1

I'll give you the following scenario:

A customer comes to a coffee shop and drinks 1 coffee. Then he pulls out an app from this coffee shop and opens the integrated QR scanner. The worker shows him a QR code and then the counter goes up by 1 in the customer's app. If the customer gets to 10, he gets 1 coffee for free.

The problem here is that the customer could take a picture of that QR code and could start a replay attack to gain free coffees all the time.

How could a system like this be secure? What should the QR code contain? And so on. Please help me.

  • What about the app on the phone being only a registration that generates a QR code for the user? Then the server scans the user QR code and a back-end database keeps track of the coffees. That way all the important stuff is server-side and any replay attacks would have to involve the server as well. Any QR code copying client-side would only give the customer ID, and frankly if they want to give someone else free coffees that's their prerogative as far as I would be concerned. Basically I propose switching the data required to be held by each party. – Nalaurien Nov 17 '17 at 18:43
  • Make each QR code different, a saved UUID that's logged in a DB. The app knows the UUIDs it's scanned, the backend knows which are valid. – dandavis Nov 17 '17 at 19:53
  • One thing that you can do is ask the user to provide some sort of user ID when they buy the coffee (phone number, email ID, etc.). Then every time the user sends a QR code, you can check if the customer bought a coffee after the last time they scanned the QR code. This would let the user scan the code sometime later even if they forget to scan it at the moment. – Limit Nov 21 '17 at 21:38

2 Answers

1

You can’t secure a static barcode against copying. It’s not possible.

What you need to protect against this kind of attack is to have the customer enter/scan something dynamic. It has to be changed every time it’s used; it has to change in an unpredictable manner, so that dishonest customers can’t make up a value and fool it; and the back end system must refuse to accept multiple scans of the same code.

One way to do this is to display the QR code on a tablet mounted on the counter. Every time a customer scans it and their app posts a message back to the server, it validates the current code and then changes the QR code to show a new random number to the next customer.

This needs more security, of course. You have to somehow limit your customer records so he can’t just scan 10 barcodes in a row in one minute. You could solve this by only displaying a QR code after the cash register receives payment. Or you could limit the customer record to ignore multiple scans within a 30 minute window.

You could have the cash register print unique barcodes on the receipts, but thieves will pick up discarded receipts from the trash and scan them. It takes sophisticated back end logic to detect this kind of fraud.

John Deters
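
One way to implement the rotating, single-use code this answer describes, as an added example that is not part of the original answer. It combines two of the answer's suggestions (a new code only after the cash register receives payment, and a 30 minute window per customer); the class and method names are hypothetical.

```python
import secrets
import time

SCAN_WINDOW_SECONDS = 30 * 60   # the answer's 30 minute window
FREE_COFFEE_AT = 10             # from the question: 10 stamps earn a free coffee


class LoyaltyServer:
    """Hypothetical back end shared by the counter tablet and the customer app."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so the window can be tested
        self._current = None      # the only code that is valid right now
        self._stamps = {}         # customer id -> stamps collected
        self._last_scan = {}      # customer id -> time of last accepted scan

    def payment_received(self):
        """Cash register reports a paid order; return a fresh code for the tablet."""
        # 128 bits from the OS CSPRNG: customers cannot predict or make up a value.
        self._current = secrets.token_urlsafe(16)
        return self._current

    def redeem(self, customer_id, scanned_code):
        """App posts the scanned code. Returns (accepted, reason)."""
        now = self._clock()
        current = self._current
        if current is None or not secrets.compare_digest(
                scanned_code.encode(), current.encode()):
            # Photographed, guessed and already redeemed codes all end up here.
            return False, "unknown or already used code"
        last = self._last_scan.get(customer_id)
        if last is not None and now - last < SCAN_WINDOW_SECONDS:
            return False, "scan ignored: inside 30 minute window"
        # Burn the code on success so a second scan of the same QR is refused.
        self._current = None
        self._last_scan[customer_id] = now
        self._stamps[customer_id] = self._stamps.get(customer_id, 0) + 1
        if self._stamps[customer_id] >= FREE_COFFEE_AT:
            self._stamps[customer_id] = 0
            return True, "free coffee earned"
        return True, "stamp added"
```

The code is held in memory for brevity; a real deployment would keep the current code and the customer records in the back-end database and perform the check and the burn in one transaction.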
0

As a more low-tech alternative, you could change the code daily, and only allow redemption once per day.

The code could contain a signed payload that depends both on the location of the sign, and the date.

Laikulo