
Topic: QR codes vs NFC in Bitcoin Wallets (Read 861 times)

sr. member
Activity: 1008
Merit: 366
December 19, 2022, 01:44:33 PM
#61
QR code is the safest way to do it, I guess. NFC has some flaws, and it being new, I think in the future this will be improved. But for now, until that happens, I think using QR codes will be the best option.
All you need is a camera which will scan the code. But for NFC it needs something extra and those devices which don't support NFC will no longer be able to work. So until people come up with something new, QR codes will be used mostly.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
November 18, 2022, 12:52:02 PM
#60
But what about NFC? (Re: QR codes vs NFC in Bitcoin Wallets) NFC is only used in hardware wallets from what I can tell.
I personally don't like NFC and I never used any Bitcoin wallet that uses NFC but most new models of smartphones support this technology so it would be trivial to add support for software wallets.
If you can use NFC to pay something with fiat currencies using your smartphone, I don't see why this should be different for bitcoin wallets.
All you need to have on the other end is a receiving payment terminal with NFC or another smartphone to accept payment.
NFC is fairly new but there is already a list of supported wallets, I just don't know how accurate it is:
https://cryptonfc.org/list-all
https://cryptonfc.org/compatible
These are hardware wallets, though. I was confused by your comment regarding what type of wallets this topic is about, since I assumed hardware wallets.
Talking about QR codes outside 'hardware wallets' makes sense, since software wallets can use QR codes to scan addresses from websites or print. But I don't know of any software wallets scanning in receiving addresses (e.g. from a terminal) through NFC.
legendary
Activity: 2212
Merit: 7064
November 17, 2022, 04:13:32 PM
#59
But what about NFC? (Re: QR codes vs NFC in Bitcoin Wallets) NFC is only used in hardware wallets from what I can tell.
I personally don't like NFC and I never used any Bitcoin wallet that uses NFC but most new models of smartphones support this technology so it would be trivial to add support for software wallets.
If you can use NFC to pay something with fiat currencies using your smartphone, I don't see why this should be different for bitcoin wallets.
All you need to have on the other end is a receiving payment terminal with NFC or another smartphone to accept payment.
NFC is fairly new but there is already a list of supported wallets, I just don't know how accurate it is:
https://cryptonfc.org/list-all
https://cryptonfc.org/compatible
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
November 16, 2022, 04:11:59 PM
#58
This doesn't apply to hardware wallets though, right.
The flow graph in the picture assumes someone randomly scanning that vulnerable QR code from a malicious website. You wouldn't normally scan QR codes from websites using a hardware wallet; only from your wallet application.
I was talking about all software wallets, this is not directly related to hardware wallets that are not famous for QR code support, at least most of them.
My bad! So this refers to mobile wallets and scanning in Bitcoin addresses through QR codes, then?
But what about NFC? (Re: QR codes vs NFC in Bitcoin Wallets) NFC is only used in hardware wallets from what I can tell.
legendary
Activity: 2212
Merit: 7064
November 16, 2022, 02:23:57 PM
#57
This doesn't apply to hardware wallets though, right.
The flow graph in the picture assumes someone randomly scanning that vulnerable QR code from a malicious website. You wouldn't normally scan QR codes from websites using a hardware wallet; only from your wallet application.
I was talking about all software wallets, this is not directly related to hardware wallets that are not famous for QR code support, at least most of them.
Anything can be secretly hidden if you can't verify QR codes, and that is especially relevant for closed source protocols for QR codes, like in the case of the Safepal wallet and their app.
Besides, I don't know anyone who is actually checking QR codes before they scan them with smartphones.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
November 14, 2022, 05:57:30 PM
#56
I always liked QR codes more than NFC for bitcoin wallets, but we should also be aware of hidden dangers behind QR codes.
There is a good article that explains in detail all potential dangers and attacks that could be performed using QR codes.
In the past we saw cases of malware being distributed using QR codes, and they can also contain bugs in different applications.
QRLJacking or Quick Response Code Login Jacking is one of the attack examples:


https://hackernoon.com/the-hidden-danger-of-qr-codes
This doesn't apply to hardware wallets though, right.
The flow graph in the picture assumes someone randomly scanning that vulnerable QR code from a malicious website. You wouldn't normally scan QR codes from websites using a hardware wallet; only from your wallet application.
The hardware wallet should also simply reject anything that doesn't decode to a valid PSBT, instead of parsing it and maybe even navigating to the destination, if it's a URL - like phones do.

When attempting to attack hardware wallets through QR codes, you would be looking for exploitable bugs in the QR code parser itself. I'm not saying that it's not an interesting subject (would probably recommend fuzzing a virtualized instance of the target), but be aware that the attack surface is tiny compared to a phone scanning QR codes; where bugs could lie and be exploited before, within and after the image parser.
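
The reject-by-default behaviour suggested in post #56, as an added example that is not part of the thread and not any wallet's firmware. It assumes the scanned QR text is a base64-encoded BIP174 PSBT; the function names, the size cap and the sample are hypothetical, and the check is structural only (magic bytes plus well-formed key-value maps), so a real signer would still parse the transaction afterwards.

```python
import base64

PSBT_MAGIC = b"psbt\xff"   # BIP174 magic bytes
MAX_PSBT_BYTES = 100_000   # assumed cap for this example, not taken from any wallet
# Constructed sample (not a real transaction): one global entry, two empty maps.
SAMPLE_QR_TEXT = "cHNidP8BAAIBAgAAAA=="


class RejectedPayload(ValueError):
    """Raised for any scanned payload that is not a structurally sound PSBT."""


def _take(buf, pos, n):
    end = pos + n
    if end > len(buf):                 # never read past the scanned data
        raise RejectedPayload("truncated field")
    return buf[pos:end], end


def _compact_size(buf, pos):
    """Read a Bitcoin CompactSize integer; return (value, new_pos)."""
    head, pos = _take(buf, pos, 1)
    if head[0] < 0xFD:
        return head[0], pos
    body, pos = _take(buf, pos, {0xFD: 2, 0xFE: 4, 0xFF: 8}[head[0]])
    return int.from_bytes(body, "little"), pos


def _read_map(buf, pos):
    """Read one key-value map up to its 0x00 separator; return (keys, new_pos)."""
    keys = set()
    while True:
        key_len, pos = _compact_size(buf, pos)
        if key_len == 0:               # separator byte ends the map
            return keys, pos
        key, pos = _take(buf, pos, key_len)
        if key in keys:                # BIP174 forbids duplicate keys in a map
            raise RejectedPayload("duplicate key")
        keys.add(key)
        val_len, pos = _compact_size(buf, pos)
        _, pos = _take(buf, pos, val_len)


def accept_scanned_payload(text):
    """Return raw PSBT bytes or raise RejectedPayload; URLs are never followed."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except ValueError as exc:          # covers binascii.Error and non-ASCII input
        raise RejectedPayload("not base64") from exc
    if len(raw) > MAX_PSBT_BYTES:
        raise RejectedPayload("too large")
    if not raw.startswith(PSBT_MAGIC):
        raise RejectedPayload("missing PSBT magic")
    global_keys, pos = _read_map(raw, len(PSBT_MAGIC))
    if not global_keys:
        raise RejectedPayload("empty global map")
    while pos < len(raw):              # remaining input and output maps
        _, pos = _read_map(raw, pos)
    return raw
```

A URL, a `bitcoin:` URI or any other text fails at the base64 or magic check and is dropped before anything interprets it.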
legendary
Activity: 2212
Merit: 7064
November 10, 2022, 04:10:13 PM
#55
I always liked QR codes more than NFC for bitcoin wallets, but we should also be aware of hidden dangers behind QR codes.
There is a good article that explains in detail all potential dangers and attacks that could be performed using QR codes.
In the past we saw cases of malware being distributed using QR codes, and they can also contain bugs in different applications.
QRLJacking or Quick Response Code Login Jacking is one of the attack examples:


https://hackernoon.com/the-hidden-danger-of-qr-codes
legendary
Activity: 2212
Merit: 7064
October 22, 2022, 03:02:57 PM
#54
Reasons
With that kind of thinking you should not use anything written in code, because you can't read it, so it's best for you to move in and start to live in some cave.
Don't use phones, computers, wallets, and any electronic device, maybe join Amish community or Bushmen in Africa.
I don't see what your post has to do with topic subject, that is QR codes vs NFC in Bitcoin Wallets.

SeedSigner also uses the same format under the name SeedQR and CompactSeedQR[2].
I know they are supporting it, but Seedsigner is not supporting static QR codes which means it can't work properly with Electrum wallet.
legendary
Activity: 2268
Merit: 18711
October 22, 2022, 03:28:37 AM
#53
I've come to the conclusion at some point you are trusting developers so hardware and software will always have the same amount of risk involved.
Putting the trust of developers to one side for a moment, hardware and software wallets have hugely different risk profiles. Even if you assume a perfect software wallet and a perfect hardware wallet, both without any bugs or vulnerabilities, then the hardware wallet with its private keys stored on a dedicated device and protected from the internet and general malware is exponentially more secure than a software wallet on a daily use computer.

Your arguments regarding open source versus closed source have been discussed by the posters above. Just because you cannot personally read the code does not mean you do not gain additional benefit from the code being open source and having the eyes of the community on it.

Still, if you don't like all this, then use Bitcoin Core on an airgapped computer. If you cannot read the code yourself, then there is no way to use bitcoin with less trust than this.
legendary
Activity: 3472
Merit: 10611
October 22, 2022, 02:58:49 AM
#52
hardware and software will always have the same amount of risk involved.
They are two entirely different categories.

Quote
I see no benefit to a hardware wallet at this point or in the future.
The benefit of using a hardware wallet is, as always, to gain a high level of security very easily and without needing any knowledge (i.e. newbie friendly way).

Quote
1. Users can't read code written in 50+(and counting) programming languages
Projects are almost always written in one language only, not 50+. For example Bitcoin Core is written in C++ and has some C code which a C++ developer can also read (the rest of the languages like Python are for tests, not the code itself).
You also don't need to read the code, if the project is popular and is used by many people for a long time that means others have read it. For example Electrum source code is already reviewed by many users (I've personally checked many parts of it involving wallets, keys, signing, transactions, cryptography, etc).
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
October 22, 2022, 12:38:08 AM
#51
you are trusting developers so hardware and software will always have the same amount of risk involved.
By that logic, it doesn't matter what you do: you're always using software. It's an oversimplification: there are different levels of risk, and generally speaking a hardware wallet is safer than a software wallet.

Quote
I see no benefit to a hardware wallet at this point or in the future.

Reasons:
1. Users can't read code written in 50+(and counting) programming languages
That's no doubt true for most users, but it doesn't mean they don't benefit from using a hardware wallet.

Quote
2. Users can't investigate all these datacenter in a box chips
Again: true in most cases, but again: it doesn't mean a hardware wallet doesn't help secure their funds.

Quote
3. Users can't use dedicated bitcoin to bitcoin hardware and networking without internet
The Bitcoin blockchain is public knowledge. That's okay.
What matters, is keeping your private keys offline, and even though that's 100% possible using only software wallets, it's a lot easier when using dedicated hardware.

Quote
5. ZERO accountability on any level from any software/hardware company for "BUGS"
That's not limited to Bitcoin, that's the entire software industry. If software companies had been held accountable for their bugs, they would have gone out of business decades ago and we'd still be using typewriters.
jr. member
Activity: 49
Merit: 11
October 21, 2022, 07:48:13 PM
#50
Blockstream Jade made an interesting update in their latest firmware version 0.1.38 with support of CompactSeedQR codes.


Had my eye on that for a while, looks like a neat device, but after buying so many hardware wallets I've come to the conclusion at some point you are trusting developers so hardware and software will always have the same amount of risk involved. I see no benefit to a hardware wallet at this point or in the future.

Reasons:
1. Users can't read code written in 50+(and counting) programming languages
2. Users can't investigate all these datacenter in a box chips
3. Users can't use dedicated bitcoin to bitcoin hardware and networking without internet
4. Java

Trustless is a lie, with that said trust LESS I agree with.

edit:
5. ZERO accountability on any level from any software/hardware company for "BUGS"
legendary
Activity: 2212
Merit: 7064
October 17, 2022, 03:50:06 PM
#49
Blockstream Jade made an interesting update in their latest firmware version 0.1.38 with support of CompactSeedQR codes.
This contains a 7x7 square table grid, and these codes can easily be drawn on a piece of paper, and it reminds me of a game I played on my school paper.
I am not a fan of the Jade hardware wallet, but I like these new CompactSeedQR codes and I wonder if someone saw them in other Bitcoin wallets?


https://www.nobsbitcoin.com/blockstream-jade-v-0-1-38/
legendary
Activity: 2212
Merit: 7064
February 25, 2022, 09:00:39 AM
#48
Please do and if possible keep us posted, I'm really interested to see if it really does work in the way that they claim! If it does, and considering that it's actively being developed, this could be a serious option to consider if needed in the future.
I did basic testing and I can see this program can generate many other barcodes along with QR code with ISO 18004 and HIBC, there is also UPNQR, Micro QR code, rMQR, that look very similar.
Difference compared with QR workshop is that Zint Barcode Studio can't read and decode QR codes from images.
legendary
Activity: 1148
Merit: 3117
February 21, 2022, 06:00:42 PM
#47
Is it Zint or Zinc typo?
I think that Zinc is an important mineral that has nothing to do with QR codes
You're absolutely right @dkbit98! While I'm sure that it would be interesting to see how we could implement Zinc as a way to improve the overall QR code concept, it's not what I wanted to write indeed! I'll correct my wording on the previous post.
Anyway I just downloaded this software now and I will test how it works in the next few days.
Please do and if possible keep us posted, I'm really interested to see if it really does work in the way that they claim! If it does, and considering that it's actively being developed, this could be a serious option to consider if needed in the future.
legendary
Activity: 2212
Merit: 7064
February 20, 2022, 04:24:52 PM
#46
What about Zinc[3]? It's also free, open sourced and has been updated fairly often according to their activity on the SourceForge page[4]. A quick definition for it can be found on GitHub page[5]:
Is it Zint or Zinc typo?
I think that Zinc is an important mineral that has nothing to do with QR codes
Anyway I just downloaded this software now and I will test how it works in the next few days.

My opinion is that QR codes can be dangerous and scammers can use them to share malicious links, that is why I like to read their content before scanning that automatically opens a web page.
Most people are not using their brain most of the time so it's a very good attack to be executed on mobile devices.







legendary
Activity: 1148
Merit: 3117
February 20, 2022, 12:00:36 PM
#45
Ideally, this should be a native feature of your device, so simply opening the camera and scanning a QR code would display the information encoded in plain text.
I don't know about iOS devices, but I do know that at least Pixel devices have this option in their Google Camera app[1] - you just point at a QR code and a little popup appears telling you what information/url is contained and if you want you just click it and the browser opens. However the popup that appears is a bit small and most of the time you are unable to see the full url that you're about to visit...

I think that the biggest challenge is how we can guarantee that the website that we are being led to is, in fact, 100 % legit and was not replaced by another agent. If people nowadays still fall for this type of scam while they are on their desktop computers I can easily imagine that they'll fall more quickly in the same kind of "trap" on their handheld devices...

[1]https://android.gadgethacks.com/how-to/scan-qr-codes-your-pixels-camera-app-0192157/
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
February 20, 2022, 11:40:44 AM
#44
I agree with the 'separate browser' idea, since malicious websites can for example steal your other website's cookies and stuff like this.
You can either use an entire separate browser app to your main one (having Firefox, Firefox Beta, +/- Firefox Nightly is great for this sort of thing), or you can use a different instance of your usual browser. There are apps such as Island (https://island.oasisfeng.com/) which allow you to run apps more than once, with the cloned version having no access to any of your personal data or files. I'm not sure if the sandbox offered by such apps would do anything additional to protect against malware, though.
I do like using something called 'Multi-Account Containers'; it's within Firefox and it allows you to have different 'containers' with separate sets of cookies, but nothing regarding malware, that I know of. Island sandbox might be better, but I doubt it, because it's above the OS, right. Real sandboxing has to be at least one layer 'below' the software running in the different boxes, intuitively.

In fact there's actually some free and open sourced applications that do allow you to preview whatever information/url is embedded in a QR code and let you inspect it before opening it
Ideally, this should be a native feature of your device, so simply opening the camera and scanning a QR code would display the information encoded in plain text.
Unfortunately, it seems the default QR code scanner in iOS, while allowing to 'copy URL' by long-pressing on iOS 14, since iOS 15 only allows to visit the site directly! Yikes.
legendary
Activity: 2268
Merit: 18711
February 20, 2022, 11:35:37 AM
#43
I agree with the 'separate browser' idea, since malicious websites can for example steal your other website's cookies and stuff like this.
You can either use an entire separate browser app to your main one (having Firefox, Firefox Beta, +/- Firefox Nightly is great for this sort of thing), or you can use a different instance of your usual browser. There are apps such as Island (https://island.oasisfeng.com/) which allow you to run apps more than once, with the cloned version having no access to any of your personal data or files. I'm not sure if the sandbox offered by such apps would do anything additional to protect against malware, though.

In fact there's actually some free and open sourced applications that do allow you to preview whatever information/url is embedded in a QR code and let you inspect it before opening it
Ideally, this should be a native feature of your device, so simply opening the camera and scanning a QR code would display the information encoded in plain text.
legendary
Activity: 1148
Merit: 3117
February 20, 2022, 07:22:12 AM
#42
I do believe the worst thing happening when opening a random QR code should be landing on a phishing site (something the OS can't / shouldn't control); against everything else, there should be mechanisms in place.
You're definitely right, just look at this scenario where malicious agents just replaced the QR codes on parking meters so they could phish any user that decided to pay by scanning the QR code[1].

There are two things you can do on your phone when scanning QR codes (other than just not scanning them at all) to protect yourself from these kinds of attack. The first is set it up so when you scan a QR code, rather than it immediately visiting a website or whatever, it decodes the QR code and shows you the plain text decoding. You can then examine the URL manually to see if it is pointing to where you think it should be pointing or if it looks malicious.
I support this idea. In fact there's actually some free and open sourced applications that do allow you to preview whatever information/url is embedded in a QR code and let you inspect it before opening it:

  • Android: SecScanQR[2], Barcode to PC[3][4], QR & Barcode Scanner[5] or ZBar[6];
  • iOS: Barcode to PC[3][4], ZBar[6]


[1]https://www.theverge.com/2022/1/12/22879728/phishing-scam-parking-meter-qr-code-austin-san-antonio
[2]https://github.com/Fr4gorSoftware/SecScanQR
[3]https://barcodetopc.com/
[4]https://github.com/fttx/barcode-to-pc-app
[5]https://github.com/wewewe718/QrAndBarcodeScanner
[6]http://zbar.sourceforge.net/