Author

Topic: How is sending bitcoin through a QR-code safe ? (Read 262 times)

hero member
Activity: 714
Merit: 1298
QR code to me is the safest way to scan and send payment since there is no copy and paste to send payment only scan and pay without copying address. QR code is already being designed with rightful address so there's no way to be attacked by any scammer or hacker. Although I can not say with all assurance that it can't be hacked, nowadays things are really happening because scammer are exploring different ways to phish people's funds.
I consider QR code scanning to be a safe mode of payment transfer as there is no option to make a mistake by scanning the QR code or sending the payment to another address.

Not at all.

Faulty QR readers may result in making mistake and sending payment into wrong address. Besides of that, QR code may be compromised  by malware  sitting on the source device. So it is a good practice to   always check the details of transaction rather than rely on QR code itself.
sr. member
Activity: 490
Merit: 294
QR code to me is the safest way to scan and send payment since there is no copy and paste to send payment only scan and pay without copying address. QR code is already being designed with rightful address so there's no way to be attacked by any scammer or hacker. Although I can not say with all assurance that it can't be hacked, nowadays things are really happening because scammer are exploring different ways to phish people's funds.
I consider QR code scanning to be a safe mode of payment transfer as there is no option to make a mistake by scanning the QR code or sending the payment to another address. Most of the time we copy the address seen in the case of payment transfer and then send the money to that address but many times due to our little mistake we use the wrong address or some other word in the middle of the address, as a result of which our money goes to someone else's wallet or disappears. Mainly to eliminate this possibility QR code is scanned so that payment can be transferred to 100% correct address. If you have the option to scan the QR code for your payment transfer, you must scan the QR code and transfer the payment.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
This attack could just as well have happened by email. The main problem isn't the QR-code, the problem is giving a phone access to a bank account that can send $20,000.
Here, banks are more and more moving towards mobile usage. Until now, I've been able to avoid it, but they're replacing more and more dedicated hardware devices by a code on an app. It's cheaper for the bank, but they sacrifice security for convenience.
hero member
Activity: 1820
Merit: 775
A bitcointalker sent a very interesting article about the potential fraudulent use of a QR-code (on another topic). This is of course not the same as sending btc to an address, but it had to be thought about nonetheless.

The QR-code refers to a fraudulent third-party application whose all authorizations must be validated. Then the scammer takes control of the smartphone remotely. Always the same thing: it is a question of promising a gift or threatening a fine (and sending the victim to pay on a fraudulent site). It is therefore quite simply a question of phishing as it has existed for a long time by email.

https://upgradedtamilan.com/an-ordinary-cup-of-tea-cost-a-woman-from-singapore-1-5-million-rubles/
hero member
Activity: 1064
Merit: 843
Either you use QR code or paste your address, make sure you double or triple check all the characters, not only check on the last three characters. What make QR code isn't more safe than copy paste is you wouldn't know what it is especially it's shortened link.

You see? In summary, it then simply means that the security of our funds lies only with us and not on some gadgets. These gadgets, to start with, are the creation of man. Man can manipulate them. It takes a man to break any system or manipulate any computer or software.
You're just like saying there's nothing safe for anything created by other people, what about hardware wallet, non custodial wallet or device that used to be a cold storage? you're use that for holding your Bitcoin and those weren't created by you.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I know you can personalize a QR-code so that people scan it and go to a website for example (I've already done this by modifying the colors, adding a logo etc), can you do the same with a bitcoin address (I assume so?) and which site do you recommend to do it safely?
I wouldn't recommend any website. I've used command line qrencode (a standard package easily installed on Linux).
Adding a logo is basically abusing the QR-code's built-in error correction: set is as high as possible, and test if the QR-code still works after you cover part of it with a logo.
legendary
Activity: 2716
Merit: 1225
Once a man, twice a child!
First of all, the QR code itself can be replaced without hacking. For example, if it's a sticker, someone can put their own sticker on top of the original one. If it's a photo posted on social media, someone can edit it in Photoshop to put their address. You get the idea.

But on software level, this task is not as trivial as replacing a clipboard, but still could be achieved, at least theoretically. The QR-code scanner app could be exploited to replace Bitcoin adresses with hacker's address, if it has such a sophisticated vulnerability.
You see? In summary, it then simply means that the security of our funds lies only with us and not on some gadgets. These gadgets, to start with, are the creation of man. Man can manipulate them. It takes a man to break any system or manipulate any computer or software.

I haven't received Bitcoin or any crypto through a QR before. I consider it a more complicated process than copying and pasting addresses. When it comes to financial issues, whether with Bitcoin or fiat, I think those involved should exercise caution and patience. Go through the details slowly. That's what I do. I'm never going to be in a haste. What for? Except it's an old address that I've saved up on my wallet, I take my time to run through new addresses meticulously.
hero member
Activity: 1820
Merit: 775
Incredible, I'd never have thought of all that. Thanks to LoyceV for the two articles, which I'll read now.

Now I have another question: I know you can personalize a QR-code so that people scan it and go to a website for example (I've already done this by modifying the colors, adding a logo etc), can you do the same with a bitcoin address (I assume so?) and which site do you recommend to do it safely?

Thanks
hero member
Activity: 3024
Merit: 745
Top Crypto Casino
Possible, like if you're in a store and a con gets in and tried to lose the attention of the staff replacing the QR code that's dedicated for direct store payments. I've seen a video dramatization of it. So, it's like a group of people, either a woman and man but also can be done by a single person. The woman attracts the staff and makes a conversation not knowingly, there's the intention of replacing the QR code with the one that they've made. So, this is the scenario in physical places. What I think for online transactions, it's the same scam that they're trying to imitate someone and just simply sends their own QR code to misled customers. And as said by satcraper, through malware so be cautious with links and files that you guys download.
hero member
Activity: 2702
Merit: 716
Nothing lasts forever
I was reading the very interesting post of LoyceV about this clipboard virus (https://bitcointalksearch.org/topic/how-to-lose-your-bitcoins-with-ctrl-c-ctrl-v-5190776)

Quote
How it works
1. You select a Bitcoin address, and press CTRL-C.
2. The malware changes the address to an address owned by the hacker/scammer.
3. You press CTRL-V and lose any funds you send.
Even if you check part of the pasted Bitcoin address, chances are the first few characters are the same, and you still won't notice the address was changed.

i was wondering if it's possible to change a QR-code the same way that the victim sends the btc to the scammer address ?

Clipboard virus won't be able to do anything when we are using QR codes.
To apply the same technique for a QR the hacker will have to inject malicious code in the app that the user is using to scan the QR code.
That is something very hard to achieve because of security protocols on devices these days.
So we are good when using QR codes.
hero member
Activity: 714
Merit: 1298

i was wondering if it's possible to change a QR-code the same way that the victim sends the btc to the scammer address ?

The short answer is YES,it is technically possible for malware to manipulate QR codes.

That is why it is very important to check the transaction's details ( such as destination address, change address, amount being sent) shown on the screen of airgapped hardware wallet if what is meant  in your question was HW interaction with bitcoin light client.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
With QR-codes, there's a much simpler attack vector than changing the QR-code: the malware will be in the software used to create or read the code.
Both malicious QR code generators and readers exist.
copper member
Activity: 1470
Merit: 1609
Bitcoin Bottom was at $15.4k
It's difficult to replace a QR Code from a website if it's in SVG shapes like and if it's just an image, it can be easily replaced just like the Bitcoin Wallet Address.
If you don't understand the difference, I will explain it a bit more.

1. QR Code as a combination of Rectangles:


In this, you can see each rectangle has to be replaced to form a new QR.

2. QR Code as an Image: That will be just a QR code in a .png or .jpeg format and one line of code can replace it.

Hope it's helpful.
legendary
Activity: 3024
Merit: 2148
First of all, the QR code itself can be replaced without hacking. For example, if it's a sticker, someone can put their own sticker on top of the original one. If it's a photo posted on social media, someone can edit it in Photoshop to put their address. You get the idea.

But on software level, this task is not as trivial as replacing a clipboard, but still could be achieved, at least theoretically. The QR-code scanner app could be exploited to replace Bitcoin adresses with hacker's address, if it has such a sophisticated vulnerability.
full member
Activity: 952
Merit: 232
If the exchange shows options to send or receive crypto via QR code, it means it is a possible choice for transactions incase the other fails or you fail to have the requirements for it to approve a transaction.

QR code has been existing for some time now and it is rare to see most devices these days without its feature. One interesting thing is the way exchanges and some apps has included it as authentication option for login into an account, sharing files, data, contacts too. The uniqueness of the Hash is what also sets it apart. Each individual to its own hash.
Although the fear of having malicious bugs or phishing URL embedded within once scanned is accurate, to ensure a second or maybe a third confirmation of the details displayed is necessary to avoid falling victim to hackers or scammers.
hero member
Activity: 700
Merit: 673
~
all you have to do is ask the receiver to send you the QR code, and you can scan it from wherever you are.

I think that is exactly what he was implying. If the recipient sends the QR code remotely, for example via email or chat messages, then there is a risk that a potential attacker can intercept that communication and modify the QR code. Paying with a QR code is only safe if you are sure of the authenticity and integrity of the QR code you are scanning.

That's why it will always be advisable to me to request that the QR code be attached with the wallet below it for authentication purposes, and when that is also being done to take some extra measures for security reasons, we should always ask the sender to confirm if the address received and gotten from the QR code is the same as what was sent.

It may have happened to me, fraudulent schemes are currently growing and becoming more sophisticated. Before making a payment with a QR code, we can see the payment information that appears before selecting the send button. here will be shown the intended merchant information and input the nominal to be sent. Sometimes there are people who replace the physical QR code in a store with their QR code (fraudsters) with almost the same name. That 's why you have to be careful and confirm before sending.

Exactly why I said this 👇👇
And one should always cross-check his address before authorizing a transaction.
legendary
Activity: 1946
Merit: 1157
MAaaN...!! CUT THAT STUPID SHIT
~
all you have to do is ask the receiver to send you the QR code, and you can scan it from wherever you are.

I think that is exactly what he was implying. If the recipient sends the QR code remotely, for example via email or chat messages, then there is a risk that a potential attacker can intercept that communication and modify the QR code. Paying with a QR code is only safe if you are sure of the authenticity and integrity of the QR code you are scanning.

It may have happened to me, fraudulent schemes are currently growing and becoming more sophisticated. Before making a payment with a QR code, we can see the payment information that appears before selecting the send button. here will be shown the intended merchant information and input the nominal to be sent. Sometimes there are people who replace the physical QR code in a store with their QR code (fraudsters) with almost the same name. That 's why you have to be careful and confirm before sending.
hero member
Activity: 1428
Merit: 653
Leading Crypto Sports Betting & Casino Platform
QR code to me is the safest way to scan and send payment since there is no copy and paste to send payment only scan and pay without copying address. QR code is already being designed with rightful address so there's no way to be attacked by any scammer or hacker. Although I can not say with all assurance that it can't be hacked, nowadays things are really happening because scammer are exploring different ways to phish people's funds.
legendary
Activity: 1526
Merit: 1359
~
all you have to do is ask the receiver to send you the QR code, and you can scan it from wherever you are.

I think that is exactly what he was implying. If the recipient sends the QR code remotely, for example via email or chat messages, then there is a risk that a potential attacker can intercept that communication and modify the QR code. Paying with a QR code is only safe if you are sure of the authenticity and integrity of the QR code you are scanning.
hero member
Activity: 1386
Merit: 513
Payment Gateway Allows Recurring Payments
You pointed out a very good question. To understand the answer we must know how QR code works. We do know that each person has it's own unique QR code which is generated each time somewhere like in some wallets or exchanges such codes are unique everytime. Coming back to the point.

In QR code scams, a scammer could replicate ke exchange his own QR code with your QR code so when an other person intends to send you money by scanning that QR code then the money will be sent to him not you. And k think detecting such activities are difficult in QR code because in wallet address we can compare the characters but in QR code it is a big difficult to compare the patterns which might look same but the numbers hidden in it might contain different wallet address and that can't be seen by naked eyes of at least without decryption of it.
hero member
Activity: 700
Merit: 673
It might be possible by hacking the person's phone camera but this will be very difficult and will require a high professional tools which might not worth the stress and time.

There is nothing impossible for these hackers, and nothing is expensive for them; they are already professionals in that field, looking for victims. If they see a tool that could help them hack through a camera (if there isn't any already), it will cost them little compared to what they will use that tool for, and as such, they will pay anything to get it. You spend money, combined with skill, to get things done.

Quote
Scanning QR code seems secure for now but the problem with scanning is that distance transaction can not be carried out using scanning method.
 
How do you mean that if I send a coin to the Bitcoin address of someone, do I need the person to be in the same place as me? No. The same thing is applicable with the QR code. If you are not sending it to your own wallet, where you will directly scan it from the wallet provider, all you have to do is ask the receiver to send you the QR code, and you can scan it from wherever you are.
hero member
Activity: 644
Merit: 661
- Jay -
i was wondering if it's possible to change a QR-code the same way that the victim sends the btc to the scammer address ?
To the best of my software knowledge (which is not much), it is not possible yet for a QR code to be changed through a malware on the device it is being scanned on. If that is possible, then the phone need to have been so corrupted that the hackers will be able to steal whatever is on it without going through all that.

You will be extra secure if you double check every letter in the (scanned or copied) address before sending.

- Jay -
member
Activity: 756
Merit: 30
But for QR codes, what you need is to use your device, scan through the QR code, and it will automatically be imputed to wherever you are sending from. So for the hacker to be able to change the QR Code scanner, they will need more extra work, but for the main time, address scanning is still the best option. And one should always cross-check his address before authorizing a transaction.
It might be possible by hacking the person's phone camera but this will be very difficult and will require a high professional tools which might not worth the stress and time. Scanning QR code seems secure for now but the problem with scanning is that distance transaction can not be carried out using scanning method.
legendary
Activity: 2212
Merit: 7064
i was wondering if it's possible to change a QR-code the same way that the victim sends the btc to the scammer address ?
They started putting everything in QR codes, and I don't think this is always a good idea, but it can certainly be used for sending and receiving Bitcoin, or importing and exporting seed phrases.  
One of the problems I have with QR codes is bunch of different encoding that can be closed sourced, and it often happens one QR code is not compatible with some devices and smartphones.
It's trivial for scammers to change and modify QR codes, but using airgapped wallets (Passport, Keystone, Coldcard, Krux SeedSigner, etc) reduces that risk a lot.
Using QR codes with hot wallets can be problematic because it's much harder to verify if something is modified or not, so it's good to confirm address additioanlly.
legendary
Activity: 1624
Merit: 2594
Top Crypto Casino
i was wondering if it's possible to change a QR-code the same way that the victim sends the btc to the scammer address ?

To my knowledge, there hasn't been a single documented case of this specific type of attack. When you scan a QR code with your software wallet, the payment information is directly fed into your wallet without going through a clipboard buffer. This eliminates the possibility of malware intercepting and modifying the information. Nevertheless, it's still a good idea to double-check that the payment details actually match what you see on the screen next to the QR code, just to be safe.
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
If you are the receiver and you click on receive and the receive address is brought up as QR code, you are safe if the sender scan the QR code directly like that. But if you copy the address and want to send, the address can be changed by clipboard malware to a hackers address. So QR code is safe if you are the receiver and the sender scan the QR code directly from your device.

If you are the sender and you scan the QR code directly, it is also safe. You do not copy anything to the clipboard, not to talk of any data modified.

The malware gain access to the clipboard of a device and modifies data that is copied and change to attackers data. But with QR code, no data/address copied to the clipboard.

QR code used in this way is very safe. QR code is the safest for making bitcoin transaction, not only because data is not modified, but also because no way for malware to be transmitted.

But always check and double check the address before sending.
hero member
Activity: 700
Merit: 673
i was wondering if it's possible to change a QR-code the same way that the victim sends the btc to the scammer address ?
I don't think that will ever be possible. The reason is this: for the clipboard virus, the hacker needs the victim to copy the original address, which he could change to his own. That's how the malware is being programmed.

But for QR codes, what you need is to use your device, scan through the QR code, and it will automatically be imputed to wherever you are sending from. So for the hacker to be able to change the QR Code scanner, they will need more extra work, but for the main time, address scanning is still the best option. And one should always cross-check his address before authorizing a transaction.
hero member
Activity: 1820
Merit: 775
I was reading the very interesting post of LoyceV about this clipboard virus (https://bitcointalksearch.org/topic/how-to-lose-your-bitcoins-with-ctrl-c-ctrl-v-5190776)

Quote
How it works
1. You select a Bitcoin address, and press CTRL-C.
2. The malware changes the address to an address owned by the hacker/scammer.
3. You press CTRL-V and lose any funds you send.
Even if you check part of the pasted Bitcoin address, chances are the first few characters are the same, and you still won't notice the address was changed.

i was wondering if it's possible to change a QR-code the same way that the victim sends the btc to the scammer address ?
Jump to: