hao Pan,Yi‐Chao Chen,Lanqing Yang,Guangtao Xue,Chuang-Wen You,Xiaoyu Ji

DOI: https://doi.org/10.1145/3300061.3345428

2019-01-01

Abstract:Quick response (QR) codes are becoming pervasive due to their rapid readability and the popularity of smartphones with built-in cameras. QR codes are also gaining importance in the retail sector as a convenient mobile payment method. However, researchers have concerns regarding the security of QR codes, which leave users susceptible to financial loss or private information leakage. In this study, we addressed this issue by developing a novel QR code (called mQRCode), which exploits patterns presenting a specific spatial frequency as a form of camouflage. When the targeted receiver holds a camera in a designated position (e.g., directly in front at a distance of 30 cm from the camouflaged QR code), the original QR code is revealed in form of a Moire pattern. From any other position, only the camouflaged QR code can be seen. In experiments, the decryption rate of mQRCode was > 98.6% within 10.2 frames via a multi-frame decryption method. The decryption rate for cameras positioned 20° off axis or > 10cm away from the designated location dropped to 0%, indicating that mQRCode is robust against attacks.

Marvin Geisler,Daniela Pöhn

2024-07-23

Abstract:The usage of quick response (QR) codes was limited in the pre-era of the COVID-19 pandemic. Due to the widespread and frequent application since then, this opened up an attractive phishing opportunity for malicious actors. They trick users into scanning the codes and redirecting them to malicious websites. In order to explore whether phishing with QR codes is another successful attack vector, we conducted a real-world phishing campaign with two different QR code variants at a research campus. The first version was rather plain, whereas the second version was more professionally designed and included the possibility to win a voucher. After the study was completed, a qualitative survey on phishing and QR codes was conducted to verify the results of the phishing campaign. Both, the phishing campaign and the survey, show that a professional design receives more attention. They also illustrate that QR codes are used more frequently by curious users because of their easy functionality. Although the results confirm that technical-savvy users are more aware of the risks, they also underpin the malicious potential for non-technical-savvy users and suggest further work regarding countermeasures.

Cryptography and Security

Yijie Li,Yi-Chao Chen,Xiaoyu Ji,Hao Pan,Lanqing Yang,Guangtao Xue,Jiadi Yu

DOI: https://doi.org/10.1109/infocom42981.2021.9488859

2021-01-01

Abstract:Quick response (QR) codes have been widely used in mobile applications due to its convenience and the pervasive built-in cameras on smartphones. Recently, however, attacks against QR codes have been reported that attackers can capture a QR code of the victim and replay it to achieve a fraudulent transaction or intercept private information, just before the original QR code is scanned. In this study, we enhance the security of a QR code by identifying its authenticity. We propose SCREENID, which embeds a QR code with information of the screen which displays it, thereby the QR code can reveal whether it is reproduced by an adversary or not. In SCREENID, PWM frequency of screens is exploited as the unique screen fingerprint. To improve the estimation accuracy of PWM frequency, SCREENID incorporates a model for the interaction between the camera and screen in the temporal and spatial domains. Extensive experiments demonstrate that SCREENID can differentiate screens of different models, types, and manufacturers, thus improve the security of QR codes.

Yijie Li,Yi-Chao Chen,Xiaoyu Ji,Hao Pan,Lanqing Yang,Guangtao Xue,Jiadi Yu

DOI: https://doi.org/10.1145/3372224.3418165

2020-01-01

Abstract:Quick response (QR) codes have been widely used in mobile applications, due to its convenience and the pervasive built-in cameras on smartphones. Recently, however, QR codes have been reported suffering attacks for being sniffed just before the QR code is scanned, which lead to financial loss. In this study, we propose ScreenID, for enhancing the QR code security by identifying its authenticity, which embeds a QR code with information of unique screen fingerprint - PWM frequency. PWM frequencies are adjusted to different values by screen manufacturers, therefore can successfully differentiate screens. To improve the estimation accuracy of PWM frequency, ScreenID incorporates a model for the interaction between the camera and screen in the temporal and spatial domains. Extensive experiments demonstrate that ScreenID can differentiate screens of different models, types and manufacturers and thus improve the security of QR codes.

Guangtao Xue,Yijie Li,Hao Pan,Lanqing Yang,Yi-Chao Chen,Xiaoyu Ji,Jiadi Yu

DOI: https://doi.org/10.1109/tnet.2022.3203044

2022-01-01

IEEE/ACM Transactions on Networking

Abstract:Quick response (QR) codes have been widely used in mobile applications, especially mobile payments, such as Alipay, WeChat, PayPal, etc due to their convenience and the pervasive built-in cameras on smartphones. Recently, however, attacks against QR codes have been reported and attackers can capture a QR code of the victim and replay it to achieve a fraudulent transaction or intercept private information, just before the original QR code is scanned. In this study, we enhance the security of a QR code by identifying its authenticity. We propose ScreenID, which embeds a QR code with information of the screen which displays it, thereby the QR code can reveal whether it is reproduced by an adversary or not. In ScreenID, PWM frequency of screens is exploited as the unique screen fingerprint. To improve the estimation accuracy of PWM frequency, ScreenID incorporates a model for the interaction between the camera and screen in the temporal and spatial domains. Extensive experiments demonstrate that ScreenID can differentiate screens of different models, types, and manufacturers and thus improve the security of QR codes.

Hao Pan,Yi-Chao Chen,Guangtao Xue,Chuang-Wen You,Xiaoyu Ji

DOI: https://doi.org/10.1145/3267305.3267626

2018-01-01

Abstract:Quick Response (QR) codes are rapidly becoming pervasive in our daily life because of its fast readability and the popularity of smartphones with a built-in camera. However, recent researches raise security concerns because QR codes can be easily sniffed and decoded which can lead to private information leakage or financial loss. To address the issue, we present mQRCode which exploit patterns with specific spatial frequency to camouflage QR codes. When the targeted receiver put a camera at the designated position (e.g., 30cm and 0° above the camouflaged QR code), the original QR code is revealed due to the Moiré phenomenon. Malicious adversaries will only see camouflaged QR code at any other position. Our experiments show that the decoding rate of mQR codes is 95% or above within 0.83 seconds. When the camera is 10cm or 15° away from the designated location, the decoding rate drops to 0 so it's secure from attackers.

Thi Nhung Mac,Daniel J. Phipps,Joy Parkinson,Kyra Hamilton

DOI: https://doi.org/10.1002/hpja.868

2024-05-17

Health Promotion Journal of Australia

Abstract:Issue Addressed The implementation of quick response (QR) code check‐in compliance behaviour during the COVID‐19 pandemic featured in infection control strategies in several global jurisdictions, but was of particular interest in the Australian context, where it became mandated on a nationwide scale. We aimed to identify the salient beliefs people hold toward complying with the QR code check‐in using a Theory of Planned Behaviour belief‐based framework. Methods An elicitation study using open‐ended questions (Queensland; N = 93, Mage = 4.77 years, SD = 13.62 and Victoria; N = 76, Mage = 44.92 years, SD = 11.63) and a prospective correlational study using a two‐wave online survey (Queensland; N = 290, Mage = 38.99, 46.6% female and Victoria; N = 290, Mage = 38.27, 53.4% female) were conducted. Results Qualitative data were coded through an iterative content analysis, while quantitative data were analysed using linear multiple regression. Behavioural, normative and control beliefs were associated with intention and behaviour in both samples. Variation in beliefs across the states also were observed. Conclusions Across both samples, beliefs in positive outcomes consistently exhibited stronger associations with both intention and behaviour than the reported negative outcomes. Distinct differences emerged between the two samples in terms of regression effects. So What? Results indicate individual experience may affect the beliefs which guide behaviour, supporting the potential efficacy of health promotion campaigns tapping into context specific beliefs and experiences if QR code check‐in is to be implemented as an infection control measure in future.

public, environmental & occupational health

Elizabeth P. Hu,Cassie E. McDonald,Yida Zhou,Philip Jakanovski,Phyllis Lau

DOI: https://doi.org/10.1071/py24009

2024-10-29

Australian Journal of Primary Health

Abstract:Quick response (QR) codes are an established method of communication in today's society. However, the role of QR codes for linking to health information in general practice waiting areas has not yet been explored. This mixed-methods study used both quantitative data measuring QR scans and qualitative data from follow-up semi-structured interviews with visitors to two general practice waiting areas to determine access to an online health information site and their experience of using the QR code. The technology acceptance model was used to guide the interview questions. Quantitative data were analysed descriptively, and qualitative data were analysed thematically using an inductive approach. A total of 263 QR scans were recorded across the two sites between October 2022 and October 2023. Twelve participants were interviewed. Eleven themes were identified; six were categorised as facilitators and five were barriers to QR code engagement. Motivation for engagement included boredom and curiosity. Facilitators for engaging with the QR code included familiarity secondary to the recent COVID-19 pandemic, benefits of accessing potentially sensitive information with anonymity, convenience of revisiting later and reduced paper waste. Barriers included size and location of the QR code as a limiting factor to engagement, waiting room wait time, privacy and security concerns, and the potential to exclude those without access to technology or those with low technological literacy. Using QR codes in the general practice waiting area is a convenient method of presenting health information to visitors and patients. Our findings indicate that this may be an appropriate method to share health information in waiting areas. Facilitators and barriers identified in this study may assist with optimising engagement with health information via QR codes while waiting for appointments.

public, environmental & occupational health,health care sciences & services,primary health care,health policy & services

Ming Tu,Lei Wu,Hua Wan,Zhoujin Ding,Zizheng Guo,Jiayi Chen

DOI: https://doi.org/10.3389/fpsyg.2021.798199

IF: 3.8

2022-02-16

Frontiers in Psychology

Abstract:The increasing number of quick response (QR) code mobile payment users heralds the coming of a cashless society. However, the extent to which the coronavirus disease 2019 (COVID-19) pandemic accelerated the adoption of QR code mobile payment has not been sufficiently researched. Based on social learning theory, this study models how external interaction with the environment has affected the internal appraisal and behavioral intention to adopt QR code mobile payment during COVID-19. Empirical results from 248 respondents revealed that perceived severity and social influence positively affected the perception of utilitarian and health benefits of respondents, which in turn influenced the behavioral intention to use the QR code mobile payment. The theoretical contribution and managerial implications of this study are also discussed.

psychology, multidisciplinary

Daniel Timko,Daniel Hernandez Castillo,Muhammad Lutfor Rahman

2024-05-30

Abstract:With the booming popularity of smartphones, threats related to these devices are increasingly on the rise. Smishing, a combination of SMS (Short Message Service) and phishing has emerged as a treacherous cyber threat used by malicious actors to deceive users, aiming to steal sensitive information, money or install malware on their mobile devices. Despite the increase in smishing attacks in recent years, there are very few studies aimed at understanding the factors that contribute to a user's ability to differentiate real from fake messages. To address this gap in knowledge, we have conducted an online survey on smishing detection with 187 participants. In this study, we presented them with 16 SMS screenshots and evaluated how different factors affect their decision making process in smishing detection. Next, we conducted a post-survey to garner information on the participants' security attitudes, behavior and knowledge. Our results highlighted that attention and security behavioral scores had a significant impact on participants' accuracy in identifying smishing messages. We found that participants had more difficulty identifying real messages from fake ones, with an accuracy of 67.1% with fake messages and 43.6% with real messages. Our study is crucial in developing proactive strategies to encounter and mitigate smishing attacks. By understanding what factors influence smishing detection, we aim to bolster users' resilience against such threats and create a safer digital environment for all.

Cryptography and Security,Human-Computer Interaction

June Wang,Gabriela Calderon,Erin R Hager,Lorece V Edwards,Andrea A Berry,Yisi Liu,Janny Dinh,August C Summers,Katherine A Connor,Megan E Collins,Laura Prichett,Beth R Marshall,Sara B Johnson

DOI: https://doi.org/10.1371/journal.pgph.0001452

2023-08-23

Abstract:Web-based survey data collection has become increasingly popular, and limitations on in-person data collection during the COVID-19 pandemic have fueled this growth. However, the anonymity of the online environment increases the risk of fraudulent responses provided by bots or those who complete surveys to receive incentives, a major risk to data integrity. As part of a study of COVID-19 and the return to in-person school, we implemented a web-based survey of parents in Maryland between December 2021 and July 2022. Recruitment relied, in part, on social media advertisements. Despite implementing many existing best practices, we found the survey challenged by sophisticated fraudsters. In response, we iteratively improved survey security. In this paper, we describe efforts to identify and prevent fraudulent online survey responses. Informed by this experience, we provide specific, actionable recommendations for identifying and preventing online survey fraud in future research. Some strategies can be deployed within the data collection platform such as careful crafting of survey links, Internet Protocol address logging to identify duplicate responses, and comparison of client-side and server-side time stamps to identify responses that may have been completed by respondents outside of the survey's target geography. Other strategies can be implemented during the survey design phase. These approaches include the use of a 2-stage design in which respondents must be eligible on a preliminary screener before receiving a personalized link. Other design-based strategies include within-survey and cross-survey validation questions, the addition of "speed bump" questions to thwart careless or computerized responders, and the use of optional open-ended survey questions to identify fraudsters. We describe best practices for ongoing monitoring and post-completion survey data review and verification, including algorithms to expedite some aspects of data review and quality assurance. Such strategies are increasingly critical to safeguarding survey-based public health research.

Marzieh Bitaab,Haehyun Cho,Adam Oest,Penghui Zhang,Zhibo Sun,Rana Pourmohamad,Doowon Kim,Tiffany Bao,Ruoyu Wang,Yan Shoshitaishvili,Adam Doupé,Gail-Joon Ahn

DOI: https://doi.org/10.48550/arXiv.2103.12843

2021-03-24

Abstract:As the COVID-19 pandemic started triggering widespread lockdowns across the globe, cybercriminals did not hesitate to take advantage of users' increased usage of the Internet and their reliance on it. In this paper, we carry out a comprehensive measurement study of online social engineering attacks in the early months of the pandemic. By collecting, synthesizing, and analyzing DNS records, TLS certificates, phishing URLs, phishing website source code, phishing emails, web traffic to phishing websites, news articles, and government announcements, we track trends of phishing activity between January and May 2020 and seek to understand the key implications of the underlying trends. We find that phishing attack traffic in March and April 2020 skyrocketed up to 220\% of its pre-COVID-19 rate, far exceeding typical seasonal spikes. Attackers exploited victims' uncertainty and fear related to the pandemic through a variety of highly targeted scams, including emerging scam types against which current defenses are not sufficient as well as traditional phishing which outpaced the ecosystem's collective response.

Cryptography and Security

Ichiro Nakamoto,Sheng Wang,Yan Guo,Weiqing Zhuang

DOI: https://doi.org/10.2196/preprints.22321

2020-07-08

Abstract:UNSTRUCTURED We discuss a pandemic management framework using symptom-based quick response (QR) codes to contain the spread of COVID-19. In this approach, symptom-based QR health codes are issued by public health authorities. The codes do not retrieve the location data of the users; instead, two different colors are displayed to differentiate the health status of individuals. The QR codes are officially regarded as electronic certificates of individuals’ health status, and can be used for contact tracing, exposure risk self-triage, self-update of health status, health care appointments, and contact-free psychiatric consultations. This approach can be effectively deployed as a uniform platform interconnecting a variety of responders (eg, individuals, institutions, and public authorities) who are affected by the pandemic, which minimizes the errors of manual operation and the costs of fragmented coordination. At the same time, this approach enhances the promptness, interoperability, credibility, and traceability of containment measures. The proposed approach not only provides a supplemental mechanism for manual control measures but also addresses the partial failures of pandemic management tools in the abovementioned facets. The QR tool has been formally deployed in Fujian, a province located in southeast China that has a population of nearly 40 million people. All individuals aged ≥3 years were officially requested to present their QR code during daily public activities, such as when using public transportation systems, working at institutions, and entering or exiting schools. The deployment of this approach has achieved sizeable containment effects and played remarkable roles in shifting the negative gross domestic product (–6.8%) to a positive value by July 2020. The number of cumulative patients with COVID-19 in this setting was confined to 363, of whom 361 had recovered (recovery rate 99.4%) as of July 12, 2020. A simulation showed that if only partial measures of the framework were followed, the number of cumulative cases of COVID-19 could potentially increase ten-fold. This approach can serve as a reliable solution to counteract the emergency of a public health crisis; as a routine tool to enhance the level of public health; to accelerate the recovery of social activities; to assist decision making for policy makers; and as a sustainable measure that enables scalability.

Anfu Zhou,Guangyuan Su,Shilin Zhu,Huadong Ma

DOI: https://doi.org/10.1145/3351284

2019-01-01

Proceedings of the ACM on Interactive Mobile Wearable and Ubiquitous Technologies

Abstract:Quick response (QR) codes have found versatile usage in numerous applications, but have also posed severe security threats such as privacy leakage, phishing and even payment inception if the codes are hijacked. The hijacking is often assumed to be preventable by physically isolating the codes from possible attackers, e.g., putting the QR code inside a glass cabinet distant to outsiders. In this paper, we explore a new QR code hijacking attack, named Li-Man, that can subvert such protection using smart LED. The key idea is to illuminate a target victim QR code from afar using specialized flickering light waveforms, which can transform the code to be any other predefined malicious ones when being captured by smart-phone cameras, while keeping the attack invisible to human visual perception. Li-Man builds on a modeling framework that harnesses the disparity between camera and human imaging mechanisms. We develop a Li-Man simulator and also implement a prototype to verify the feasibility and threat level of Li-Man. Experiments demonstrate that Li-Man can successfully realize the invisible hijacking of QR codes from multiple hidden positions in constrained space. On the other hand, we propose and verify a primary countermeasure that is promising to defeat the Li-Man attack.

Catherine Watson,Jeff McCarthy,Jennifer Rowley

DOI: https://doi.org/10.1016/j.ijinfomgt.2013.06.004

IF: 18.958

2013-10-01

International Journal of Information Management

Abstract:This exploratory online questionnaire-based study confirms the findings from earlier studies in the pre-smart phone era regarding consumers’ negative attitudes towards mobile marketing communications. This study shows that these attitudes persist despite increasing frequency of use and increased functionality of mobile phones in the smart phone era. Consumers perceive their mobile device to be for personal communication, and prefer to be able to exercise control over their interaction with organisations. Findings suggest that acceptance can be enhanced by permission marketing, trust-building, creating a sense of being in control, and useful and entertaining website content. Accordingly, pull technologies seem to hold particular promise for mobile marketing communications. This study, therefore, proceeds to explore use of and attitudes towards an important pull technology, QR codes. QR codes, two-dimensional bar codes, can be scanned to provide access to websites, information and applications. Despite their potential, uptake is low. Users in this study who had scanned a QR code had used them to access a variety of different content on different types of items and in different locations. The most frequently accessed type of content was information on a web site, the two most common locations for a scanned QR code were a newspaper or magazine advert, or outdoor advert or poster, and the two most common locations at which scanning was performed were in the street and at home. Ease of use, utility and incentives are drivers to continued use whilst lack of knowledge about how-to scan or of the benefits of QR codes may hinder adoption. Recommendations are offered for practice and for further research.

information science & library science

Rachel Pozzar,Marilyn J Hammer,Meghan Underhill-Blazey,Alexi A Wright,James A Tulsky,Fangxin Hong,Daniel A Gundersen,Donna L Berry

DOI: https://doi.org/10.2196/preprints.23021

2020-07-30

Abstract:BACKGROUND Recruitment of health research participants through social media is becoming more common. In the United States, 80% of adults use at least one social media platform. Social media platforms may allow researchers to reach potential participants efficiently. However, online research methods may be associated with unique threats to sample validity and data integrity. Limited research has described issues of data quality and authenticity associated with the recruitment of health research participants through social media, and sources of low-quality and fraudulent data in this context are poorly understood. OBJECTIVE The goal of the research was to describe and explain threats to sample validity and data integrity following recruitment of health research participants through social media and summarize recommended strategies to mitigate these threats. Our experience designing and implementing a research study using social media recruitment and online data collection serves as a case study. METHODS Using published strategies to preserve data integrity, we recruited participants to complete an online survey through the social media platforms Twitter and Facebook. Participants were to receive $15 upon survey completion. Prior to manually issuing remuneration, we reviewed completed surveys for indicators of fraudulent or low-quality data. Indicators attributable to respondent error were labeled suspicious, while those suggesting misrepresentation were labeled fraudulent. We planned to remove cases with 1 fraudulent indicator or at least 3 suspicious indicators. RESULTS Within 7 hours of survey activation, we received 271 completed surveys. We classified 94.5% (256/271) of cases as fraudulent and 5.5% (15/271) as suspicious. In total, 86.7% (235/271) provided inconsistent responses to verifiable items and 16.2% (44/271) exhibited evidence of bot automation. Of the fraudulent cases, 53.9% (138/256) provided a duplicate or unusual response to one or more open-ended items and 52.0% (133/256) exhibited evidence of inattention. CONCLUSIONS Research findings from several disciplines suggest studies in which research participants are recruited through social media are susceptible to data quality issues. Opportunistic individuals who use virtual private servers to fraudulently complete research surveys for profit may contribute to low-quality data. Strategies to preserve data integrity following research participant recruitment through social media are limited. Development and testing of novel strategies to prevent and detect fraud is a research priority.

Danni Zheng,Shasha Liu,Wei Lu

DOI: https://doi.org/10.1080/19388160.2022.2087817

2022-01-01

Journal of China Tourism Research

Abstract:Health information technology has been widely implemented to ensure travel safety in the current normalization stage of COVID-19. However, levels of public trust and acceptance toward health QR codes are low in many countries, impeding tourism recovery after the outbreak. Thus, this study aims to explore the psychological mechanisms underpinning tourist trust, confidence, and behaviors toward traveling with health QR codes. Using a quota sampling, 1089 respondents were collected across mainland China. Results identify that tourists' trust in health QR codes is affected by knowledge, perceived efficacy, privacy risk, and security. People's trust in digital health applications can boost travel confidence and increase acceptance of tracing technology and travel intention after the pandemic. Practical implications for developing policies and strategies to encourage travel are provided.

Rubia Fatima,Affan Yasin,Lin Liu,Jianmin Wang

DOI: https://doi.org/10.1504/ijics.2024.138492

2024-01-01

International Journal of Information and Computer Security

Abstract:The COVID-19 pandemic has sparked considerable alarm amongst the general community and has significantly affected the societal attitudes and perceptions. In the current era, social engineers are applying various strategies to exploit human weakness. Phishing, a social engineering technique, is one of the most widely used and effective ways to undermine human assets. In this research study, firstly, we aim to educate the participants regarding phishing attacks; secondly, the dangers associated with excessive online sharing; and thirdly, how to utilise game scenarios developed by the participants to elicit security requirements. We have employed various research methods, such as, survey, observation, personas development, and scenario-based technique to achieve these objectives. Our re-evaluation results show that the PhishI game effectively educates participants regarding phishing attacks and dangers associated with disclosing excessive online information.

Riccardo Focardi,Flaminia L. Luccio,Heider A.M. Wahsheh

DOI: https://doi.org/10.1016/j.jisa.2019.102369

IF: 4.96

2019-10-01

Journal of Information Security and Applications

Abstract:<p>QR codes are widely used in various settings such as consumer advertising, commercial tracking, ticketing and marketing. People tend to scan QR codes and trust their content, but there exists no standard mechanism for providing authenticity and confidentiality of the code content. Attacks such as the redirection to a malicious website or the infection of a smartphone with a malware are realistic and feasible in practice. In this paper, we present the first systematic study of <em>usable</em> state-of-the-art cryptographic primitives inside QR codes. We select standard, popular cryptographic schemes and we compare them based on performance, size and security. We conduct tests that show how different usability factors impact on the QR code scanning performance and we evaluate the usability/security trade-off of the considered cryptographic schemes. Interestingly, we find out that in some cases security breaks usability and we provide recommendations for the choice of secure and usable cryptographic schemes.</p>

computer science, information systems

Cori Faklaris,Heather Richter Lipford,Sarah Tabassum

DOI: https://doi.org/10.48550/arXiv.2309.06322

IF: 6.4588

2023-09-12

Human-Computer Interaction

Abstract:As adoption of mobile phones has skyrocketed, so have scams involving them. The text method is called SMiShing, (aka SMShing, or smishing) in which a fraudster sends a phishing link via Short Message Service (SMS) text to a phone. However, no data exists on who is most vulnerable to SMiShing. Prior work in phishing (its e-mail cousin) indicates that this is likely to vary by demographic and contextual factors. In our study, we collect this data from N=1007 U.S. adult mobile phone users. Younger people and college students emerge in this sample as the most vulnerable. Participants struggled to correctly identify legitimate messages and were easily misled when they knew they had an account with the faked message entity. Counterintuitively, participants with higher levels of security training and awareness were less correct in rating possible SMiSH. We recommend next steps for researchers, regulators and telecom providers.