How is sending bitcoin through a QR-code safe ?

satscraper

hero member

Activity: 714

Merit: 1298

Quote from: Fuso.hp on July 19, 2023, 05:19:07 AM

Quote from: Adbitco on July 14, 2023, 05:19:28 PM

QR code to me is the safest way to scan and send payment since there is no copy and paste to send payment only scan and pay without copying address. QR code is already being designed with rightful address so there's no way to be attacked by any scammer or hacker. Although I can not say with all assurance that it can't be hacked, nowadays things are really happening because scammer are exploring different ways to phish people's funds.

I consider QR code scanning to be a safe mode of payment transfer as there is no option to make a mistake by scanning the QR code or sending the payment to another address.

Not at all.

Faulty QR readers may result in making mistake and sending payment into wrong address. Besides of that, QR code may be compromised by malware sitting on the source device. So it is a good practice to always check the details of transaction rather than rely on QR code itself.

Fuso.hp

sr. member

Activity: 490

Merit: 294

Quote from: Adbitco on July 14, 2023, 05:19:28 PM

QR code to me is the safest way to scan and send payment since there is no copy and paste to send payment only scan and pay without copying address. QR code is already being designed with rightful address so there's no way to be attacked by any scammer or hacker. Although I can not say with all assurance that it can't be hacked, nowadays things are really happening because scammer are exploring different ways to phish people's funds.

I consider QR code scanning to be a safe mode of payment transfer as there is no option to make a mistake by scanning the QR code or sending the payment to another address. Most of the time we copy the address seen in the case of payment transfer and then send the money to that address but many times due to our little mistake we use the wrong address or some other word in the middle of the address, as a result of which our money goes to someone else's wallet or disappears. Mainly to eliminate this possibility QR code is scanned so that payment can be transferred to 100% correct address. If you have the option to scan the QR code for your payment transfer, you must scan the QR code and transfer the payment.

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: Becassine on July 19, 2023, 03:39:40 AM

https://upgradedtamilan.com/an-ordinary-cup-of-tea-cost-a-woman-from-singapore-1-5-million-rubles/

This attack could just as well have happened by email. The main problem isn't the QR-code, the problem is giving a phone access to a bank account that can send $20,000.
Here, banks are more and more moving towards mobile usage. Until now, I've been able to avoid it, but they're replacing more and more dedicated hardware devices by a code on an app. It's cheaper for the bank, but they sacrifice security for convenience.

Becassine

hero member

Activity: 1820

Merit: 775

A bitcointalker sent a very interesting article about the potential fraudulent use of a QR-code (on another topic). This is of course not the same as sending btc to an address, but it had to be thought about nonetheless.

The QR-code refers to a fraudulent third-party application whose all authorizations must be validated. Then the scammer takes control of the smartphone remotely. Always the same thing: it is a question of promising a gift or threatening a fine (and sending the victim to pay on a fraudulent site). It is therefore quite simply a question of phishing as it has existed for a long time by email.

https://upgradedtamilan.com/an-ordinary-cup-of-tea-cost-a-woman-from-singapore-1-5-million-rubles/

Despairo

hero member

Activity: 1064

Merit: 843

Either you use QR code or paste your address, make sure you double or triple check all the characters, not only check on the last three characters. What make QR code isn't more safe than copy paste is you wouldn't know what it is especially it's shortened link.

Quote from: Mpamaegbu on July 16, 2023, 07:24:21 AM

You see? In summary, it then simply means that the security of our funds lies only with us and not on some gadgets. These gadgets, to start with, are the creation of man. Man can manipulate them. It takes a man to break any system or manipulate any computer or software.

You're just like saying there's nothing safe for anything created by other people, what about hardware wallet, non custodial wallet or device that used to be a cold storage? you're use that for holding your Bitcoin and those weren't created by you.

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: Becassine on July 15, 2023, 07:40:40 PM

I know you can personalize a QR-code so that people scan it and go to a website for example (I've already done this by modifying the colors, adding a logo etc), can you do the same with a bitcoin address (I assume so?) and which site do you recommend to do it safely?

I wouldn't recommend any website. I've used command line qrencode (a standard package easily installed on Linux).
Adding a logo is basically abusing the QR-code's built-in error correction: set is as high as possible, and test if the QR-code still works after you cover part of it with a logo.

Mpamaegbu

legendary

Activity: 2716

Merit: 1225

Once a man, twice a child!

Quote from: hatshepsut93 on July 14, 2023, 06:53:17 PM

First of all, the QR code itself can be replaced without hacking. For example, if it's a sticker, someone can put their own sticker on top of the original one. If it's a photo posted on social media, someone can edit it in Photoshop to put their address. You get the idea.

But on software level, this task is not as trivial as replacing a clipboard, but still could be achieved, at least theoretically. The QR-code scanner app could be exploited to replace Bitcoin adresses with hacker's address, if it has such a sophisticated vulnerability.

You see? In summary, it then simply means that the security of our funds lies only with us and not on some gadgets. These gadgets, to start with, are the creation of man. Man can manipulate them. It takes a man to break any system or manipulate any computer or software.

I haven't received Bitcoin or any crypto through a QR before. I consider it a more complicated process than copying and pasting addresses. When it comes to financial issues, whether with Bitcoin or fiat, I think those involved should exercise caution and patience. Go through the details slowly. That's what I do. I'm never going to be in a haste. What for? Except it's an old address that I've saved up on my wallet, I take my time to run through new addresses meticulously.

Becassine

hero member

Activity: 1820

Merit: 775

Incredible, I'd never have thought of all that. Thanks to LoyceV for the two articles, which I'll read now.

Now I have another question: I know you can personalize a QR-code so that people scan it and go to a website for example (I've already done this by modifying the colors, adding a logo etc), can you do the same with a bitcoin address (I assume so?) and which site do you recommend to do it safely?

Thanks

tabas

hero member

Activity: 3024

Merit: 745

Top Crypto Casino

Possible, like if you're in a store and a con gets in and tried to lose the attention of the staff replacing the QR code that's dedicated for direct store payments. I've seen a video dramatization of it. So, it's like a group of people, either a woman and man but also can be done by a single person. The woman attracts the staff and makes a conversation not knowingly, there's the intention of replacing the QR code with the one that they've made. So, this is the scenario in physical places. What I think for online transactions, it's the same scam that they're trying to imitate someone and just simply sends their own QR code to misled customers. And as said by satcraper, through malware so be cautious with links and files that you guys download.

pawanjain

hero member

Activity: 2702

Merit: 716

Nothing lasts forever

Quote from: Becassine on July 14, 2023, 02:19:21 PM

I was reading the very interesting post of LoyceV about this clipboard virus (https://bitcointalksearch.org/topic/how-to-lose-your-bitcoins-with-ctrl-c-ctrl-v-5190776)

Quote

How it works
1. You select a Bitcoin address, and press CTRL-C.
2. The malware changes the address to an address owned by the hacker/scammer.
3. You press CTRL-V and lose any funds you send.
Even if you check part of the pasted Bitcoin address, chances are the first few characters are the same, and you still won't notice the address was changed.

i was wondering if it's possible to change a QR-code the same way that the victim sends the btc to the scammer address ?

Clipboard virus won't be able to do anything when we are using QR codes.
To apply the same technique for a QR the hacker will have to inject malicious code in the app that the user is using to scan the QR code.
That is something very hard to achieve because of security protocols on devices these days.
So we are good when using QR codes.

satscraper

hero member

Activity: 714

Merit: 1298

Quote from: Becassine on July 14, 2023, 02:19:21 PM

i was wondering if it's possible to change a QR-code the same way that the victim sends the btc to the scammer address ?

The short answer is YES,it is technically possible for malware to manipulate QR codes.

That is why it is very important to check the transaction's details ( such as destination address, change address, amount being sent) shown on the screen of airgapped hardware wallet if what is meant in your question was HW interaction with bitcoin light client.

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

With QR-codes, there's a much simpler attack vector than changing the QR-code: the malware will be in the software used to create or read the code.
Both malicious QR code generators and readers exist.

ImThour

copper member

Activity: 1470

Merit: 1609

Bitcoin Bottom was at $15.4k

It's difficult to replace a QR Code from a website if it's in SVG shapes like and if it's just an image, it can be easily replaced just like the Bitcoin Wallet Address.
If you don't understand the difference, I will explain it a bit more.

1. QR Code as a combination of Rectangles:

In this, you can see each rectangle has to be replaced to form a new QR.

2. QR Code as an Image: That will be just a QR code in a .png or .jpeg format and one line of code can replace it.

Hope it's helpful.

hatshepsut93

legendary

Activity: 3024

Merit: 2148

First of all, the QR code itself can be replaced without hacking. For example, if it's a sticker, someone can put their own sticker on top of the original one. If it's a photo posted on social media, someone can edit it in Photoshop to put their address. You get the idea.

But on software level, this task is not as trivial as replacing a clipboard, but still could be achieved, at least theoretically. The QR-code scanner app could be exploited to replace Bitcoin adresses with hacker's address, if it has such a sophisticated vulnerability.

Cryptomultiplier

full member

Activity: 952

Merit: 232

If the exchange shows options to send or receive crypto via QR code, it means it is a possible choice for transactions incase the other fails or you fail to have the requirements for it to approve a transaction.

QR code has been existing for some time now and it is rare to see most devices these days without its feature. One interesting thing is the way exchanges and some apps has included it as authentication option for login into an account, sharing files, data, contacts too. The uniqueness of the Hash is what also sets it apart. Each individual to its own hash.
Although the fear of having malicious bugs or phishing URL embedded within once scanned is accurate, to ensure a second or maybe a third confirmation of the details displayed is necessary to avoid falling victim to hackers or scammers.

Nwada001

hero member

Activity: 700

Merit: 673

Quote from: Stalker22 on July 14, 2023, 05:04:25 PM

Quote from: Nwada001 on July 14, 2023, 04:29:31 PM

~
all you have to do is ask the receiver to send you the QR code, and you can scan it from wherever you are.

I think that is exactly what he was implying. If the recipient sends the QR code remotely, for example via email or chat messages, then there is a risk that a potential attacker can intercept that communication and modify the QR code. Paying with a QR code is only safe if you are sure of the authenticity and integrity of the QR code you are scanning.

That's why it will always be advisable to me to request that the QR code be attached with the wallet below it for authentication purposes, and when that is also being done to take some extra measures for security reasons, we should always ask the sender to confirm if the address received and gotten from the QR code is the same as what was sent.

Quote from: kamvreto on July 14, 2023, 05:48:51 PM

It may have happened to me, fraudulent schemes are currently growing and becoming more sophisticated. Before making a payment with a QR code, we can see the payment information that appears before selecting the send button. here will be shown the intended merchant information and input the nominal to be sent. Sometimes there are people who replace the physical QR code in a store with their QR code (fraudsters) with almost the same name. That 's why you have to be careful and confirm before sending.

Exactly why I said this 👇👇

Quote from: Nwada001 on July 14, 2023, 02:23:01 PM

And one should always cross-check his address before authorizing a transaction.

kamvreto

legendary

Activity: 1946

Merit: 1157

MAaaN...!! CUT THAT STUPID SHIT

Quote from: Stalker22 on July 14, 2023, 05:04:25 PM

Quote from: Nwada001 on July 14, 2023, 04:29:31 PM

~
all you have to do is ask the receiver to send you the QR code, and you can scan it from wherever you are.

I think that is exactly what he was implying. If the recipient sends the QR code remotely, for example via email or chat messages, then there is a risk that a potential attacker can intercept that communication and modify the QR code. Paying with a QR code is only safe if you are sure of the authenticity and integrity of the QR code you are scanning.

It may have happened to me, fraudulent schemes are currently growing and becoming more sophisticated. Before making a payment with a QR code, we can see the payment information that appears before selecting the send button. here will be shown the intended merchant information and input the nominal to be sent. Sometimes there are people who replace the physical QR code in a store with their QR code (fraudsters) with almost the same name. That 's why you have to be careful and confirm before sending.

Adbitco

hero member

Activity: 1428

Merit: 653

Leading Crypto Sports Betting & Casino Platform

QR code to me is the safest way to scan and send payment since there is no copy and paste to send payment only scan and pay without copying address. QR code is already being designed with rightful address so there's no way to be attacked by any scammer or hacker. Although I can not say with all assurance that it can't be hacked, nowadays things are really happening because scammer are exploring different ways to phish people's funds.

Stalker22

legendary

Activity: 1526

Merit: 1359

Quote from: Nwada001 on July 14, 2023, 04:29:31 PM

~
all you have to do is ask the receiver to send you the QR code, and you can scan it from wherever you are.

I think that is exactly what he was implying. If the recipient sends the QR code remotely, for example via email or chat messages, then there is a risk that a potential attacker can intercept that communication and modify the QR code. Paying with a QR code is only safe if you are sure of the authenticity and integrity of the QR code you are scanning.

Faisal2202

hero member

Activity: 1386

Merit: 513

Payment Gateway Allows Recurring Payments

You pointed out a very good question. To understand the answer we must know how QR code works. We do know that each person has it's own unique QR code which is generated each time somewhere like in some wallets or exchanges such codes are unique everytime. Coming back to the point.

In QR code scams, a scammer could replicate ke exchange his own QR code with your QR code so when an other person intends to send you money by scanning that QR code then the money will be sent to him not you. And k think detecting such activities are difficult in QR code because in wallet address we can compare the characters but in QR code it is a big difficult to compare the patterns which might look same but the numbers hidden in it might contain different wallet address and that can't be seen by naked eyes of at least without decryption of it.

Topic: How is sending bitcoin through a QR-code safe ? (Read 262 times)