QR Codes and Smartphones: A Match Made in Heaven?
1-D barcodes were originally developed to identify warehouse and supermarket products and have since become the most widely recognized barcode types. Since the early days of this technology, barcodes have evolved into a more sophisticated form of printed information. This is where 2-D barcodes come in.
2-D barcodes can represent much more data per unit area, which makes them attractive for a broader range of applications. Of the different 2-D barcodes in use, QR codes (Quick Response Barcodes) have become the predominant choice. Just as VHS defeated Beta and Netflix defeated traditional TV broadcasting, QR codes are now the leader in 2-D barcodes.
QR Code Capabilities
QR codes have many interesting capabilities:
- They’re capable of storing up to 4,296 alphanumeric characters or 2,953 bytes (approx. 2.8kBytes) of coded information;
- They can be read even if the QR code is dirty or damaged; and
- Their supporting technology is constantly being updated, and more and more information can be stored inside them.
Are they secure enough to replace credit cards?
The answer is YES! Magnetic stripes only need 120 bytes of information to be read, which is less than 5% of what QR codes are capable of storing. Chip-enabled cards (EMV cards) are more secure than magnetic cards, as the self-encrypting chip sends 128 bytes of ciphered information to the card reader using 3DES. Another increasingly popular option is mobile phone NFC payments. NFC chips can store up to 8,192 bytes of information and offer a higher degree of encryption using the AES-128 algorithm. QR codes can be used as an alternative to these payment methods, and they also offer different security algorithms such as AES-128, AES-256, Twofish, RSA or 3DES.
Smartphones, a good friend to the QR code, make a great security companion. The colourful, high-quality display of a smartphone, coupled with its computational power, far surpasses the security abilities of chip-enabled cards or the other payment methods mentioned above. Smartphones offer several encryption algorithms, authentication and non-repudiation methods, and can be as dynamic as the application and the security level demand.
QR codes working together with the smartphone
Smartphones are capable of piecing information together and generating QR codes dynamically, which is what makes these two a strong pair. For example, QR codes typically already contain information about the location, the establishment brand and the corresponding encryption key that correlates to the establishment type and the branch office. However, if you move the printed QR code of the facility to the smartphone, the smartphone can confirm the location using GPS and request encryption keys on demand, thus reducing the possibility of exposing a key. On top of this, smartphones can add several security layers, such as the customer account, the amount, and the date and time of the transaction, which can prevent counterfeiting. Then, using an AES-128 algorithm combined with the previous data, the smartphone can generate a dynamic ciphered barcode that protects against eavesdropping. This ciphered QR code can have a lifetime of just a few seconds before it becomes invalid. This way, there is no possibility of counterfeiting a QR code by means of photography.
Smartphones can enhance QR codes, serve as payment methods and be adjusted depending on the application in which the QR code is being used. If needed, security measures and mechanisms can be enhanced simply by upgrading the smartphone app. Essentially, the smartphone and QR code pairing offers functionality that is time-proof and counterfeit-proof if adequate measures are taken.
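The short-lifetime check described above can be sketched from the terminal's side. This is an added example, not code from the article or from any payment product: it uses HMAC-SHA256 from the Python standard library to bind account, amount, merchant and issue time together, so it shows the expiry, tamper and replay rejection but not the AES-128 ciphering the article mentions. The field names, the 10-second window, the clock-skew tolerance and the pre-shared key are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

LIFETIME_SECONDS = 10   # assumed validity window ("a few seconds")
CLOCK_SKEW_SECONDS = 2  # assumed tolerance between phone and terminal clocks

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")

def build_payload(key, account, amount_cents, merchant, now=None):
    """Phone side: return the text to render as a one-time QR code."""
    claims = {"acct": account, "amt": amount_cents, "mch": merchant,
              "iat": int(time.time() if now is None else now),
              "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify_payload(key, token, seen_nonces, now=None):
    """Terminal side: return (True, claims) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag"        # altered or forged payload
    claims = json.loads(body)
    age = now - claims["iat"]
    if age > LIFETIME_SECONDS or age < -CLOCK_SKEW_SECONDS:
        return False, "expired"        # e.g. a photographed code shown later
    if claims["nonce"] in seen_nonces:
        return False, "replayed"       # same code presented twice in the window
    seen_nonces.add(claims["nonce"])
    return True, claims
```

The nonce set is what stops a photograph taken and presented inside the validity window; the timestamp alone only rejects copies shown after it closes.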
It’s worth noting that the security of the QR payment method directly relates to the security of the smartphone itself. This means that a QR payment method is as vulnerable as a 4-digit access code, fingerprint or face recognition-based security measure. This ease of access is an additional security layer that must be considered when exploring QR codes and the smartphone.
Gaston Salinas Carpio studied Electronics and Communications Engineering at the Instituto Politécnico Nacional in Mexico, focusing his master's degree on low-noise electronics. He has since been involved in the integration of tolling and vehicle identification solutions for approximately 11+ years.
He has worked for important industry leaders such as IBI, Kapsch and Neology and has participated in electronic and digital solutions for securing information in automatic vehicle identification, tolling and ETC solutions, such as the national vehicle registry for Mexico (REPUVE), and in the ETC market in Mexico, providing a non-repudiation mechanism for one of the most widely deployed tags. He has also developed security applications using different encryption algorithms for ciphering, authentication and non-repudiation of information streams.