QR codes prone to manipulation by cyber fraudsters, warn IT experts
Kochi, October 18, 2022
Arun Kumar, a Kochi-based businessman, had dinner with his family at a popular restaurant recently. He scanned the QR code he was given, and a sum of ₹6,000 was debited from his account. The restaurant authorities were also convinced of the payment.
“I received a call from the restaurant the next day complaining of not receiving the payment. I countered saying that my bank account has accounted for that payment and that in no way was I going to pay again,” said Mr. Kumar.
After a bit of back-and-forth, it eventually emerged that the original QR code was replaced by another stuck over it, diverting the payment to another account. “It was perhaps the handiwork of one of the restaurant employees. The transaction was traced to an account of a man who runs an eatery in Alappuzha, and the money was recovered,” said Mr. Kumar.
QR codes, as convenient as they made transactions, were equally prone to manipulation, considering how cyber fraudsters could embed malicious URLs with malware into them, said IT experts.
“Now, many premium restaurants have even replaced their conventional menu with a digitalised version that can be accessed by scanning QR codes placed on tables. This is a potential way of infiltrating the smartphone and even directing it to a phishing site, thus exposing the user’s personal and financial credentials,” said Padmanabhan Vishwanathan, an IT entrepreneur.
There are also fraudsters who deceive traders with the help of third-party apps that simulate the screen of popular mobile wallets when payments are made.
“The simplest solution is to install a speaker that plays back the message confirming the receipt of payment. Else, ask the customer to wait for a few extra seconds till the trader gets the SMS alert. It is the responsibility of the trader to ensure the receipt of the payment and the genuineness of the QR code being used,” said Kerala Merchants Chamber of Commerce president Muhammed Sageer.
Liyons Jos, who runs a training institute, lost ₹225 recently after making a payment at a shop using a QR code. “I had scanned the code stuck near the counter, and the payment was through. But then the shop owner said I had scanned a code that was no longer in use and made me pay afresh although I argued that they should have removed the other code or at least alerted me,” he said.