Pages:
Author

Topic: QR codes vs NFC in Bitcoin Wallets - page 2. (Read 861 times)

hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
February 20, 2022, 06:04:40 AM
#41
There are two things you can do on your phone when scanning QR codes (other than just not scanning them at all) to protect yourself from these kinds of attack. The first is set it up so when you a scan a QR code, rather than it immediately visiting a website or whatever, it decodes the QR code and shows you the plain text decoding. You can then examine the URL manually to see if it is pointing to where you think it should be pointing or if it looks malicious. Secondly, if you do visit the website then open it a completely separate browser to your usual browser(s), preferably one which is sandboxed so to prevent any malware from escaping in to your device.
That's honestly great advice; also a thought on sandboxing: maybe QR codes are less risky than assumed, taking in consideration that you usually don't scan those with an (unsandboxed) desktop OS. Since probably all mobile OSes today are reasonably sandboxed, the risk of system takeover through visiting a webpage should be minimized compared to visiting an unknown webpage on a laptop / desktop PC.

I agree with the 'separate browser' idea, since malicious websites can for example steal your other website's cookies and stuff like this.
legendary
Activity: 2268
Merit: 18711
February 20, 2022, 04:16:00 AM
#40
There are two things you can do on your phone when scanning QR codes (other than just not scanning them at all) to protect yourself from these kinds of attack. The first is set it up so when you a scan a QR code, rather than it immediately visiting a website or whatever, it decodes the QR code and shows you the plain text decoding. You can then examine the URL manually to see if it is pointing to where you think it should be pointing or if it looks malicious. Secondly, if you do visit the website then open it a completely separate browser to your usual browser(s), preferably one which is sandboxed so to prevent any malware from escaping in to your device.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
February 19, 2022, 08:47:57 PM
#39
the risk of blatantly scanning every QR code that they find
This is an interesting topic that I recently thought about a lot, when experiencing a small 'outrage' on Twitter lately, after a Coinbase ad which was shown during Superbowl that just contains a QR code. Infosec Twitter went crazy about how huge of an attack vector this is (people just scanning random QR codes), while on the other hand voices came up in the community, suggesting people should be able to scan random QR codes without being hacked.

It's an interesting discussion and I have no definitive opinion on this; it's clear that opposed to URLs which you can read out before visiting, QR codes do hide it, on the other hand that's what they're meant to do. The parser & OS should be secured against attacks on the QR parser as well as protected against any type of 0-click attack that is triggered by simply visiting a website.

I do believe the worst thing happening when opening a random QR code should be landing on a phishing site (something the OS can't / shouldn't control); against everything else, there should be mechanisms in place. If they don't work, the whole field of web security as well as cookie protections and OS sandboxing has kinda failed, to be honest.

What about Zint[3]? It's also free, open sourced and has been updated fairly often according to their activity on the SourceForge page[4].
From pure stats / numbers this looks a lot better to me! Thanks for digging up another open source alternative. Smiley
legendary
Activity: 1148
Merit: 3117
February 19, 2022, 08:34:57 PM
#38
I think it's fair to say that QR code has exploded in the past couple of years due to the COVID virus. Nowadays whenever I go to a restaurant I'm given a little piece of paper (or most of the time it's printed to the table) with a QR code that allows me to see the menu in the restaurant website (thus avoiding sharing menus with other clients). While it's a good idea to reduce "attack vectors" (the menu themselves), I often wonder that it would be very easy for a malicious agent to get a hold of a couple of tables and just stick his/her malicious QR code on top of those stickers and most probably people will never notice the switch. In fact, the FBI had already warned about such issue about one month ago[1]:
Please stay vigilant about the 'open source = secure' fallacy. Especially that QRworkshop which has been abandoned almost a decade ago; I wouldn't trust that over what's built into Electrum without thoroughly reading all the code myself (which I have little to no time for).
What about Zinct*[3]? It's also free, open sourced and has been updated fairly often according to their activity on the SourceForge page[4]. A quick definition for it can be found on GitHub page[5]:
Quote
Zint is a suite of programs to allow easy encoding of data in any of the wide range of public domain barcode standards and to allow integration of this capability into your own programs.
*Thank you dkbit98!

[1]https://www.ic3.gov/Media/Y2022/PSA220118
[2]https://www.axios.com/qr-code-safety-coinbase-4b7f97d0-940c-45f4-9366-bf5d7f2f3c8f.html
[3]https://www.zint.org.uk/
[4]https://sourceforge.net/projects/zint/
[5]https://github.com/zint/zint
legendary
Activity: 2212
Merit: 7064
February 17, 2022, 09:49:10 AM
#37
Please stay vigilant about the 'open source = secure' fallacy. Especially that QRworkshop which has been abandoned almost a decade ago; I wouldn't trust that over what's built into Electrum without thoroughly reading all the code myself (which I have little to no time for).
I am not trusting QRworkshop or any other software that has open source label and I know it wasn't updated for a long time, I just posted it as only option I know for windows os.
Don't trust me and my words but go and check last github releasel of this program from 2014, or find something better for windows.
Electrum wallet is fine but we all remember phishing attacks they had with update notifications, so scammers could make something similar with QR codes again.

I found one article talking about history of NFC technology that was first created back in 2003 by Philips and Sony, and promoted by both of them and Nokia in 2004 (something I didn't know).
Today we have several manufacturers who are making NFC chips, and we know some of them are also making secure elements used in hardware wallets, or in mobile devices:

- NXP Semiconductors
- STMicroelectronics
- Infineon Technologies
- Samsung
- Texas Instruments
- Marvell Technology
- Broadcom
- Qualcomm
- MediaTek
- Intel
- Sony
- Ams
- Renesas
- MStar Semi
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
February 16, 2022, 09:37:42 PM
#36
Quote
Coldcard is planning to release new device with NFC chip and they still call it airgapped
Lol. By that definition my Wifi is airgapped too Tongue
That's a pretty good way to put it, honestly. Most people still believe NFC is some magical thing transferring data by touching two devices, as if the bytes were flowing through the devices' plastic casings or something.
It's 13.56 MHz radio waves, while WiFi is 2.4GHz.. Grin WiFi also has different modulation scheme etc., but that's beside the point.

Well, with QR, you have to scan twice, right. So it's one extra step in a way. But a single extra QR code scan (usually doable in ~1s can hardly justify the weakened security.
If you are transmitting data between two devices which are permanently in your control, such as a phone and a hardware wallet, when you can ensure they have not been tampered with and you can be sure there are no other devices in the vicinity which could intercept the data then maybe there is an argument for using NFC over QR codes. But when scanning a merchant's terminal, I see no benefit to using NFC.
If you have this level of confidence in your devices' integrity, then you might just as well use a cable though.

Good idea; if you whip up a thread for it, I'd contribute by analyzing / sending in Passport v1 and v2 codes. Pretty sure it's standard PSBT (unencrypted) by looking at the code, but I have to verify. I also expect / hope this is the industry standard and only Safepal puts some closed-source encryption around it, but it would be interesting to gather info on all QR-based HW models in one place.
If you can please test how Passport is dealing with QR codes (encrypted or not) and post it in this topic, I will later see if I will add information in first post or created new topic for that.
Thank you in advance.
I'm 99% sure it's a raw PSBT in cleartext, but I will verify and DM or @ you.

For Linux it's program called CoBang that can work in most Linux OS and there is even Flatpak version... developer even mentioned other Linux alternative called Decoder in his github page:
https://github.com/hongquan/CoBang

For Windows it's open source portable program called QRworkshop, that can be used for generating and reading any QR codes from images.
https://www.fluxbytes.com/software-releases/qr-workshop/
Please stay vigilant about the 'open source = secure' fallacy. Especially that QRworkshop which has been abandoned almost a decade ago; I wouldn't trust that over what's built into Electrum without thoroughly reading all the code myself (which I have little to no time for).
legendary
Activity: 2212
Merit: 7064
February 15, 2022, 02:22:24 PM
#35
On Windows 10, if you want to read QR codes, all you have to do is enable the experimental features on the "stock" camera application. No need to install other stuff.
Should I mention that Electrum already creates and reads the QR codes it needs? That way one doesn't have to rely on 3rd party software which has happened to generate the wrong QR code in case of Bitcoin addresses (of course, it was websites doing this, not open source programs).
I didn't know about this experimental feature, but I am not interested in using any of their closed source windows junkware that nobody can verify, and QR workshop is portable open source software so there is no need for any installation.
Electrum can be used only for generating bitcoin addresses, and QR workshop can be used for generating QR codes with anything, including website links, addresses, etc.
Even better option is switching to Linux OS and using CoBang.

I've used CoBang for some time and it works quite well compared with other QR scanner for linux. You also can drag and drop QR code image which is quite convenient if you were to make a payment and the website only show QR code.
CoBang is probably the best option we have for Linux os right now.
I know there are some online websites doing similar thing but this can't be verified or checked, and there is always a danger of getting phishing attack with altered results.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
February 15, 2022, 03:09:46 AM
#34
For Windows it's open source portable program called QRworkshop, that can be used for generating and reading any QR codes from images.
https://www.fluxbytes.com/software-releases/qr-workshop/

On Windows 10, if you want to read QR codes, all you have to do is enable the experimental features on the "stock" camera application. No need to install other stuff.
Should I mention that Electrum already creates and reads the QR codes it needs? That way one doesn't have to rely on 3rd party software which has happened to generate the wrong QR code in case of Bitcoin addresses (of course, it was websites doing this, not open source programs).
legendary
Activity: 2212
Merit: 7064
February 14, 2022, 02:41:59 PM
#33
Good idea; if you whip up a thread for it, I'd contribute by analyzing / sending in Passport v1 and v2 codes. Pretty sure it's standard PSBT (unencrypted) by looking at the code, but I have to verify. I also expect / hope this is the industry standard and only Safepal puts some closed-source encryption around it, but it would be interesting to gather info on all QR-based HW models in one place.
If you can please test how Passport is dealing with QR codes (encrypted or not) and post it in this topic, I will later see if I will add information in first post or created new topic for that.
Thank you in advance.

I have a "Digipass" from ING bank. It scans a "QR" code, but instead of black it uses red, green and blue dots. And it doesn't have the "3 squares" to identify the orientation of the QR-code. The most impressive part is the speed: it scans almost instantly, while my phone needs about a second to read a QR-code.
By using multiple colors, the QR-code can be smaller.
I found few free opensource programs that can be used for reading QR codes on regular computers, so we don't have to trust any phones or other devices.

For Linux it's program called CoBang that can work in most Linux OS and there is even Flatpak version... developer even mentioned other Linux alternative called Decoder in his github page:
https://github.com/hongquan/CoBang

For Windows it's open source portable program called QRworkshop, that can be used for generating and reading any QR codes from images.
https://www.fluxbytes.com/software-releases/qr-workshop/

I had a bank account that started requiring it. I closed the account. I refuse to use their software to give them access to a chip in my passport.
I think they are going to push even harder for NFC now that apple iphones are promoting it heavily for payments with easy tap.  Tongue
legendary
Activity: 2268
Merit: 18711
February 14, 2022, 05:58:08 AM
#32
Well, with QR, you have to scan twice, right. So it's one extra step in a way. But a single extra QR code scan (usually doable in ~1s can hardly justify the weakened security.
If you are transmitting data between two devices which are permanently in your control, such as a phone and a hardware wallet, when you can ensure they have not been tampered with and you can be sure there are no other devices in the vicinity which could intercept the data then maybe there is an argument for using NFC over QR codes. But when scanning a merchant's terminal, I see no benefit to using NFC.

This is kind of off-topic, but I'm following Framework's developments and recently they mentioned starting development for a new 'product category'. I really hope it will be a Linux smartphone with hardware toggles for sensors and antennas, just like on their laptop. I don't have it, but would buy it if I needed a laptop, from what I've seen about it so far.
Just FYI in case you are interested, but there are a number of phones already on the market with built in hardware kill switches for various pieces of hardware, such as the PinePhone and Librem phone.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
February 14, 2022, 05:03:13 AM
#31
Maybe there is something better than both QR and NFC.
I have a "Digipass" from ING bank. It scans a "QR" code, but instead of black it uses red, green and blue dots. And it doesn't have the "3 squares" to identify the orientation of the QR-code. The most impressive part is the speed: it scans almost instantly, while my phone needs about a second to read a QR-code.
By using multiple colors, the QR-code can be smaller.

I am trying to understand why so many people are forcing the use of NFC technology everywhere
I had a bank account that started requiring it. I closed the account. I refuse to use their software to give them access to a chip in my passport.

Call me old-fashioned, but I prefer the good old cable connection. If not, I would pick QR codes over NFC chips.
I love the user interface a cable provides Smiley It's very clear what's happening. I usually use a (very old) USB stick to transfer data to and from an offline system, QR-codes require a working camera (with drivers).
Or I just enter the data on the keyboard.

with ocr being so advanced why are qr codes needed over just human readable strings?
The main difference is error correction. A QR-code still works even if a part of it can't be read.
For the same reason shops use barcodes.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
February 13, 2022, 09:15:06 PM
#30
Still, neither of the systems can be called perfect. I prefer QR, but we cannot deny that NFC, where it's supported, can be much more convenient to use (and of course, this means lower security).
Is it really any more convenient though? Open your wallet and hold it next to the terminal for a second or two versus open your wallet and point it at a QR code for a second or two. It really doesn't seem any different to me?
Well, with QR, you have to scan twice, right. So it's one extra step in a way. But a single extra QR code scan (usually doable in ~1s can hardly justify the weakened security.

And then the only problem remaining may be that NFC is not supported by so many devices (as QR would be).
I disagree here. NFC provides a route for data to enter and leave your device, which has the potential to be exploited. Who's to say someone can't develop malware which can be loaded on to your device just by standing or sitting near you, similar to RFID skimming? Unlikely, but possible. It's an unnecessary risk.
That's correct. When using QR codes, you know that data can only be exchanged when the phone is physically out of your pocket and pointed at a QR code, while NFC can work through clothes and inside bags without user notice. If I walk around with my phone in my hand and someone tries to hold a QR code in front of it, I'd obviously notice, while that can't be said about a powerful 'evil' NFC transceiver in someone's backpack probing for vulnerable devices.

with ocr being so advanced why are qr codes needed over just human readable strings? i cant translate a qr code by looking at it. even if the string was long between NFT capabilities and human readable addresses a better compromise could be made.
This is a terrible idea. Aside the fact that you can't verify a PSBT by just looking at it anyway, QR codes are much faster and reliable to scan through the pattern, alignment squares and built-in checksum / error correction. OCR often messes up things like l and I (lowercase L and uppercase I) or sometimes mistakes those even for a pipe |. It's even hard to distinguish for humans.

I was thinking how to test all wallets to see how exactly they are using QR codes and NFC chips in their devices.
Good idea; if you whip up a thread for it, I'd contribute by analyzing / sending in Passport v1 and v2 codes. Pretty sure it's standard PSBT (unencrypted) by looking at the code, but I have to verify. I also expect / hope this is the industry standard and only Safepal puts some closed-source encryption around it, but it would be interesting to gather info on all QR-based HW models in one place.

An NFC chip is always on. It can transmit without me noticing, which isn't possible with QR codes
Maybe you can turn off NFC function on smartphones but can you really prove you really turned it off, or it's just on stand by?
I know some phones can spy their users and perform some functions even if they are turned off, so best way would be to put phone or device in faraday cage bag.
This is kind of off-topic, but I'm following Framework's developments and recently they mentioned starting development for a new 'product category'. I really hope it will be a Linux smartphone with hardware toggles for sensors and antennas, just like on their laptop. I don't have it, but would buy it if I needed a laptop, from what I've seen about it so far.

Security risk of connecting to WiFi is the same as connecting to internet any other way. I don't think there is any way to inject anything into your device through WiFi, but it is trivial to inject something through a direct connection via cable.
This is not true.
Wi-fi has multiple times higher risk, especially if you are using public spot network.
Well, if you know all the websites you visit and all the applications / programs you use, are restricted to HTTPS and deny connections to outdated SSL / TLS standards, it should be safe to use. In practice, it's not so simple to ensure this, so any data transmitted without encryption to an open WiFi router, can be intercepted and read by anyone. One mitigation would be using a VPN, since that 'packages' up everything, no matter if HTTPS or HTTP traffic, however VPNs pose a risk themselves, too. Soo 'I don't think there is any way to inject anything into your device through WiFi' is honestly wrong.
legendary
Activity: 2212
Merit: 7064
February 13, 2022, 02:33:42 PM
#29
I'm late to the party! Anyone still here?! Wink
We are here, don't worry Smiley
I was thinking how to test all wallets to see how exactly they are using QR codes and NFC chips in their devices.
Some wallets use encrypted QR codes but they all lack in documentation explaining what they are using and how exactly.
I found that most NFC chips are coming from one or two companies, so it's closed source monopoly black box.

I have multiple laptops and computers & since the days of video calls also webcams that I can plug in if needed.
Same goes for smartphones, even old phones have cameras that can read QR codes.

An NFC chip is always on. It can transmit without me noticing, which isn't possible with QR codes
Maybe you can turn off NFC function on smartphones but can you really prove you really turned it off, or it's just on stand by?
I know some phones can spy their users and perform some functions even if they are turned off, so best way would be to put phone or device in faraday cage bag.

Since you can read out a QR code with a normal phone's camera application, you can verify what is transmitted.
Not for all wallets if they are encrypted.
It's a bit more complicated than I was first thinking... doing some more research about that now.

Security risk of connecting to WiFi is the same as connecting to internet any other way. I don't think there is any way to inject anything into your device through WiFi, but it is trivial to inject something through a direct connection via cable.
This is not true.
Wi-fi has multiple times higher risk, especially if you are using public spot network.

legendary
Activity: 2268
Merit: 18711
February 13, 2022, 02:16:47 PM
#28
with ocr being so advanced why are qr codes needed over just human readable strings?
QR codes have a number of advantages, including being able to scan the whole thing instantly and not having to pan back and forth or display multiple screen of text as you might have to do with a string of characters, and built in error correction.

i cant translate a qr code by looking at it.
Most people can't make sense of the kind of data you would want to scan to use bitcoin either. A raw address maybe, but the vast majority of people can't translate a raw unsigned or signed transaction and understand if there is a problem with it.
jr. member
Activity: 49
Merit: 11
February 13, 2022, 12:08:58 PM
#27
with ocr being so advanced why are qr codes needed over just human readable strings? i cant translate a qr code by looking at it. even if the string was long between NFT capabilities and human readable addresses a better compromise could be made.

i love your input on nfc and its disadvantages.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
February 13, 2022, 10:34:46 AM
#26
Is it really any more convenient though? Open your wallet and hold it next to the terminal for a second or two versus open your wallet and point it at a QR code for a second or two. It really doesn't seem any different to me?

I've already got the camera lens broken/blurry at one phone and one tablet, maybe that's why I may be overthinking this a little Grin

I disagree here. NFC provides a route for data to enter and leave your device, which has the potential to be exploited. Who's to say someone can't develop malware which can be loaded on to your device just by standing or sitting near you, similar to RFID skimming? Unlikely, but possible. It's an unnecessary risk.

I agree 100% that it's an unnecessary risk. Just in my head it doesn't look like so much likely (nor big).
I mean that I expect that you will have to do more than for a CC, i.e. take a look and sign/allow the transaction, which hopefully won't be skipped.
legendary
Activity: 2268
Merit: 18711
February 13, 2022, 10:28:33 AM
#25
Still, neither of the systems can be called perfect. I prefer QR, but we cannot deny that NFC, where it's supported, can be much more convenient to use (and of course, this means lower security).
Is it really any more convenient though? Open your wallet and hold it next to the terminal for a second or two versus open your wallet and point it at a QR code for a second or two. It really doesn't seem any different to me?

And then the only problem remaining may be that NFC is not supported by so many devices (as QR would be).
I disagree here. NFC provides a route for data to enter and leave your device, which has the potential to be exploited. Who's to say someone can't develop malware which can be loaded on to your device just by standing or sitting near you, similar to RFID skimming? Unlikely, but possible. It's an unnecessary risk.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
February 13, 2022, 10:13:56 AM
#24
Someone monitoring you using QR codes in public can at most spy on your transaction, but cannot change the codes or the transaction data without replacing the merchant's terminal or similar. Whereas someone could intercept unencrypted NFC data and alter the transaction data. It would be fairly easy for an attacker to attach their own NFC transmitting chip or device to a merchant's terminal without anyone realizing, whereas such a thing is impossible with QR codes. Obviously everyone should be checking the address with the merchant after the transaction has been loaded on to your device, but we all know that very few people actually do this.

Indeed, QR issues may be more related to privacy (if you are sure the wallet/system generating them is not corrupted).
Still, neither of the systems can be called perfect. I prefer QR, but we cannot deny that NFC, where it's supported, can be much more convenient to use (and of course, this means lower security).

I'm late to the party! Anyone still here?! Wink

You are not late and I can say that you've done a pretty good sum up.


My conclusion is that although QR is safer than NFC, if the HW and companion software wallet used are good enough, everything can be properly double checked before signed.
And then the only problem remaining may be that NFC is not supported by so many devices (as QR would be). My current smartphone doesn't have NFC at all.
legendary
Activity: 2268
Merit: 18711
February 13, 2022, 06:51:26 AM
#23
That is true, but they could copy/scan it than alter QR code and replace it with their own that look almost identical.
I'm not sure how they could pull off such an attack though? Sure, they could create a malicious QR code, but they can't exactly upload that to the merchant's terminal or print it out and stick it over the screen of the terminal. And if the merchant has a single QR code printed and stuck on the wall which the attacker replaces, then at most they can scam a single customer before the merchant goes "Hey, your payment didn't arrive, let's figure out why."

I don't think there is any way to inject anything into your device through WiFi, but it is trivial to inject something through a direct connection via cable.
You don't even need to connect to a malicious device or network to fall victim. Chips containing malware can be hidden inside USB cables, charging terminals, etc. I wouldn't physically connect any of my devices to anything public, ever.
legendary
Activity: 3472
Merit: 10611
February 12, 2022, 11:10:46 PM
#22
It's not less risky going in some shop and connecting on their network on their wi-fi network with your device, and yet most people are doing this all the time.
Security risk of connecting to WiFi is the same as connecting to internet any other way. I don't think there is any way to inject anything into your device through WiFi, but it is trivial to inject something through a direct connection via cable.
Pages:
Jump to: