QR code scams strike China

QR payment codes, a mainstay in China’s cashless society, have presented con artists with yet another avenue to secure a quick payday.

The scammers enjoy a vast pool of potential victims in China as well, with a recent study showing that 98% of people with smartphones in urban areas use their devices for mobile payments. The quick response codes have become so commonplace that they are used even to pay traffic tickets.

A driver in Shanghai who parked in a restricted area found what appeared to be a ticket affixed to his car after returning from his office job. The ticket ordered him to scan the QR code to pay a 200-yuan ($30) fine, which he did using WeChat Pay, the smartphone app distributed by Tencent Holdings. But a few days later, the man received a notice from police, saying he had yet to pay his parking ticket.

It turned out that the scanned ticket was a fake, and the payment was directed to a private WeChat Pay account. Because the account used a profile photo featuring a male police officer, the victim failed to notice something was amiss.

“I already paid the fee, but I’ll have to pay it again,” the man said.

To combat the proliferation of such scams, police are notifying citizens that any traffic ticket using QR codes will be given in person by officers, while tickets without the codes are left on vehicles.

Scammers target merchants as well by switching out QR payment codes on display with their own. Vegetable sellers, food stall operators and other small vendors lose revenue as a result.

Swindlers get away with these tricks so often because “it is difficult to tell if QR codes are authentic with a quick look,” said Masakatsu Morii, a professor at Kobe University’s department of electrical and electronic engineering.

Human eyes cannot easily tell the patterns of dots apart, short of physically examining whether a fake QR code has been pasted on top of an authentic one.

Moreover, the codes can be read by smartphones even if they are stained or have other defects, as long as the reader can correct the pattern automatically. This ability introduces a new risk for otherwise legitimate QR codes.

Graying out certain areas of the code, for instance, can direct someone to a fraudulent website. Slightly warping square dots in the code also can trick the scanning device.

The private sector is taking up the fight against the scams, a problem not limited to China. TriForce Consulting, based in Tokyo, is developing an authentication system that uses digital signatures along with QR codes. If a user shops online, the system produces a unique QR code for that occasion that will be read by a dedicated smartphone app. That means users do not have to enter a name and password to complete a payment. The company looks to have the system become available later this year.

Mediaseek, also in Tokyo, has developed a system that alerts people to fraudulent QR codes. If a payment code produces a suspicious URL upon a smartphone scan, a user can report the website to Mediaseek at the press of a button. Others who try accessing the URL later will receive a warning.
