QR codes that can't be copied - possible?

Question

I assume this is impossible, but I need to find a barcode (that can contain a url, i.e., a QR style one).

It has to be photographed by our smartphone app, but the image will not be changed over a period of weeks or months and has to be on paper.

No matter what we put in the barcode, we always come up with the same flaw: someone could photograph the QR code, print and rescan.

Which is what we are trying to avoid: unauthorised scans of the barcode.

The barcode will only be shown to the phone for a few seconds, and won't be easy available otherwise.

We thought of using AGPS to get the location, however a malicious user could photograph and print the code, then scan near the location they originally got it (which will never move).

So, to sum up: we need a barcode that can contain a url that will only change every few weeks/months that needs to be scannable by a smartphone, that can't be scanned without permission, without interaction with the device except by the owner (i.e., the person who has the barcode can't use the device to scan).

The answers are all flailing around because the question doesn't clarify what your actual scenario and goal is. Please edit the question to clarify what your underlying problem is, the assets you're trying to protect, your threat environment etc. What does "secure" mean to you? See the [faq]. — nealmcb, Jul 18 '11 at 13:24
First thought: The **phone** needs to copy the image in enough detail to decode it accurately in order for it to work at all. If you could operate some form of magic or technical wizardry to make it uncopyable, it would stop functioning. — Phoshi, Jul 18 '11 at 13:35
@Phoshi, thanks, you've just made me realise another security flaw. Someone could just steal the paper. — Ray Britton, Jul 18 '11 at 13:45
If your formulation of the problem is that someone has to use a phone to interpret a barcode which people get to see, but the barcode must remain a secret, there's no way. It is far harder than the decades of effort to copy-protect music, movies, software and the like, all of which have failed. I'm just suggesting that if you explain more about your underlying problem (which can usually be done without revealing anything sensitive), then we can help solve that. — nealmcb, Jul 18 '11 at 18:09
As everyone else says, *needs more details*. For instance - how *often* would a person need to read the code? If it's rarely, (say monthly), you could give them a page of twelve (unique, single-use codes), then mark them as *used*, in a central server, each time one is sent. So if someone scanned a code twice, it would be rejected. — John C, Jul 18 '11 at 20:47
I also facing the same problem. We use barcode and apps barcode ready to control how ofter the sales people visit the sites. Some sales person dijust photograph the image and print them out. So instead visit the site the just scan that barcode and submit. Now we are thingking of using nfc laper on the sites but the costs wise very expensive. — , Oct 24 '15 at 06:46

score 28 · Accepted Answer · answered Jul 18 '11 at 14:47

28

This is a bad idea.

To understand why, imagine there is no QR code, just a human-readable display of the URL.

Now, would you base a security scheme around keeping this URL secret? Of course you wouldn't, it is the rankest security by obscurity.

If you want to keep the url fairly confidential, do so without any advanced wizardry, but you need your security to be secure even if everyone knows the URL. Implement authentication on access to the resource, not (just) on access to the resource name.

answered Jul 18 '11 at 14:47

Marcin

385
2
7

3

I know it's a bad idea, I just needed to make sure I wasn't missing something obvious, and with this answer I should be able to get the system changed. Thanks. – Ray Britton Jul 18 '11 at 15:00
Great! Glad to help with this. – Marcin Jul 18 '11 at 15:22

score 9 · Answer 2 · answered Jul 18 '11 at 10:25

9

No matter what we put in the barcode, we always come up with the same flaw: someone could photograph the qr code, print and rescan.

Or just scan a screen displaying the code. This can't be avoided since QR code where made specifically to address this kind of issues (bad printing, some transformation, rotation etc).

You won't find a technique to prevent photographies of the code also, since if you can shot the picture then the reader won't be either.

The idea that comes to my mind is :

Register the devices allowed to access the service (deviceid or so)
Move the service to a VPN area, with internal addresses that won't be available by anyone that can't connect to it.

answered Jul 18 '11 at 10:25

M'vy

13,033
3
47
69

Sorry, should have explained, anyone can download and use our app. – Ray Britton Jul 18 '11 at 10:52
2

In this case, I don't know what is the purpose of having "hidden" QR-Codes? Does the users generate them for access to private data? If you can't control the user and can't control the QR-Code... this will be difficult. If you want to share to specific people, maybe you can print a QR on the receiver phone and one can scan it to generated an address to some content of his specifically designed for the scanned device? – M'vy Jul 18 '11 at 11:04
1

M'vy, it's a silly solution and I needed to check it was impossible and I wasn't missing anything obvious. – Ray Britton Jul 18 '11 at 11:18
1

Well `impossible` is very context dependent. Maybe your context has a property that can be used to do what you want. But I can't guess it :P – M'vy Jul 18 '11 at 11:22

score 6 · Answer 3 · answered Jul 18 '11 at 12:05

This hinges on how you would implement the validation of access permission. If it's simply having access to a certain location, you'd need physical security. For example, you could send a letter to a personal address and request the recipient to destroy the code after use. If it's having some specific information, then you're back to encryption solutions. For example, you could use one of the many solutions that online banks use, like one-time pads of numbers or random number tokens.

What you cannot possibly protect against with any method except actually working biometrics (or human validation in the case of physical security), is the fact that anybody who has access can simply hand over that access to anybody else.

It would like this: the clerk hands over a shows a piece of paper to the user, they scan it, our app logs this. I'm trying to get it changed to scanning a scan, so the barcode can be time/date/etc based. — Ray Britton, Jul 18 '11 at 13:00

john · Answer 4 · 2011-07-18T11:44:45.567

4

If that someone who can "photograph the qr code, print and rescan" does not have access to your custom scanning application (or a password to use it), then it sounds like what you need is encryption.

When you use QR codes in Extended Channel Interpretation (ECI) Mode (data -> 8bit byte values) you can implement your own encryption solution on top, for example encrypt the URL using a password. Then only your application will be able to read it, which shares this password. Even better, that password may be known only to your users, not stored in the app - or stored in encrypted form that gets decrypted when the user provides the password to open the app.

Asymmetric solutions could work too, if you make the output fit in the QR code.

There are already apps that work like this, see here or here

Of course the other way is to store the text in a garbled way, by applying transformations that only your app can reverse - but that's obscurity.

edited Jul 18 '11 at 11:44

answered Jul 18 '11 at 11:37

john

10,968
1
36
43

3

Although this still won't fix the problem that anyone could copy the visual representation and put it wherever they want... – Rory Alsop Jul 18 '11 at 12:29
Is that a problem if noone but authorised users can make use of reprint? – john Jul 18 '11 at 12:39
Everyone has access to the app, and if the user has the password (which can't change) for the first scan, why couldn't they use it a second time? – Ray Britton Jul 18 '11 at 12:58
@raybritton Oh, so you are not trusting your own users? I was under the impression that you wanted to forbid scans from unauthorised users. – john Jul 18 '11 at 14:10

score -3 · Answer 5 · answered Mar 27 '14 at 13:49

-3

although crude it could be refined but place your qr code over a metalic background (like foil) this way scanners and copiers will create a black image , your hand held device uses natural light and seems to be able to read the code with ease.

answered Mar 27 '14 at 13:49

andy

1

3

Won't work for two reasons: many photocopiers would cope just fine, and in general, these days you can just copy directly using your phone. – Rory Alsop Mar 27 '14 at 15:00
My hand-held device uses natural light. It also contains, besides the QR-code app, a Camera app (incidentally, most devices also access the same software stack for camera and QR scanning) - voila, I have overcome this barrier by making a photo, using the same smartphone I might use for scanning (and many QR apps can work on any image - so now I'm able to QR-scan this image anywhere, anytime). – Piskvor left the building Mar 27 '14 at 15:03

QR codes that can't be copied - possible?

5 Answers5

Linked

Related