A small QR code, but scanning it carries risk


  Experts argue that supervision should be strengthened so as to end, as soon as possible, the disorderly state in which anyone can make and publish QR codes.


  Meng Qiang

  Zou Yang

  Clinic question:

  How can the risks brought by scanning QR codes be prevented?

  Clinic experts:

  Meng Qiang, associate professor, Beijing Institute of Technology

  Zou Yang, prosecutor, Hanjiang District People's Procuratorate, Yangzhou City, Jiangsu Province

  Expert opinion:

  ◇ The low cost of breaking the law makes QR codes easy for criminals to exploit, which seriously threatens users' information security.

  ◇ Improve the laws and regulations on mobile Internet security, curb the status quo in which "everyone can make, print and publish QR codes", and set out clear rules on the qualification, certification and filing of QR code enterprises, so as to promote the healthy development of the whole industry.

  The salesmen who used to stand on roadsides and subway platforms handing out leaflets and coupons have now mostly been "upgraded". Holding an advertising card, they call out to passing pedestrians: "Scan the code and follow us!"

  Scan the QR code on the leaflet, follow the merchant's WeChat official account, and receive the promotional offers the merchant pushes from time to time. Insiders call this promotion method "scan-to-follow". To get more people to scan, the promoters usually hand out small gifts. It looks like a win-win promotion, but it carries many security risks.

  Ms. Wang, who runs an online shop in Jiaxing, Zhejiang Province, scanned a QR code with her mobile phone, but the web page never loaded. Sensing that something was wrong, she logged into her Alipay and Taobao accounts and found that more than 30,000 yuan had been transferred out.

  Ms. Xu of Yangzhou City, Jiangsu Province, also lost more than 20,000 yuan after scanning a QR code. Compared with other victims she was lucky: after the Hanjiang District Procuratorate of Yangzhou City prosecuted this new type of credit card fraud case, all four defendants were convicted and the money was eventually returned to her. Recently, our reporter interviewed Meng Qiang, associate professor at Beijing Institute of Technology and secretary-general of the China Civil Law Research Association, and Zou Yang, deputy section chief of the Public Prosecution Department of the Hanjiang District Procuratorate, who handled the case.

  What is the QR code?

  Reporter: What is a QR code? Does publishing one require prior approval?

  Meng Qiang: Because it holds a large amount of information and is convenient to use, the QR code has become a key technology for the development of the Internet of Things. Recently, however, incidents in which users suffered losses after scanning a QR code with their mobile phones have occurred frequently in many places, which should draw the regulatory authorities' attention to the loopholes in QR code management. A QR code is a pattern of black and white cells laid out in a plane according to a specific geometric rule. Because it stores a large amount of information, gives convenient access to that information, is simple to generate and easy to operate, it has been widely used in many fields such as commodity traceability, logistics tracking and identity authentication. With the popularity of smartphones, in daily life you can add friends, download coupons, pay bills, browse the web, download mobile applications and so on with a single "scan" of your phone. A Baidu search for "QR code generator" returns more than 460,000 results. It can be seen that generating a QR code is very simple and convenient, and any institution or organization can make and publish QR codes at will.

  Reporter: If any institution or organization can make and publish QR codes at will, does that bring risks to public safety?

  Meng Qiang: It is precisely the low cost of breaking the law that makes QR codes easy for criminals to exploit, so that harmful content such as network viruses, pornography and reactionary material can be released and spread at will, which seriously threatens users' information security. From the user's point of view, a QR code gives no direct way to tell whether the information it contains is legitimate. Criminals usually generate a QR code from a website carrying malware or cheat plug-ins, claim that it offers coupons, software or videos to induce users to scan it, and the moment the scan begins the risk begins. QR codes bring two main risks to users. The first is the leakage of personal information: a Trojan virus is maliciously implanted, a download is forced or an account registration is demanded, and personal information on the user's phone is harvested. The second is malicious deduction of fees by inducing the user to install software or "verify information", or even the theft of the user's debit card and credit card accounts through a Trojan. Although China has not yet promulgated a personal information protection law, Article 5 of the General Principles of the Civil Law stipulates that the legitimate civil rights and interests of citizens and legal persons are protected by law and that no organization or individual may infringe upon them. Article 2 of the Tort Liability Law also stipulates that anyone who infringes upon civil rights and interests shall bear tort liability. Every citizen's personal information is part of his own legitimate rights and interests and should be protected; whoever maliciously obtains other people's information through a QR code should bear responsibility for the damage caused. At the same time, such behaviour also endangers the social and economic management order and may be subject to administrative punishment.
Moreover, the malicious deduction of fees and the theft of accounts infringe on users' property rights and interests, and may constitute theft, fraud or credit card fraud.

  How can ordinary consumers prevent and control code-scanning risks?

  Reporter: QR code technology brings great convenience to our lives, but also risks and security hazards. Before "scanning", how can users stay vigilant and reduce information security risks?

  Meng Qiang: There is no free lunch in the world. Users should first raise their vigilance and only read QR codes from safe and reliable channels. For QR codes of unknown origin, especially those on roadside advertisements, advertisements in elevators, leaflets and unknown websites, do not scan them blindly; if you must, check them first. According to the guidance of the China Consumers Association, some mobile phone security software has either partnered with QR code scanning apps or launched its own scanning tool with a security detection function. After the consumer scans a QR code, such software automatically checks whether the code contains security threats such as a malicious website, a mobile phone Trojan or a download link for malicious software. Once a threat is detected, the software warns the consumer to be careful about downloading and installing, so as to keep the consumer's phone from being infected and keep the user safe. Good usage habits are an important means of reducing information security threats. At the same time, if a user scans a QR code and finds that it leads to an illegal link, he should immediately close the link and uninstall the software, cutting off the criminals' route to his information. Once personal information has been leaked or a bank card has been fraudulently charged, the user should report to the police at once and keep the relevant evidence for the police to investigate.
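  The detection that the scanning tools mentioned above perform starts from a simple fact: a QR code is only text, and the phone decides what to do with that text. The Go program below is an added example, not code from the interview, the China Consumers Association or any scanning product; it triages a decoded payload before anything is opened, classifying it (web URL, Wi-Fi configuration, tel, SMS, plain text) and flagging the indicators a cautious scanner checks: plain http, an @-userinfo that disguises the real host, an IP-literal host, punycode labels, known URL shorteners, direct installer downloads and deeply nested subdomains. The shortener list and the sample payloads are constructed for illustration only.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Verdict is the triage outcome for one decoded QR payload.
type Verdict struct {
	Kind  string   // "url", "wifi", "tel", "sms" or "text"
	Flags []string // reasons the payload should not be acted on blindly
}

// Risky reports whether any flag was raised.
func (v Verdict) Risky() bool { return len(v.Flags) > 0 }

// shortenerHosts is a constructed, illustrative list; a real scanner would use a maintained feed.
var shortenerHosts = map[string]bool{"t.cn": true, "dwz.cn": true, "bit.ly": true, "tinyurl.com": true}

// TriageQRPayload inspects the text decoded from a QR code before the phone opens anything.
func TriageQRPayload(payload string) Verdict {
	p := strings.TrimSpace(payload)
	lower := strings.ToLower(p)
	switch {
	case strings.HasPrefix(lower, "wifi:"):
		return Verdict{Kind: "wifi", Flags: []string{"joins a Wi-Fi network chosen by whoever printed the code"}}
	case strings.HasPrefix(lower, "tel:"):
		return Verdict{Kind: "tel", Flags: []string{"places a phone call; premium-rate numbers possible"}}
	case strings.HasPrefix(lower, "sms:"), strings.HasPrefix(lower, "smsto:"):
		return Verdict{Kind: "sms", Flags: []string{"sends an SMS; premium-rate subscription numbers possible"}}
	case strings.HasPrefix(lower, "http://"), strings.HasPrefix(lower, "https://"):
		return triageURL(p)
	case strings.Contains(lower, "://"):
		return Verdict{Kind: "url", Flags: []string{"non-web scheme hands the payload to another app"}}
	}
	return Verdict{Kind: "text"} // plain text cannot be opened, only read
}

// triageURL applies the checks that distinguish a merchant's coupon page from a lure.
func triageURL(raw string) Verdict {
	v := Verdict{Kind: "url"}
	u, err := url.Parse(raw)
	if err != nil {
		v.Flags = append(v.Flags, "unparseable URL")
		return v
	}
	host := strings.ToLower(u.Hostname())
	if u.Scheme != "https" {
		v.Flags = append(v.Flags, "plain http: page content can be swapped in transit")
	}
	if u.User != nil {
		// "http://shop.example.com@203.0.113.7/" shows a trusted-looking name but connects elsewhere.
		v.Flags = append(v.Flags, "userinfo before @ disguises the real host "+host)
	}
	if net.ParseIP(host) != nil {
		v.Flags = append(v.Flags, "IP-literal host, no registered domain behind it")
	}
	if strings.Contains(host, "xn--") {
		v.Flags = append(v.Flags, "punycode label: possible look-alike domain")
	}
	if shortenerHosts[host] {
		v.Flags = append(v.Flags, "URL shortener hides the real destination")
	}
	path := strings.ToLower(u.Path)
	if strings.HasSuffix(path, ".apk") || strings.HasSuffix(path, ".exe") {
		v.Flags = append(v.Flags, "direct installer download (sideloading)")
	}
	if strings.Count(host, ".") >= 4 {
		v.Flags = append(v.Flags, "deeply nested subdomain, often used to imitate a known brand")
	}
	return v
}

func main() {
	// Constructed sample payloads of the kind a "scan-to-follow" leaflet might carry.
	samples := []string{
		"https://example.com/coupon/2014",
		"http://shop.example.com@203.0.113.7/pay.apk",
		"WIFI:T:WPA;S:FreeCoupon;P:12345678;;",
		"smsto:10690000:SUB",
		"Scan me for a gift",
	}
	for _, s := range samples {
		v := TriageQRPayload(s)
		fmt.Printf("%-45s %-5s risky=%v %v\n", s, v.Kind, v.Risky(), v.Flags)
	}
}
```

  The point of the triage is ordering: classify and inspect first, open second. A verdict with flags is not proof of malice, but it is exactly the case where the scanner should show the decoded text and the reasons to the user instead of launching the browser or installer automatically.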

  Zou Yang: In the Yangzhou case, Ms. Xu was shopping on Taobao and scanned, with her mobile phone, a QR code sent to her by a seller; more than 24,000 yuan was then fraudulently charged to her bank card. The investigation by the Hanjiang District Public Security Bureau found that a man named Ye Jinhua was suspected of a major crime; following that lead, the police arrested four suspects including Ye Jinhua. From August 2013, Ye Jinhua, Ye Jialiang and their "uplines" Chen Mingchun and Dai Zhihao rented a "QR code Trojan program" over the Internet and pre-programmed their own mobile phone numbers into it. Chen Mingchun then posed as a Taobao seller named "Build a Chinese Dream" selling electrical appliances. As soon as a buyer "took the bait", he sent the QR code containing the Trojan through Taobao Wangwang and fabricated various reasons to convince the buyer that scanning the code would make the purchase cheaper. The Trojan automatically forwarded the victim's text messages (mainly the verification codes used in fast payment) to the phone numbers preset by Chen Mingchun and Dai Zhihao, who then logged into the victim's Taobao account. By logging into the Taobao account they obtained the details of the bank card bound to it, bound the victim's bank card to their own Eppay (Yifubao) account, and then used Ms. Xu's credit card to make purchases or cash out on shopping platforms through fast payment. It can be seen that cyber crime has broken free of the limits of physical space and target groups: the cost of committing it is low, the range of harm is wide, and it is more confusing and deceptive. With the spread of mobile phones and the Internet, people of every kind have become targets of criminal gangs. Objectively, such cases are costly to solve and the money is hard to recover. At present, no comprehensive and effective mechanism for prevention and enforcement has been formed.
Therefore, it is all the more important for consumers to strengthen their own defences.

  Reporter: What warning can we take from this criminal chain, in which the mobile phone number was the point of entry?

  Zou Yang: Once the suspect can intercept the victim's phone, the Taobao account password can be reset through the SMS verification code. Knowing the bank card number of a victim who has enabled fast payment, and controlling his phone as well, the suspect can use the one-time payment verification code received on it to complete a payment. Consumers are therefore advised, first, not to use a number they use for everything as the mobile number bound to the Taobao account or the one bound to fast payment; and second, not to use the same number for both. That way, if a Trojan gets onto one phone, the other phone remains a line of defence.

  How can regulators plug the security loopholes of QR codes?

  Reporter: Faced with the information security threat posed by QR codes, how should the regulatory authorities plug the security loopholes?

  Meng Qiang: To plug the security loopholes of QR codes, the regulatory authorities urgently need to introduce standards for the use of QR codes, improve the laws and regulations on mobile Internet security, curb the status quo in which anyone can produce, print and publish QR codes, and set out clear rules on the qualification, certification and filing of QR code enterprises. Only in this way can the healthy development of the whole industry be promoted. Some experts have also suggested that a regulator or a company set up a "trusted QR code platform" combined with digital signature technology, so that every time users scan a code they can know which organization generated it and be sure it has not been tampered with along the way, while the source of a malicious QR code can also be traced. This too is a feasible answer to QR code risk. At the same time, the regulatory authorities should guide QR code enterprises to establish a standardized industry self-discipline mechanism. As early as 2002 the Internet Society of China issued the "China Internet Industry Self-discipline Convention", which called on practitioners in the Internet industry to join and required members to "consciously safeguard the legitimate rights and interests of consumers and keep user information confidential; not use information provided by users for any activity unrelated to the commitments made to them, and not use technical or other advantages to infringe on the legitimate rights and interests of consumers or users." As an important part of the personal information protection mechanism, industry self-discipline is of great significance to the protection of personal information. Gradually establishing such a self-discipline mechanism in the QR code industry will also help guide the healthy development of the whole industry.
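  The "trusted QR code platform" with digital signatures that Meng Qiang describes can be sketched in a few dozen lines. The Go program below is an added example, not a description of any real platform or of code from the interview: it assumes a hypothetical payload layout `SQR1|<issuer-id>|<url>|<signature>` and a trust store of registered issuers' Ed25519 public keys that the scanner app ships with or fetches from the platform. The issuer signs the issuer identifier and URL before printing the code; the scanner verifies them, and a code whose URL was altered after printing, or one signed by an unregistered issuer, is rejected before any URL is opened. The issuer identifiers and URLs are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// prefix marks the hypothetical signed-payload format; fields are '|' separated, so
// issuers must percent-encode any '|' inside a URL before signing.
const prefix = "SQR1"

// TrustStore maps registered issuer IDs to their public keys (hypothetical registry data).
type TrustStore map[string]ed25519.PublicKey

// signedBytes is the exact byte string that is signed and later verified. Binding the
// issuer ID into it stops one issuer's signature from being re-labelled as another's.
func signedBytes(issuer, target string) []byte {
	return []byte(prefix + "|" + issuer + "|" + target)
}

// MakeSignedPayload is what a registered issuer runs before printing the code.
func MakeSignedPayload(issuer, target string, priv ed25519.PrivateKey) string {
	sig := ed25519.Sign(priv, signedBytes(issuer, target))
	return prefix + "|" + issuer + "|" + target + "|" + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifySignedPayload is what the scanner runs before opening anything. It returns the
// issuer and target only when the signature checks out against a known issuer key.
func VerifySignedPayload(payload string, ts TrustStore) (issuer, target string, err error) {
	parts := strings.Split(payload, "|")
	if len(parts) != 4 || parts[0] != prefix {
		return "", "", errors.New("not a signed QR payload")
	}
	issuer, target = parts[1], parts[2]
	pub, ok := ts[issuer]
	if !ok {
		return "", "", fmt.Errorf("unknown issuer %q", issuer)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[3])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", "", errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, signedBytes(issuer, target), sig) {
		return "", "", errors.New("signature does not verify: tampered or forged")
	}
	return issuer, target, nil
}

// Demo registers one hypothetical merchant, issues a code, and reports whether the scanner
// accepts the genuine code, a code whose URL was altered, and a code from an unknown issuer.
func Demo() (genuineOK, tamperedOK, unknownOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ts := TrustStore{"merchant-0001": pub}

	genuine := MakeSignedPayload("merchant-0001", "https://shop.example.com/coupon", priv)
	_, _, e1 := VerifySignedPayload(genuine, ts)

	// An attacker pastes a new URL over the printed code but cannot re-sign it.
	tampered := strings.Replace(genuine, "shop.example.com", "evil.example.net", 1)
	_, _, e2 := VerifySignedPayload(tampered, ts)

	// An attacker signs with their own key; the scanner has no record of that issuer.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := MakeSignedPayload("merchant-9999", "https://evil.example.net/pay", attackerPriv)
	_, _, e3 := VerifySignedPayload(forged, ts)

	return e1 == nil, e2 == nil, e3 == nil
}

func main() {
	g, t, u := Demo()
	fmt.Printf("genuine accepted=%v  tampered accepted=%v  unknown issuer accepted=%v\n", g, t, u)
}
```

  What the scheme does and does not buy is worth stating plainly: the signature proves which registered issuer produced the code and that the URL is the one they signed, so a code whose URL was altered after printing or one signed by an unregistered issuer is rejected before the browser opens. It does not make the destination itself safe; that still depends on the registration and filing checks the platform performs on issuers, and on revoking an issuer's key when it is abused. Unsigned plain URLs, which are what every leaflet carries today, simply fall outside the scheme and should be treated as untrusted.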

  Reporter: Criminals use fast payment as a "money laundering" channel for the fraudulent use of other people's credit cards. Should this new method draw the attention of regulators?

  Zou Yang: The fast payment services launched by third-party payment platforms such as Eppay and Alipay let users who have no online banking pay for transactions by binding a credit card or debit card as a fast payment method. When binding, as long as one knows the cardholder's bank card number, ID number and mobile phone number, payments can be completed without the bank card password being checked. Convenient as it is, this also leaves an opening for scammers. According to the investigators, experience from cases handled in recent years shows that monitoring the flow of funds within the banking system is not a problem; but if criminals move large sums through third-party payment platforms, or simply buy online-game products and resell them at a discount, they can successfully "launder" the money, and in some cases the whereabouts of the funds cannot be traced at all. This kind of crime seriously endangers social and economic security and stability, and needs to draw the attention of regulators.