Pages:
Author

Topic: QR codes vs NFC in Bitcoin Wallets - page 3. (Read 864 times)

hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
February 12, 2022, 10:47:53 PM
#21
I'm late to the party! Anyone still here?! Wink
My 2 satoshis: QR code over NFC any day of the week.
1] usability: I have multiple laptops and computers & since the days of video calls also webcams that I can plug in if needed.
2] security: An NFC chip is always on. It can transmit without me noticing, which isn't possible with QR codes (someone scanning my screen without me noticing Huh). It can also be eavesdropped and wormholed. Here's a pretty long, but well explained video about NFC and this type of attack.
3] verifiability: Since you can read out a QR code with a normal phone's camera application, you can verify what is transmitted. It is much harder to audit this on NFC-based wallets, since you need a special reader. Maybe it's also possible with an app? Not sure.. It's definitely simple enough, especially if you're very paranoid, to periodically check the QR codes the wallet is spitting out. We spoke already about hardware wallet attack vectors and one argument against air-gap was that even an airgapped wallet could leak e.g. the seed through modified QR codes / PSBTs (after being infected e.g. through a software update). It's much easier to make sure this isn't happening when you use QR, rather than NFC.
legendary
Activity: 2212
Merit: 7064
February 12, 2022, 05:09:31 PM
#20
Call me old-fashioned, but I prefer the good old cable connection. If not, I would pick QR codes over NFC chips.
I also prefer cables much more than wireless connections for several reasons, but for hardware wallets best thing to be air-gapped and still functional would be QR codes for now.

This is not just inconvenient but also risky. You cold infect your phone, even at home wit your own PC you should try not directly connecting devices as much as you can.
It's not less risky going in some shop and connecting on their network on their wi-fi network with your device, and yet most people are doing this all the time.

Someone monitoring you using QR codes in public can at most spy on your transaction, but cannot change the codes or the transaction data without replacing the merchant's terminal or similar.
That is true, but they could copy/scan it than alter QR code and replace it with their own that look almost identical.
I think something like this was happening recently with scammers creating similar QR codes with different links directing to some malware website.
Knowing how people can often act like zombies without using their brains, it's not hard to imagine they could also be scammed like this, but I do agree it's easier to get scammed with altered NFC.
legendary
Activity: 2268
Merit: 18771
February 12, 2022, 02:53:18 AM
#19
But QR also can be a problem if one doesn't look around carefully, since nowadays more and more cameras are surveilling the public spaces.
Someone monitoring you using QR codes in public can at most spy on your transaction, but cannot change the codes or the transaction data without replacing the merchant's terminal or similar. Whereas someone could intercept unencrypted NFC data and alter the transaction data. It would be fairly easy for an attacker to attach their own NFC transmitting chip or device to a merchant's terminal without anyone realizing, whereas such a thing is impossible with QR codes. Obviously everyone should be checking the address with the merchant after the transaction has been loaded on to your device, but we all know that very few people actually do this.

Encrypting the message with TLS and doing a Diffie-Hellman handshake beforehand prevents this kind of problem while only taking up a few extra bytes.
But also requires the software you and the merchant are using to implement this and to implement it properly, and is far beyond the scope of most users to verify.
legendary
Activity: 2730
Merit: 7065
February 12, 2022, 02:34:10 AM
#18
Imagine wanting to make a payment in a shop and pulling out your cable to connect your phone to their computer, waiting for the system to recognize your phone and then letting them access your whole device to give you the payment information you need to sign Tongue
This is not just inconvenient but also risky.
I was thinking and focusing more on hardware wallets when I wrote the previous post. My hardware wallet will not leave the safety of my home. I have never carried it with me and don't plan to do it unless I am forced to in some way. If I need some pocket money or want to spend Bitcoin for shopping, the needed amounts will be transferred from my hardware wallet to my phone. I don't need any cables from that point on. 
legendary
Activity: 3472
Merit: 10611
February 11, 2022, 11:13:16 PM
#17
Call me old-fashioned, but I prefer the good old cable connection.
Imagine wanting to make a payment in a shop and pulling out your cable to connect your phone to their computer, waiting for the system to recognize your phone and then letting them access your whole device to give you the payment information you need to sign Tongue
This is not just inconvenient but also risky. You cold infect your phone, even at home wit your own PC you should try not directly connecting devices as much as you can.
legendary
Activity: 2730
Merit: 7065
February 11, 2022, 03:13:11 PM
#16
Call me old-fashioned, but I prefer the good old cable connection. If not, I would pick QR codes over NFC chips. If we are guided by the assumption that we cannot trust closed-source secure elements and chips that are used in hardware wallets, I don't see the point in trusting closed-source NFC chips. If the reddit post I found the other day is true, and you can boost the NFC signal up to a few meters using an antenna, a wire loop, and a tuning capacitor, that just gives more reasons not to use an NFC-enabled device.   
legendary
Activity: 2212
Merit: 7064
February 11, 2022, 07:03:58 AM
#15
Of course, top security precautions for wallets with bank-sized money. But I believe for small wallets with a few hundred dollars in them, NFC technology will actually result in less user mistakes. For one, the address cannot be "damaged" like it could be on a QR paper (assuming that's the only thing the NFCs are used to send).
NFC address maybe can't be damaged, but NFC chip and antennas can certainly be damaged easy, and there is no way you can verify what is happening behind mysterious ''tap'' feature.
You need to trust the chip manufacturer that it is going to do what it suppose to be doing.

It is not a big deal. Only a kernel module (Linux, specifically) needs to be made that can parse the byte-level input sent by NFC device drivers when they receive a communication. Then you can basically send whatever format you want.
There are some reading devices you can buy online now, and I saw some of them are even used with function of writing codes on other devices.
This can be used for nfc keychains that can be used for opening doors instead of typing codes or something similar.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
February 10, 2022, 01:21:40 PM
#14
Nit-picking here:

It is also possible intercept and alter NFC transmissions, effectively committing a man-in-the-middle attack. Yes, the range is very small, but a thief could plant a malicious device on a merchant's terminal or other device you would be placing your phone or hardware wallet near anyway in order to use NFC in the first place. The likelihood of losing coins via such a method is admittedly small, but it is non-zero.

Encrypting the message with TLS and doing a Diffie-Hellman handshake beforehand prevents this kind of problem while only taking up a few extra bytes. For example if AES256 is the encryption cypher used then the payload size increase is up to 255 bytes (AFAIK)

In short, I'd maybe use it in a hot mobile wallet with a small amount of funds, but I'd never use it for a hardware wallet. The additional speed over displaying and scanning a QR code is negligible.

Of course, top security precautions for wallets with bank-sized money. But I believe for small wallets with a few hundred dollars in them, NFC technology will actually result in less user mistakes. For one, the address cannot be "damaged" like it could be on a QR paper (assuming that's the only thing the NFCs are used to send).

As far as I know NFC technology is not supported in any desktop wallets so that is big disadvantage for NFC, but it's a different story with mobile devices.
That's indeed a big disadvantage [despite knowing a way around that issue (NFC reader and an android emulator), it still comes with a lot of risks (not worth the trouble)].

It is not a big deal. Only a kernel module (Linux, specifically) needs to be made that can parse the byte-level input sent by NFC device drivers when they receive a communication. Then you can basically send whatever format you want.

Same gist with Windows, just create a dummy device driver that doesn't actually talk to anything, only in this case you'd probably be getting the device input via a USB cable since I don't think Windows 11 supports NFCs out of the box.
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
February 10, 2022, 12:36:33 PM
#13
As far as I know NFC technology is not supported in any desktop wallets so that is big disadvantage for NFC, but it's a different story with mobile devices.
That's indeed a big disadvantage [despite knowing a way around that issue (NFC reader and an android emulator), it still comes with a lot of risks (not worth the trouble)].

I am trying to make some list of supported wallets with comparison but it's not going great for now :/ any help would be appreciated.
If you're not in a rush, I can help from Saturday onwards Smiley
legendary
Activity: 2702
Merit: 4002
February 10, 2022, 10:14:58 AM
#12
At the moment, QR codes are the most popular because most phones can read them more than NFC tags.
The short range of NFC, which is currently 1.5 inches, may not give it an added advantage in Bitcoin transactions, but it is better in terms of sharing data and bank card addresses.

Perhaps the only downside to QR is privacy but most of the time they are addresses for making payments, these addresses are not private.

anyway i think we should compare NFC with Bluetooth Low Energy
legendary
Activity: 2212
Merit: 7064
February 10, 2022, 07:39:08 AM
#11
QR codes are not 100% safe either.
I know they are not, nothing is 100% safe.
It should be mandatory to double check each QR code image to verify if it matches the bitcoin address or not, but they can be encoded.
QR codes MUST be transparent and some hardware wallets like Keystone have open source software called KeystoneQRVerifier, and with that you can verify if signed data is correct:
https://github.com/KeystoneHQ/KeystoneQRVerifier

Keystone explained this process in more details on their blog page:
https://blog.keyst.one/ever-wondered-what-your-hardware-wallet-inputs-and-outputs-9b33b4cedafd

I am not sure how other wallets are handling this but I know that Safepal is worst, so I consider it a black box and I don't recommend it to anyone.
Next time you see QR code it would be a good idea to try reading and decoding it manually.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
February 10, 2022, 07:14:54 AM
#10
QR codes are not 100% safe either.
Although it has not happed to them yet (that we know of) there was an interesting hack shown a while ago on camera firmware where if it saw "X" it actually passed data for "Y"
Was showing how facial recognition could be faked at the hardware level.
Also, as mentioned with QR codes and some places make them 'cute and annoying' that do not scan well.
And too many places and people do not include the BTC address in the QR image. So now you have to dig to make sure.

So.... they both have their issues....which is less bad.

-Dave
legendary
Activity: 2212
Merit: 7064
February 09, 2022, 01:43:54 PM
#9
Both of them have their own flaws, but I'd prefer to use a wallet with Qr codes over something [NFC] that doesn't always work.
I would give advantage to QR codes but I am not sure if they can be found in all Bitcoin wallets.
Electrum and Wasabi wallet does support QR codes even in desktop versions, but I didn't research all other wallets and I can't find much information about this.
As far as I know NFC technology is not supported in any desktop wallets so that is big disadvantage for NFC, but it's a different story with mobile devices.
I am trying to make some list of supported wallets with comparison but it's not going great for now :/ any help would be appreciated.

While I was searching on Google, I stumbled upon an interesting technology: LiFi [video of LiFi-enabled phone cases communicating with each other]
First time I hear about LiFi but I will check it out later.

legendary
Activity: 3472
Merit: 10611
February 08, 2022, 10:33:38 PM
#8
Bitcoin transactions are far more complex than a Visa transactions.
We need to choose our UTXO and customize fees.
Wallets have done a very good job at simplifying everything to the point that all the complications are basically "advanced features" that you can use but you don't have to. In other words all the UTXO selection and fees are set based on simple pre defined preferences by the user. For example you choose privacy in your initial setup and your wallet only prioritizes UTXOs that are already linked.
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
February 08, 2022, 06:22:38 PM
#7
What do you think it's better technology to be used in Bitcoin wallets?
Both of them have their own flaws, but I'd prefer to use a wallet with Qr codes over something [NFC] that doesn't always work.

Maybe there is something better than both QR and NFC.
While I was searching on Google, I stumbled upon an interesting technology: LiFi [video of LiFi-enabled phone cases communicating with each other]
- I'm still not entirely sure it's going to be better than those two [I'll read more in the morning], but it seems promising.

  • More secure: light does not pass through walls like radio waves do, and this prevents intruders from intercepting LiFi communications through a wireless network.

    More reliable: LiFi transmits its signal without interruptions, making communication more stable than with wifi.

    No interference: electronic light does not interfere with radio communications, interact with other systems or compromise transmissions from aircraft, ships, etc.

  • How it works exactly
    Data is captured in modulated light frequencies of a solid-sate LED light source and is then transmitted and received by LiFi-enabled devices. A photosensitive detector demodulates the light frequency signal and converts it back into an electronic data stream and – in so doing – allows for faster-than-ever, more secure, bi-directional wireless communication.
legendary
Activity: 2212
Merit: 7064
February 08, 2022, 12:28:46 PM
#6
There are a number of additional risks you expose yourself to when using NFC over QR. It is possible to eavesdrop on NFC transmissions, which can result in loss of privacy.
I know about this and that is why I am trying to understand why so many people are forcing the use of NFC technology everywhere, including bitcoin related devices.
If you think about it, 10cm is a lot of space if someone just comes near you they can connect with your chip and catch the signal you are sending all the time.

And obviously, if you want your wallet device to be properly airgapped, then using NFC means that is no longer the case. There's no knowing what future bugs or vulnerabilities might be found and exploited to allow attackers to upload malware or false transactions to your device.
Problem is that people are making their own twisted definition for airgapped devices, they fit them to their own needs or products they make.
For example Coldcard is planning to release new device with NFC chip and they still call it airgapped and open source, even if it's not.

To be fair, NFC doesn't have universal standard either. Wikipedia (https://en.wikipedia.org/wiki/Near-field_communication#Standards) mention there are at least 4 different standard for NFC.
I saw that on wikipedia but those standards are used for different purposes, and you have to consider the year of creation for each of them.

QR is more widely compatible and I'd prefer it (does your laptop have NFC?)
I think that QR codes are more popular than NFC, but everyday news comes out about tap feature payment etc.
Here is apple today announcing how they are empowering businesses to accept contactless payments through Tap to Pay on iPhone, using NFC technology:
https://www.apple.com/newsroom/2022/02/apple-unveils-contactless-payments-via-tap-to-pay-on-iphone/

QR Codes are also not perfect, and scammers may use them, here is one report from three letter agency saying how Cybercriminals are Tampering with QR Codes to Steal Victim Funds.
I guess many people are falling for this, or they wouldn't post warning like this:
https://www.ic3.gov/Media/Y2022/PSA220118

legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
February 08, 2022, 11:06:46 AM
#5
What do you think it's better technology to be used in Bitcoin wallets?

Normally QR would be the best, since nobody could interfere with a powerful enough antenna.
But QR also can be a problem if one doesn't look around carefully, since nowadays more and more cameras are surveilling the public spaces.

On the other hand, a properly made hardware wallet and a properly made companion software wallet should display all the information you need to properly check whether you indeed sign the transaction you expect. And then maybe convenience will win (although it may be more convenient for some to use NFC and for others the QR).

QR is more widely compatible and I'd prefer it (does your laptop have NFC?)
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
February 08, 2022, 09:03:56 AM
#4
What do you think it's better technology to be used in Bitcoin wallets?
Maybe there is something better than both QR and NFC.

On the user point of view, I don't see any benefit of using NFC over QR codes.

Bitcoin transactions are far more complex than a Visa transactions.

We need to choose our UTXO and customize fees.

Even if you do not care about which UTXO you are expending, you need to choose the fee (or at least approve it).

When using QR Codes, it is basically the same. You will scan the code and review the fees.

I don't see much gains. The only benefit would be if you could use a card machine.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
February 08, 2022, 07:56:02 AM
#3
Cost for QR codes is minimal, but there is no universal standard and it can be encrypted with closed source like in Safepal wallet, so you can't verify anything.

To be fair, NFC doesn't have universal standard either. Wikipedia (https://en.wikipedia.org/wiki/Near-field_communication#Standards) mention there are at least 4 different standard for NFC.

What do you think it's better technology to be used in Bitcoin wallets?

If your main concern is security and you know how to setup cold/airgapped wallet, QR code is better option.
legendary
Activity: 2268
Merit: 18771
February 08, 2022, 07:53:38 AM
#2
There are a number of additional risks you expose yourself to when using NFC over QR. It is possible to eavesdrop on NFC transmissions, which can result in loss of privacy. It is also possible intercept and alter NFC transmissions, effectively committing a man-in-the-middle attack. Yes, the range is very small, but a thief could plant a malicious device on a merchant's terminal or other device you would be placing your phone or hardware wallet near anyway in order to use NFC in the first place. The likelihood of losing coins via such a method is admittedly small, but it is non-zero.

And obviously, if you want your wallet device to be properly airgapped, then using NFC means that is no longer the case. There's no knowing what future bugs or vulnerabilities might be found and exploited to allow attackers to upload malware or false transactions to your device.

In short, I'd maybe use it in a hot mobile wallet with a small amount of funds, but I'd never use it for a hardware wallet. The additional speed over displaying and scanning a QR code is negligible.
Pages:
Jump to: