Topic: How is sending bitcoin through a QR-code safe ? (Read 264 times)

hero member
Activity: 714
Merit: 1298
QR code to me is the safest way to scan and send payment since there is no copy and paste to send payment, only scan and pay without copying the address. QR code is already being designed with rightful address so there's no way to be attacked by any scammer or hacker. Although I cannot say with all assurance that it can't be hacked, nowadays things are really happening because scammers are exploring different ways to phish people's funds.
I consider QR code scanning to be a safe mode of payment transfer as there is no option to make a mistake by scanning the QR code or sending the payment to another address.

Not at all.

Faulty QR readers may result in making a mistake and sending payment to the wrong address. Besides that, the QR code may be compromised by malware sitting on the source device. So it is good practice to always check the details of the transaction rather than rely on the QR code itself.
sr. member
Activity: 490
Merit: 294
QR code to me is the safest way to scan and send payment since there is no copy and paste to send payment, only scan and pay without copying the address. QR code is already being designed with rightful address so there's no way to be attacked by any scammer or hacker. Although I cannot say with all assurance that it can't be hacked, nowadays things are really happening because scammers are exploring different ways to phish people's funds.
I consider QR code scanning to be a safe mode of payment transfer as there is no option to make a mistake by scanning the QR code or sending the payment to another address. Most of the time we copy the address seen in the case of payment transfer and then send the money to that address but many times due to our little mistake we use the wrong address or some other word in the middle of the address, as a result of which our money goes to someone else's wallet or disappears. Mainly to eliminate this possibility QR code is scanned so that payment can be transferred to 100% correct address. If you have the option to scan the QR code for your payment transfer, you must scan the QR code and transfer the payment.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
This attack could just as well have happened by email. The main problem isn't the QR-code, the problem is giving a phone access to a bank account that can send $20,000.
Here, banks are more and more moving towards mobile usage. Until now, I've been able to avoid it, but they're replacing more and more dedicated hardware devices by a code on an app. It's cheaper for the bank, but they sacrifice security for convenience.
hero member
Activity: 1820
Merit: 775
A bitcointalker sent a very interesting article about the potential fraudulent use of a QR-code (on another topic). This is of course not the same as sending btc to an address, but it had to be thought about nonetheless.

The QR-code refers to a fraudulent third-party application, all of whose authorizations must be validated. Then the scammer takes control of the smartphone remotely. Always the same thing: it is a question of promising a gift or threatening a fine (and sending the victim to pay on a fraudulent site). It is therefore quite simply a question of phishing as it has existed for a long time by email.

https://upgradedtamilan.com/an-ordinary-cup-of-tea-cost-a-woman-from-singapore-1-5-million-rubles/
hero member
Activity: 1064
Merit: 843
Whether you use a QR code or paste your address, make sure you double or triple check all the characters, not only the last three characters. What makes a QR code no safer than copy-paste is that you wouldn't know what it is, especially if it's a shortened link.

You see? In summary, it then simply means that the security of our funds lies only with us and not on some gadgets. These gadgets, to start with, are the creation of man. Man can manipulate them. It takes a man to break any system or manipulate any computer or software.
You're basically saying that nothing created by other people is safe. What about a hardware wallet, a non-custodial wallet or a device used as cold storage? You use those for holding your Bitcoin, and they weren't created by you.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I know you can personalize a QR-code so that people scan it and go to a website for example (I've already done this by modifying the colors, adding a logo etc), can you do the same with a bitcoin address (I assume so?) and which site do you recommend to do it safely?
I wouldn't recommend any website. I've used command line qrencode (a standard package easily installed on Linux).
Adding a logo is basically abusing the QR-code's built-in error correction: set it as high as possible, and test if the QR-code still works after you cover part of it with a logo.
legendary
Activity: 2716
Merit: 1225
Once a man, twice a child!
First of all, the QR code itself can be replaced without hacking. For example, if it's a sticker, someone can put their own sticker on top of the original one. If it's a photo posted on social media, someone can edit it in Photoshop to put their address. You get the idea.

But on the software level, this task is not as trivial as replacing a clipboard, but it could still be achieved, at least theoretically. The QR-code scanner app could be exploited to replace Bitcoin addresses with the hacker's address, if it has such a sophisticated vulnerability.
You see? In summary, it then simply means that the security of our funds lies only with us and not on some gadgets. These gadgets, to start with, are the creation of man. Man can manipulate them. It takes a man to break any system or manipulate any computer or software.

I haven't received Bitcoin or any crypto through a QR before. I consider it a more complicated process than copying and pasting addresses. When it comes to financial issues, whether with Bitcoin or fiat, I think those involved should exercise caution and patience. Go through the details slowly. That's what I do. I'm never going to be in a haste. What for? Except it's an old address that I've saved up on my wallet, I take my time to run through new addresses meticulously.
hero member
Activity: 1820
Merit: 775
Incredible, I'd never have thought of all that. Thanks to LoyceV for the two articles, which I'll read now.

Now I have another question: I know you can personalize a QR-code so that people scan it and go to a website for example (I've already done this by modifying the colors, adding a logo etc), can you do the same with a bitcoin address (I assume so?) and which site do you recommend to do it safely?

Thanks
hero member
Activity: 3024
Merit: 745
🌀 Cosmic Casino
Possible, like if you're in a store and a con artist gets in and tries to distract the staff while replacing the QR code that's dedicated to direct store payments. I've seen a video dramatization of it. So, it's like a group of people, either a woman and a man, but it can also be done by a single person. The woman attracts the staff and makes conversation while they, unknowingly, miss the intention of replacing the QR code with the one that the scammers have made. So, this is the scenario in physical places. For online transactions, I think it's the same scam: they try to imitate someone and simply send their own QR code to mislead customers. And as said by satcraper, through malware, so be cautious with links and files that you guys download.
hero member
Activity: 2702
Merit: 716
Nothing lasts forever
I was reading the very interesting post of LoyceV about this clipboard virus (https://bitcointalksearch.org/topic/how-to-lose-your-bitcoins-with-ctrl-c-ctrl-v-5190776)

Quote
How it works
1. You select a Bitcoin address, and press CTRL-C.
2. The malware changes the address to an address owned by the hacker/scammer.
3. You press CTRL-V and lose any funds you send.
Even if you check part of the pasted Bitcoin address, chances are the first few characters are the same, and you still won't notice the address was changed.

I was wondering if it's possible to change a QR-code the same way, so that the victim sends the BTC to the scammer's address?

A clipboard virus won't be able to do anything when we are using QR codes.
To apply the same technique to a QR code, the hacker will have to inject malicious code into the app that the user is using to scan the QR code.
That is something very hard to achieve because of security protocols on devices these days.
So we are good when using QR codes.
hero member
Activity: 714
Merit: 1298

I was wondering if it's possible to change a QR-code the same way, so that the victim sends the BTC to the scammer's address?

The short answer is YES, it is technically possible for malware to manipulate QR codes.

That is why it is very important to check the transaction's details (such as destination address, change address, amount being sent) shown on the screen of the airgapped hardware wallet, if what was meant in your question was HW interaction with a bitcoin light client.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
With QR-codes, there's a much simpler attack vector than changing the QR-code: the malware will be in the software used to create or read the code.
Both malicious QR code generators and readers exist.
copper member
Activity: 1498
Merit: 1619
Bitcoin Bottom was at $15.4k
It's difficult to replace a QR code on a website if it's made of SVG shapes, and if it's just an image, it can be easily replaced just like the Bitcoin wallet address.
If you don't understand the difference, I will explain it a bit more.

1. QR Code as a combination of Rectangles:


In this, you can see each rectangle has to be replaced to form a new QR.

2. QR Code as an Image: That will be just a QR code in a .png or .jpeg format and one line of code can replace it.

Hope it's helpful.
legendary
Activity: 3038
Merit: 2162
First of all, the QR code itself can be replaced without hacking. For example, if it's a sticker, someone can put their own sticker on top of the original one. If it's a photo posted on social media, someone can edit it in Photoshop to put their address. You get the idea.

But on the software level, this task is not as trivial as replacing a clipboard, but it could still be achieved, at least theoretically. The QR-code scanner app could be exploited to replace Bitcoin addresses with the hacker's address, if it has such a sophisticated vulnerability.
full member
Activity: 980
Merit: 237
If the exchange shows options to send or receive crypto via QR code, it means it is a possible choice for transactions in case the other fails or you fail to have the requirements for it to approve a transaction.

QR codes have existed for some time now and it is rare to see devices these days without the feature. One interesting thing is the way exchanges and some apps have included it as an authentication option for logging into an account, and for sharing files, data and contacts too. The uniqueness of the Hash is what also sets it apart. Each individual to its own hash.
Although the fear of malicious bugs or a phishing URL embedded within, once scanned, is accurate, a second or maybe a third confirmation of the details displayed is necessary to avoid falling victim to hackers or scammers.
hero member
Activity: 798
Merit: 702
~
all you have to do is ask the receiver to send you the QR code, and you can scan it from wherever you are.

I think that is exactly what he was implying. If the recipient sends the QR code remotely, for example via email or chat messages, then there is a risk that a potential attacker can intercept that communication and modify the QR code. Paying with a QR code is only safe if you are sure of the authenticity and integrity of the QR code you are scanning.

That's why it will always be advisable to me to request that the QR code be attached with the wallet below it for authentication purposes, and when that is also being done to take some extra measures for security reasons, we should always ask the sender to confirm if the address received and gotten from the QR code is the same as what was sent.

It may have happened to me; fraudulent schemes are currently growing and becoming more sophisticated. Before making a payment with a QR code, we can see the payment information that appears before selecting the send button. Here will be shown the intended merchant information and the input for the nominal to be sent. Sometimes there are people who replace the physical QR code in a store with their QR code (fraudsters) with almost the same name. That's why you have to be careful and confirm before sending.

Exactly why I said this 👇👇
And one should always cross-check his address before authorizing a transaction.
legendary
Activity: 1974
Merit: 1157
MAaaN...!! CUT THAT STUPID SHIT
~
all you have to do is ask the receiver to send you the QR code, and you can scan it from wherever you are.

I think that is exactly what he was implying. If the recipient sends the QR code remotely, for example via email or chat messages, then there is a risk that a potential attacker can intercept that communication and modify the QR code. Paying with a QR code is only safe if you are sure of the authenticity and integrity of the QR code you are scanning.

It may have happened to me; fraudulent schemes are currently growing and becoming more sophisticated. Before making a payment with a QR code, we can see the payment information that appears before selecting the send button. Here will be shown the intended merchant information and the input for the nominal to be sent. Sometimes there are people who replace the physical QR code in a store with their QR code (fraudsters) with almost the same name. That's why you have to be careful and confirm before sending.
hero member
Activity: 1428
Merit: 653
Leading Crypto Sports Betting & Casino Platform
QR code to me is the safest way to scan and send payment since there is no copy and paste to send payment, only scan and pay without copying the address. QR code is already being designed with rightful address so there's no way to be attacked by any scammer or hacker. Although I cannot say with all assurance that it can't be hacked, nowadays things are really happening because scammers are exploring different ways to phish people's funds.
legendary
Activity: 1526
Merit: 1359
~
all you have to do is ask the receiver to send you the QR code, and you can scan it from wherever you are.

I think that is exactly what he was implying. If the recipient sends the QR code remotely, for example via email or chat messages, then there is a risk that a potential attacker can intercept that communication and modify the QR code. Paying with a QR code is only safe if you are sure of the authenticity and integrity of the QR code you are scanning.
hero member
Activity: 1428
Merit: 513
Payment Gateway Allows Recurring Payments
You pointed out a very good question. To understand the answer we must know how QR code works. We do know that each person has its own unique QR code which is generated each time; somewhere, like in some wallets or exchanges, such codes are unique every time. Coming back to the point.

In QR code scams, a scammer could replicate, i.e. exchange, his own QR code with your QR code, so when another person intends to send you money by scanning that QR code then the money will be sent to him, not you. And I think detecting such activities is difficult with QR codes, because with a wallet address we can compare the characters, but with a QR code it is very difficult to compare the patterns, which might look the same while the numbers hidden in it might contain a different wallet address, and that can't be seen by the naked eye, or at least not without decryption of it.