
QR Codes As Anti-Forgery On Currency Could Infect Banks

timothy posted about a year and a half ago | from the fiat-money's-been-hacked-long-ago dept.

The Almighty Buck 289

New submitter planetzuda writes "Invisible nano QR codes have been proposed as a way to stop forgery of U.S. currency by students of the South Dakota School of Mines and Technology. Unfortunately QR codes are easy to forge and can send you to a site that infects your system. Banks would most likely need to scan currency that have QR codes to ensure the authenticity of the bill. If the QR code was forged it could infect the bank with a virus."


289 comments

Sigh. (5, Insightful)

ledow (319597) | about a year and a half ago | (#41322447)

Only if they're stupid enough to execute code formed from non-executable input.

Re:Sigh. (0)

ciderbrew (1860166) | about a year and a half ago | (#41322469)

* FIX
They're stupid enough to execute code formed from non-executable input.
* FIX OVER

Re:Sigh. (4, Insightful)

jeffmeden (135043) | about a year and a half ago | (#41322681)

* FIX

They're stupid enough to execute code formed from non-executable input.

* FIX OVER

Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over... Why, there is no way every single bank, even the podunk credit unions that dot the land near and far, can figure out how to run a completely public banking portal without getting completely pwned on their first day and having their vaults emptied. Wait, no, I have that backwards. Good security IS possible, it's just hard for most slashpundits to imagine since it is completely beyond them.

Re:Sigh. (1)

jhoegl (638955) | about a year and a half ago | (#41322893)

Agreed, if it attempts to go anywhere else, it just says "invalid".

Done...
That fix will cost you $5 million dollars + patent fees.

Re:Sigh. (2)

kelemvor4 (1980226) | about a year and a half ago | (#41323039)

* FIX

They're stupid enough to execute code formed from non-executable input.

* FIX OVER

Yes, let's go ahead and presume that the institutions that figuratively and in some cases literally built the first world nations we sit on our asses in have no idea how to sandbox and bound check a code read from a scanner in order to stop an "infection" from taking over... Why, there is no way every single bank, even the podunk credit unions that dot the land near and far, can figure out how to run a completely public banking portal without getting completely pwned on their first day and having their vaults emptied. Wait, no, I have that backwards. Good security IS possible, it's just hard for most slashpundits to imagine since it is completely beyond them.

Recent history suggests financial institutions do not have a good deal of competence. Maybe they once did, but not in recent years.

Re:Sigh. (4, Interesting)

RyuuzakiTetsuya (195424) | about a year and a half ago | (#41322475)

What I came to say. I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

Maybe if the QR code was a URL. But you'd have to be stupid to do that too.

A QR code that was a hash of the batch, the release series the serial number and a salt, sure. This could be awesome. Otherwise? Not so much.

Re:Sigh. (1)

jeffmeden (135043) | about a year and a half ago | (#41322731)

What I came to say. I can't imagine a qr code being able to stack overflow anything, there aren't enough bits.

Maybe if the QR code was a URL. But you'd have to be stupid to do that too.

A QR code that was a hash of the batch, the release series the serial number and a salt, sure. This could be awesome. Otherwise? Not so much.

Quite right. I suspect near the beginning of the forgery algorithm there lies something to the effect of "if scanned_code.urlCheck == true { forgeryAlert(scanned_code) }" and certainly not "if scanned_code.urlCheck == true { browser(scanned_code.text) }". Just a five minute observation though, someone might have a better way to do that.

Re:Sigh. (4, Interesting)

Joce640k (829181) | about a year and a half ago | (#41322859)

Would it even be a URL? A QR code is just binary data. I'm sure a bank would interpret them as a binary number, not a download link.

Re:Sigh. (1)

Anonymous Coward | about a year and a half ago | (#41322797)

As someone who has written a QR code encoder and created his fair share of malformed QR codes, I can attest that some very popular QR code readers are not at all robust. The only thing keeping them from doing something bad is that they're mobile phone software written in managed languages where the typical bugs just throw an exception and end the process.

Re:Sigh. (4, Informative)

Joce640k (829181) | about a year and a half ago | (#41322503)

Ummm....do QR codes have to be a URL? Why would a bank want to put URLs on their bank notes then visit the URL when they scan them?

Whoever wrote that is a moron.

Re:Sigh. (5, Insightful)

postbigbang (761081) | about a year and a half ago | (#41322531)

The poster is confused. QR Codes are data, not actionable unless you take action on them. Moronic? That's a little rough. In need of a lot of education? Oh.Yeah.

Re:Sigh. (0)

Anonymous Coward | about a year and a half ago | (#41322823)

All computer programs are data, and only do stuff when executed. It is unlikely there is any QR code reader that deliberately executes the data it decodes - but a reader that contains a bug potentially writing data to the wrong place in memory? Not implausible.

Re:Sigh. (1)

postbigbang (761081) | about a year and a half ago | (#41322949)

This is why you parse data before you accept it as input. A QR code is unlikely to blow a parsing buffer because it contains a known maximum data read from the scanning device. You set the boundaries to a number and that's the bound/domain of the input source. Should it exceed that size, kill your code on the way to making an error message (should the buffer overflow be huge, thus not able to execute the error branch). E.g., standard buffer overflow execution prevention code technique(s).

Nothing is impossible. Should you set your buffer length large enough for the input to be parsed/type-checked, it won't happen. Therefore, it's implausible in a bank reader that's going to scan thousands of bills in a minute as a duty cycle. Yes, there are stupid coders. Yes, there are smart forgers-- but you're not going to print a bill like that easily, either.

Re:Sigh. (1, Redundant)

Joce640k (829181) | about a year and a half ago | (#41322905)

Moronic? That's a little rough. In need of a lot of education? Oh.Yeah.

Disagree. The assumptions made by the poster are moronic, i.e. A bank would visit a web page whenever they scan a bank note.

(then download all the content from that page and try to do something with it...LOL)

Re:Sigh. (5, Insightful)

Anonymous Coward | about a year and a half ago | (#41322543)

No, they can be plain text. It's always been part of the standard.

Looks like the summary is just the usual flamebait, containing some stupid statement that commenters will feel compelled to correct.

Re:Sigh. (1)

oneiros27 (46144) | about a year and a half ago | (#41322765)

A couple of years back, one of the Slashdot admins (Scuttlemonkey? Samzenpus?) gave an interview, and they mentioned that they specifically selected articles that they thought would provoke discussion.

Which I interpreted as 'yes, we troll our users and put up complete flamebait'.

Not having much luck finding it again, though.

Re:Sigh. (4, Informative)

gman003 (1693318) | about a year and a half ago | (#41322809)

A QR code is just a text string. Or binary string, even (I think - haven't tried it yet).

However, the most common use, so far, has been embedding URLs - most phone-app QR code readers automatically interpret the string as a URL and redirect you there, since that's generally what those users want. However, that's a feature of the particular scanner, not of QR codes themselves.

The original author's mistake is thinking that's a fundamental design feature of QR codes - you scan them, it takes you to a website. Which, if it were true, would indeed be a glaring security hole. Which is why nobody would do such a thing.

Re:Sigh. (1)

Chris Mattern (191822) | about a year and a half ago | (#41322903)

Which is why nobody would do such a thing.

Oh, I wish I had your confidence. While it's true that the QR scheme doesn't contain any inherent security holes, a quick glance at security practices in the industry today does not fill me with confidence that someone won't introduce some.

Re:Sigh. (5, Funny)

Hazel Bergeron (2015538) | about a year and a half ago | (#41322541)

A helpful rewrite for someone from a few years in the past:

"Sequences of letters and numbers have been proposed as a way to stop forgery of U.S currency by bored students of Michigan University. Unfortunately sequences of letters and numbers are easy to forge and can be typed into an editor, compiled, and run, infecting your system. Banks would most likely need to read currency that have sequences of letters and numbers to ensure the authenticity of the bill. If the sequences of letters and numbers were forged, typed into an editor, compiled, and run, it could infect the bank with a virus."

Re:Sigh. (2)

Joce640k (829181) | about a year and a half ago | (#41322991)

What if I get a sharpie and wrote "FE0634E70F327A6B32C" on a bank note? Would they assume it was JVM bytecode and try to execute it for me?

(If so, I can get the bank computers to generate Bitcoins for me...?)

Re:Sigh. (1)

tolkienfan (892463) | about a year and a half ago | (#41323009)

OMG there are some bits - the code might misinterpret them as a URL, load the destination and execute it!
WTF seriously???

If only... (5, Funny)

Anonymous Coward | about a year and a half ago | (#41322451)

There was a way to scan a QR code without having an unpatched IE6 accessing the url in the code...

not if programmers are 1/2 way competent (2)

RichMan (8097) | about a year and a half ago | (#41322453)

A bank note QR code would refer to a single site. It would not go to "the world".
Input hardening in such a case should be reasonably trivial. And if it failed to have the proper form it would be false.

Re:not if programmers are 1/2 way competent (1)

Jerry Atrick (2461566) | about a year and a half ago | (#41322527)

Actually a bank note QR code wouldn't hold a URL at all. QR codes encode arbitrary strings. Unless they're incredibly dumb implementing it the worst that would happen is it mistaking a serial number for a phone number and trying to call it. Not much chance of a scanner getting infected trying that!

Re:not if programmers are 1/2 way competent (1)

RabidReindeer (2625839) | about a year and a half ago | (#41322707)

Actually a bank note QR code wouldn't hold a URL at all. QR codes encode arbitrary strings. Unless they're incredibly dumb implementing it the worst that would happen is it mistaking a serial number for a phone number and trying to call it. Not much chance of a scanner getting infected trying that!

They're incredibly dumb. The QR code would probably become the infection string for a SQL Injection attack on the bank's servers.

Er, wrong. (2, Insightful)

Anonymous Coward | about a year and a half ago | (#41322455)

I guess that's why all the checkouts at our local grocery stores get viruses when we scan the wrong barcodes.

Use appropriate software. Fuck.

Super high tech solution (1)

Anonymous Coward | about a year and a half ago | (#41322463)

Don't allow the machines that scan the bills to open urls.

Next problem, please.

Re:Super high tech solution (2, Insightful)

Anonymous Coward | about a year and a half ago | (#41322545)

Next problem: idiotic user submissions combined with lazy "editors" could infect Slashdot with terrible articles on the front page.

What? (5, Insightful)

Anonymous Coward | about a year and a half ago | (#41322465)

What? QR codes can hold arbitrary strings, they don't have to be just URLs. This summary makes no sense. There isn't even an article here! Who is editing this shit?

Re:What? (1)

oPless (63249) | about a year and a half ago | (#41322671)

Mod parent up.

I've known QR Codes be used to hold PKI Certificate info. URLs just happen to be a common use.

Huh? (5, Informative)

ccccc (888353) | about a year and a half ago | (#41322471)

A QR code is a two-dimensional barcode. A pretty decent way to embed a serial number. What exactly about the idea makes the poster believe the banks' scanning software would jump to some arbitrary website after the scan? Presumably, a much more sane and secure thing to do would be to look up the serial number in a database on a single, secure site.

Re:Huh? (2, Funny)

Anonymous Coward | about a year and a half ago | (#41322651)

Muhhahahhahahahaha

Robert');DROP TABLE CURRENCY;

will be my QR Code and will bust the world economy! Muhahahahhahahahaha

Re:Huh? (4, Informative)

jittles (1613415) | about a year and a half ago | (#41322787)

Not only that, but the article I read last night on the BBC talked about how these QR codes are done. First of all, they imbed the QR code on the bill using a special ink that is only luminescent with an exact frequency of laser light, which is invisible to the naked eye. Using a process of (I believe they called it) "photon upconversion" the light becomes visible to sensors in another segment of the spectrum. They can alter the ink they use to change the frequencies in question. This means you would have to have special equipment to see the QR code. They also said that they can imbed two QR codes on top of each other, which respond to different frequencies of light. They can use the two QR codes together to help validate the authenticity of the bill.

So certainly someone with the right scientists may be able to reproduce the ink, bleach the bill, and print a new face and QR code on it, but it would be very difficult. And who would hook their bill verifying machine up to the internet? And why would you use a URL? You could embed anything into that code, and you could probably even cryptographically sign the data embedded in the bill.

Re:Huh? (0)

Anonymous Coward | about a year and a half ago | (#41322901)

Have you read the QR code specification? There's a lot in there where a programmer can create an exploitable bug. If the bank decides to use an existing library for reading the codes and only scans the output for malformed content, there's a good chance that the library contains buffer overflows which can be exploited before the payload scanner even sees any output. Malformed QR-codes look just like normal QR codes. I have some that kill popular QR code reader apps: you scan the code and the app is terminated on the spot.

WTF? (5, Informative)

iYk6 (1425255) | about a year and a half ago | (#41322477)

QR Codes don't send you anywhere. They're just data. They can contain web links, just like any written sentence, but a device won't download the content at a linked URL unless it is programmed to.

QR codes are futuristic, 2D versions of bar codes. Nothing more.

Re:WTF? (2, Informative)

Anonymous Coward | about a year and a half ago | (#41322565)

Nothing futuristic about QR codes! They're 15 years old already.

Re:WTF? (0)

Anonymous Coward | about a year and a half ago | (#41322597)

QR codes are futuristic, 2D versions of bar codes. Nothing more

Ok I wasn't the only one thinking that...

How is this *any* better than the serial number already on every bill out there? Which are well sized and positioned. Other than the extra bits to reconstitute the data?

This is a horrible example of cryptography using open keys. If I can perfectly copy the key it does not matter how good your lock is.

Even if you embed 'code' in them what stops the counterfeiter from copying the code? It just means he needs to have a larger sample set. Not terribly hard to do with a bit of regular deposits and withdrawals.

We are using physical items to do monetary transactions. There is 0 cryptography you can do on them that someone else could not copy. If you can make it so can someone else.

Re:WTF? (1)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#41322835)

The Michigan proposal involved some assorted fancy-materials-science tricks (inks with very atypical optical properties and other stuff that the anti-counterfeiting guys have been poking around at to raise the cost and required sophistication of producing a convincing fake) in addition to QR codes. If anything, the QR part seemed like something of a trend-crazed afterthought.

(Incidentally, the one thing that cryptography can do for physical items like currency is make it impossible for forgers to produce novel forgeries: If, for instance, the bill has a data field that is its serial number/place/time of manufacturer/etc. signed with a treasury private key, that doesn't stop me from just photocopying it; but it does prevent me from producing any bills that aren't direct copies of official bills. If combined with a reasonably efficient automated scanning system, to identify duplicates, this makes it more difficult to pass large numbers of copies of a single legitimate bill, and makes it impossible to produce anything other than copies of bills that were actually produced by the private key holder. Whether this is actually useful depends on what your mechanisms are for weeding out duplicates and tracing them back to their originators; but it can be done.)
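Added example, not part of the original thread: a scanner-side check in Go that treats the QR payload purely as bounded data, as several comments above argue it should, and applies the signed-serial-plus-duplicate-detection scheme described in the comment just above. The payload layout, the serial format, the demo key and all function names are assumptions made for this illustration; only the standard-library `crypto/ed25519` calls are real APIs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// Assumed layout (constructed for this example, not a real currency format):
// 11-byte serial + 3-digit denomination, then a 64-byte Ed25519 signature
// over those 14 bytes.
const (
	serialLen  = 11
	recordLen  = serialLen + 3
	payloadLen = recordLen + ed25519.SignatureSize
)

var (
	ErrMalformed    = errors.New("malformed payload: treat as forgery")
	ErrBadSignature = errors.New("signature does not verify: treat as forgery")
	ErrDuplicate    = errors.New("serial already seen: copy of a genuine note")

	recordRe = regexp.MustCompile(`^[A-Z]{2}[0-9]{8}[A-Z][0-9]{3}$`)
)

type Note struct {
	Serial       string
	Denomination int
}

// Verifier holds only the issuer's public key, so a compromised scanner
// cannot be used to sign new notes.
type Verifier struct {
	pub  ed25519.PublicKey
	seen map[string]bool
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, seen: make(map[string]bool)}
}

// Check never interprets the payload as a URL or command. Anything that is
// not exactly the expected signed record is reported as a forgery.
func (v *Verifier) Check(payload []byte) (Note, error) {
	// 1. Bound the input: the decoder output must be exactly the known size.
	if len(payload) != payloadLen {
		return Note{}, ErrMalformed
	}
	record, sig := payload[:recordLen], payload[recordLen:]
	// 2. Authenticate before parsing any field.
	if !ed25519.Verify(v.pub, record, sig) {
		return Note{}, ErrBadSignature
	}
	// 3. Strict, allow-list parse of the authenticated record.
	if !recordRe.Match(record) {
		return Note{}, ErrMalformed
	}
	denom, err := strconv.Atoi(string(record[serialLen:]))
	if err != nil {
		return Note{}, ErrMalformed
	}
	note := Note{Serial: string(record[:serialLen]), Denomination: denom}
	// 4. A valid signature seen twice means one of the notes is a copy.
	if v.seen[note.Serial] {
		return note, ErrDuplicate
	}
	v.seen[note.Serial] = true
	return note, nil
}

// demoKeys derives a fixed key pair from a constructed seed so the example
// is reproducible. A real issuer key would never be derived like this.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// issueNote plays the issuer: it builds the record and appends its signature.
func issueNote(priv ed25519.PrivateKey, serial string, denom int) []byte {
	record := []byte(fmt.Sprintf("%s%03d", serial, denom))
	return append(record, ed25519.Sign(priv, record)...)
}

func main() {
	pub, priv := demoKeys()
	v := NewVerifier(pub)
	genuine := issueNote(priv, "MB12345678A", 20) // constructed sample serial
	altered := append([]byte(nil), genuine...)
	copy(altered[serialLen:recordLen], "100") // denomination changed, old signature kept
	samples := [][]byte{genuine, genuine, altered, []byte("http://example.invalid/x")}
	for _, s := range samples {
		note, err := v.Check(s)
		fmt.Printf("%+v err=%v\n", note, err)
	}
}
```
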

only stupid apps send you directly to a site (1)

Anonymous Coward | about a year and a half ago | (#41322479)

qr code is a method to encode strings or binary data into a pixelized black/white bitmap. it is as good as the serial number printed on the bill. only it can incorporate full range of characters, printable or non-printable. i don't think op understands what qr code is.

What? (0)

Anonymous Coward | about a year and a half ago | (#41322485)

QR Codes are just binary representation of data. The US Treasury could use QR Code as barcodes and require banks to use software certified by the treasury herself. The treasury could also require the software to run on a read-only system, or on TCPA protected hardware with secure boot on a system with a software that runs on user-mode, with kernel-mode (or root-access) software checking for tampering.

singles will have a QR code for wheresgeorge.com (0)

Anonymous Coward | about a year and a half ago | (#41322491)

doesn't really seem like a good idea.

Couldn't they just arrest the students? (0)

Anonymous Coward | about a year and a half ago | (#41322495)

"...as a way to stop forgery of U.S currency by students of Michigan University"

English is hard.

Assuming that banks are complete idiots (1)

CheeseTroll (696413) | about a year and a half ago | (#41322497)

I can't speak to whether QR codes can stop forgery of the currency, but a QR code, by itself, can't infect anyone with a virus. What kind of bank system would blindly go to whatever website is suggested by an illegitimate QR code?

Re:Assuming that banks are complete idiots (1)

bluefoxlucid (723572) | about a year and a half ago | (#41322627)

it would work if the QR code held a digital signature for that particular mint and year of the serial, along with the denomination. Each code would fit one bill from one mint from one year with one serial number.

Really? (4, Insightful)

ajdlinux (913987) | about a year and a half ago | (#41322499)

This story displays an incredibly low understanding about what a QR code even is, let alone how you would write a QR code reader for a secure environment. I'm surprised this even got accepted.

Re:Really? (0)

Anonymous Coward | about a year and a half ago | (#41322665)

But it's a qr CODE and we all know hackers write CODE to HACK.

Re:Really? (1)

Excelcia (906188) | about a year and a half ago | (#41323059)

It doesn't matter if it shows incredibly low understanding of what a QR code is. Slashdot doesn't care about accuracy as much as it cares about what will stir up comments. Put in a story that has, like this one does, an error in understanding of the technology or risk of a virus, is poking a stick into a nerd's nest. They'll all come out buzzing angrily posting about it, and Slashdot is all happy because they get comments and clicks and interest.

There are a lot of this type of story with the kind of taunting inaccuracies that this one has posted to Slashdot recently. So many, I suspect their editors are making a conscious effort to do so.

what will really happen (1)

slashmydots (2189826) | about a year and a half ago | (#41322507)

If you think a massive security flaw will stop some private company from selling them their product suite, you are WRONG. They'll cover it up like their jobs depend on it...because they do.

"can send you to a site that infects your system" (1)

Voyager529 (1363959) | about a year and a half ago | (#41322517)

Seriously? You're telling me that a bank system using a barcode to check a serial number would spawn a web browser because the bill said so? How hard could it possibly be to *not* allow a browser to start while scanning in QR codes, and catching attempts to try as a guaranteed way to prove that the bill is a counterfeit?

Re:"can send you to a site that infects your syste (1)

Jason Levine (196982) | about a year and a half ago | (#41322691)

QR codes can't even launch a browser themselves even if they contain a URL. That action depends on the QR code reader. If a QR code says "http://www.slashdot.com/", then it is up to the QR code reader to say "Hey, this is a URL, I should open a web browser." The QR code reader on my phone presents the URL for me and gives me the option of opening a web browser. I'm sure a hypothetical QR reader for currency wouldn't even do that. It would say "Hey, this QR code reads 'http://www.badsite.com/infect_with_a_virus.php'. That's not the correct hash so this must be counterfeit."

The submitter doesn't seem to understand QR codes (2)

yincrash (854885) | about a year and a half ago | (#41322523)

This plan in all likelihood would not comprise of URLs encoded as QR codes. It would be some data that would be matched against some other data, so why would the currency verification involve accessing a URL at all to implant a virus?

The only way I could remotely see that happening would be if there was a vulnerability in the system that allowed for a buffer overflow attack of some sort. The problem with that is that QR codes only have a limited amount of data, which would make this all but impossible.

Re:The submitter doesn't seem to understand QR cod (1)

Anonymous Coward | about a year and a half ago | (#41322607)

Look at the submitter's site. If I ever saw a shallow website with nonexistent layout and content, it's his.

Probably some kid trying to play the "security business" but failing utterly. TFS proves it, too.

Not the Banks Really (1)

dahl_ag (415660) | about a year and a half ago | (#41322525)

I would think that the banks would have dedicated systems that would not even know how to go to such an infected site. Just because a device has an operating system and programs running on it, doesn't mean it has the ability to interpret a url and use it to retrieve content from the internet. (For example, my 2003 Taurus is not at risk of getting an infection from a malicious web site, but yes it has a computer that processes input from the outside world.)

On the other hand, I could see small businesses using said QR codes to authenticate larger bills. But they would probably do so with some software running on a PC, iPad, etc....

redundant ? redundant? (1)

slashmydots (2189826) | about a year and a half ago | (#41322529)

Isn't it a bit redundant, seeing as how they have serial numbers already?!?!?! A QR code would contain what, a serial number? Obviously this article thinks it's a web link, which is what QR codes were designed for. If it's a web URL, wtf?! If it's a serial number, just read the serial number instead. They have OCR that does that already.

Re:redundant ? redundant? (1)

mister2au (1707664) | about a year and a half ago | (#41322615)

Pretty easy to forge serial numbers on a counterfeit note.

Not so easy to forge serial numbers encoded on nano-dots ...

So presumably like they do with nano-dots sprayed onto high-end cars as security.

Re:redundant ? redundant? (0)

Anonymous Coward | about a year and a half ago | (#41322643)

But the point is they're invisible and so only the bank knows where they are.. they could be just a check sum for the actual serial number so a potential forger has to know,
(i) where to place his invisible QR code - okay this might be easy if shops want to install anti-forgery scanners...
(ii) find out the algorithm used to calculate the check-sum

they're there to act as a deterrent, by increasing the cost of producing a forgery to the point where it becomes too expensive to make forgeries

Re:redundant ? redundant? (2)

azadrozny (576352) | about a year and a half ago | (#41322697)

As other posters have pointed out, what if the QR code contained a hash of the serial number and a few other identifying marks visible on the bill? Now you can use the infrared QR and OCR to validate a given bill. In general I think the mints have given up on creating forge-proof bills. They just keep updating the design with forge resistant features to stay one step ahead. The only problem I have with this is that there are so many different designs in circulation that a lay person cannot easily spot a fake, and may be more likely to accept one.

Re:redundant ? redundant? (0)

Anonymous Coward | about a year and a half ago | (#41322711)

Isn't it a bit redundant, seeing as how they have serial numbers already?!?!?!

Only if it is implemented stupidly. Under no circumstances do you have a web page address there. With the US government demanding the ability to "turn off" the public internet during times of civil unrest, I certainly would not want some merchant refusing my $20 bill because the "government currency validation" web site was down.

Ideally it would have the serial number and denomination of the bill in plain text which would be signed by a government cryptographic signature. And even this implementation doubtless has flaws it would take a crypto mathematician to find. But it's a moot point anyway, so far the US government has been refusing to put machine readable information on US Currency because it would make things too easy for the blind.

Bank employees are not... (1)

slashdyke (873156) | about a year and a half ago | (#41322533)

Bank employees are not stupid enough to have their software blindly follow/execute QR codes, so I do not think there is a serious concern of bank systems being infected with virii from forged QR codes. But if there was, I would hope the virus programmers would include code to allow banks to help those that need help, not just the ones that have lots already.

Re:Bank employees are not... (1)

Anonymous Coward | about a year and a half ago | (#41322583)

VIRUSES. This awful disease of calling viruses "virii" must end!

Wow (1)

Anonymous Coward | about a year and a half ago | (#41322535)

1 article about using QR codes in money
1 article about how easy it is to forge QR codes
1 article about how automatically opening a url found in a QR code could infect your computer.

How did this summary possibly make it past filters. Not one article talks about how banks might be incompetent enough to auto execute code without first sanitizing their input, let alone whether the QR codes would link to a URL in the first place. I've been reading this website for a while and haven't been wanting to leave it, but this just pushed me over the edge. I'm not sure how this got past editor filters, but it's definitely not worth my time. I'm sorry slashdot, you were the first content aggregation site that I actually enjoyed reading.

Re:Wow (0)

Anonymous Coward | about a year and a half ago | (#41322619)

I've been reading this website for a while and haven't been wanting to leave it, but this just pushed me over the edge.

This is the conclusion I came to as well. This site has been getting progressively worse over time, but slowly enough that it was hard to tell how bad things had really gotten until now. In retrospect, I guess I should have taken the hint when CmdrTaco left.

QR codes can hold data other than URLs (0)

Anonymous Coward | about a year and a half ago | (#41322547)

The author of the post says: "QR codes are easy to forge and can send you to a site", which is very naive.

QR codes are not required to store only URLs; they can store arbitrary text. The banks would likely not store URLs, and whatever reader code they have could just ignore or not follow URLs. Even if they wanted to use URLs, they could validate them and only follow ones to a particular trusted domain or set of domains, and ignore all others.

Just disable autorun... (1)

Anonymous Coward | about a year and a half ago | (#41322555)

Simply disable autorun on the USB QR code readers. Problem solved!

(Yes, I know this is a moronic comment, but I'm trying to match the moronic-ness of the original article).

The real question... (0)

Anonymous Coward | about a year and a half ago | (#41322561)

is why so many Michigan University students are forging US currency.

Re:The real question... (0)

Anonymous Coward | about a year and a half ago | (#41322631)

Given that Michigan University doesn't exist, I'm guessing none...

Maybe... (1)

wbr1 (2538558) | about a year and a half ago | (#41322563)

I am not expert on this, but I agree that a bank system wouldn't go to some url.
However if the QR contained a salted hash of bill identifiers, and the reading app verified it, would it be possible to include well formed enough data to cause some sort of buffer overrun and injection attack? The payload would have to be very small, and it would likely only crash the target system. Therefore it would not be a virus per se, just malicious code.

A Wizard Did It (1)

mothlos (832302) | about a year and a half ago | (#41322567)

I guess even on /. computers are devices shrouded in mystery. Watch out before the Gibson gets hacked.

Also in the news (2)

Chrisq (894406) | about a year and a half ago | (#41322575)

Bank staff could break their teeth by trying to bite coins. They could also give themselves a sun burn by keeping their hand under the note-testing UV lamp. And now they have the added hazard that they could follow a link on a QR code to an infected site.

Now I remember (0)

Anonymous Coward | about a year and a half ago | (#41322595)

Ah yes, that's why I stopped coming to slashdot. I'd forgotten how moronic some of the articles could be, and actually started coming back to this site.

Submitted by Dan Brown (0)

Anonymous Coward | about a year and a half ago | (#41322621)

Did anyone read Dan Brown's book in which the main plot point was a computer that gets taken over? Digital Fortress it might have been called?

This article is even stupider than that book. And that's saying something.

Michigan University? (2)

Darth_brooks (180756) | about a year and a half ago | (#41322633)

1. It's "The University of Michigan." Not trying to be as pedantic as those who insist on THE Ohio State University (as opposed to that other Ohio State?), but no one uses 'Michigan University.'

2. At no point, in any of the three cited articles, is U of M mentioned. The QR / Currency article from engadget refers to The South Dakota School of Mines and Technology, which is slightly different from umich.

Re:Michigan University? (0)

Anonymous Coward | about a year and a half ago | (#41322827)

wondering the same thing myself

QR codes are not magic code! (2)

mezion (936475) | about a year and a half ago | (#41322673)

Oh FFS!

It's unclear how much malware spread by QR codes in late 2011, but AVG reports that it's an ideal distribution method for nefarious software and it expects the practice to grow throughout 2012. Users are unaware of what the code contains until the malware has already gained foothold. The point being, QR codes aren't as safe as you might expect them to be. The security firm likens scanning unknown QR codes to running an unfamiliar executable on your computer.

Let's repeat this again, people: QR Codes are simply a new version of a barcode. They are not magic pictures that infect computers or phones. There is nothing wrong with taking a picture of a barcode.

OTOH, if you run an application which, upon reading a code, will automatically open a webpage that might run a script without user intervention, you are giving people a guest pass.

when malware spread through QR codes on a Russian website and forums. The code directed victims to a download location for an infected version of the Jimm mobile ICQ client. The malware sent SMS messages to premium numbers.

They directed their phones to a web address they didn't know and shouldn't have trusted, downloaded an application and then installed it. This was their own fault. This has no more to do with QR codes infecting computers than a hyperlink can.

Michigan University? (0)

Anonymous Coward | about a year and a half ago | (#41322685)

Where is that? The engadget article talks about a school in South Dakota, and I've never heard of "Michigan University". Did I miss something?

Why slashdot...? (0)

Anonymous Coward | about a year and a half ago | (#41322687)

I can't believe this was allowed to be posted... sometimes /. amazes me.

First off, the bank would have an internally-only accessible database that maintains authorized QR codes
Second, the scanning would only be done on this internally accessible system.
Third, because it's only internally accessible, virus = moot

What does this mean... when they scan a note/bill, it scans the local database if the code exists, if it doesn't then "ding ding ding!!!!!" it ain't real!

Re:Why slashdot...? (0)

Anonymous Coward | about a year and a half ago | (#41322727)

Furthermore, banks use proprietary software as well... so good luck writing a virus with only 7,089 characters for a system of unknown etiology.

Great, trackable money (1)

rolfwind (528248) | about a year and a half ago | (#41322701)

I see no abuses there nor the government forcing the banks to submit the depositor name to look up a serial number, nor promising to limit some type of liability as an incentive to look up serial numbers on each transaction. No sirree, won't happen.

(Btw, I assume they could do all this on current serial numbers but perhaps it's easier on the OCR to have as described in the article).

Yet More Slashdot Silliness (0)

Anonymous Coward | about a year and a half ago | (#41322719)

Does anyone even read these articles? It wasn't from "Michigan University" (presumably meant to be the University of Michigan) but rather from the South Dakota School of Mines and the University of South Dakota. And on top of that, the article in the journal Nanotechnology (http://iopscience.iop.org/0957-4484/23/39/395201) which is not linked anywhere in the ridiculously stupid Engadget or Ubergizmo articles, makes no such broad sweeping claims. The advancement is presented as a chemical/coloring advance with a shroud of timeliness and applicability to government needs in the form of the QR code. Perhaps not the most astonishing advancement ever, but it's certainly not making the claims that all the Slashdotters here seem to be in a rush to decry and refute.

Why assume that a QR code has to contain a URL? (1)

gh0st1nth3mach1n3 (554152) | about a year and a half ago | (#41322781)

Although most QR codes do contain URLs, this isn't the only possible use. If the QR code contains a hash of the bill's serial number that is generated by a sufficiently complex process (private key, anyone?) then it's just a matter of verifying the hash against the serial number for verification.
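
An added example (not part of the comment above, and not any bank's software) of the check it describes: the QR payload is parsed as bounded data and verified against the printed serial, never opened as a URL. HMAC-SHA256 with a shared key stands in for the private-key signature the comment suggests; the payload layout, serial format and key are assumptions.

```python
import base64
import hashlib
import hmac
import re

# Assumed layout (hypothetical): b"<serial>|<base64url HMAC-SHA256 tag>"
SERIAL_RE = re.compile(rb"[A-L][A-Z][0-9]{8}[A-Z]")  # constructed serial format
MAX_PAYLOAD = 64   # reject oversized scans before any parsing
TAG_LEN = 32       # SHA-256 digest size in bytes


def make_payload(key: bytes, serial: bytes) -> bytes:
    """Issuer side: bind a keyed tag to the printed serial number."""
    tag = hmac.new(key, serial, hashlib.sha256).digest()
    return serial + b"|" + base64.urlsafe_b64encode(tag)


def verify_payload(key: bytes, payload: bytes, printed_serial: bytes) -> bool:
    """Reader side: pure data checks, no URL handling, no network access."""
    if len(payload) > MAX_PAYLOAD or payload.count(b"|") != 1:
        return False
    serial, tag_b64 = payload.split(b"|")
    # The QR serial must be well formed and match what is printed on the note.
    if not SERIAL_RE.fullmatch(serial) or serial != printed_serial:
        return False
    try:
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(tag) != TAG_LEN:
        return False
    expected = hmac.new(key, serial, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed, not a real key
    serial = b"AB12345678C"                  # constructed serial
    qr = make_payload(key, serial)
    print(verify_payload(key, qr, serial))
    print(verify_payload(key, b"http://example.invalid/", serial))
```

A valid tag only shows that the serial was issued; a photocopied note carries the same valid tag, so duplicate-serial detection is still needed on top of this check.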

/., WTF? (1)

cpotoso (606303) | about a year and a half ago | (#41322803)

What a moronic story. It makes no sense whatsoever to whomever knows anything about data, security or whatever. Dozens of stories get rejected from ./ every day. How the F**K this gets approved speaks very lowly of ./ quality control.

Re:/., WTF? (0)

Anonymous Coward | about a year and a half ago | (#41323007)

... Checks which editor posted this "story"....

No surprise.

worst ever (0)

Anonymous Coward | about a year and a half ago | (#41322847)

The recursiveness in the idiocy of this article will soon make my brain stack overflo

In other news (1)

wonkey_monkey (2592601) | about a year and a half ago | (#41322865)

Also, paedophiles use money. Now, I'm not saying that QR codes can turn people into paedophiles, but you can't buy candy without money, sheeple!

viruses not the problem (0)

Anonymous Coward | about a year and a half ago | (#41322879)

The more worrying thing is that they are trying to make it really easy and fast to track all currency from a distance. When you present a bill they will be able to track whatever accounts that bill was withdrawn from. It would be trivial for a bank to record the serial numbers of the bills it dispenses and who they were given to. When they are then deposited in a bank, you will have a fairly good idea of their path.

If a Serial number doesn't work... (0)

Anonymous Coward | about a year and a half ago | (#41322937)

If the serial number doesn't work, why would bar coding it, QR coding it, or anything else suddenly make it harder to counterfeit?

The only thing it does is make it easier to trace the path of money. When you get the same number in 2 locations you know one is counterfeit.

Of course the tin foil hat crowd won't like this, the difficulty tracing is why they use cash in the first place.

You can already do it with 1D barcodes (1)

sven_eee (196651) | about a year and a half ago | (#41322977)

I commonly see developers not clean/check barcode data and just expect it to be numbers but it is easy to print out a database attack as a barcode so when someone scans that barcode it is run against the backend system.

Code128 lets you join many smaller barcodes together that will be passed to the system as a single string, so when the system is only expecting a few digits you can flood it with kilobytes of SQL injections or shell code.

And that is all just with 1D barcodes. QR is 2D
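
An added example (not from the comment above or from any real point-of-sale system) of the failure it describes and the fix: scan data concatenated into SQL next to a lookup that allow-lists the expected format and binds the value as a parameter. The table, the 12-digit code format and the sample scan are constructed assumptions.

```python
import re
import sqlite3

# Assumed format: exactly 12 ASCII digits. [0-9] is used instead of \d
# because \d also matches non-ASCII Unicode digits in Python str patterns.
ITEM_CODE = re.compile(r"[0-9]{12}")

# Constructed sample of a scan that is not the digits the application expects.
HOSTILE_SCAN = "x' OR '1'='1"


def open_demo_db() -> sqlite3.Connection:
    """In-memory table standing in for the backend the scanner feeds."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (code TEXT PRIMARY KEY, name TEXT)")
    db.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("000000000017", "widget"), ("000000000042", "gadget")],
    )
    return db


def lookup_unsafe(db: sqlite3.Connection, scanned: str) -> list:
    """The pattern the comment describes: scan data pasted into the query."""
    sql = "SELECT name FROM items WHERE code = '" + scanned + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db: sqlite3.Connection, scanned: str) -> list:
    """Allow-list the format (which also bounds length), then bind the value."""
    if not ITEM_CODE.fullmatch(scanned):
        raise ValueError("scan rejected: not a 12-digit item code")
    rows = db.execute("SELECT name FROM items WHERE code = ?", (scanned,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_demo_db()
    print(lookup_safe(db, "000000000042"))
    print(lookup_unsafe(db, HOSTILE_SCAN))   # matches every row
    try:
        lookup_safe(db, HOSTILE_SCAN)
    except ValueError as err:
        print(err)
```

`fullmatch` matters here: a pattern applied with `match` and a trailing `$` would still accept a code followed by a newline.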

Profiling? (0)

Anonymous Coward | about a year and a half ago | (#41322997)

This is a plan to stop forgery by students of Michigan University? That's an oddly specific demographic for crime.

What about bill validators or TITO slots (1)

Joe_Dragon (2206452) | about a year and a half ago | (#41323019)

What about bill validators or TITO slots (Ticket-in, ticket-out)

That may be the place where you may be able to do some hacking, likely using buffer overflows with something like this.
