For the uninitiated, QR codes are the square-shaped barcodes that brands now display in their advertisements, offices, and even uniforms. With smart mobile phones turning ubiquitous, the adoption of QR codes has been on a constant rise. They have been popularly used for downloading apps, checking product prices, and entering online polls and competitions. In recent times, however, corporates and businesses have been trying to drive more operations using QR codes. For example, banks advertise their products and features using QR codes in their branches and ATMs. One of the most successful adoptions of QR codes has been in digital payments in China. It is reported that a substantial percentage of payment transactions by Alibaba and Tencent is through QR codes.
In India, a move to a cashless economy has opened doors to new disruptive technologies in the banking and financial sector. As the payment industry looks to digital solutions to ride this opportunity, the use of QR codes for transactions is a serious candidate. Any such system has to factor in the risks related to using QR codes for payment transactions. The biggest challenge is of course that a QR code is not at all human readable. A payer has to rely on the service provider’s security and business controls and take the QR code at face value. A known risk with QR codes is that they can be tampered with.
The tampering can happen in two ways. One, after the QR code is released by the service provider. Two, by replacing the QR code with a malicious one before the service provider releases it. A manipulated QR code has the potential to alter the target payee, introduce malicious code on the payer’s phone, or even introduce ransomware. However, relatively strong security controls around the QR code payment process can reduce these risks to zilch. As long as the cryptographic transaction behind the payment is secured using a strong process, manipulating a QR code becomes impossible. Another security control is to have burnable QR codes: codes that work only once through an authorized scanner (the payer) and are rendered useless after that single use. This will ensure fraudulent activity is flushed out of the system. A very good example can be found in Alibaba’s use of dotless QR codes. These codes are tamper-proof, and they burn (become unusable) after they are used once. In addition, they allow a brand image to be placed at the center of the QR code. This helps not only the buyer or payer but also service providers and manufacturers, who can use it to brand themselves.
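
The two controls described above, a cryptographically secured payload and a burnable single-use code, can be sketched as follows. This is an added example, not any payment provider's actual scheme: it assumes the scanned payload is checked on the service provider's server, uses HMAC-SHA256 as the integrity mechanism, and the key, payee names and field names are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key (assumption); a real provider would hold it in an HSM or KMS.
PROVIDER_KEY = b"constructed-demo-key-not-for-production"


def _tag(body: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the payment fields."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def issue_qr_payload(payee: str, amount: str, key: bytes = PROVIDER_KEY) -> str:
    """Return the string the provider would encode into the QR image."""
    body = {"payee": payee, "amount": amount, "nonce": secrets.token_hex(16)}
    return json.dumps({"body": body, "tag": _tag(body, key)})


class BurnableVerifier:
    """Server-side check: each validly signed payload is accepted exactly once."""

    def __init__(self, key: bytes = PROVIDER_KEY):
        self._key = key
        self._burned = set()  # nonces that have already been redeemed

    def redeem(self, scanned: str) -> str:
        try:
            msg = json.loads(scanned)
            body, tag = msg["body"], msg["tag"]
            nonce = body["nonce"]
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed"
        if not (isinstance(tag, str) and isinstance(nonce, str)):
            return "rejected: malformed"
        # Constant-time comparison; any change to payee or amount breaks the tag.
        if not hmac.compare_digest(_tag(body, self._key).encode(), tag.encode()):
            return "rejected: tampered"
        if nonce in self._burned:
            return "rejected: already used"
        self._burned.add(nonce)  # burn the code on first successful use
        return f"accepted: pay {body['amount']} to {body['payee']}"
```

The burned-nonce set lives in memory here; a deployed verifier would need shared, persistent storage so that a code burned on one server is also rejected on the others.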