Guangtao Xue,Yijie Li,Hao Pan,Lanqing Yang,Yi-Chao Chen,Xiaoyu Ji,Jiadi Yu

DOI: https://doi.org/10.1109/tnet.2022.3203044

2022-01-01

IEEE/ACM Transactions on Networking

Abstract:Quick response (QR) codes have been widely used in mobile applications, especially mobile payments, such as Alipay, WeChat, PayPal, etc due to their convenience and the pervasive built-in cameras on smartphones. Recently, however, attacks against QR codes have been reported and attackers can capture a QR code of the victim and replay it to achieve a fraudulent transaction or intercept private information, just before the original QR code is scanned. In this study, we enhance the security of a QR code by identifying its authenticity. We propose ScreenID, which embeds a QR code with information of the screen which displays it, thereby the QR code can reveal whether it is reproduced by an adversary or not. In ScreenID, PWM frequency of screens is exploited as the unique screen fingerprint. To improve the estimation accuracy of PWM frequency, ScreenID incorporates a model for the interaction between the camera and screen in the temporal and spatial domains. Extensive experiments demonstrate that ScreenID can differentiate screens of different models, types, and manufacturers and thus improve the security of QR codes.

Yijie Li,Yi-Chao Chen,Xiaoyu Ji,Hao Pan,Lanqing Yang,Guangtao Xue,Jiadi Yu

DOI: https://doi.org/10.1145/3372224.3418165

2020-01-01

Abstract:Quick response (QR) codes have been widely used in mobile applications, due to its convenience and the pervasive built-in cameras on smartphones. Recently, however, QR codes have been reported suffering attacks for being sniffed just before the QR code is scanned, which lead to financial loss. In this study, we propose ScreenID, for enhancing the QR code security by identifying its authenticity, which embeds a QR code with information of unique screen fingerprint - PWM frequency. PWM frequencies are adjusted to different values by screen manufacturers, therefore can successfully differentiate screens. To improve the estimation accuracy of PWM frequency, ScreenID incorporates a model for the interaction between the camera and screen in the temporal and spatial domains. Extensive experiments demonstrate that ScreenID can differentiate screens of different models, types and manufacturers and thus improve the security of QR codes.

Yijie Li,Yi-Chao Chen,Xiaoyu Ji,Hao Pan,Lanqing Yang,Guangtao Xue,Jiadi Yu

DOI: https://doi.org/10.1109/infocom42981.2021.9488859

2021-01-01

Abstract:Quick response (QR) codes have been widely used in mobile applications due to its convenience and the pervasive built-in cameras on smartphones. Recently, however, attacks against QR codes have been reported that attackers can capture a QR code of the victim and replay it to achieve a fraudulent transaction or intercept private information, just before the original QR code is scanned. In this study, we enhance the security of a QR code by identifying its authenticity. We propose SCREENID, which embeds a QR code with information of the screen which displays it, thereby the QR code can reveal whether it is reproduced by an adversary or not. In SCREENID, PWM frequency of screens is exploited as the unique screen fingerprint. To improve the estimation accuracy of PWM frequency, SCREENID incorporates a model for the interaction between the camera and screen in the temporal and spatial domains. Extensive experiments demonstrate that SCREENID can differentiate screens of different models, types, and manufacturers, thus improve the security of QR codes.

Hao Pan,Yi‐Chao Chen,Lanqing Yang,Guangtao Xue,Chuang-Wen You,Xiaoyu Ji

DOI: https://doi.org/10.1145/3300061.3345428

2019-01-01

Abstract:Quick response (QR) codes are becoming pervasive due to their rapid readability and the popularity of smartphones with built-in cameras. QR codes are also gaining importance in the retail sector as a convenient mobile payment method. However, researchers have concerns regarding the security of QR codes, which leave users susceptible to financial loss or private information leakage. In this study, we addressed this issue by developing a novel QR code (called mQRCode), which exploits patterns presenting a specific spatial frequency as a form of camouflage. When the targeted receiver holds a camera in a designated position (e.g., directly in front at a distance of 30 cm from the camouflaged QR code), the original QR code is revealed in form of a Moire pattern. From any other position, only the camouflaged QR code can be seen. In experiments, the decryption rate of mQRCode was > 98.6% within 10.2 frames via a multi-frame decryption method. The decryption rate for cameras positioned 20° off axis or > 10cm away from the designated location dropped to 0%, indicating that mQRCode is robust against attacks.

Hao Pan,Lanqing Yang,Yi-Chao Chen,Guangtao Xue,Chuang-Wen You,Xiaoyu Ji,Pai-Yen Chen

DOI: https://doi.org/10.1145/3300061.3343391

2019-01-01

Abstract:Quick response (QR) codes are becoming pervasive due to their rapid readability and the popularity of smartphones with built-in cameras. QR codes are also gaining importance in the retail sector as a convenient mobile payment method. However, researchers have concerns regarding the security of QR codes, which leave users susceptible to financial loss or private information leakage. In this study, we address this issue by developing a novel QR code (called mQR code), which exploits patterns presenting a specific spatial frequency as a form of camouflage. When the targeted receiver holds a camera in a designated position (e.g., directly in front at a distance of 30 cm from the camouflaged QR code), the original QR code is revealed in form of a Moiré pattern. From any other position, only the camouflaged QR code can be seen. In experiments, the decryption rate of mQR codes is $> 98%$. The decryption rate for cameras positioned $20\degree$ off axis or $> 10cm$ from the designated location drops to $0%$, indicating that any attackers will be unable to steal a usable image.

Hao Pan,Yi-Chao Chen,Guangtao Xue,Chuang-Wen You,Xiaoyu Ji

DOI: https://doi.org/10.1145/3267305.3267626

2018-01-01

Abstract:Quick Response (QR) codes are rapidly becoming pervasive in our daily life because of its fast readability and the popularity of smartphones with a built-in camera. However, recent researches raise security concerns because QR codes can be easily sniffed and decoded which can lead to private information leakage or financial loss. To address the issue, we present mQRCode which exploit patterns with specific spatial frequency to camouflage QR codes. When the targeted receiver put a camera at the designated position (e.g., 30cm and 0° above the camouflaged QR code), the original QR code is revealed due to the Moiré phenomenon. Malicious adversaries will only see camouflaged QR code at any other position. Our experiments show that the decoding rate of mQR codes is 95% or above within 0.83 seconds. When the camera is 10cm or 15° away from the designated location, the decoding rate drops to 0 so it's secure from attackers.

Enis Ulqinaku,Julinda Stefa,Alessandro Mei

DOI: https://doi.org/10.48550/arXiv.1905.10141

2019-05-24

Cryptography and Security

Abstract:Mobile payments have increased significantly in the recent years and one-to-one money transfers are offered by a wide variety of smartphone applications. These applications usually support scan-and-pay -- a technique that allows a payer to easily scan the destination address of the payment directly from the payee's smartphone screen. This technique is pervasive because it does not require any particular hardware, only the camera, which is present on all modern smartphones. However, in this work we show that a malicious application can exploit the overlay feature on Android to compromise the integrity of transactions that make use of the scan-and-pay technique. We implement Malview, a proof-of-concept malicious application that runs in the background on the payee's smartphone and show that it succeeds in redirecting payments to a malicious wallet. We analyze the weaknesses of the current defense mechanisms and discuss possible countermeasures against the attack.

Jianfeng Lu,Zaorang Yang,Lina Li,Wenqiang Yuan,Li Li,Chin-Chen Chang

DOI: https://doi.org/10.1155/2017/4356038

2017-01-01

Mobile Information Systems

Abstract:QR code (quick response code) is used due to its beneficial properties, especially in the mobile payment field. However, there exists an inevitable risk in the transaction process. It is not easily perceived that the attacker tampers with or replaces the QR code that contains merchant’s beneficiary account. Thus, it is of great urgency to conduct authentication of QR code. In this study, we propose a novel mechanism based on visual cryptography scheme (VCS) and aesthetic QR code, which contains three primary schemes for different concealment levels. The main steps of these schemes are as follows. Firstly, one original QR code is split into two shadows using VC multiple rules; secondly, the two shadows are embedded into the same background image, respectively, and the embedded results are fused with the same carrier QR code, respectively, using XOR mechanism of RS and QR code error correction mechanism. Finally, the two aesthetic QR codes can be stacked precisely and the original QR code is restored according to the defined VCS. Experiments corresponding to three proposed schemes are conducted and demonstrate the feasibility and security of the mobile payment authentication, the significant improvement of the concealment for the shadows in QR code, and the diversity of mobile payment authentication.

computer science, information systems,telecommunications

Hongxin Zhang,Xin Zou,Guanghuan Xie,Zhuo Li

DOI: https://doi.org/10.1007/978-981-19-8877-6_3

2022-01-01

Abstract:In order to avoid the risk of theft and loss of the private key of the blockchain wallet, a novel secure and stable blockchain multi-party signature system combining software and hardware is proposed. First, at the software level, multi-party key management method is adopted to divide the blockchain wallet key into multiple fragments for multi-point storage. Threshold signature technology is adopted to provide key escrow and retrieval services. Then a cold wallet for storing keys is designed at the hardware level. In order to avoid the risk of being attacked by hackers through network contact, a visible light communication method based on Quick Response Code is proposed. The Base45 coding scheme is adopted to improve the coding efficiency of QR Code, and the GG18 multi-party signature process is optimized. Finally, this paper analyzes the security of visible light communication, and verifies the efficiency of this method by experiments.

Chiachih Wu,Yajin Zhou,Kunal Patel,Zhenkai Liang,Xuxian Jiang

DOI: https://doi.org/10.14722/ndss.2014.23164

2014-01-01

Abstract:Recent years have experienced explosive growth of smartphone sales. Inevitably, the rise in the popularity of smartphones also makes them an attractive target for attacks. In light of these threats, current mobile platform providers have developed various server-side vetting processes to block malicious applications (“apps”). While helpful, they are still far from ideal in achieving their goals. To make matters worse, the presence of alternative (less-regulated) mobile marketplaces also opens up new attack vectors, which necessitate client-side solutions (e.g., mobile anti-virus software) to run on mobile devices. However, existing client-side solutions still exhibit limitations in their capability or deployability. In this paper, we present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost our defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel and the fact that untrusted apps will be eventually installed onto users’ phones, AirBag is designed to isolate and prevent them from infecting our normal systems (e.g., corrupting the phone firmware) or stealthily leaking private information. More specifically, by dynamically creating an isolated runtime environment with its own dedicated namespace and virtualized system resources, AirBag not only allows for transparent execution of untrusted apps, but also effectively mediates their access to various system resources or phone functionalities (e.g., SMSs or phone calls). We have implemented a proof-of-concept prototype on three representative mobile devices, i.e., Google Nexus One, Nexus 7, and Samsung Galaxy S III. The evaluation results with a number of untrusted apps, including real-world mobile malware, demonstrate its practicality and effectiveness.

Vineetha K R -,Habeeba Sinu -

DOI: https://doi.org/10.36948/ijfmr.2023.v05i02.2326

2023-04-11

International Journal For Multidisciplinary Research

Abstract:In this paper, the design and implementation of a secure payment system based on QR codes will be covered. In recent years, QR codes have been widely used due to their capacity to speed up payments and provide customers with the highest comfort. Yet, as convenient as QR-based online payment systems may seem, they are vulnerable to a variety of attacks. Transaction processing needs to be adequately secure in order to protect the privacy and accuracy of each payment operation. The online payment system must also guarantee the legitimacy of each transaction for both the sender and the recipient. This article offers security for the proposed QR-based system using visual cryptography. The recommended solution consists of a mobile application and a payment gateway server that employs visual cryptography. Customers who use the application may conduct financial transactions in a secure environment thanks to its clear and user-friendly layout.

Xiaolong Bai,Zhe Zhou,XiaoFeng Wang,Zhou Li,Xianghang Mi,Nan Zhang,Tongxin Li,Shi-Min Hui,Kehuan Zhang

2017-01-01

Abstract:Mobile off-line payment enables purchase over the counter even in the absence of reliable network connections. Popular solutions proposed by leading payment service providers (e.g., Google, Amazon, Samsung, Apple) rely on direct communication between the payer's device and the POS system, through Near-Field Communication (NFC), Magnetic Secure Transaction (MST), audio and QR code. Although pre-cautions have been taken to protect the payment transactions through these channels, their security implications are less understood, particularly in the presence of unique threats to this new e-commerce service. In the paper, we report a new type of over-the-counter payment frauds on mobile off-line payment, which exploit the designs of existing schemes that apparently fail to consider the adversary capable of actively affecting the payment process. Our attack, called Synchronized Token Lifting and Spending (STLS), demonstrates that an active attacker can sniff the payment token, halt the ongoing transaction through various means and transmit the token quickly to a colluder to spend it in a different transaction while the token is still valid. Our research shows that such STLS attacks pose a realistic threat to popular offline payment schemes, particularly those meant to be backwardly compatible, like Samsung Pay and AliPay. To mitigate the newly discovered threats, we propose a new solution called POSAUTH. One fundamental cause of the STLS risk is the nature of the communication channels used by the vulnerable mobile off-line payment schemes, which are easy to sniff and jam, and more importantly, unable to support a secure mutual challenge-response protocols since information can only be transmitted in one-way. POSAUTH addresses this issue by incorporating one unique ID of the current POS terminal into the generation of payment tokens by requiring a quick scan-ning of QR code printed on the POS terminal. When combined with a short valid period, POSAUTH can ensure that tokens generated for one transaction can only be used in that transaction.

Young Sil Lee,Nack Hyun Kim,Hyotaek Lim,HeungKuk Jo,Hoon Jae Lee

DOI: https://doi.org/10.1109/iccit.2010.5711134

2010-11-01

Abstract:As a high-speed internet infrastructure is being developed and people are informationized, the financial tasks are also engaged in internet field. However, the existing internet banking system was exposed to the danger of hacking. Recently, the personal information has been leaked by a high-degree method such as Phishing or Pharming beyond snatching a user's ID and Password. Seeing that most of examples which happened in the domestic financial agencies were caused by the appropriation of ID or Password belonging to others, a safe user confirmation system gets much more essential. In this paper, we propose a new Online Banking Authentication system. This authentication system used Mobile OTP with the combination of QR-code which is a variant of the 2D barcode.

Doyel Pal,Praveenkumar Khethavath,Tingting Chen,Yuan Zhang

DOI: https://doi.org/10.1002/dac.3293

2017-01-01

International Journal of Communication Systems

Abstract:Payment methods using mobile devices instead of using traditional methods (cash, credit card, etc) has been gaining popularity all over the world. The ubiquitous nature of smartphones and tablets has widened the ambit for using these devices for payments and other daily life activities. Recent advancements in mobile technology along with the convenience of mobile devices made these applications possible. Despite the worldwide user adoption of mobile applications, security is the key challenge in mobile banking and payments system. Mobile payments systems need to be very efficient and provide utmost security endlessly. State‐of‐the‐art mobile payment systems need the physical presence of a merchant agent to make a payment. In this article, we had described in detail about the design and implementation of a mobile payments application, used to make in‐store purchases and make secure payments without any physical presence of a cashier or a merchant agent. We proposed a novel privacy‐preserving and secure authentication algorithm to make mobile payments using biometrics. The analysis and experimental results show the reliability and efficiency of our proposed solution.

Bingsheng Zhang,Kui Ren,Guoliang Xing,Xinwen Fu,Cong Wang

DOI: https://doi.org/10.1109/tmc.2015.2413791

IF: 6.075

2016-01-01

IEEE Transactions on Mobile Computing

Abstract:As an alternative to NFC technology, 2D barcodes have been increasingly used for security-sensitive applications including payments and personal identification. However, the security of barcode-based communication in mobile applications has not been systematically studied. Due to the visual nature, 2D barcodes are subject to eavesdropping when they are displayed on the screen of a smartphone. On the other hand, the fundamental design principles of 2D barcodes make it difficult to add security features. In this paper, we propose SBVLC - a secure system for barcode-based visible light communication (VLC) between smartphones. We formally analyze the security of SBVLC based on geometric models and propose physical security enhancement mechanisms for barcode communication by manipulating screen view angles and leveraging user-induced motions. We then develop two secure data exchange schemes. These schemes are useful in many security-sensitive mobile applications including private information sharing, secure device pairing, and mobile payment. SBVLC is evaluated through extensive experiments on both Android and iOS smartphones.

Jack Sturgess,Ivan Martinovic

2024-09-24

Abstract:Cashless payment systems offer many benefits over cash, but also have some drawbacks. Fake terminals, skimming, wireless connectivity, and relay attacks are persistent problems. Attempts to overcome one problem often lead to another - for example, some systems use QR codes to avoid skimming and connexion issues, but QR codes can be stolen at distance and relayed. In this paper, we propose a novel mobile payment scheme based on biometric identification that provides mutual authentication to protect the user from rogue terminals. Our scheme imposes only minimal requirements on terminal hardware, does not depend on wireless connectivity between the user and the verifier during the authentication phase, and does not require the user to trust the terminal until it has authenticated itself to the user. We show that our scheme is resistant against phishing, replay, relay, and presentation attacks.

Cryptography and Security

Tianqi Wang,Ting Liu,Huimin Zhu

DOI: https://doi.org/10.56397/ist.2024.01.07

2024-01-01

Abstract:As the mobile payment landscape continues to evolve rapidly, this paper examines the emerging threats and future challenges facing Alipay and the broader industry. The analysis encompasses cybersecurity innovations, regulatory landscape changes, user privacy concerns, integration with emerging technologies, global expansion challenges, competition and market saturation, technological infrastructure scalability, consumer education and trust, geopolitical risks, and social and ethical considerations. With the aim of fostering a comprehensive understanding, the paper explores how Alipay can strategically adapt to these challenges through continuous innovation, regulatory compliance, user-centric approaches, and global collaboration. The insights derived from this exploration contribute to a holistic perspective on the dynamic future of mobile payments.

Chahil Choudhary,Adil Husain Rather,Inam ul Haq

DOI: https://doi.org/10.1109/ICCSAI59793.2023.10421294

2023-11-23

Abstract:Quick Response code model plays an important role in mobile security and payments market. All QR code looks similar but technology behind these makes it unique. For the transactions security there always has been a concern in information security. So, to handle this a new system is introduced which is achieved by cryptographic QR code algorithm which is dynamic and makes it even more secure and its unique ability makes it even more secure. Dynamic QR codes have emerged as a pivotal technology in the realm of payments, revolutionizing the way transactions are conducted. Proposed model and working architecture of the system shows that system has achieved the desired output. The performance of system hardware has more efficiency than traditional algorithms and compared it to some other algorithm the processing time is less and execution speed is fast which makes it even more secure and reliable. As the technology evolves and matures, it is poised to further transform the way we conduct financial transactions, paving the way for a more secure, efficient, and inclusive payment ecosystem.

Computer Science

Ruxin Wang,Long Huang,Kaitlyn Madden,Chen Wang

DOI: https://doi.org/10.1145/3643833.3656128

2024-01-01

Abstract:Because of the great convenience and being not readable to humans, Quick Response (QR) codes are increasingly being utilized to offer a variety of security applications to mobile users, such as online payments, website logins, and private data sharing. To facilitate these security applications, QR codes usually contain sensitive information, such as bank account details, credit card numbers, and personal/organizational/device data, or they are specifically designed to work with cloud servers to provide security services. However, there is currently no existing solution to verify the identity of the smartphone user who scans a QR code from a Kiosk or another phone's screen. Verifying the scanner's identity is essential to ensure that financial transactions go to the correct recipient and that sensitive data is securely shared to its intended destination. This work aims to equip QR code providers with the ability to verify human scanners' identities, facilitating authorization and auditing. When a phone is held close to scan a QR code, we utilize the front camera of the code provider (a Kiosk or phone) to simultaneously verify the scanner's hand. Instead of requiring the scanner to present a stretched palm to obtain traditional hand geometries, we find that the geometry of an individual's hand, when it grips a phone, is also identifiable. We thus design a vision-based approach to extract gripping hand biometrics. We leverage the QR code's screen to cast light onto the scanner's gripping hand, ensuring adequate illumination even in low-light conditions. We then use a hand tracking tool, MediaPipe, to detect and localize the hand and develop a transformer-based algorithm to verify four types of gripping hand biometric features extracted from the hand image, including hand contour, skeleton, color, and surface. We further capture the subtle hand joint movements for liveness validation, because the user needs to click touchscreen buttons to start QR code scanning. Extensive experiments, including a long-term study spanning over 32 months, show that the system achieves 98.3% accuracy in verifying the user and mitigating 2D and 3D replay attacks. Compared to the widely used facial recognition, this approach addresses the recent struggles of identifying faces behind masks and the public concerns about privacy erosion.

Jung-San Lee,Kuo-Jui Wei,Shin-Jen Chen,Yi-Hua Wang

DOI: https://doi.org/10.1007/s11042-014-2403-6

IF: 2.577

2014-12-05

Multimedia Tools and Applications

Abstract:Telecommunication micropayment (Tele-micropayment) is an alternative of shelling out from traditional electronic commerce with high flexibility. It has been applied to the applications of online software, music, e-book, and game credit, in which the consumers are only charged with petty expense. The verification procedure of this payment relies on OTP(one time password) via SMS(short message service). Obtaining the OTP from smart phone and importing the content into the website is easy for a consumer to complete the transaction. Nevertheless, the SMS Spam Blocker has brought a fatal damage to Tele-micropayment, which could be spread by malicious smart phone Apps(Applications). With the intercepted SMS, an attacker can further learn the content to launch a micropayment scam. As the amount of micropayment is petty, it is hard to be aware of this behavior after the victim receives the bill. In this proposal, we aim to design a brand-new OTP by introducing visual secret sharing technique. According to the experiments, even the attacker can intercept the SMS to get OTP, he cannot learn the content via OCR(Optical character recognition) software. This has proved that our design can greatly help to stop this micropayment scam.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering