No one can tell the difference between one QR code and another which allows scammers to use a sneaky trick to steal your Bitcoin.
When the people behind the ZenGo wallet wanted to add QR code support, they decided to do a bit of research into the security aspects first.
What they found was disturbing – but not entirely unexpected.
QR Codes are those graphics that users can scan that tells a phone or device which wallet to send Bitcoin or some other cryptocurrency to.
According to Cryptocurrencyfacts.com:
“A QR code is a simple, fast, and secure way to share an address when transferring cryptocurrency between two devices.
“This is especially useful in face-to-face point-of-sale transactions because copy and paste isn’t an option and it avoids having to type in very long codes by hand (if you get even one character wrong, it won’t work).”
It’s pretty easy to fake a QR code
The flaw in this is obvious: anyone can simply generate a QR code that sends money to their address instead of the one intended. And no one can tell as pretty much all QR codes look alike.
For example, ZenGo used a Googled site to request a QR code for the address 18Vm8AvDr9Bkvij6UfVR7MerCyrz3KS3h4
They instead received a QR code that sent funds to the scammer’s address: 17bCMmLmWayKGCH678cHQETJFjhBR44Hjx
Scammers get creative
Interestingly, they noticed that some scammers have upped the ante with a few tricks.
Some of the fake QR codes sites manipulated the QR code so that if you checked, it superficially looks like the right address by matching the first letter or numeral such as ‘1’, ‘3’ or ‘bc’.
Others muck around with code so that if you try and copy and paste the address to double check it, the site will copy your own address to the clipboard instead of theirs so that you think it matches.
ZenGo tracked about $20,000 worth of scammed Bitcoin using the addresses they examined and believe it’s just the tip of the iceberg.
A few tips to protect your Bitcoin
They recommend users:
Do not Google “QR code generators”. Instead, use a known site such as your favourite block explorer, or ask a friend for a recommendation.
Before sharing the QR code on your site, send a small test transaction and see where it ends up.
You can also use a ‘threat intelligence service’ such as a browser add-on like MetaCert’s Cryptonite. These will bring up an alert on scammy sites and addresses. However, they are not a silver bullet and don’t cover all threats.
Opens an avenue for fraud
ZenGo’s Tal Be’ery writes: “QR code is a very easy way to share data. However, due to the fact that the codes are not humanly readable, it opens an avenue for fraud.
“Fraud can be on the receiver side when generating as shown here, but also on the sender side if the sender is using a rogue wallet or even a good wallet using a rogue QR implementation.
“We believe that we will hear on more QR related fraud in the future and that the cryptocurrency community needs to address these issues and come up with better protections.”
QR scams are well known in cryptocurrency
Malwarebytes reported in July about scammers going up to people in carparks in two cities in the Netherlands, offering them $5 if they would ‘pay for their carpark’ using a QR code and their banking app.
The QR code gave them access to the victim’s bank account which they promptly drained.
In China, scammers have been known to replace the QR codes on bike share schemes with their own.
This brings in a large volume of small transactions, which users typically shrug off when the bike does not unlock, assuming the transaction has not worked, and move on to the next bike
In Canada, scammers have targeted Bitcoin ATMs with signs suggesting they are out of order and suggesting that users can instead complete transactions by sending funds to their QR code wallet.
In public it’s always worth double checking if a QR code has been placed over another existing QR code.